server { listen 443 ssl; server_name open-isle.com www.open-isle.com; ssl_certificate /etc/letsencrypt/live/open-isle.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/open-isle.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; location / { proxy_pass http://127.0.0.1:3000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; add_header Cache-Control "no-store" always; add_header X-Upstream $upstream_addr always; } location /api/ { proxy_pass http://127.0.0.1:8080/api/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always; proxy_no_cache 1; proxy_cache_bypass 1; } # 通过 https://open-isle.com/rabbitmq/ 访问管理界面 location ^~ /rabbitmq/ { # 关键点:proxy_pass 以 "/" 结尾,保留后缀子路径映射 proxy_pass http://127.0.0.1:15672/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 300s; proxy_send_timeout 300s; # 把上游返回的绝对重定向 /... 改写为 /rabbitmq/... proxy_redirect ~^(/.*)$ /rabbitmq$1; # 为了做 HTML/CSS/JS 内绝对路径替换,需要关闭压缩 proxy_set_header Accept-Encoding ""; # 将页面中以 "/" 开头的 src/href 替换为 "/rabbitmq/..." sub_filter_types text/html text/css application/javascript; sub_filter 'href="/' 'href="/rabbitmq/'; sub_filter 'src="/' 'src="/rabbitmq/'; sub_filter_once off; # 建议对管理台再加一道保护(可选) # auth_basic "RabbitMQ Console"; # auth_basic_user_file /etc/nginx/.htpasswd; } # 通过 https://open-isle.com/docker/ 访问 Portainer(上游是自签名 HTTPS) location ^~ /docker/ { proxy_pass https://127.0.0.1:19000/; # 末尾 / 保留子路径 proxy_http_version 1.1; # 上游是自签证书,关闭校验(仅内网/自签场景) proxy_ssl_verify off; # 透传头 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; # WebSocket/事件流(Portainer 某些功能会用到) proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_read_timeout 300s; proxy_send_timeout 300s; proxy_buffering off; proxy_cache off; # 把上游返回的绝对重定向 /... 改写为 /docker/... proxy_redirect ~^(/.*)$ /docker$1; # 为了替换 HTML/CSS/JS 中的绝对路径,需要关闭压缩 proxy_set_header Accept-Encoding ""; # 将页面中以 "/" 开头的 src/href 替换为 "/docker/..." sub_filter_types text/html text/css application/javascript; sub_filter 'href="/' 'href="/docker/'; sub_filter 'src="/' 'src="/docker/'; sub_filter_once off; # 可选:再加一道基本认证 # auth_basic "Portainer"; # auth_basic_user_file /etc/nginx/.htpasswd; } location ^~ /websocket/ { proxy_pass http://127.0.0.1:8084/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_read_timeout 300s; proxy_send_timeout 300s; proxy_buffering off; proxy_cache off; add_header Cache-Control "no-store" always; } location /mcp { proxy_pass http://127.0.0.1:8085; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_read_timeout 300s; proxy_send_timeout 300s; proxy_buffering off; proxy_cache off; add_header Cache-Control "no-store" always; } } server { listen 80; server_name open-isle.com www.open-isle.com; return 301 https://$host$request_uri; }