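# Gitea nginx reverse-proxy configuration.
# Deployed by deploy.sh to /etc/nginx/sites-available/gitea.
# __GITEA_DOMAIN__ is replaced by the script with the real domain name.

# HTTP -> HTTPS redirect.
server {
    listen 80;
    listen [::]:80;
    server_name __GITEA_DOMAIN__;

    # Let's Encrypt certificate validation (HTTP-01 challenge). This must stay
    # reachable over plain HTTP, so it is matched before the catch-all redirect.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS main site.
server {
    # NOTE: the "http2" listen parameter is deprecated since nginx 1.25.1 in
    # favour of a separate "http2 on;" directive; it is kept here so the file
    # still loads on the older nginx versions shipped by distributions.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name __GITEA_DOMAIN__;

    # SSL certificate (managed automatically by Certbot).
    ssl_certificate /etc/letsencrypt/live/__GITEA_DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__GITEA_DOMAIN__/privkey.pem;

    # TLS settings: TLS 1.2+ only, with forward-secret AEAD suites for TLS 1.2.
    # TLS 1.3 suites are chosen by the library and are not affected by ssl_ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS: once a browser has seen this header it refuses plain HTTP for this
    # host for two years. "includeSubDomains" extends that to every subdomain of
    # __GITEA_DOMAIN__, so all of them must serve valid TLS before this goes live.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    # Security headers. nginx "add_header" directives are inherited by a
    # location only when that location has no add_header of its own; a location
    # that adds its own header must repeat this whole set or it is silently lost.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    # The legacy browser XSS auditor has been removed from current browsers, and
    # where it still exists its "1; mode=block" mode has been associated with
    # cross-site information leaks; the recommended value is to disable it.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;

    # Git LFS and large-repository pushes need a generous request body limit.
    client_max_body_size 512M;

    # Proxy timeouts (clone/push of large repositories can be slow).
    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    proxy_read_timeout 300;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        # Client address headers: Gitea only honours these when it is
        # configured to trust this proxy; otherwise logged client IPs are wrong.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support (Gitea live notifications).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }

    # Git LFS uploads need special handling: a larger body limit and no request
    # buffering, so large objects are streamed straight to Gitea instead of
    # being spooled to nginx's temporary files first.
    location ~ ^/.*\.git/info/lfs/ {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        client_max_body_size 4G;
        proxy_request_buffering off;
    }
}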