baa-conductor.conf.template
# 部署目标:
# - __NGINX_SITE_INSTALL_PATH__
# - __NGINX_SITE_ENABLED_PATH__ -> symlink to sites-available
# - __NGINX_INCLUDE_GLOB__ 由仓库里的 ops/nginx/includes/* 同步过去
#
# 说明:
# - __CONDUCTOR_HOST__ 作为统一入口，走 mini 主、mac 备的 upstream
# - __MINI_DIRECT_HOST__ 与 __MAC_DIRECT_HOST__ 直连单节点 upstream
# - 所有 upstream 都直接写 Tailscale 100.x 地址
# - 不使用 mini.tail0125d.ts.net / mbp.tail0125d.ts.net 等 MagicDNS 名称
# - 这样可以避开 ClashX 与 MagicDNS 的 DNS 接管冲突
# - 证书路径使用 Let's Encrypt 默认目录，若走 Cloudflare Origin Cert 请替换为实际文件路径

# Derive the Connection header value used for proxied WebSocket upgrades:
# an empty Upgrade request header yields an empty value (header suppressed),
# any other value yields "upgrade". Nothing in this file reads
# $connection_upgrade directly; the proxy include is expected to.
map $http_upgrade $connection_upgrade {
    ''      '';
    default upgrade;
}
# Unified-entry pool behind __CONDUCTOR_HOST__: mini is the active node,
# mac only receives traffic while mini is marked unavailable. Backends are
# reached over plain HTTP on the Tailscale link; no TLS to the origin.
upstream conductor_primary {
    # mini primary, addressed by its Tailscale IPv4 (not MagicDNS, see header).
    # Two failed attempts inside a 5s window mark it down for 5s, during
    # which requests fall through to the backup below. What counts as a
    # failure is governed by proxy_next_upstream, which is not set here
    # (nginx default: connection error / timeout).
    server __MINI_TAILSCALE_IP__:__CONDUCTOR_PORT__ max_fails=2 fail_timeout=5s;
    # mac standby, addressed by its Tailscale IPv4. Used only when no
    # non-backup server is available.
    server __MAC_TAILSCALE_IP__:__CONDUCTOR_PORT__ backup;
    # Idle upstream connections kept per worker. Only effective if the proxy
    # include sets proxy_http_version 1.1 and controls the Connection header
    # (presumably via $connection_upgrade) — verify in common-proxy.conf.
    keepalive 32;
}
# Single-node pool for __MINI_DIRECT_HOST__. There is no backup server, so
# when mini is down requests fail at this layer instead of failing over.
upstream mini_conductor_direct {
    # Tailscale IPv4 of mini; same port as the unified pool.
    server __MINI_TAILSCALE_IP__:__CONDUCTOR_PORT__;
    # Per-worker idle connection cache; see the keepalive note on
    # conductor_primary for the proxy-include prerequisites.
    keepalive 16;
}
# Single-node pool for __MAC_DIRECT_HOST__. No backup server: a down mac
# surfaces as an upstream error here rather than failing over to mini.
upstream mac_conductor_direct {
    # Tailscale IPv4 of mac; same port as the unified pool.
    server __MAC_TAILSCALE_IP__:__CONDUCTOR_PORT__;
    # Per-worker idle connection cache; same prerequisites as the other pools.
    keepalive 16;
}
# Plain-HTTP listener for all three public names: every request is
# redirected to HTTPS; nothing is served over port 80.
server {
    listen 80;
    listen [::]:80;
    server_name __CONDUCTOR_HOST__ __MINI_DIRECT_HOST__ __MAC_DIRECT_HOST__;

    # $host is taken from the request's Host header (first server_name when
    # the header is absent), which is what keeps each name on its own host.
    # NOTE(review): no default_server is declared on :80 in this file. If
    # this is the first :80 server in the merged configuration nginx also
    # uses it for unmatched Host values, and that value is echoed into the
    # Location header. A separate catch-all `listen 80 default_server;`
    # block returning 444 would close that — check the other site files
    # for an existing default_server before adding one.
    return 301 https://$host$request_uri;
}
# Unified HTTPS entry point (__CONDUCTOR_HOST__). Everything is proxied to
# the mini-primary / mac-backup pool; no authentication is applied at this
# layer in this file (the direct-host servers below do include one).
server {
    # `http2` as a listen parameter still works but is deprecated since
    # nginx 1.25.1 in favour of `http2 on;` — switch once the target nginx
    # version is known. No default_server flag: if this is the first :443
    # server in the merged config it also answers unknown SNI names with
    # this certificate.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name __CONDUCTOR_HOST__;

    # Let's Encrypt paths by default (see header); replace both when using a
    # Cloudflare Origin Certificate.
    ssl_certificate __CONDUCTOR_CERT_FULLCHAIN__;
    ssl_certificate_key __CONDUCTOR_CERT_KEY__;
    # TLS 1.0/1.1 disabled. Cipher selection is left at the nginx/OpenSSL
    # defaults; no ssl_ciphers / ssl_prefer_server_ciphers is set here.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Session cache shared by name with the two direct-host servers (same
    # zone name → same zone; keep the size identical in all three).
    ssl_session_cache shared:BAAConductorTLS:10m;
    # Resumption allowed for a day. Session tickets are not configured in
    # this file, so they stay at the nginx default (enabled) — decide
    # explicitly (`ssl_session_tickets`) if ticket-key lifetime matters.
    ssl_session_timeout 1d;

    # Dedicated logs for this host; warn level keeps upstream failures
    # (e.g. primary marked down) visible without debug noise.
    access_log /var/log/nginx/baa-conductor.access.log;
    error_log /var/log/nginx/baa-conductor.error.log warn;

    # Exact-match probe endpoints. Each proxies to the same pool and pulls
    # in the same include as `location /`, so today they behave exactly like
    # the catch-all; presumably kept separate so they can get their own
    # access policy later. They are reachable without any auth at this
    # layer — whether the app gates them is not visible here.
    location = /healthz {
        proxy_pass http://conductor_primary/healthz;
        include __NGINX_INCLUDE_DIR__/common-proxy.conf;
    }

    location = /readyz {
        proxy_pass http://conductor_primary/readyz;
        include __NGINX_INCLUDE_DIR__/common-proxy.conf;
    }

    location = /rolez {
        proxy_pass http://conductor_primary/rolez;
        include __NGINX_INCLUDE_DIR__/common-proxy.conf;
    }

    # Everything else: proxy_pass without a URI part, so the client's
    # request URI is forwarded to the pool unchanged. Proxy headers,
    # timeouts and any security headers are expected to come from
    # common-proxy.conf (contents not visible here; note that an add_header
    # inside that include would suppress server-level add_header
    # inheritance).
    location / {
        proxy_pass http://conductor_primary;
        include __NGINX_INCLUDE_DIR__/common-proxy.conf;
    }
}
# Direct access to the mini node (__MINI_DIRECT_HOST__), bypassing the
# primary/backup pool. Unlike the unified host, requests pass through
# direct-node-auth.conf before being proxied.
server {
    # See the conductor server for the `http2` listen-parameter note.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name __MINI_DIRECT_HOST__;

    # Per-host certificate; replace if not using Let's Encrypt paths.
    ssl_certificate __MINI_CERT_FULLCHAIN__;
    ssl_certificate_key __MINI_CERT_KEY__;
    # Same TLS floor and session settings as the conductor host; the cache
    # zone name is shared, so the size must stay identical across servers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:BAAConductorTLS:10m;
    ssl_session_timeout 1d;

    # Separate log files so direct-node traffic is distinguishable from
    # unified-entry traffic.
    access_log /var/log/nginx/baa-conductor-mini.access.log;
    error_log /var/log/nginx/baa-conductor-mini.error.log warn;

    location / {
        # Access control for the direct node lives in this include (its
        # mechanism — allow/deny, auth_basic, auth_request — is not visible
        # here). Directive order within a location does not affect when
        # nginx evaluates it relative to proxy_pass.
        include __NGINX_INCLUDE_DIR__/direct-node-auth.conf;
        # Single-server pool: no failover if mini is down.
        proxy_pass http://mini_conductor_direct;
        include __NGINX_INCLUDE_DIR__/common-proxy.conf;
    }
}
# Direct access to the mac node (__MAC_DIRECT_HOST__), bypassing the
# primary/backup pool. Mirrors the mini direct server; requests pass
# through direct-node-auth.conf before being proxied.
server {
    # See the conductor server for the `http2` listen-parameter note.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name __MAC_DIRECT_HOST__;

    # Per-host certificate; replace if not using Let's Encrypt paths.
    ssl_certificate __MAC_CERT_FULLCHAIN__;
    ssl_certificate_key __MAC_CERT_KEY__;
    # Same TLS floor and session settings as the other two servers; the
    # cache zone name is shared, so the size must stay identical.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:BAAConductorTLS:10m;
    ssl_session_timeout 1d;

    # Separate log files for direct-node traffic to mac.
    access_log /var/log/nginx/baa-conductor-mac.access.log;
    error_log /var/log/nginx/baa-conductor-mac.error.log warn;

    location / {
        # Access control for the direct node lives in this include (its
        # mechanism is not visible here); keep it in lockstep with the
        # mini direct server so both nodes enforce the same policy.
        include __NGINX_INCLUDE_DIR__/direct-node-auth.conf;
        # Single-server pool: no failover if mac is down.
        proxy_pass http://mac_conductor_direct;
        include __NGINX_INCLUDE_DIR__/common-proxy.conf;
    }
}
120}