From 1583d0a5815a32c8b0974867e810a2346cac05bb Mon Sep 17 00:00:00 2001
From: gitadmin
Date: Thu, 14 May 2026 16:37:41 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E7=94=A8=20OA=20=E7=BB=9F=E4=B8=80?=
 =?UTF-8?q?=E9=97=A8=E6=88=B7=E9=85=8D=E7=BD=AE=E6=9B=BF=E6=8D=A2=20SSO=20?=
 =?UTF-8?q?=E9=85=8D=E7=BD=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 新增 oa-ai.conf 反向代理配置
- 移除 sso-ai.conf(已迁移至 OA 门户)
- 更新各站点 conf:适配新 SSO auth_request 路径
- 清理 nginx.conf 中已废弃的 SSO 相关配置
---
 conf.d/assets-ai.conf | 43 ++++-------------------------------------
 conf.d/cloud-ai.conf | 4 ++--
 conf.d/git-ai.conf | 4 ++--
 conf.d/issue-ai.conf | 43 ++++-------------------------------------
 conf.d/oa-ai.conf | 28 +++++++++++++++++++++++++++
 conf.d/root-domain.conf | 4 ++--
 conf.d/sso-ai.conf | 23 ----------------------
 conf.d/token-ai.conf | 4 ++--
 conf.d/www-ai.conf | 8 +++++---
 nginx.conf | 3 ---
 10 files changed, 49 insertions(+), 115 deletions(-)
 create mode 100644 conf.d/oa-ai.conf
 delete mode 100644 conf.d/sso-ai.conf

diff --git a/conf.d/assets-ai.conf b/conf.d/assets-ai.conf
index 30d5d46..ae0fb06 100644
--- a/conf.d/assets-ai.conf
+++ b/conf.d/assets-ai.conf
@@ -2,48 +2,13 @@ server {
     listen 443 ssl;
     server_name assets.tlyq.ai;
 
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
-
-    # Authelia 认证端点(internal = 仅子请求可访问)
-    location /authelia-auth {
-        internal;
-        proxy_pass http://authelia:9091/api/authz/auth-request;
-        proxy_set_header Cookie $http_cookie;
-        proxy_set_header X-Original-Method $request_method;
-        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-Host $http_host;
-        proxy_set_header X-Forwarded-URI $request_uri;
-        proxy_pass_request_body off;
-        proxy_set_header Content-Length "";
-    }
+    ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
 
     location / {
-        auth_request /authelia-auth;
-
-        auth_request_set $user $upstream_http_remote_user;
-        auth_request_set $groups $upstream_http_remote_groups;
-
-        proxy_set_header X-Remote-User $user;
-        proxy_set_header X-Remote-Groups $groups;
-        proxy_set_header X-Auth-Proxy-Key "internal-auth-key-tlyq-2026";
-
+        proxy_pass http://assets-ai:3000;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
-
-        proxy_pass http://assets-ai:3000;
-    }
-
-    error_page 401 =302 https://sso.tlyq.ai/?rd=$scheme://$http_host$request_uri;
-    error_page 502 503 = @fallback;
-
-    location @fallback {
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_pass http://assets-ai:3000;
+        proxy_set_header X-Forwarded-Proto https;
     }
 }
diff --git a/conf.d/cloud-ai.conf b/conf.d/cloud-ai.conf
index fb985f7..f4c9bf8 100644
--- a/conf.d/cloud-ai.conf
+++ b/conf.d/cloud-ai.conf
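Review bot: The new `location /` in assets-ai.conf (and the parallel hunk in issue-ai.conf) proxies straight to the backend with no `auth_request` at all, although the commit message says the site confs were adapted to a new SSO auth_request path; nothing in this patch re-introduces an authentication gate for assets.tlyq.ai or issue.tlyq.ai. Because the `proxy_set_header X-Remote-User` / `X-Remote-Groups` / `X-Auth-Proxy-Key` lines are gone as well, nginx now forwards whatever a client sends under those header names unchanged, so a backend that still treats them as proxy-asserted identity would accept client-chosen values. Either add an `auth_request` against the new OA endpoint here, or, if authentication has genuinely moved into the application, clear the headers explicitly: `proxy_set_header X-Remote-User ""; proxy_set_header X-Remote-Groups ""; proxy_set_header X-Auth-Proxy-Key "";`. The removed literal key also remains in git history and should be rotated if any backend still accepts it.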
@@ -2,8 +2,8 @@ server {
     listen 443 ssl;
     server_name cloud.tlyq.ai;
 
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
 
     location / {
         proxy_pass http://cloud-ai;
diff --git a/conf.d/git-ai.conf b/conf.d/git-ai.conf
index 5157ac8..1839091 100644
--- a/conf.d/git-ai.conf
+++ b/conf.d/git-ai.conf
@@ -2,8 +2,8 @@ server {
     listen 443 ssl;
     server_name git.tlyq.ai;
 
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
 
     # Gitea 通过 OIDC 认证,不走 auth_request,只需基本反向代理
     location / {
diff --git a/conf.d/issue-ai.conf b/conf.d/issue-ai.conf
index e703bd9..8392ff4 100644
--- a/conf.d/issue-ai.conf
+++ b/conf.d/issue-ai.conf
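Review bot: Every existing vhost in this patch (cloud, git, token, www, root-domain, assets and issue) switches from the `www.tlyq.ai` certificate lineage to `/etc/letsencrypt/live/oa.tlyq.ai/`, while the new oa-ai.conf is the one file that keeps the `www.tlyq.ai` lineage — the opposite of what the server names suggest, and it reads as though the two paths were swapped. This is only correct if the oa.tlyq.ai lineage actually lists all of these hostnames in its subjectAltName and the www.tlyq.ai lineage lists oa.tlyq.ai; otherwise every site here starts presenting a certificate for the wrong name after the reload. Please confirm the SAN lists of both lineages before merging, and if the oa lineage is intentionally the shared SAN certificate, record that next to the directive so the next reader does not "fix" it back, e.g. `# oa.tlyq.ai lineage is the shared SAN certificate for all tlyq.ai vhosts`.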
@@ -2,48 +2,13 @@ server {
     listen 443 ssl;
     server_name issue.tlyq.ai;
 
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
-
-    # Authelia 认证端点(internal = 仅子请求可访问)
-    location /authelia-auth {
-        internal;
-        proxy_pass http://authelia:9091/api/authz/auth-request;
-        proxy_set_header Cookie $http_cookie;
-        proxy_set_header X-Original-Method $request_method;
-        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-Host $http_host;
-        proxy_set_header X-Forwarded-URI $request_uri;
-        proxy_pass_request_body off;
-        proxy_set_header Content-Length "";
-    }
+    ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
 
     location / {
-        auth_request /authelia-auth;
-
-        auth_request_set $user $upstream_http_remote_user;
-        auth_request_set $groups $upstream_http_remote_groups;
-
-        proxy_set_header X-Remote-User $user;
-        proxy_set_header X-Remote-Groups $groups;
-        proxy_set_header X-Auth-Proxy-Key "internal-auth-key-tlyq-2026";
-
+        proxy_pass http://issue-ai:3000;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
-
-        proxy_pass http://issue-ai:3000;
-    }
-
-    error_page 401 =302 https://sso.tlyq.ai/?rd=$scheme://$http_host$request_uri;
-    error_page 502 503 = @fallback;
-
-    location @fallback {
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_pass http://issue-ai:3000;
+        proxy_set_header X-Forwarded-Proto https;
     }
 }
diff --git a/conf.d/oa-ai.conf b/conf.d/oa-ai.conf
new file mode 100644
index 0000000..a75ce3b
--- /dev/null
+++ b/conf.d/oa-ai.conf
@@ -0,0 +1,28 @@
+server {
+    listen 443 ssl;
+    server_name oa.tlyq.ai;
+
+    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+
+    location /_next/static/ {
+        resolver 127.0.0.11 valid=30s;
+        set $upstream oa-ai:3000;
+        proxy_pass http://$upstream;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto https;
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
+    location / {
+        resolver 127.0.0.11 valid=30s;
+        set $upstream oa-ai:3000;
+        proxy_pass http://$upstream;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto https;
+        add_header Cache-Control "no-cache, no-store, must-revalidate";
+    }
+}
diff --git a/conf.d/root-domain.conf b/conf.d/root-domain.conf
index 4e836fe..545b7f9 100644
--- a/conf.d/root-domain.conf
+++ b/conf.d/root-domain.conf
@@ -5,8 +5,8 @@ server {
     server_name tlyq.ai;
 
     # 共用现有证书
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
 
     return 301 https://www.tlyq.ai$request_uri;
 }
diff --git a/conf.d/sso-ai.conf b/conf.d/sso-ai.conf
deleted file mode 100644
index 81ef68e..0000000
--- a/conf.d/sso-ai.conf
+++ /dev/null
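Review bot: oa-ai.conf takes over the login portal from the deleted sso-ai.conf, but neither of its two locations carries a `limit_req`, and the nginx.conf hunk at the end of this patch removes the `sso_login` zone too, so the login endpoint loses the per-client rate limit it had on `/api/firstfactor` with nothing replacing it. Keep a zone in nginx.conf and apply it to the OA login path (not visible in this patch) with the same `limit_req zone=sso_login burst=3 nodelay;` the old block used. When re-adding the zone, key it on `$binary_remote_addr` rather than `$http_x_forwarded_for`: that header is client-supplied, so a limit keyed on it is only meaningful once nginx rewrites the client address from a trusted upstream proxy via `set_real_ip_from`/`real_ip_header`, and nothing in this patch suggests such a proxy sits in front of nginx. A one-line comment above the zone stating that assumption (`# keyed on $binary_remote_addr: nginx is the TLS edge, no trusted proxy in front`) would keep it from regressing.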
@@ -1,23 +0,0 @@
-server {
-    listen 443 ssl;
-    server_name sso.tlyq.ai;
-
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
-
-    # 登录接口限流
-    location /api/firstfactor {
-        limit_req zone=sso_login burst=3 nodelay;
-        proxy_pass http://authelia:9091;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-
-    location / {
-        proxy_pass http://authelia:9091;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}
diff --git a/conf.d/token-ai.conf b/conf.d/token-ai.conf
index 2f55f1e..ed0129e 100644
--- a/conf.d/token-ai.conf
+++ b/conf.d/token-ai.conf
@@ -2,8 +2,8 @@ server {
     listen 443 ssl;
     server_name token.tlyq.ai;
 
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
 
     location / {
         proxy_pass http://token-ai;
diff --git a/conf.d/www-ai.conf b/conf.d/www-ai.conf
index 52e0ba1..dde8f3b 100644
--- a/conf.d/www-ai.conf
+++ b/conf.d/www-ai.conf
@@ -2,11 +2,13 @@ server {
     listen 443 ssl;
     server_name www.tlyq.ai;
 
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
 
     location / {
-        proxy_pass http://www-ai;
+        resolver 127.0.0.11 valid=30s;
+        set $upstream www-ai;
+        proxy_pass http://$upstream;
         proxy_set_header Host $host;
     }
 }
diff --git a/nginx.conf b/nginx.conf
index 62f6da0..6914273 100644
--- a/nginx.conf
+++ b/nginx.conf
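Review bot: www-ai.conf now resolves its upstream at request time (`resolver 127.0.0.11 valid=30s; set $upstream www-ai; proxy_pass http://$upstream;`) while the sibling hunks for cloud-ai.conf and token-ai.conf keep the static `proxy_pass http://cloud-ai;` / `proxy_pass http://token-ai;` form, which nginx resolves once at startup. If the variable form was introduced so that nginx keeps working after a container is recreated with a new address (the usual reason for pointing at Docker's 127.0.0.11 resolver — inferred, the patch does not say), cloud and token have the same exposure and should get the same treatment; if those two names are `upstream` blocks defined elsewhere, a one-line comment saying so would stop the next reader from wondering. Either way, `resolver` and `set` are both valid at `server` level, so the pair can be declared once per server rather than repeated per location as oa-ai.conf does twice.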
@@ -3,9 +3,6 @@ events {}
 http {
     include /etc/nginx/conf.d/*.conf;
 
-    # SSO 登录限流:按真实客户端 IP(X-Forwarded-For),每分钟 5 次,burst 3
-    limit_req_zone $http_x_forwarded_for zone=sso_login:10m rate=5r/m;
-
     # 所有 HTTP 自动跳 HTTPS
     server {
         listen 80 default_server;