# Todo: May be can auto discovery
upstream http_server {
ip_hash;
server web:8080; # 这个是可以通过容器访问, 外部访问是 80端口
# server HOST2:80; # 另外的要写真实IP
}
server {
listen 80;
# listen [::]:80;
# server_name demo.jumpserver.org; # 取消注释并自行修改成你自己的域名
return 307 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
# listen [::]:443 ssl http2;
# server_name demo.jumpserver.org; # 取消注释并自行修改成你自己的域名
server_tokens off;
ssl_certificate cert/server.crt; # 修改 server.crt 为你的证书, 不要改路径 certs/
ssl_certificate_key cert/server.key; # 修改 server.key 为你的证书, 不要改路径 certs/
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
client_max_body_size 5000m;
location / {
proxy_pass http://http_server;
proxy_buffering off;
proxy_request_buffering off;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
#proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # 如果上层还有其他 slb 需要使用 $proxy_add_x_forwarded_for 获取真实 ip
proxy_ignore_client_abort on;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 6000;
}
}
~