fix: Git push HTTP 413 — 添加 client_max_body_size 和代理超时配置

feat: 用 OA 统一门户配置替换 SSO 配置
- 新增 oa-ai.conf 反向代理配置 - 移除 sso-ai.conf（已迁移至 OA 门户） - 更新各站点 conf：适配新 SSO auth_request 路径 - 清理 nginx.conf 中已废弃的 SSO 相关配置
2026-06-03 09:58:21 +08:00 · 2026-05-14 16:37:41 +08:00 · 2026-05-09 17:15:28 +08:00
9 changed files with 57 additions and 19 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,6 @@
 .DS_Store
 .claude/
 nginx-local.conf
 docker-compose.local.yml
 certs/
 conf.d.sso-backup/
--- a/conf.d/assets-ai.conf
+++ b/conf.d/assets-ai.conf
@ -2,14 +2,13 @@ server {
    listen 443 ssl;
    server_name assets.tlyq.ai;
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
    location / {
        proxy_pass http://assets-ai:3000;
        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
 }
--- a/conf.d/cloud-ai.conf
+++ b/conf.d/cloud-ai.conf
@ -2,8 +2,8 @@ server {
    listen 443 ssl;
    server_name cloud.tlyq.ai;
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
    location / {
        proxy_pass http://cloud-ai;
--- a/conf.d/git-ai.conf
+++ b/conf.d/git-ai.conf
@ -2,14 +2,20 @@ server {
    listen 443 ssl;
    server_name git.tlyq.ai;
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
    # Gitea 通过 OIDC 认证，不走 auth_request，只需基本反向代理
    location / {
        proxy_pass http://gitea-ai:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        client_max_body_size 0;
        proxy_request_buffering off;
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
    }
 }
--- a/conf.d/issue-ai.conf
+++ b/conf.d/issue-ai.conf
@ -2,14 +2,13 @@ server {
    listen 443 ssl;
    server_name issue.tlyq.ai;
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
    location / {
        proxy_pass http://issue-ai:3000;
        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
 }
--- a/conf.d/oa-ai.conf
+++ b/conf.d/oa-ai.conf
@ -0,0 +1,28 @@
 server {
    listen 443 ssl;
    server_name oa.tlyq.ai;
    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
    location /_next/static/ {
        resolver 127.0.0.11 valid=30s;
        set $upstream oa-ai:3000;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
    location / {
        resolver 127.0.0.11 valid=30s;
        set $upstream oa-ai:3000;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }
 }
--- a/conf.d/root-domain.conf
+++ b/conf.d/root-domain.conf
@ -5,8 +5,8 @@ server {
    server_name tlyq.ai;
    # 共用现有证书
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
    return 301 https://www.tlyq.ai$request_uri;
 }
--- a/conf.d/token-ai.conf
+++ b/conf.d/token-ai.conf
@ -2,8 +2,8 @@ server {
    listen 443 ssl;
    server_name token.tlyq.ai;
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
    location / {
        proxy_pass http://token-ai;
--- a/conf.d/www-ai.conf
+++ b/conf.d/www-ai.conf
@ -2,11 +2,13 @@ server {
    listen 443 ssl;
    server_name www.tlyq.ai;
-    ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
    location / {
-        proxy_pass http://www-ai;
+        resolver 127.0.0.11 valid=30s;
        set $upstream www-ai;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
    }
 }