server { listen 80; server_name your-admin-domain.com; # 替换为你的域名 # 重定向到HTTPS return 301 https://$server_name$request_uri; } server { listen 443 ssl http2; server_name your-admin-domain.com; # 替换为你的域名 # SSL证书配置 ssl_certificate /path/to/your/certificate.crt; ssl_certificate_key /path/to/your/private.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # 网站根目录 root /var/www/admin/dist; index index.html; # Gzip压缩 gzip on; gzip_vary on; gzip_min_length 1024; gzip_proxied any; gzip_comp_level 6; gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/atom+xml image/svg+xml; # 静态资源缓存 location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { expires 1y; add_header Cache-Control "public, immutable"; add_header Vary Accept-Encoding; } # API代理 location /api/ { proxy_pass http://your-backend-server:8080/; # 替换为你的后端服务器地址 rewrite ^/api/(.*)$ /$1 break; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # 超时设置 proxy_connect_timeout 30s; proxy_send_timeout 30s; proxy_read_timeout 30s; } # SPA路由支持 location / { try_files $uri $uri/ /index.html; # 安全头 add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:;" always; } # 禁止访问敏感文件 location ~ /\. { deny all; } location ~ \.(env|log|config)$ { deny all; } # 错误页面 error_page 404 /index.html; error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } }