server { listen 80; listen 443 ssl; server_name localhost; # SSL证书配置 ssl_certificate /etc/nginx/ssl/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; # 日志配置 access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; # 设置较大的客户端请求体大小限制,以支持上传文件 client_max_body_size 20M; # 设置超时时间 proxy_connect_timeout 300s; proxy_send_timeout 300s; proxy_read_timeout 300s; # 启用gzip压缩 gzip on; gzip_disable "msie6"; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; gzip_min_length 256; gzip_types application/javascript application/json application/x-javascript application/xml application/xml+rss image/svg+xml text/css text/javascript text/plain text/xml; # 反向代理到应用服务 location / { proxy_pass http://app:8888; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket支持 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; # 安全相关头信息 add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options SAMEORIGIN; add_header Referrer-Policy strict-origin-when-cross-origin; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; } # API请求处理 location /api/ { proxy_pass http://app:8888; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket支持 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; # 流式输出支持 proxy_buffering off; # 禁用代理缓冲 proxy_cache off; # 禁用代理缓存 chunked_transfer_encoding on; # 启用分块传输编码 tcp_nopush off; # 禁用TCP NOPUSH选项,确保数据立即发送 tcp_nodelay on; # 启用TCP NODELAY选项,禁用Nagle算法 keepalive_timeout 65; # 保持连接超时 # 确保不会压缩流式响应 gzip off; # 对API响应禁用gzip压缩 } # 静态文件缓存设置 location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ { proxy_pass http://app:8888; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; expires 30d; add_header Cache-Control "public, max-age=2592000"; add_header X-Content-Type-Options nosniff; } }