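# HTTPS virtual host for sxbscm.sxbscm.com: one root front end plus five
# sub-applications (/cus, /pur, /tms, /sup, /sort), each with static files
# served from disk and an /api/ prefix proxied to a local backend port.
#
# Changes against the previous revision:
#   * removed four stray "}" that closed the server block early and left the
#     /pur, /tms, /sup and /sort locations outside any server context;
#   * sub-app locations now end in "/" so the alias cannot be reached through
#     a prefix such as "/cus.." (which resolved to the parent directory of the
#     alias target);
#   * the single-page-app fallback now names each app's own index.html;
#   * /pur/api/ now proxies to 9007, matching its section header.
server {
    listen 443 ssl;
    server_name sxbscm.sxbscm.com;

    # 1. Certificates. The .pem must contain the domain certificate followed
    #    by the intermediate certificate(s); merge them if they were issued as
    #    separate files, otherwise clients see an incomplete chain.
    ssl_certificate         /mnt/sxbscm/ssl/sxbscm.sxbscm.com/sxbscm.sxbscm.com.pem;
    # Private key: keep it readable only by the account that starts nginx.
    ssl_certificate_key     /mnt/sxbscm/ssl/sxbscm.sxbscm.com/sxbscm.sxbscm.com.key;
    # Chain used to verify stapled OCSP responses (ssl_stapling_verify below).
    # NOTE(review): verification needs the issuer chain up to the root; if
    # stapling fails to verify, point this at a bundle that also holds the CA
    # root certificate — confirm against the issued files.
    ssl_trusted_certificate /mnt/sxbscm/ssl/sxbscm.sxbscm.com/sxbscm.sxbscm.com.pem;

    # 2. Protocol versions. Keep to TLS 1.2 and 1.3. Adding TLSv1.1 to work
    #    around a handshake error is not advised: TLS 1.0/1.1 are deprecated
    #    (RFC 8996); fix the client or the certificate chain instead.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;   # server order decides the suite

    # 3. Compatibility-oriented TLS 1.2 cipher list.
    #    - ECDHE/DHE suites provide forward secrecy. The DHE-RSA entries are
    #      only offered when ssl_dhparam is configured.
    #    - The last two entries (AES128-GCM-SHA256, AES256-GCM-SHA384) use
    #      static RSA key exchange, i.e. no forward secrecy. They are kept for
    #      old clients only; drop them once those clients are gone.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384";

    # 4. Handshake tuning.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    # Session tickets off: resumption goes through the shared cache only, so
    # there is no ticket key that would need rotating.
    ssl_session_tickets off;
    ssl_stapling on;                # OCSP stapling; the certificate must carry an OCSP responder URL
    ssl_stapling_verify on;
    # Resolver used to look up the OCSP responder. These are public resolvers
    # reached over plain DNS; a resolver on a trusted local network is the
    # safer choice against spoofed answers.
    resolver 8.8.8.8 114.114.114.114 valid=300s;
    resolver_timeout 5s;

    # Optional hardening once every client reaches this host over HTTPS only:
    # add_header Strict-Transport-Security "max-age=31536000" always;

    # ==================== Port 9009: root path (sxbscm.sxbscm.com) ====================
    # Static front end (the directory formerly served for the www name).
    root /mnt/sxbscm/web_front/sxbscm.sxbscm.com;
    index index.html;

    # Root front end: serve the file or directory, otherwise 404.
    location / {
        try_files $uri $uri/ =404;
    }

    # Root API: /api/... -> backend on 9009. The trailing "/" on proxy_pass
    # replaces the /api/ prefix before the request is forwarded.
    location /api/ {
        proxy_pass http://127.0.0.1:9009/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent; backends should trust X-Real-IP or only the last entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # ==================== Port 9006: /cus (sxbscm.sxbscm.com/cus) ====================
    # Bare /cus is redirected so the alias location below can require the slash.
    location = /cus {
        return 301 /cus/;
    }

    # Location and alias both end in "/": with "location /cus" a request for
    # "/cus../x" mapped to the alias target's parent directory.
    location ^~ /cus/ {
        alias /mnt/sxbscm/web_front/cus.sxbscm.com/;
        index index.html;
        # Serve the file if it exists, else hand the route to this app's
        # index.html. The fallback is an internal redirect, so a bare
        # /index.html would be answered by "location /" (the root site).
        try_files $uri $uri/ /cus/index.html;
    }

    # /cus API: strip the /cus/api/ prefix and forward to 9006.
    location ^~ /cus/api/ {
        rewrite ^/cus/api/(.*)$ /$1 break;
        proxy_pass http://127.0.0.1:9006/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # ==================== Port 9007: /pur (sxbscm.sxbscm.com/pur) ====================
    location = /pur {
        return 301 /pur/;
    }

    location ^~ /pur/ {
        alias /mnt/sxbscm/web_front/pur.sxbscm.com/;
        index index.html;
        # Serve the file if it exists, else this app's index.html.
        try_files $uri $uri/ /pur/index.html;
    }

    # /pur API: strip the /pur/api/ prefix and forward to 9007.
    # NOTE(review): the previous revision proxied to 9006 (the /cus backend)
    # although this section is labelled 9007 — confirm the backend port.
    location ^~ /pur/api/ {
        rewrite ^/pur/api/(.*)$ /$1 break;
        proxy_pass http://127.0.0.1:9007/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # ==================== Port 9008: /tms (sxbscm.sxbscm.com/tms) ====================
    location = /tms {
        return 301 /tms/;
    }

    location ^~ /tms/ {
        alias /mnt/sxbscm/web_front/tms.sxbscm.com/;
        index index.html;
        # Serve the file if it exists, else this app's index.html.
        try_files $uri $uri/ /tms/index.html;
    }

    # /tms API: strip the /tms/api/ prefix and forward to 9008.
    location ^~ /tms/api/ {
        rewrite ^/tms/api/(.*)$ /$1 break;
        proxy_pass http://127.0.0.1:9008/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # ==================== Port 9010: /sup (sxbscm.sxbscm.com/sup) ====================
    location = /sup {
        return 301 /sup/;
    }

    location ^~ /sup/ {
        alias /mnt/sxbscm/web_front/sup.sxbscm.com/;
        index index.html;
        # Serve the file if it exists, else this app's index.html.
        try_files $uri $uri/ /sup/index.html;
    }

    # /sup API: strip the /sup/api/ prefix and forward to 9010.
    location ^~ /sup/api/ {
        rewrite ^/sup/api/(.*)$ /$1 break;
        proxy_pass http://127.0.0.1:9010/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # ==================== Port 9011: /sort (sxbscm.sxbscm.com/sort) ====================
    location = /sort {
        return 301 /sort/;
    }

    location ^~ /sort/ {
        alias /mnt/sxbscm/web_front/sort.sxbscm.com/;
        index index.html;
        # Serve the file if it exists, else this app's index.html.
        try_files $uri $uri/ /sort/index.html;
    }

    # /sort API: strip the /sort/api/ prefix and forward to 9011.
    location ^~ /sort/api/ {
        rewrite ^/sort/api/(.*)$ /$1 break;
        proxy_pass http://127.0.0.1:9011/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}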
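# Optional (recommended): send plain-HTTP requests to HTTPS so browsers do
# not show a warning.
server {
    listen 80;
    server_name sxbscm.sxbscm.com;
    # Redirect to the configured name instead of $host: if this block is the
    # default server for port 80 it also answers requests carrying any other
    # Host header, and $host would copy that value into the Location header.
    return 301 https://$server_name$request_uri;
}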