# nginx配置文件 # 用于OAuth2/OIDC系统的反向代理 # 工作进程数 worker_processes auto; # PID文件路径 pid /tmp/nginx.pid; # 错误日志 error_log /tmp/nginx_error.log; # 事件模块配置 events { worker_connections 1024; } # HTTP模块配置 http { map $http_origin $cors_origin { default ""; "https://a.local.com" "https://a.local.com"; "https://b.local.com" "https://b.local.com"; } # MIME类型 include /opt/homebrew/etc/nginx/mime.types; default_type application/octet-stream; # 日志格式 log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; # 在http块添加main_cookie日志格式 log_format main_cookie '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' 'cookie:"$http_cookie"'; # 访问日志 access_log /tmp/nginx_access.log main; # 基本设置 sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; # Gzip压缩 gzip on; gzip_vary on; gzip_min_length 1024; gzip_types text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json; # 前端应用服务器 (a.local.com) - HTTPS server { listen 443 ssl; server_name b.local.com; # SSL配置 ssl_certificate /Users/sunpeng/workspace/remote/oauth2/ssl/certificate.crt; ssl_certificate_key /Users/sunpeng/workspace/remote/oauth2/ssl/private.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # 静态文件目录 root /Users/sunpeng/workspace/remote/oauth2/resourceservicehtmlb; # 首页和静态文件 location / { try_files $uri $uri/ /index.html; # 添加CORS头 add_header Access-Control-Allow-Origin $cors_origin; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; } # 防止前端server拦截OIDC登录页,/login直接返回404 location = /login { return 404; } # 处理OPTIONS预检请求 location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { expires 1y; add_header Cache-Control "public, immutable"; } # /api 路径转发到网关 location /api { rewrite ^/api/(.*)$ /b/$1 break; proxy_pass http://localhost:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # 处理CORS add_header Access-Control-Allow-Origin $cors_origin always; add_header Access-Control-Allow-Credentials "true" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; # 处理OPTIONS请求 if ($request_method = 'OPTIONS') { add_header Access-Control-Allow-Origin $cors_origin always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; add_header Access-Control-Max-Age 1728000; add_header Content-Type "text/plain; charset=utf-8"; add_header Content-Length 0; return 204; } } # /oidc-logout 路径转发到 OIDC 服务 location /oidc-logout { proxy_pass http://localhost:9000/oidc-logout; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Cookie $http_cookie; # 记录cookie内容到专用日志 access_log /tmp/nginx_oidc_logout.log main_cookie; # 处理CORS add_header Access-Control-Allow-Origin $cors_origin always; add_header Access-Control-Allow-Credentials "true" always; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; # 处理OPTIONS请求 if ($request_method = 'OPTIONS') { add_header Access-Control-Allow-Origin $cors_origin always; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; add_header Access-Control-Max-Age 1728000; add_header Content-Type "text/plain; charset=utf-8"; add_header Content-Length 0; return 204; } } # 错误页面 error_page 404 /404.html; error_page 500 502 503 504 /50x.html; } server { listen 443 ssl; server_name a.local.com; # SSL配置 ssl_certificate /Users/sunpeng/workspace/remote/oauth2/ssl/certificate.crt; ssl_certificate_key /Users/sunpeng/workspace/remote/oauth2/ssl/private.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # 静态文件目录 root /Users/sunpeng/workspace/remote/oauth2/resourceservicehtml; # 首页和静态文件 location / { try_files $uri $uri/ /index.html; # 添加CORS头 add_header Access-Control-Allow-Origin $cors_origin; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; } # 防止前端server拦截OIDC登录页,/login直接返回404 location = /login { return 404; } # 处理OPTIONS预检请求 location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { expires 1y; add_header Cache-Control "public, immutable"; } # /api 路径转发到网关 location /api/ { rewrite ^/api/(.*)$ /a/$1 break; proxy_pass http://localhost:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # 处理CORS add_header Access-Control-Allow-Origin $cors_origin always; add_header Access-Control-Allow-Credentials "true" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; # 处理OPTIONS请求 if ($request_method = 'OPTIONS') { add_header Access-Control-Allow-Origin $cors_origin always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; add_header Access-Control-Max-Age 1728000; add_header Content-Type "text/plain; charset=utf-8"; add_header Content-Length 0; return 204; } } # /oidc-logout 路径转发到 OIDC 服务 location /oidc-logout { proxy_pass http://localhost:9000/oidc-logout; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Cookie $http_cookie; # 记录cookie内容到专用日志 access_log /tmp/nginx_oidc_logout.log main_cookie; # 处理CORS add_header Access-Control-Allow-Origin $cors_origin always; add_header Access-Control-Allow-Credentials "true" always; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; # 处理OPTIONS请求 if ($request_method = 'OPTIONS') { add_header Access-Control-Allow-Origin $cors_origin always; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; add_header Access-Control-Max-Age 1728000; add_header Content-Type "text/plain; charset=utf-8"; add_header Content-Length 0; return 204; } } # 错误页面 error_page 404 /404.html; error_page 500 502 503 504 /50x.html; } # OIDC服务器代理 (oidc.local.com) - HTTPS server { listen 443 ssl; server_name oidc.local.com; # SSL配置 ssl_certificate /Users/sunpeng/workspace/remote/oauth2/ssl/certificate.crt; ssl_certificate_key /Users/sunpeng/workspace/remote/oauth2/ssl/private.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # 代理到OIDC服务器 location / { proxy_pass http://localhost:9000/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Ssl on; proxy_set_header Cookie $http_cookie; add_header Access-Control-Allow-Origin $cors_origin always; add_header Access-Control-Allow-Credentials "true" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; if ($request_method = 'OPTIONS') { add_header Access-Control-Allow-Origin $cors_origin always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; add_header Access-Control-Max-Age 1728000; add_header Content-Type "text/plain; charset=utf-8"; add_header Content-Length 0; return 204; } } # 错误页面 error_page 404 /404.html; error_page 500 502 503 504 /50x.html; } # HTTP重定向到HTTPS server { listen 80; server_name a.local.com oidc.local.com; return 301 https://$server_name$request_uri; } # 默认服务器块(防止未匹配的请求) server { listen 80 default_server; server_name _; return 444; } }