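# Front-end virtual host: serves the static site from /usr/share/nginx/html and
# reverse-proxies /api/ to the gateway service.

# NOTE(review): both values are far above the nginx defaults (8k/16k body buffer,
# "4 8k" header buffers). Up to 32M of header buffers per connection is a memory
# exhaustion risk on an exposed listener; confirm 8M was not meant to be 8k.
client_body_buffer_size 10M;
large_client_header_buffers 4 8M;

server {
    listen 80;
    server_name localhost;
    client_max_body_size 100M;

    #charset koi8-r;
    #access_log /var/log/nginx/host.access.log main;

    # Response headers. "always" makes nginx attach them to error responses too
    # (403 from the deny rules below, 50x pages), not only to 2xx/3xx.
    # add_header is inherited by a location only while that location declares no
    # add_header of its own; adding one there drops this whole set for it.

    #add_header X-Frame-Options SAMEORIGIN;
    # Fixed: "max-age:0" is not valid Cache-Control syntax; the separator is "=".
    add_header Cache-Control "no-store, max-age=0" always;
    # Legacy header; current browsers ignore it. Kept as the original had it.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options nosniff always;
    # Fixed: "DENY" is an X-Frame-Options value, not a CSP directive, so browsers
    # discarded the policy and no framing restriction was in effect. 'self'
    # mirrors the commented-out SAMEORIGIN above; use 'none' for a strict DENY.
    add_header Content-Security-Policy "frame-ancestors 'self'" always;
    # Fixed: the header was sent twice (no-referrer and origin). Browsers apply the
    # last valid value, so "origin" was the effective policy and is kept here;
    # switch to no-referrer if nothing depends on the Origin-only referrer.
    add_header Referrer-Policy origin always;
    # NOTE(review): this server only listens on plain HTTP port 80, where browsers
    # ignore HSTS. It has an effect only if TLS is terminated in front of this
    # host -- confirm. "preload" with includeSubdomains is hard to roll back.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
    add_header X-Permitted-Cross-Domain-Policies "master-only" always;
    add_header X-Download-Options "noopen" always;

    gzip_vary on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # Static site. Compression is enabled only here, not on the proxied API.
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_http_version 1.1;
        gzip_comp_level 9;
        gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php application/javascript application/json;
        gzip_disable "MSIE [1-6]\.";
        gzip_vary on;
        gzip_static on;
    }

    #error_page 404 /404.html;

    # API reverse proxy. The trailing slash on proxy_pass strips the /api/ prefix,
    # so /api/actuator/env reaches the gateway as /actuator/env.
    # Fixed: this was "location ^~/api/". The ^~ modifier stops nginx from
    # evaluating regex locations once this prefix matches, so none of the deny
    # rules below ever applied to /api/ requests and management/doc endpoints were
    # still proxied. As a plain prefix location the regex rules are checked first.
    location /api/ {
        proxy_pass http://cloud-gateway-service:8001/;
        proxy_connect_timeout 60s;
        proxy_read_timeout 120s;
        proxy_send_timeout 120s;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends to whatever X-Forwarded-For the client sent; the backend should
        # trust only the entry added by this proxy, or use X-Real-IP.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # NOTE(review): hard-coded; if TLS is terminated upstream the backend will
        # still see "http" -- confirm this is intended.
        proxy_set_header X-Forwarded-Proto http;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Forwards the client-supplied Host header unchanged; the backend should
        # not use it to build links or redirects without validation.
        proxy_set_header Host $http_host;
    }

    # Block all sensitive paths at the proxy as a second layer of protection, so
    # no application code or config switch has to change.
    # Fixed: the pattern was anchored to the site root only; because /api/X is
    # proxied as /X, the same names are now also matched directly under /api/.
    # The "." in doc.html is escaped so it matches a literal dot.
    location ~* ^/(api/)?(actuator|swagger-ui|v3/api-docs|swagger-resources|webjars|doc\.html) {
        return 403;  # access forbidden
    }

    # Serve the static page /50x.html for server errors.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # Keep actuator endpoints unreachable at any depth (e.g. /api/<service>/actuator).
    # Case-insensitive for consistency with the rule above.
    location ~* .*\/actuator.* {
        deny all;  # answers 403
    }

    # Keep API documentation endpoints from being exposed at any depth.
    location ~* .*\/api-docs.* {
        deny all;  # answers 403
    }
}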