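# =============================================================================
# WOOO TECH - Monitor Dashboard
# Nginx configuration - UAT Server (192.168.0.110)
# Single entry point for all monitoring tools
# 2026-02-08 cleanup revision - Harbor removed, other services retained
# =============================================================================
#
# NOTE(review): access control
#   No auth_basic, auth_request, allow/deny or limit_req directive appears
#   anywhere in this file. Every location below is therefore reachable by any
#   client that can connect to this host on 80/443, unless access is limited
#   elsewhere (firewall, an http-level include, or the backend's own login).
#   Confirm this before relying on the "intranet only" labels further down.
#   A per-location gate would look like this (placeholder value):
#       allow <TRUSTED_ADMIN_CIDR>;
#       deny  all;
#
# NOTE(review): client address headers
#   X-Real-IP carries $remote_addr (the TCP peer). X-Forwarded-For uses
#   $proxy_add_x_forwarded_for, which appends to whatever the client sent, so
#   backends should trust only the last hop they configured, never the
#   left-most entry.

# Upstream service definitions
upstream grafana_backend {
    server 127.0.0.1:3000;
}

upstream prometheus_backend {
    # K8s Prometheus ClusterIP
    server 10.43.25.78:9090;
}

upstream alertmanager_backend {
    # K8s Alertmanager ClusterIP
    server 10.43.79.187:9093;
}

upstream portainer_backend {
    server 127.0.0.1:9000;
}

upstream n8n_backend {
    server 127.0.0.1:5678;
}

upstream superset_backend {
    server 127.0.0.1:8088;
}

upstream gitlab_backend {
    server 127.0.0.1:8929;
}

upstream nextcloud_backend {
    server 127.0.0.1:8081;
}

upstream loki_backend {
    server 127.0.0.1:3100;
}

upstream metabase_backend {
    server 127.0.0.1:3001;
}

upstream grist_backend {
    server 127.0.0.1:8484;
}

upstream cadvisor_backend {
    server 127.0.0.1:8080;
}

upstream blackbox_backend {
    server 127.0.0.1:9115;
}

upstream node_exporter_backend {
    server 127.0.0.1:9100;
}

upstream postgres_exporter_backend {
    server 127.0.0.1:9187;
}

# K8s Grafana (NodePort)
upstream k8s_grafana_backend {
    server 127.0.0.1:30030;
}

# Docker Registry (HTTPS via the Nginx proxy)
upstream registry_backend {
    server 127.0.0.1:5002;
}

# =============================================================================
# monitor.wooo.work - monitoring entry point (HTTP -> HTTPS redirect)
# =============================================================================
server {
    listen 80;
    server_name monitor.wooo.work;

    # HSTS - enforce HTTPS
    # User agents ignore Strict-Transport-Security received over plain HTTP
    # (RFC 6797), so the policy that actually takes effect is the one in the
    # 443 server below; the headers here are kept only for parity.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

    # $server_name (fixed above) is used instead of the request's Host header,
    # so the redirect target cannot be influenced by the client.
    return 301 https://$server_name$request_uri;
}

# =============================================================================
# monitor.wooo.work - monitoring entry point (HTTPS)
# =============================================================================
server {
    listen 443 ssl http2;
    server_name monitor.wooo.work;

    # HSTS - enforce HTTPS
    # add_header is inherited by a location only while that location declares
    # no add_header of its own; none below do. Adding one inside a location
    # silently drops these three headers for it unless they are repeated.
    # NOTE(review): "preload" only matters once the registrable domain is
    # submitted to the browser preload list; the other wooo.work hosts in this
    # file are plain HTTP - confirm that is intended before submitting.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

    # SSL certificate
    # Protocol and cipher settings come from the included Let's Encrypt file,
    # which is not part of this config; review it separately.
    ssl_certificate /etc/letsencrypt/live/monitor.wooo.work/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/monitor.wooo.work/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Monitoring home page (static page)
    root /var/www/monitor;
    index index.html;

    # Home page
    location = / {
        try_files /index.html =404;
    }

    # =========================================================================
    # Docker Grafana (Port 3000)
    # =========================================================================
    # proxy_pass has no URI part, so the /grafana/ prefix is forwarded as-is.
    location /grafana/ {
        proxy_pass http://grafana_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # =========================================================================
    # K8s Grafana (NodePort 30030)
    # =========================================================================
    location /k8s-grafana/ {
        proxy_pass http://k8s_grafana_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect / /k8s-grafana/;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # sub_filter cannot rewrite a compressed body, so ask the upstream for
        # an uncompressed response (same approach as the Superset location).
        proxy_set_header Accept-Encoding "";

        sub_filter_once off;
        # text/html is always filtered; listing it again only triggers a
        # duplicate-MIME-type warning at config load.
        sub_filter_types application/javascript;
        sub_filter 'src="/' 'src="/k8s-grafana/';
        sub_filter '"/api/' '"/k8s-grafana/api/';
    }

    # =========================================================================
    # Prometheus (Port 9090)
    # =========================================================================
    # NOTE(review): Prometheus, Alertmanager, Loki, cAdvisor and the exporters
    # proxied further down do not require a login in their default setup. If
    # nothing outside this file restricts access, their metrics, labels, logs
    # and alert/silence APIs are readable (and partly writable) through this
    # vhost; gate these locations with allow/deny or auth_basic.
    location /prometheus/ {
        proxy_pass http://prometheus_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect / /prometheus/;
    }

    # =========================================================================
    # Alertmanager (Port 9093)
    # =========================================================================
    location /alertmanager/ {
        proxy_pass http://alertmanager_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect / /alertmanager/;
    }

    # =========================================================================
    # Portainer (Port 9000)
    # =========================================================================
    # NOTE(review): this is a container-management console; access relies on
    # Portainer's own login unless restricted outside this file.
    location /portainer/ {
        proxy_pass http://portainer_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /portainer/api/ {
        proxy_pass http://portainer_backend/api/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # =========================================================================
    # n8n (Port 5678)
    # =========================================================================
    location /n8n/ {
        proxy_pass http://n8n_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }

    # =========================================================================
    # Apache Superset BI (Port 8088)
    # =========================================================================
    # Redirects for authentication-related paths
    # These root-level paths are claimed for Superset; the redirect targets
    # are fixed prefixes plus $request_uri, so they stay on this host.
    location = /login/ {
        return 302 /superset/login/;
    }

    location = /logout/ {
        return 302 /superset/logout/;
    }

    location ^~ /lang/ {
        return 302 /superset$request_uri;
    }

    location ^~ /users/ {
        return 302 /superset$request_uri;
    }

    location ^~ /static/ {
        return 302 /superset$request_uri;
    }

    location /superset/ {
        proxy_pass http://superset_backend/;

        # Keep upstream redirects under the /superset/ prefix.
        proxy_redirect ~^(/superset/.*)$ $1;
        proxy_redirect ~^/(?!superset)(.*)$ /superset/$1;

        # Bodies must be uncompressed for sub_filter to rewrite them.
        gzip off;
        proxy_set_header Accept-Encoding "";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        sub_filter '"/static/' '"/superset/static/';
        sub_filter "'/static/" "'/superset/static/";
        sub_filter_once off;
        # text/html is always filtered; listing it again only triggers a
        # duplicate-MIME-type warning at config load.
        sub_filter_types application/javascript text/css;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
    }

    # =========================================================================
    # Loki (Port 3100)
    # =========================================================================
    # NOTE(review): the whole Loki HTTP API is proxied as-is and Loki ships
    # without an authentication layer; restrict this location if the vhost is
    # reachable beyond the operators' network.
    location /loki/ {
        proxy_pass http://loki_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # =========================================================================
    # Metabase (Port 3001)
    # =========================================================================
    location /metabase/ {
        proxy_pass http://metabase_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect / /metabase/;
    }

    # =========================================================================
    # cAdvisor (Port 8080)
    # =========================================================================
    location /cadvisor/ {
        proxy_pass http://cadvisor_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect / /cadvisor/;
    }

    # =========================================================================
    # Blackbox Exporter (Port 9115)
    # =========================================================================
    # NOTE(review): Blackbox Exporter probes a target named by the caller, so
    # an unrestricted path to it lets outside clients make this host send
    # requests into the internal network. Restrict this location to the
    # Prometheus scraper / operators.
    location /blackbox/ {
        proxy_pass http://blackbox_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # =========================================================================
    # Node Exporter (Port 9100)
    # =========================================================================
    location /node-exporter/ {
        proxy_pass http://node_exporter_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # =========================================================================
    # PostgreSQL Exporter (Port 9187)
    # =========================================================================
    location /postgres-exporter/ {
        proxy_pass http://postgres_exporter_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # =========================================================================
    # Docker Registry (Port 5002)
    # =========================================================================
    location /registry/ {
        proxy_pass http://registry_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The registry needs large file uploads
        # 0 disables the request-body size check entirely. NOTE(review): with
        # no auth at this layer, push protection and disk-usage limits depend
        # on the registry's own configuration - confirm it requires
        # authentication for writes.
        client_max_body_size 0;
        proxy_read_timeout 900;
        proxy_send_timeout 900;
    }
}

# =============================================================================
# gitlab.wooo.work - GitLab (intranet only)
# =============================================================================
# NOTE(review): "intranet only" is not enforced in this block (no allow/deny,
# listen is not bound to an internal address); it holds only if DNS/firewall
# keep port 80 for this name private. The site is served over plain HTTP in
# this file, so logins and tokens cross the network unencrypted.
server {
    listen 80;
    server_name gitlab.wooo.work;

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header: current browsers no longer ship the XSS auditor it
    # controls, so it adds no protection there.
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        proxy_pass http://gitlab_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_buffers 8 32k;
        proxy_buffer_size 64k;
        # 0 disables the request-body size check (large pushes/uploads).
        client_max_body_size 0;
        proxy_read_timeout 600s;
    }
}

# =============================================================================
# cloud.wooo.work - Nextcloud (intranet only)
# =============================================================================
# NOTE(review): same caveats as the GitLab block - plain HTTP, and the
# "intranet only" restriction is not enforced by this file.
server {
    listen 80;
    server_name cloud.wooo.work;

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        proxy_pass http://nextcloud_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        client_max_body_size 10G;
        proxy_read_timeout 600s;
    }
}

# =============================================================================
# grist.wooo.work - Grist (intranet only)
# =============================================================================
# NOTE(review): same caveats as the GitLab block - plain HTTP, and the
# "intranet only" restriction is not enforced by this file.
server {
    listen 80;
    server_name grist.wooo.work;

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        proxy_pass http://grist_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}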