feat: 用 OA 统一门户配置替换 SSO 配置

- 新增 oa-ai.conf 反向代理配置
- 移除 sso-ai.conf(已迁移至 OA 门户)
- 更新各站点 conf:适配新 SSO auth_request 路径
- 清理 nginx.conf 中已废弃的 SSO 相关配置
gitadmin 2026-05-14 16:37:41 +08:00
parent 1e99698aef
commit 1583d0a581
10 changed files with 49 additions and 115 deletions


@ -2,48 +2,13 @@ server {
listen 443 ssl;
server_name assets.tlyq.ai;
ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
# Authelia 认证端点internal = 仅子请求可访问)
location /authelia-auth {
internal;
proxy_pass http://authelia:9091/api/authz/auth-request;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
location / {
auth_request /authelia-auth;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header X-Remote-User $user;
proxy_set_header X-Remote-Groups $groups;
proxy_set_header X-Auth-Proxy-Key "internal-auth-key-tlyq-2026";
proxy_pass http://assets-ai:3000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://assets-ai:3000;
}
error_page 401 =302 https://sso.tlyq.ai/?rd=$scheme://$http_host$request_uri;
error_page 502 503 = @fallback;
location @fallback {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://assets-ai:3000;
proxy_set_header X-Forwarded-Proto https;
}
}
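Review bot: Reading the hunk counts (48 old lines → 13 new), the new side of this server block is just the certificate switch plus a bare `location /` that proxies to `http://assets-ai:3000`, so the `auth_request /authelia-auth` gate, the `X-Remote-User`/`X-Remote-Groups` injection, the `X-Auth-Proxy-Key` shared secret and the 401 redirect to sso.tlyq.ai are all removed and nothing at the edge authenticates requests to assets.tlyq.ai any more; the issue.tlyq.ai hunk below makes the identical change. The commit message says the site confs were adapted to a new SSO auth_request path, but no `auth_request` directive appears on the new side of either hunk, so unless assets-ai and issue-ai now perform their own login against the OA portal, both services become reachable unauthenticated. Because the new `location /` no longer overwrites those headers, nginx forwards whatever `X-Remote-User`, `X-Remote-Groups` or `X-Auth-Proxy-Key` a client sends; an upstream that still trusts them must stop doing so, or the proxy should clear them with `proxy_set_header X-Remote-User ""; proxy_set_header X-Remote-Groups ""; proxy_set_header X-Auth-Proxy-Key "";`. The `X-Auth-Proxy-Key` value that was committed in plain text here should also be treated as exposed and rotated on the upstream side.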


@ -2,8 +2,8 @@ server {
listen 443 ssl;
server_name cloud.tlyq.ai;
ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
location / {
proxy_pass http://cloud-ai;


@ -2,8 +2,8 @@ server {
listen 443 ssl;
server_name git.tlyq.ai;
ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
# Gitea 通过 OIDC 认证,不走 auth_request只需基本反向代理
location / {


@ -2,48 +2,13 @@ server {
listen 443 ssl;
server_name issue.tlyq.ai;
ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
# Authelia 认证端点internal = 仅子请求可访问)
location /authelia-auth {
internal;
proxy_pass http://authelia:9091/api/authz/auth-request;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
location / {
auth_request /authelia-auth;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header X-Remote-User $user;
proxy_set_header X-Remote-Groups $groups;
proxy_set_header X-Auth-Proxy-Key "internal-auth-key-tlyq-2026";
proxy_pass http://issue-ai:3000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://issue-ai:3000;
}
error_page 401 =302 https://sso.tlyq.ai/?rd=$scheme://$http_host$request_uri;
error_page 502 503 = @fallback;
location @fallback {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://issue-ai:3000;
proxy_set_header X-Forwarded-Proto https;
}
}

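--- /dev/null
+++ b/conf.d/oa-ai.conf
@@ -0,0 +1,28 @@
+server {
+listen 443 ssl;
+server_name oa.tlyq.ai;
+ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+location /_next/static/ {
+resolver 127.0.0.11 valid=30s;
+set $upstream oa-ai:3000;
+proxy_pass http://$upstream;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto https;
+expires 1y;
+add_header Cache-Control "public, immutable";
+}
+location / {
+resolver 127.0.0.11 valid=30s;
+set $upstream oa-ai:3000;
+proxy_pass http://$upstream;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto https;
+add_header Cache-Control "no-cache, no-store, must-revalidate";
+}
+}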
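Review bot: The new oa.tlyq.ai server block is served with the www.tlyq.ai certificate (`ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;` and the matching `ssl_certificate_key`), while every other vhost touched by this commit (assets, cloud, git, issue, tlyq.ai, token, www) is switched from that certificate to the oa.tlyq.ai one; unless both Let's Encrypt certificates carry SANs for all of these names, browsers will see a hostname mismatch on one side or the other, and the swap looks inverted. This file also drops the brute-force protection the removed sso-ai.conf had (`limit_req zone=sso_login burst=3 nodelay;` on its login endpoint): nothing here throttles whatever login path the OA portal exposes, so a `limit_req_zone` keyed on `$binary_remote_addr` plus a `limit_req` on that path would be worth restoring, noting that the old zone keyed on the client-controlled `$http_x_forwarded_for`, which a caller can vary at will when nginx is the edge. Minor style point: the `resolver 127.0.0.11 valid=30s;` / `set $upstream oa-ai:3000;` pair is repeated in both locations and could be declared once at server level.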


@ -5,8 +5,8 @@ server {
server_name tlyq.ai;
# 共用现有证书
ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
return 301 https://www.tlyq.ai$request_uri;
}


@ -1,23 +0,0 @@
server {
listen 443 ssl;
server_name sso.tlyq.ai;
ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
# 登录接口限流
location /api/firstfactor {
limit_req zone=sso_login burst=3 nodelay;
proxy_pass http://authelia:9091;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
proxy_pass http://authelia:9091;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
}


@ -2,8 +2,8 @@ server {
listen 443 ssl;
server_name token.tlyq.ai;
ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
location / {
proxy_pass http://token-ai;


@ -2,11 +2,13 @@ server {
listen 443 ssl;
server_name www.tlyq.ai;
ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
location / {
proxy_pass http://www-ai;
resolver 127.0.0.11 valid=30s;
set $upstream www-ai;
proxy_pass http://$upstream;
proxy_set_header Host $host;
}
}


@ -3,9 +3,6 @@ events {}
http {
include /etc/nginx/conf.d/*.conf;
# SSO 登录限流:按真实客户端 IPX-Forwarded-For每分钟 5 burst 3
limit_req_zone $http_x_forwarded_for zone=sso_login:10m rate=5r/m;
# 所有 HTTP 自动跳 HTTPS
server {
listen 80 default_server;