# 由 scripts/nginx-entrypoint-wait-dns.sh 在启动时 sed 替换 @@NGINX_RESOLVER@@(来自容器 /etc/resolv.conf) # 再写入 /etc/nginx/conf.d/default.conf。使用 resolver + 变量 proxy_pass,避免 Podman 下启动瞬间 host not found in upstream。 server { listen 443 ssl; listen [::]:443 ssl; http2 on; server_name yuheng.yuxindazhineng.com; client_max_body_size 800m; # valid 过短会频繁重解析,宿主机 DNS 往往解析不了 compose 服务名 → 502;与 entrypoint 中优先 127.0.0.11 配合 resolver @@NGINX_RESOLVER@@ valid=300s ipv6=off; ssl_certificate /etc/ssl/yh_web/yuheng.yuxindazhineng.com/fullchain.pem; ssl_certificate_key /etc/ssl/yh_web/yuheng.yuxindazhineng.com/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; # 验证文件在 443 上直接读挂载目录,不经 yh_web 反代(避免正则 alias 403、与内网路径不一致) location ~ ^/[A-Za-z0-9._-]+\.(txt|html|xml)$ { root /verify-root; try_files $uri =404; default_type text/plain; add_header Cache-Control "no-store"; } # /admin/ 由下方 location 处理;勿再单独 rewrite /admin/assets(rewrite+变量 proxy_pass 易 500) location / { set $upstream_web web; proxy_pass http://$upstream_web:80; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /admin/ { set $upstream_admin admin; proxy_pass http://$upstream_admin:80/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /api/ { set $upstream_api api; proxy_pass http://$upstream_api:8088; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } }