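# Reverse proxy for the Woodpecker CI server at ci.f.novalon.cn.
# Plain HTTP is redirected to HTTPS; TLS terminates here and traffic is
# forwarded to the upstream over unencrypted HTTP (woodpecker-server:8000).

server {
    listen 80;
    listen [::]:80;
    server_name ci.f.novalon.cn;

    # Redirect to HTTPS. The target is built from $server_name (the configured
    # name), not the client-supplied Host header, so the redirect cannot be
    # steered to another host.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ci.f.novalon.cn;

    # TLS certificate and private key.
    ssl_certificate /etc/nginx/ssl/ci.f.novalon.cn/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/ci.f.novalon.cn/privkey.pem;

    # TLS tuning.
    # NOTE(review): ssl_ciphers only governs TLS 1.2 and below, and
    # "HIGH:!aNULL:!MD5" is a broad selector that still admits CBC-mode and
    # non-forward-secret suites. Consider pinning an explicit ECDHE/AEAD list.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # NOTE(review): no Strict-Transport-Security header is sent, so a client's
    # first request can still go out over plain HTTP before the 301 above.
    # Consider adding HSTS once HTTPS on this name is known to be stable.

    # Maximum accepted request body. This limit also applies to /api/, which
    # nginx serves without any authentication of its own.
    client_max_body_size 100M;

    # Proxy everything else to Woodpecker CI.
    location / {
        proxy_pass http://woodpecker-server:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent; only the last entry is set by this
        # proxy, so the upstream must not trust earlier entries.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support.
        # NOTE(review): "Connection: upgrade" is sent on every request, not
        # only on upgrade requests. The usual alternative is a map on
        # $http_upgrade, which has to be declared in the http context.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Timeouts. proxy_read_timeout closes the connection when the upstream
        # sends nothing for 60s, which may affect idle long-lived streams.
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    # API endpoints (including webhooks).
    location /api/ {
        proxy_pass http://woodpecker-server:8000/api/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Same caveat as in "location /": only the last X-Forwarded-For entry
        # is written by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Headers used by forge webhooks. nginx already forwards request
        # headers unchanged by default, so these lines only make the intent
        # explicit; other headers (e.g. X-Hub-Signature-256) still pass through.
        # nginx does NOT verify the signature values: webhook authentication is
        # entirely the upstream's responsibility.
        proxy_set_header X-GitHub-Delivery $http_x_github_delivery;
        proxy_set_header X-GitHub-Event $http_x_github_event;
        proxy_set_header X-Gitea-Delivery $http_x_gitea_delivery;
        proxy_set_header X-Gitea-Event $http_x_gitea_event;
        proxy_set_header X-Gitea-Signature $http_x_gitea_signature;
        proxy_set_header X-Hub-Signature $http_x_hub_signature;

        # Timeouts.
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    # Health check answered by nginx itself. It proves only that nginx is up,
    # not that the upstream is reachable, and any /healthz served by the
    # upstream is not reachable through this proxy.
    location /healthz {
        access_log off;
        # default_type sets the Content-Type of the response generated by
        # "return". Using add_header here would emit a second Content-Type
        # header next to the default one instead of replacing it.
        default_type text/plain;
        return 200 "healthy\n";
    }
}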