web/nginx/yuheng.yuxindazhineng.com.conf

# yh_web 宿主机 Nginx：仅在做「宿主机 443 → compose 内 Nginx」时使用
# 证书路径：/etc/ssl/yh_web/yuheng.yuxindazhineng.com/
# 使用本配置时，compose 中 nginx 须改为映射 8443:443（避免与宿主机 443 冲突），本文件反代到 127.0.0.1:8443
# 部署：复制到 /etc/nginx/conf.d/ 后 nginx -t && systemctl reload nginx

# HTTP → HTTPS 强制跳转
server {
    listen 80;
    listen [::]:80;
    server_name yuheng.yuxindazhineng.com;
    return 301 https://$server_name$request_uri;
}

# HTTPS：整站反代到 compose 内 Nginx（宿主机 443 → 127.0.0.1:8443）
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yuheng.yuxindazhineng.com;

    ssl_certificate     /etc/ssl/yh_web/yuheng.yuxindazhineng.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/yh_web/yuheng.yuxindazhineng.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    # 直播 WebSocket 信令（经 compose 内 Nginx 再到 api）
    location /api/web/live/ws {
        proxy_pass http://127.0.0.1:8443;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400s;
    }

    location / {
        proxy_pass http://127.0.0.1:8443;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}