# nginx配置文件 # 用于OAuth2/OIDC系统的反向代理 # 工作进程数 worker_processes auto; # PID文件路径 pid /tmp/nginx.pid; # 错误日志 error_log /tmp/nginx_error.log; # 事件模块配置 events { worker_connections 1024; } # HTTP模块配置 http { # MIME类型 include /opt/homebrew/etc/nginx/mime.types; default_type application/octet-stream; # 日志格式 log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; # 访问日志 access_log /tmp/nginx_access.log main; # 基本设置 sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; # Gzip压缩 gzip on; gzip_vary on; gzip_min_length 1024; gzip_types text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json; # 前端应用服务器 (a.com) - HTTPS server { listen 443 ssl; server_name a.com; # SSL配置 ssl_certificate /Users/sunpeng/workspace/remote/oauth2/ssl/certificate.crt; ssl_certificate_key /Users/sunpeng/workspace/remote/oauth2/ssl/private.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # 静态文件目录 root /Users/sunpeng/workspace/remote/oauth2/resourceservicehtml; # 首页和静态文件 location / { try_files $uri $uri/ /index.html; # 添加CORS头 add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; } # 处理OPTIONS预检请求 location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { expires 1y; add_header Cache-Control "public, immutable"; } # /api 路径转发到网关 location /api/ { proxy_pass http://localhost:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # 处理CORS add_header Access-Control-Allow-Origin "https://a.com" always; add_header Access-Control-Allow-Credentials "true" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; # 处理OPTIONS请求 if ($request_method = 'OPTIONS') { add_header Access-Control-Allow-Origin "https://a.com" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; add_header Access-Control-Max-Age 1728000; add_header Content-Type "text/plain; charset=utf-8"; add_header Content-Length 0; return 204; } } # /test 路径转发到网关 (测试用) location /test/ { proxy_pass http://localhost:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # 处理CORS add_header Access-Control-Allow-Origin "https://a.com" always; add_header Access-Control-Allow-Credentials "true" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; # 处理OPTIONS请求 if ($request_method = 'OPTIONS') { add_header Access-Control-Allow-Origin "https://a.com" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; add_header Access-Control-Max-Age 1728000; add_header Content-Type "text/plain; charset=utf-8"; add_header Content-Length 0; return 204; } } # 错误页面 error_page 404 /404.html; error_page 500 502 503 504 /50x.html; } # OIDC服务器代理 (oidc.com) - HTTPS server { listen 443 ssl; server_name oidc.com; # SSL配置 ssl_certificate /Users/sunpeng/workspace/remote/oauth2/ssl/certificate.crt; ssl_certificate_key /Users/sunpeng/workspace/remote/oauth2/ssl/private.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # 代理到OIDC服务器 location / { proxy_pass http://localhost:9000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Cookie $http_cookie; # 处理CORS add_header Access-Control-Allow-Origin "https://a.com" always; add_header Access-Control-Allow-Credentials "true" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; # 移除CSP限制 (开发环境) add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: http: https:;" always; # 处理OPTIONS请求 if ($request_method = 'OPTIONS') { add_header Access-Control-Allow-Origin "https://a.com" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; add_header Access-Control-Max-Age 1728000; add_header Content-Type "text/plain; charset=utf-8"; add_header Content-Length 0; return 204; } } # 错误页面 error_page 404 /404.html; error_page 500 502 503 504 /50x.html; } # HTTP重定向到HTTPS server { listen 80; server_name a.com oidc.com; return 301 https://$server_name$request_uri; } # 默认服务器块(防止未匹配的请求) server { listen 80 default_server; server_name _; return 444; } }