拓扑
:443 ─ Nginx ─┬─→ / ────────→ /var/www/blog/ (静态文件)
├─→ /api/* ────→ 127.0.0.1:3001 (Node API)
└─→ ws-trojan ──→ 127.0.0.1:10086 (Trojan-WS)只用一个 443,全部走 SNI。
关键配置(精简到能跑就行)
server {
listen 443 ssl http2;
server_name fankex.com;
ssl_certificate /etc/letsencrypt/live/fankex.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/fankex.com/privkey.pem;
root /var/www/blog;
index index.html;
location / {
try_files $uri $uri/ =404;
}
location /api/ {
proxy_pass http://127.0.0.1:3001/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
location /trojan-ws {
if ($http_upgrade != "websocket") { return 404; }
proxy_pass http://127.0.0.1:10086;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}三个容易踩的坑
/api/末尾的斜杠:proxy_pass带不带/行为完全不同,
带斜杠会去掉前缀转发,不带会保留。永远显式带上。- WebSocket 升级:必须显式
Connection "upgrade",否则降级到 HTTP/1.1 短连接。 - 静态文件缓存:
location ~* \.(woff2|webp|css|js)$ { add_header Cache-Control "public, max-age=31536000, immutable"; }
放在location /之前。