web/nginx/yuheng.host.conf

# 宿主机 Nginx 单实例：443 终止 TLS，反代到本机回环上的 Docker 服务（见 docker-compose.host-nginx.yml）
# 部署：
#   1. 证书：/etc/ssl/yh_web/yuheng.yuxindazhineng.com/{fullchain.pem,privkey.pem}
#   2. 替换下方 __VERIFY_ROOT__ 为项目内 verify-root 的绝对路径（或由 pull-and-restart.sh / restart.sh 自动生成）
#   3. sudo cp yuheng.host.conf /etc/nginx/conf.d/yuheng.yuxindazhineng.com.conf
#   4. sudo nginx -t && sudo systemctl reload nginx

# HTTP → HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name yuheng.yuxindazhineng.com;
    return 301 https://$server_name$request_uri;
}

upstream yh_admin_upstream {
    server 127.0.0.1:9081;
    keepalive 8;
}

server {
    # 关闭 http2：大体积分片 multipart 在部分浏览器+HTTP/2 组合下易出现 ERR_HTTP2_PROTOCOL_ERROR / 网络面板 status 0
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name yuheng.yuxindazhineng.com;
    client_max_body_size 800m;

    ssl_certificate     /etc/ssl/yh_web/yuheng.yuxindazhineng.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/yh_web/yuheng.yuxindazhineng.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    # 域名/证书等验证文件（与 compose 内 yh_nginx 行为一致）
    location ~ ^/[A-Za-z0-9._-]+\.(txt|html|xml)$ {
        root __VERIFY_ROOT__;
        try_files $uri =404;
        default_type text/plain;
        add_header Cache-Control "no-store";
    }

    location = /admin {
        return 301 /admin/;
    }

    location /api/web/live/ws {
        proxy_pass http://127.0.0.1:8088;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }

    location /api/web/live/danmaku/ws {
        proxy_pass http://127.0.0.1:8088;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }

    location /api/ {
        proxy_pass http://127.0.0.1:8088;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 75s;
        # 大文件上传：client_body_timeout=0 表示不按时间切断读 body（见 ngx_http_core_module）；proxy_* 为反代到 Go 的读写等待上限
        client_body_timeout 0;
        proxy_send_timeout 86400s;
        proxy_read_timeout 86400s;
        proxy_buffering off;
        proxy_request_buffering off;
    }

    location /admin/ {
        proxy_pass http://yh_admin_upstream/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://127.0.0.1:9080;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 75s;
        proxy_send_timeout 75s;
        proxy_read_timeout 75s;
    }
}