fix: nginx配置支持动态解析，解决后端服务不可用时启动失败问题

- 移除静态upstream定义，改用Docker DNS resolver动态解析 - 移除Docker nginx的SSL配置（系统nginx已处理SSL） - 使用set变量方式引用后端服务，避免启动时DNS解析失败 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 08:24:28 -08:00 · 2026-01-09 08:24:28 -08:00 · ac105a8c0b
parent 885e84f823
commit ac105a8c0b
2 changed files with 14 additions and 62 deletions
--- a/nginx/conf.d/default.conf
+++ b/nginx/conf.d/default.conf
@ -1,7 +1,8 @@
 #===============================================================================
-# iConsulting Nginx 配置
+# iConsulting Docker Nginx 配置
 #
-# 域名: iconsulting.szaiai.com
+# 注意: 此 Nginx 运行在 Docker 容器内，监听 80 端口
 #       系统 Nginx 负责 SSL 终止，然后反向代理到此处
 #
 # 路由规则:
 #   /              -> web-client (用户前端)
@ -11,55 +12,9 @@
 #
 #===============================================================================
 # HTTP -> HTTPS 重定向
 server {
    listen 80;
-    server_name iconsulting.szaiai.com;
+    server_name _;
    # Let's Encrypt 验证路径
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    # 健康检查端点 (不重定向)
    location /health {
        access_log off;
        return 200 'OK';
        add_header Content-Type text/plain;
    }
    # 其他请求重定向到 HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
 }
 # HTTPS 主服务
 server {
    listen 443 ssl http2;
    server_name iconsulting.szaiai.com;
    # SSL 证书配置
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    # SSL 优化配置
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # 现代 SSL 配置
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # HSTS (启用后浏览器会强制使用 HTTPS)
    add_header Strict-Transport-Security "max-age=63072000" always;
    # 安全头
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    # 健康检查端点
    location /health {
@ -96,7 +51,9 @@ server {
    # API 请求代理到 Kong
    location /api/ {
-        proxy_pass http://kong_upstream/;
+        # 使用变量实现动态解析，避免启动时服务不可用导致失败
        set $kong_upstream kong:8000;
        proxy_pass http://$kong_upstream/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
@ -116,7 +73,8 @@ server {
    # WebSocket 代理
    location /ws/ {
-        proxy_pass http://websocket_upstream/;
+        set $ws_upstream conversation-service:3004;
        proxy_pass http://$ws_upstream/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
@ -133,7 +91,8 @@ server {
    # Socket.IO 专用路径
    location /socket.io/ {
-        proxy_pass http://websocket_upstream/socket.io/;
+        set $ws_upstream conversation-service:3004;
        proxy_pass http://$ws_upstream/socket.io/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@ -36,16 +36,9 @@ http {
    # 请求大小限制
    client_max_body_size 50M;
-    # 上游服务定义
+    # Docker DNS 解析器 (允许动态解析服务名)
-    upstream kong_upstream {
+    resolver 127.0.0.11 valid=10s ipv6=off;
-        server kong:8000;
+    resolver_timeout 5s;
        keepalive 32;
    }
    upstream websocket_upstream {
        server conversation-service:3004;
        keepalive 32;
    }
    include /etc/nginx/conf.d/*.conf;
 }