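# nginx front-end configuration: TCP/UDP stream proxies to loopback backends
# (MQTT, MQTT over WebSocket, RTMP, WebRTC) and one TLS virtual host on :8088.
# Access in both the stream and http contexts is gated by the included
# blacklist*.conf files followed by `deny all`.

user www www;
worker_processes auto;
error_log logs/error.log warn;
pid /var/run/nginx/nginx.pid;

events {
    # NOTE(review): no worker_rlimit_nofile is set in this file, so the usable
    # connection count is bounded by the worker's open-file limit. Confirm the
    # service unit or ulimit raises it to match.
    worker_connections 65535;
}

stream {
    # The included files are not visible here. Because `deny all` follows them,
    # any `allow` rules they contain act as an allowlist and everything else is
    # rejected. Presumably that is the intent despite the "blacklist" name;
    # confirm against the included files.
    include /data/nginx/conf/blacklist.conf;
    include /data/nginx/conf/blacklist_zhejiang.conf;
    deny all;

    # Flight data - MQTT
    upstream tcp31883 {
        server 127.0.0.1:32883;  # China Mobile Lingyun flight data
    }
    server {
        listen 31883;
        proxy_pass tcp31883;
    }

    # Flight data - MQTT over WebSocket
    upstream tcp38083 {
        server 127.0.0.1:39083;
    }
    server {
        listen 38083;
        proxy_pass tcp38083;
    }

    # Video streaming - RTMP
    upstream tcp31935 {
        server 127.0.0.1:32935;
    }
    server {
        listen 31935;
        proxy_pass tcp31935;
    }

    # Video streaming - WebRTC
    upstream udp30090 {
        server 127.0.0.1:31090;
    }
    server {
        listen 30090 udp;
        proxy_pass udp30090;
    }

    # NOTE(review): the listeners above forward plaintext TCP/UDP (no `ssl` on
    # the listen lines), so the IP access rules are the only control enforced
    # at this layer. Authentication is left to the backends.

    # Video stream playback TCP port
    #upstream tcp30080{
    #    server 127.0.0.1:31080;
    #}
    #server{
    #    listen 30080;
    #    proxy_pass tcp30080;
    #}

    # RTSP - control TCP port
    #upstream tcp30554{
    #    server 127.0.0.1:32554;
    #}
    #server{
    #    listen 30554;
    #    proxy_pass tcp30554;
    #}

    # RTSP - data TCP port
    #upstream tcp30556{
    #    server 127.0.0.1:32556;
    #}
    #server{
    #    listen 30556;
    #    proxy_pass tcp30556;
    #}

    # RTSP - data UDP port
    #upstream udp30556{
    #    server 127.0.0.1:32556;
    #}
    #server{
    #    listen 30556 udp;
    #    proxy_pass udp30556;
    #}

    # Simulated-data test UDP port
    #upstream udp30556{
    #    server 127.0.0.1:31556;
    #}
    #server{
    #    listen 30556 udp;
    #    proxy_pass udp30556;
    #}

    # RabbitMQ management console port
    # server{
    #     listen 32002;
    #     proxy_pass 192.168.10.11:15672;
    # }
}

http {
    # Same access model as the stream context: the included rules first, then
    # deny everything else (see the note in the stream block).
    include /data/nginx/conf/blacklist.conf;
    include /data/nginx/conf/blacklist_zhejiang.conf;
    deny all;

    include mime.types;
    default_type application/octet-stream;

    ## Hide version information ##
    server_tokens off;

    # Error log override
    #fastcgi_intercept_errors on;
    error_log logs/error.log warn;
    #####

    sendfile on;
    keepalive_timeout 60;
    client_body_timeout 30s;
    client_header_timeout 30s;
    send_timeout 30s;
    gzip on;
    #more_clear_headers 'Server';

    # add_header directives are inherited from this level only by contexts
    # that declare no add_header of their own. The :8088 server below declares
    # its own set, so these three apply only to servers without one.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff;
    # Enable HTTP Strict Transport Security (HSTS)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # NOTE(review): accepting underscores in header names can let a client send
    # e.g. X_Forwarded_For next to X-Forwarded-For. Backends that normalise
    # both to one variable may then trust the wrong value; confirm this is
    # really required.
    underscores_in_headers on;

    # $http_x_forwarded_for is client-supplied, so treat it as untrusted when
    # analysing logs. $remote_addr is the address nginx actually saw.
    log_format main
        '$remote_addr - $remote_user [$time_local]'
        '#"$request_method $scheme://$host$request_uri $server_protocol" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for" - "$request_time"';
    access_log /data/nginx/logs/access.log main;

    server {
        listen 8088 ssl;
        # Fix: the original had no ';' after the host name, so "index",
        # "index.jsp", "index.htm" and "index.html" were parsed as additional
        # server names and no index directive was in effect.
        server_name lingyun.zyjctech.com;
        index index.jsp index.htm index.html;

        ### CORS settings (temporary) ###
        # NOTE(review): a wildcard origin combined with an allowed
        # Authorization header lets script on any site call this API with a
        # token it holds. Replace '*' with the known front-end origins before
        # this stops being temporary.
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Origin, Content-Type, Accept, Authorization';
        # Answer every CORS preflight directly, without reaching a backend.
        if ($request_method = 'OPTIONS') {
            return 204;
        }

        # Forbid embedding in iframes from other origins
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff;
        # NOTE(review): legacy header that current browsers ignore. No
        # Content-Security-Policy is set in this file.
        add_header X-XSS-Protection "1; mode=block";

        # Added to clear scanner findings "cookie not marked HttpOnly" and
        # "cookie with missing, inconsistent or contradictory attributes".
        # NOTE(review): this sends the same fixed `sessionid` value to every
        # client and does not add flags to the cookies the application itself
        # issues. If the backend uses a cookie with this name, every client
        # would present the same identifier. Set the attributes on the real
        # cookies instead, in the application or with the directive below
        # (nginx >= 1.19.3), and then drop this header:
        #   proxy_cookie_flags ~ httponly secure samesite=lax;
        add_header Set-Cookie "sessionid=aFM9PPvmF7kpynnx; HttpOnly; Secure; Path=/; SameSite=Lax;";

        # Enable HTTP Strict Transport Security (HSTS)
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

        ### TLS configuration ###
        # The private key sits in the conf directory. It should be readable
        # only by the account that starts nginx.
        ssl_certificate /data/nginx/conf/zyjctech.com_cert_chain.pem;
        ssl_certificate_key /data/nginx/conf/zyjctech.com_key.key;
        ssl_session_timeout 10m;
        ## Newly added ##
        #ssl_stapling_verify on;
        #ssl_session_cache shared:SSL:50m;
        # NOTE(review): since nginx 1.11.0 the DHE-* suites are used only when
        # ssl_dhparam is set. None is set in this block, so they are presumably
        # inert unless an included file provides it.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
        #ssl_prefer_server_ciphers off;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1.2 TLSv1.3;
        ##############################

        # Per-application locations live in these files (not visible here).
        # Any location there that declares its own add_header stops inheriting
        # every add_header above, including HSTS and X-Frame-Options.
        include /data/nginx/conf/vhost8088/*.conf;

        # These override the 30s http-level timeouts for this server.
        # NOTE(review): 1 GiB bodies plus 3-minute client and 600-second proxy
        # timeouts let slow clients hold connections and buffers for a long
        # time. The IP access rules are what bound that exposure here.
        client_max_body_size 1024m;
        client_body_buffer_size 512k;
        client_header_timeout 3m;
        send_timeout 3m;
        proxy_connect_timeout 600;
        proxy_read_timeout 600;
        proxy_send_timeout 600;

        ### Custom 403 response that shows the rejected client IP ###
        error_page 403 /error.html;
        location = /error.html {
            default_type text/plain;
            return 403 "Access failed. Please contact the administrator to add the IP whitelist IP:$remote_addr";
        }
    }

    # NOTE(review): the disabled servers below front management consoles and
    # internal services. If one is re-enabled, the IP access rules at the top
    # of this http block are the only restriction visible in this file.

    # K8S Dashboard
    # server {
    #     listen 30554 ssl;
    #     ssl_certificate /data/nginx/conf/zyjctech.com_cert_chain.pem;
    #     ssl_certificate_key /data/nginx/conf/zyjctech.com_key.key;
    #     ssl_session_timeout 5m;
    #     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    #     ssl_prefer_server_ciphers off;
    #     ssl_protocols TLSv1.2 TLSv1.3;
    #     client_max_body_size 1024m;
    #     client_body_buffer_size 256k;
    #     client_header_timeout 3m;
    #     client_body_timeout 3m;
    #     send_timeout 3m;
    #     proxy_connect_timeout 600;
    #     proxy_read_timeout 600;
    #     proxy_send_timeout 600;
    #     proxy_buffer_size 256k;
    #     proxy_buffers 4 256k;
    #     proxy_busy_buffers_size 256k;
    #     location / {
    #         proxy_pass https://127.0.0.1:32000;
    #         proxy_set_header Host $host;
    #         proxy_set_header X-Real-IP $remote_addr;
    #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     }
    # }

    ## MinIO console ##
    # server {
    #     listen 32002;  # port 80 would also work
    #     server_name 188.106.25.136;  # a domain name may be used instead
    #     add_header X-Frame-Options SAMEORIGIN always;
    #     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    #     location / {
    #         proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;
    #         proxy_set_header Host $http_host;
    #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #         proxy_pass http://188.106.25.132:9001;
    #         expires 0;
    #     }
    # }

    ## AiMapServer ##
    # server {
    #     listen 32007;  # port 80 would also work
    #     server_name 188.106.25.136;  # a domain name may be used instead
    #     add_header X-Frame-Options SAMEORIGIN always;
    #     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    #     location / {
    #         proxy_pass http://188.106.25.222:5090/aimap-server/manager/login;
    #         proxy_set_header Host $host;
    #         proxy_set_header X-Real-IP $remote_addr;
    #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     }
    #     location /aimap-server {
    #         proxy_pass http://188.106.25.222:5090/aimap-server;
    #         proxy_set_header Host $host;
    #         proxy_set_header X-Real-IP $remote_addr;
    #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     }
    #     location /gisapi {
    #         proxy_pass http://188.106.25.222:5090/gisapi;
    #         proxy_set_header Host $host;
    #         proxy_set_header X-Real-IP $remote_addr;
    #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     }
    # }
}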