fix: nginx配置支持动态解析，解决后端服务不可用时启动失败问题

- 移除静态upstream定义，改用Docker DNS resolver动态解析
- 移除Docker nginx的SSL配置（系统nginx已处理SSL）
- 使用set变量方式引用后端服务，避免启动时DNS解析失败

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

nginx/conf.d/default.conf

@@ -1,7 +1,8 @@
 #===============================================================================
-# iConsulting Nginx 配置
+# iConsulting Docker Nginx 配置
 #
-# 域名: iconsulting.szaiai.com
+# 注意: 此 Nginx 运行在 Docker 容器内，监听 80 端口
+#       系统 Nginx 负责 SSL 终止，然后反向代理到此处
 #
 # 路由规则:
 #   /              -> web-client (用户前端)
@@ -11,55 +12,9 @@
 #
 #===============================================================================
 
-# HTTP -> HTTPS 重定向
 server {
     listen 80;
-    server_name iconsulting.szaiai.com;
-
-    # Let's Encrypt 验证路径
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
-    # 健康检查端点 (不重定向)
-    location /health {
-        access_log off;
-        return 200 'OK';
-        add_header Content-Type text/plain;
-    }
-
-    # 其他请求重定向到 HTTPS
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
-# HTTPS 主服务
-server {
-    listen 443 ssl http2;
-    server_name iconsulting.szaiai.com;
-
-    # SSL 证书配置
-    ssl_certificate /etc/nginx/ssl/fullchain.pem;
-    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
-
-    # SSL 优化配置
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:50m;
-    ssl_session_tickets off;
-
-    # 现代 SSL 配置
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-    ssl_prefer_server_ciphers off;
-
-    # HSTS (启用后浏览器会强制使用 HTTPS)
-    add_header Strict-Transport-Security "max-age=63072000" always;
-
-    # 安全头
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-XSS-Protection "1; mode=block" always;
+    server_name _;
 
     # 健康检查端点
     location /health {
@@ -96,7 +51,9 @@ server {
 
     # API 请求代理到 Kong
     location /api/ {
-        proxy_pass http://kong_upstream/;
+        # 使用变量实现动态解析，避免启动时服务不可用导致失败
+        set $kong_upstream kong:8000;
+        proxy_pass http://$kong_upstream/;
         proxy_http_version 1.1;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
@@ -116,7 +73,8 @@ server {
 
     # WebSocket 代理
     location /ws/ {
-        proxy_pass http://websocket_upstream/;
+        set $ws_upstream conversation-service:3004;
+        proxy_pass http://$ws_upstream/;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
@@ -133,7 +91,8 @@ server {
 
     # Socket.IO 专用路径
     location /socket.io/ {
-        proxy_pass http://websocket_upstream/socket.io/;
+        set $ws_upstream conversation-service:3004;
+        proxy_pass http://$ws_upstream/socket.io/;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";

nginx/nginx.conf

@@ -36,16 +36,9 @@ http {
     # 请求大小限制
     client_max_body_size 50M;
 
-    # 上游服务定义
-    upstream kong_upstream {
-        server kong:8000;
-        keepalive 32;
-    }
-
-    upstream websocket_upstream {
-        server conversation-service:3004;
-        keepalive 32;
-    }
+    # Docker DNS 解析器 (允许动态解析服务名)
+    resolver 127.0.0.11 valid=10s ipv6=off;
+    resolver_timeout 5s;
 
     include /etc/nginx/conf.d/*.conf;
 }