From bcca316358a9d5e94587c6f8592870921bec7b6b Mon Sep 17 00:00:00 2001
From: xueqingkun
Date: Sun, 28 Apr 2024 10:39:52 +0800
Subject: [PATCH] =?UTF-8?q?1.=20=E6=B7=BB=E5=8A=A0nginx-docker=E9=85=8D?= =?UTF-8?q?=E7=BD=AE=E5=86=85=E5=AE=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
docker/nginx/docs/conf.d/http.conf | 27 +++++++++
docker/nginx/docs/conf.d/https.conf | 44 ++++++++++++++
docker/nginx/docs/conf.d/nginx.conf | 33 +++++++++++
.../nginx/docs/conf.d/servers.conf.template | 6 ++
docker/nginx/docs/docker-entrypoint.sh | 57 +++++++++++++++++++
docker/nginx/docs/ssl/cert.pem | 21 +++++++
docker/nginx/docs/ssl/csr.pem | 17 ++++++
docker/nginx/docs/ssl/key.pem | 28 +++++++++
8 files changed, 233 insertions(+)
create mode 100644 docker/nginx/docs/conf.d/http.conf
create mode 100644 docker/nginx/docs/conf.d/https.conf
create mode 100644 docker/nginx/docs/conf.d/nginx.conf
create mode 100644 docker/nginx/docs/conf.d/servers.conf.template
create mode 100644 docker/nginx/docs/docker-entrypoint.sh
create mode 100644 docker/nginx/docs/ssl/cert.pem
create mode 100644 docker/nginx/docs/ssl/csr.pem
create mode 100644 docker/nginx/docs/ssl/key.pem
diff --git a/docker/nginx/docs/conf.d/http.conf b/docker/nginx/docs/conf.d/http.conf
new file mode 100644
index 0000000..aed3a97
--- /dev/null
+++ b/docker/nginx/docs/conf.d/http.conf
@@ -0,0 +1,27 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name localhost;
+
+ #access_log /var/log/nginx/host.access.log main;
+ client_max_body_size 20M; # 设置客户端请求的最大上传大小为 20MB,可以根据实际情况修改
+
+ location / {
+ root /usr/share/nginx/html/dist;
+ index index.html index.htm;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html/dist;
+ }
+
+ # 前台后端服务
+ location /knowledge-graph/ {
+ proxy_pass http://kg_servers/knowledge-graph/;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
\ No newline at end of file
diff --git a/docker/nginx/docs/conf.d/https.conf b/docker/nginx/docs/conf.d/https.conf
new file mode 100644
index 0000000..433541c
--- /dev/null
+++ b/docker/nginx/docs/conf.d/https.conf
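Review bot: `proxy_set_header Host $http_host;` in the `/knowledge-graph/` location passes the client's Host header to the backend unchanged, and since this is the only port-80 server block visible in the commit it will probably answer for any Host value. If the backend builds links, redirects or tenant lookups from Host, that is a host-header injection path. `$host` is normalised but still client-derived, so the effective control is a real `server_name` here plus a catch-all default server that rejects unknown names (for example with `return 444;`). The same `proxy_set_header Host $http_host;` line appears in the https.conf hunk. The block also serves the proxied API over plain HTTP with no redirect to the 443 server; a comment saying whether that is intended would help.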
@@ -0,0 +1,44 @@
+server {
+ listen 443 ssl;
+ server_name example.com;
+
+ ssl_certificate /data/vp/nginx/ssl/cert.pem;
+ ssl_certificate_key /data/vp/nginx/ssl/key.pem;
+
+ # 配置SSL参数
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384;
+
+ # 配置SSL会话缓存
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 30m;
+
+ # 配置SSL安全性选项
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+
+ client_max_body_size 20M; # 设置客户端请求的最大上传大小为 20MB,可以根据实际情况修改
+
+ location / {
+ root /usr/share/nginx/html/dist;
+ index index.html index.htm;
+ # add_header Cache-Control no-store;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html/dist;
+ }
+
+ # 前台后端服务
+ location /knowledge-graph/ {
+ proxy_pass http://kg_servers/knowledge-graph/;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
\ No newline at end of file
diff --git a/docker/nginx/docs/conf.d/nginx.conf b/docker/nginx/docs/conf.d/nginx.conf
new file mode 100644
index 0000000..012057b
--- /dev/null
+++ b/docker/nginx/docs/conf.d/nginx.conf
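Review bot: The `ssl_ciphers` line names `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512`, which as far as I know are not OpenSSL cipher suite names (the AES-GCM suites are defined with SHA256 or SHA384). That would leave `ECDHE-RSA-AES256-GCM-SHA384` as the only TLS 1.2 suite actually offered. I would replace the line with suites that exist, for example `ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;`, and check the result with `openssl ciphers -v` on the target image. `ssl_stapling on;` will also do nothing if the cert.pem added in this commit is self-signed, as it appears to be, because there is no OCSP responder to query. The server block sets no `Strict-Transport-Security` header either.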
@@ -0,0 +1,33 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /data/vp/nginx/conf/*.conf;
+ include /etc/nginx/conf.d/*.conf;
+
+}
\ No newline at end of file
diff --git a/docker/nginx/docs/conf.d/servers.conf.template b/docker/nginx/docs/conf.d/servers.conf.template
new file mode 100644
index 0000000..63579b0
--- /dev/null
+++ b/docker/nginx/docs/conf.d/servers.conf.template
@@ -0,0 +1,6 @@
+# 前台服务后端地址,多个地址可用与负载均衡
+# 解析以逗号分隔的多个 upstream 值
+
+ upstream kg_servers {
+ server $UPSTREAM_KG_SERVERS;
+ }
diff --git a/docker/nginx/docs/docker-entrypoint.sh b/docker/nginx/docs/docker-entrypoint.sh
new file mode 100644
index 0000000..14fe128
--- /dev/null
+++ b/docker/nginx/docs/docker-entrypoint.sh
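Review bot: `include /data/vp/nginx/conf/*.conf;` loads server configuration from a directory under /data that the entrypoint in this commit also writes to at container start. If that path is a mounted volume, anything able to drop a `.conf` file there controls nginx's configuration, including what gets proxied and where. I would add a comment above the include stating who owns the directory and that it should be root-owned or mounted read-only apart from the generated servers.conf. The http block also leaves `server_tokens` at its default; adding `server_tokens off;` stops the version being advertised in response headers and error pages.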
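Review bot: The header comment in servers.conf.template says several comma-separated upstream addresses are parsed, but the template emits a single `server $UPSTREAM_KG_SERVERS;` line and nothing visible in the commit splits the value. A list such as `a:8080,b:8080` (constructed example) would therefore produce one invalid `server` directive rather than two backends. Either change the comment to say one address is supported, or have the entrypoint expand the list into one `server` line per entry. The value is also pasted into the config verbatim, so a `;` or `}` inside the variable would add directives; a comment noting that the variable must come only from the deployer would make that assumption explicit.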
@@ -0,0 +1,57 @@
+#!/bin/sh
+# vim:sw=4:ts=4:et
+
+set -e
+# /etc/nginx/conf.d/servers.conf 文件不存在,就通过环境变量UPSTREAM_KG_SERVERS生成/data/vp/nginx/conf/servers.conf
+if [ ! -f "/data/vp/nginx/conf/servers.conf" ]; then
+ echo "BEGIN REPLACE SERVERS.CONF ...."
+ # 替换文件中的变量
+ envsubst '$UPSTREAM_KG_SERVERS' < /data/vp/nginx/conf/servers.conf.template > /data/vp/nginx/conf/servers.conf
+ echo "REPLACEMENT COMPLETE"
+else
+ echo "SERVERS.CONF ALREADY EXISTS"
+fi
+
+
+entrypoint_log() {
+ if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
+ echo "$@"
+ fi
+}
+
+if [ "$1" = "nginx" ] || [ "$1" = "nginx-debug" ]; then
+ if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
+ entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
+
+ entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
+ find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
+ case "$f" in
+ *.envsh)
+ if [ -x "$f" ]; then
+ entrypoint_log "$0: Sourcing $f";
+ . "$f"
+ else
+ # warn on shell scripts without exec bit
+ entrypoint_log "$0: Ignoring $f, not executable";
+ fi
+ ;;
+ *.sh)
+ if [ -x "$f" ]; then
+ entrypoint_log "$0: Launching $f";
+ "$f"
+ else
+ # warn on shell scripts without exec bit
+ entrypoint_log "$0: Ignoring $f, not executable";
+ fi
+ ;;
+ *) entrypoint_log "$0: Ignoring $f";;
+ esac
+ done
+
+ entrypoint_log "$0: Configuration complete; ready for start up"
+ else
+ entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
+ fi
+fi
+
+exec "$@"
\ No newline at end of file
diff --git a/docker/nginx/docs/ssl/cert.pem b/docker/nginx/docs/ssl/cert.pem
new file mode 100644
index 0000000..1764975
--- /dev/null
+++ b/docker/nginx/docs/ssl/cert.pem
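Review bot: Nothing checks that `UPSTREAM_KG_SERVERS` is set before the `envsubst` line, so an unset or empty variable writes `server ;` into /data/vp/nginx/conf/servers.conf. Because the script regenerates the file only when it is missing, later restarts keep the broken file even after the variable is corrected. Adding `: "${UPSTREAM_KG_SERVERS:?UPSTREAM_KG_SERVERS must be set}"` just before the `envsubst` call makes the container fail early with a clear message. Writing to a temporary file and moving it into place only after `nginx -t` succeeds would avoid persisting a bad config. The leading comment also names /etc/nginx/conf.d/servers.conf while the test checks /data/vp/nginx/conf/servers.conf, so it should be corrected to match.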
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdzCCAl8CFC5Pwm//gTURwneg5cjhbkyueufNMA0GCSqGSIb3DQEBCwUAMHgx +CzAJBgNVBAYTAkNIMQswCQYDVQQIDAJOSjEOMAwGA1UEBwwFbmogeWgxDDAKBgNV +BAoMA3NzdDEMMAoGA1UECwwDc3N0MQ8wDQYDVQQDDAZzc3RvcmcxHzAdBgkqhkiG +9w0BCQEWEDEyMzQ1NkBlbWFpbC5jb20wHhcNMjMxMTEwMDEyMzIzWhcNMjMxMjEw +MDEyMzIzWjB4MQswCQYDVQQGEwJDSDELMAkGA1UECAwCTkoxDjAMBgNVBAcMBW5q +IHloMQwwCgYDVQQKDANzc3QxDDAKBgNVBAsMA3NzdDEPMA0GA1UEAwwGc3N0b3Jn +MR8wHQYJKoZIhvcNAQkBFhAxMjM0NTZAZW1haWwuY29tMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA0/VotZw72C+GVQnKsVfwtxeXEPPfiUfE0/H6mp8A +jhxHnFofNK5mvjYs3++U9UEfP1jq84flaD5qgrEGzhauJg6NdrLdcd9RCguu8Pkm +YHIMVl9UzLQexKg15wh0Fc8S6vc3xGBPfosS29YJulXcUZB2CeVJ9CXCTx2Z1dRG +Ug9eMTiPwgB8GnQ56h2GjTyCnVWeVoXBFVef6sY0czkPoJVPk7TZI3K5BmaLBNX1 +0L4OzaJtOa6ZWll3rGxVrk/7oB+Z3t3l8NXF9SrmC039K3sZerNLjlVUdkGD52jz +xCc4Eixcus2pduKfIP3dUhdn05TNUln1/nIFRErcXUWdswIDAQABMA0GCSqGSIb3 +DQEBCwUAA4IBAQCLmsogw3J6KOyHnzaWQaKvhRzqPAupIBY4HYTk+hyOahgMMkkd ++3QIiWU/pp0Nu5iyYytzGRCQIz1Jh+xpk3UQVpayDB8C4XIB7oyzpuatTuyeCvq/ +lnDlk8jk64EewLLWE2pOce6yAKZ/xhcQiDI9YcjgGOkUOjv7Hgqhzwlafrt5FXGB +znFmVi5A52RqkkteplkRsl08OE5VmfxwFYJWZ7QXMlp5ec13oCE21PU+cmLLF/Vb +xl7JJKeMOgDICiSczcYzwP56SiYFktKQ8KmDotFWgBM9mtxkEcOqPb2Xe9vzOclk +AK+5bHhgF2yZGhjbNuzp/FwGSAIozuR5IXxJ +-----END CERTIFICATE----- diff --git a/docker/nginx/docs/ssl/csr.pem b/docker/nginx/docs/ssl/csr.pem new file mode 100644 index 0000000..ba2dff7 --- /dev/null +++ b/docker/nginx/docs/ssl/csr.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICvTCCAaUCAQAweDELMAkGA1UEBhMCQ0gxCzAJBgNVBAgMAk5KMQ4wDAYDVQQH +DAVuaiB5aDEMMAoGA1UECgwDc3N0MQwwCgYDVQQLDANzc3QxDzANBgNVBAMMBnNz +dG9yZzEfMB0GCSqGSIb3DQEJARYQMTIzNDU2QGVtYWlsLmNvbTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBANP1aLWcO9gvhlUJyrFX8LcXlxDz34lHxNPx ++pqfAI4cR5xaHzSuZr42LN/vlPVBHz9Y6vOH5Wg+aoKxBs4WriYOjXay3XHfUQoL +rvD5JmByDFZfVMy0HsSoNecIdBXPEur3N8RgT36LEtvWCbpV3FGQdgnlSfQlwk8d +mdXURlIPXjE4j8IAfBp0Oeodho08gp1VnlaFwRVXn+rGNHM5D6CVT5O02SNyuQZm +iwTV9dC+Ds2ibTmumVpZd6xsVa5P+6Afmd7d5fDVxfUq5gtN/St7GXqzS45VVHZB +g+do88QnOBIsXLrNqXbinyD93VIXZ9OUzVJZ9f5yBURK3F1FnbMCAwEAAaAAMA0G +CSqGSIb3DQEBCwUAA4IBAQCFdN/RMNZtduCGs21f5Le4uGePh2nHzqB2tPzPsWYV +LLPO/pInHB0lQ3vJLFtIeaTLIDwB+AFcdM7rNhMGz9rj/Qrk9LCvgm+CQGUOy1h4 +r1tJ27z+8xfwHls/fgghHnSLoaUvma2FfIQzZc/rGTDLkdERBZ1skxOVqIw56qlA +aPyKUt9s/fg6P5xMSv5SDIR89n0i3TChSa8nNdHV1Ld44mLZ7Aw29ChXI5DaQ05t +B6rdNz3AofmxlkzHIlFl46kPMy4H5jgHWlOBT+eLHv/fecPWCNpgnr9vi7O2Ih9o +i8KHDeK1T9Bl5U+sGof6E0Sey/xBOEGnYzuiQUl4kxfL +-----END CERTIFICATE REQUEST----- diff --git a/docker/nginx/docs/ssl/key.pem b/docker/nginx/docs/ssl/key.pem new file mode 100644 index 0000000..adb651d --- /dev/null +++ b/docker/nginx/docs/ssl/key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDT9Wi1nDvYL4ZV +CcqxV/C3F5cQ89+JR8TT8fqanwCOHEecWh80rma+Nizf75T1QR8/WOrzh+VoPmqC +sQbOFq4mDo12st1x31EKC67w+SZgcgxWX1TMtB7EqDXnCHQVzxLq9zfEYE9+ixLb +1gm6VdxRkHYJ5Un0JcJPHZnV1EZSD14xOI/CAHwadDnqHYaNPIKdVZ5WhcEVV5/q +xjRzOQ+glU+TtNkjcrkGZosE1fXQvg7Nom05rplaWXesbFWuT/ugH5ne3eXw1cX1 +KuYLTf0rexl6s0uOVVR2QYPnaPPEJzgSLFy6zal24p8g/d1SF2fTlM1SWfX+cgVE +StxdRZ2zAgMBAAECggEAAPoKh3u20uI1LkMjSfnrxAw5x/w3tXw9LfTZgMjmycDb +m57Wsflzw8CgKFAEUbUBHdudCY5AwmA3QW7rZxu3pbk/caKVXqb2yqMPJVEgmiUs +ZWF/FIpn8eQMi4oAbvFLVwXYnfELrLubVKQB23f10fJmeNkzpApggNjUEqYtxMcH +MjfUmXzrZhvFKdRjdmyITa4gI9djuRvOIfWz0bZTePUtcfgCfpkM3lbxWRIst7Dg +FqCcgX68XOHHDCzzWTE7LasFBZx3mAcOyRMC+MKw96becC4r1c2KFFKh8tFp57y2 +hQ1ybjxeF2MaWf3I/ioi2uTUza+L8m2RsKwABcRwIQKBgQDUrnn/WtKdryDU0rBj +cwsKTrMCycblwYCJj58cGSiETTVJOlhh1N2QtE/kwQI69tUVOc7C5p5FZzk+iff7 +KwvwDqurtW5kKHE5IamUnKqv32bbHuRtg9CB0ktmmbxOrwP5s+QGhh5fKGvFKs3D +xVytLVw76f+BLK4NaBbzCdEN6wKBgQD/IT0F9f9XnTIa1a/bNVLCuRRZdWjDK40i +bD8EgO9T/FxK4yXSV3IB2C6mQNdMxDcmFBTS7EoXPZpZYuFCqBKQvV1OQ0yUAy2b ++PmmZMBakbpQHkIjkq2cgXNXaVdDeKPfoG4SqPz/6x7p/Np/UG9Ey8juNuQXmIiH +wwjwTfqVWQKBgQDNd6ogykuDTvd24/zIdxIJaTKD1Q+0U5asTvY2HRAJkNWT4ywT +h6Rt8eTlaJmRAXmmQezAWjA5eJnTE1NhcZrc1i9/eY4mcPPBcAX2rswvkLI7qsKg +EqJTaSiy/H7xvR8oE2SN8PBSmihTmSCkq3z3SUU8FLpkvxd/mDnjnm469QKBgQCg +rRQ7ftPTH+MAV3erPIfkrp8MQA88a181QKrncTRI1nRhjXCyafQZCUdH2So+5Iw+ +5QLAW6PFwzxD8yweyK74jOoIcgX2aZH92u2PR4CFCaYm8weAU84W9MfpUyRsD7xV +CDqKcfb0TeVoQ6Bv8f5Be34N2HAKFDxYFBK7FMEt8QKBgDNBG3n8/912dDWV1Dve +o4v+TAnlAMHgEXZH+VCCzeIyj1UkUh4sxdIGGaGCPrWGrqxIYIKPKX8gPIWQ7QJj +QJZyL5nqGXWwZUvBuHzE3tB24XJpuHGfg+oBdDfg0aiEMTQKnRORdgHHVdB9W3SN +2TrXQbtwB1X+wioA4615n6ih +-----END PRIVATE KEY-----
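Review bot: key.pem is an unencrypted private key committed next to cert.pem, and https.conf in this commit points `ssl_certificate_key` at a file of the same name, so anyone with read access to the repository holds the key for any deployment that uses these files as shipped. The key should be treated as disclosed: remove it from the tree along with csr.pem, which has no runtime use, add `docker/nginx/docs/ssl/*.pem` to .gitignore, and document generating or mounting a key at deploy time. Deleting the file in a later commit does not remove it from history, so any certificate issued for this key needs to be replaced rather than reused. If a sample pair must stay for documentation, the minimum is a README line stating that it is a throwaway example and must never be deployed.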