baa-conductor.conf
1# 部署目标:
2# - /etc/nginx/sites-available/baa-conductor.conf
3# - /etc/nginx/sites-enabled/baa-conductor.conf -> symlink to sites-available
4# - /etc/nginx/includes/baa-conductor/*.conf 由仓库里的 ops/nginx/includes/* 同步过去
5#
6# 说明:
7# - conductor.makefile.so 作为统一入口,走 mini 主、mac 备的 upstream
8# - mini-conductor.makefile.so 与 mac-conductor.makefile.so 直连单节点 upstream
9# - 所有 upstream 都直接写 Tailscale 100.x 地址
10# - 不使用 mini.tail0125d.ts.net / mbp.tail0125d.ts.net 等 MagicDNS 名称
11# - 这样可以避开 ClashX 与 MagicDNS 的 DNS 接管冲突
12# - 证书路径使用 Let's Encrypt 默认目录,若走 Cloudflare Origin Cert 请替换为实际文件路径
map $http_upgrade $connection_upgrade {
    # Computes the Connection header value to send upstream when a client asks
    # for a protocol upgrade (WebSocket): any non-empty Upgrade request header
    # yields "upgrade", an absent/empty one yields an empty string.
    # $connection_upgrade is not referenced anywhere in this file; presumably
    # it is consumed by /etc/nginx/includes/baa-conductor/common-proxy.conf
    # via proxy_set_header — confirm.
    default upgrade;
    '' '';
}
upstream conductor_primary {
    # Failover pool behind conductor.makefile.so: the mini node takes all
    # traffic, the mac node only serves while the primary is marked down.
    # Backend traffic is plain HTTP; confidentiality on the wire relies on the
    # Tailscale tunnel behind the 100.x addresses (see header comment).
    # mini primary node, reached over its Tailscale IPv4 private address.
    # Two failed attempts within 5s mark it unavailable for the next 5s.
    server 100.71.210.78:4317 max_fails=2 fail_timeout=5s;
    # mac standby node, reached over its Tailscale IPv4 private address.
    server 100.112.239.13:4317 backup;
    # Idle upstream connections cached per worker. Only effective if the proxy
    # settings also use proxy_http_version 1.1 and send an empty Connection
    # header — expected to live in common-proxy.conf, not visible here.
    keepalive 32;
}
upstream mini_conductor_direct {
    # Single-node pool for mini-conductor.makefile.so: no failover, plain HTTP
    # over the Tailscale address. Same host:port as the primary entry of
    # conductor_primary.
    server 100.71.210.78:4317;
    # Per-worker idle connection cache; needs HTTP/1.1 + empty Connection
    # header from the proxy settings (presumably in common-proxy.conf).
    keepalive 16;
}
upstream mac_conductor_direct {
    # Single-node pool for mac-conductor.makefile.so: no failover, plain HTTP
    # over the Tailscale address. Same host:port as the backup entry of
    # conductor_primary.
    server 100.112.239.13:4317;
    # Per-worker idle connection cache; needs HTTP/1.1 + empty Connection
    # header from the proxy settings (presumably in common-proxy.conf).
    keepalive 16;
}
server {
    # Plain-HTTP listener for all three hostnames: every request gets a
    # permanent redirect to the same host and path over HTTPS.
    listen 80;
    listen [::]:80;
    server_name conductor.makefile.so mini-conductor.makefile.so mac-conductor.makefile.so;

    # $host is taken from the request's Host header. Requests for the three
    # names above reach this block by server_name match; but if this block is
    # also the effective default server for :80 (no default_server is declared
    # in this file — check the rest of the nginx config), a request carrying
    # any other Host header is redirected to that host. A separate catch-all
    # default server answering with `return 444;` would close that gap.
    return 301 https://$host$request_uri;
}
server {
    # Public entry point conductor.makefile.so: TLS terminates here and all
    # requests are proxied to the mini-primary / mac-backup pool.
    # NOTE(review): "http2" as a listen parameter is deprecated since nginx
    # 1.25.1 in favour of a standalone `http2 on;` directive; left unchanged
    # because the deployed nginx version is not known from this file.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name conductor.makefile.so;

    # Let's Encrypt default layout; see the header note about swapping in a
    # Cloudflare Origin Cert.
    ssl_certificate /etc/letsencrypt/live/conductor.makefile.so/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/conductor.makefile.so/privkey.pem;
    # TLS 1.0/1.1 disabled. No ssl_ciphers directive is set in this block, so
    # nginx's built-in default cipher list applies to TLS 1.2 handshakes.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Session cache zone shared by all three HTTPS vhosts in this file; a
    # shared zone reused by name must be declared with the same size (10m).
    ssl_session_cache shared:BAAConductorTLS:10m;
    # Resumption window; session tickets stay enabled by nginx default.
    ssl_session_timeout 1d;
    # NOTE(review): no Strict-Transport-Security header is set in this block,
    # so unless common-proxy.conf adds one, a client typing the bare hostname
    # still makes a plaintext request to :80 before being redirected.
    # Something like `add_header Strict-Transport-Security "max-age=31536000" always;`
    # (sample value) would fix that; note nginx drops inherited add_header
    # lines in any location that declares its own add_header.

    access_log /var/log/nginx/baa-conductor.access.log;
    error_log /var/log/nginx/baa-conductor.error.log warn;

    # Exact-match probe endpoints. Unlike the direct-node vhosts below they
    # carry no direct-node-auth.conf include, so they are reachable by anyone
    # who can reach :443 unless common-proxy.conf restricts them — confirm.
    # /rolez presumably reports which node currently holds the primary role;
    # if it is only meant for internal probes, an allow/deny list here would
    # limit that disclosure.
    location = /healthz {
        proxy_pass http://conductor_primary/healthz;
        include /etc/nginx/includes/baa-conductor/common-proxy.conf;
    }

    location = /readyz {
        proxy_pass http://conductor_primary/readyz;
        include /etc/nginx/includes/baa-conductor/common-proxy.conf;
    }

    location = /rolez {
        proxy_pass http://conductor_primary/rolez;
        include /etc/nginx/includes/baa-conductor/common-proxy.conf;
    }

    # Everything else goes to the failover pool. There is no auth include
    # here, so authentication of ordinary traffic is left to the conductor
    # application itself (or to common-proxy.conf) — verify which.
    location / {
        proxy_pass http://conductor_primary;
        include /etc/nginx/includes/baa-conductor/common-proxy.conf;
    }
}
server {
    # Direct access to the mini node only (bypasses failover), for
    # mini-conductor.makefile.so. TLS settings mirror the main vhost.
    # NOTE(review): "http2" on listen is deprecated since nginx 1.25.1
    # (`http2 on;` replaces it); left as-is, nginx version unknown here.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mini-conductor.makefile.so;

    # Let's Encrypt default layout (see header note for Cloudflare Origin Cert).
    ssl_certificate /etc/letsencrypt/live/mini-conductor.makefile.so/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mini-conductor.makefile.so/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Same shared cache zone as the other two HTTPS vhosts (same name, same size).
    ssl_session_cache shared:BAAConductorTLS:10m;
    ssl_session_timeout 1d;

    access_log /var/log/nginx/baa-conductor-mini.access.log;
    error_log /var/log/nginx/baa-conductor-mini.error.log warn;

    # Every path on this vhost passes through direct-node-auth.conf first;
    # whatever gate that include defines (contents not visible here) is the
    # only thing keeping this single-node bypass from being anonymous.
    location / {
        include /etc/nginx/includes/baa-conductor/direct-node-auth.conf;
        proxy_pass http://mini_conductor_direct;
        include /etc/nginx/includes/baa-conductor/common-proxy.conf;
    }
}
server {
    # Direct access to the mac node only (bypasses failover), for
    # mac-conductor.makefile.so. TLS settings mirror the main vhost.
    # NOTE(review): "http2" on listen is deprecated since nginx 1.25.1
    # (`http2 on;` replaces it); left as-is, nginx version unknown here.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mac-conductor.makefile.so;

    # Let's Encrypt default layout (see header note for Cloudflare Origin Cert).
    ssl_certificate /etc/letsencrypt/live/mac-conductor.makefile.so/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mac-conductor.makefile.so/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Same shared cache zone as the other two HTTPS vhosts (same name, same size).
    ssl_session_cache shared:BAAConductorTLS:10m;
    ssl_session_timeout 1d;

    access_log /var/log/nginx/baa-conductor-mac.access.log;
    error_log /var/log/nginx/baa-conductor-mac.error.log warn;

    # Every path on this vhost passes through direct-node-auth.conf first;
    # whatever gate that include defines (contents not visible here) is the
    # only thing keeping this single-node bypass from being anonymous.
    location / {
        include /etc/nginx/includes/baa-conductor/direct-node-auth.conf;
        proxy_pass http://mac_conductor_direct;
        include /etc/nginx/includes/baa-conductor/common-proxy.conf;
    }
}
120}