Initial commit: 浼佷笟寰俊 AI 鏈哄櫒浜哄姪鐞?MVP

Co-authored-by: Cursor <cursoragent@cursor.com>

deploy/nginx-ssl.conf

@@ -0,0 +1,59 @@
+events { worker_connections 1024; }
+
+http {
+    upstream backend {
+        server backend:8000;
+    }
+
+    # HTTP → HTTPS 重定向
+    server {
+        listen 80;
+        server_name _;
+        
+        # Let's Encrypt 验证路径
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
+        
+        # 其他请求重定向到 HTTPS
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+
+    # HTTPS
+    server {
+        listen 443 ssl http2;
+        server_name _;
+
+        # SSL 证书（Let's Encrypt）
+        # 注意：在生产环境中，需要将证书路径挂载到容器中
+        # ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
+        # ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
+        
+        # 临时自签名证书（仅用于测试，生产环境必须使用 Let's Encrypt）
+        # ssl_certificate /etc/nginx/ssl/cert.pem;
+        # ssl_certificate_key /etc/nginx/ssl/key.pem;
+        
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+
+        # /api -> backend
+        location /api/ {
+            proxy_pass http://backend;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_read_timeout 30s;
+            proxy_connect_timeout 10s;
+        }
+
+        # 健康检查
+        location /health {
+            proxy_pass http://backend/health;
+            access_log off;
+        }
+    }
+}