下面是一份**面向「机构按域名访问、同一套前端」的 Nginx 示例,可直接按需改域名、证书路径和后端地址。机构与域名的绑定仍在后台维护,Nginx 只负责把各域名指到同一站点(或按域名拆目录)**并可选反代 API。
1. 思路说明
- 用户用各自机构域名 访问 → 浏览器
Host即该域名 → 前端getByDomain用hostname调后台解析机构。 - 同一套静态资源:多个
server_name共用同一root,或拆成多个server块共用include。 - SPA:
try_files回退到index.html。 - API:建议用
location /api-c/反代到真实网关,避免 CORS 与路径混乱。
2. 单站点多域名(推荐起步形态)
nginx
# /etc/nginx/conf.d/pro-a.conf
upstream api_backend {
# 换成你们 api-c 实际地址(内网或 SLB)
server 10.0.0.10:8080;
keepalive 32;
}
# 可拆成多个 server,或在一个 server 里写多个 server_name
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
# 机构域名:在后台绑定后,把对外域名都列在这里(或用通配 *.example.com)
server_name
www.tenant-a.com
tenant-a.com
www.tenant-b.com
tenant-b.com
tenant-b.example.com;
# 若强制 HTTPS,可整段改为 301
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name
www.tenant-a.com
tenant-a.com
www.tenant-b.com
tenant-b.com
tenant-b.example.com;
# SSL 证书:按主域或多 SAN 证书配置;通配符用 *.example.com
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_protocols TLSv1.2 TLSv1.3;
root /var/www/pro-a/dist;
index index.html;
# 前端构建产物(与 Vite outDir 一致,如 dist-tenanantId)
# root /var/www/pro-a/dist-tenanantId;
charset utf-8;
# 静态资源缓存(带 hash 的文件可长缓存)
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?|ttf|eot)$ {
expires 7d;
add_header Cache-Control "public, immutable";
try_files $uri =404;
}
# API:与前端 request baseURL 一致(常见为 /api-c)
location /api-c/ {
proxy_pass http://api_backend;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 若后端需要从网关认租户,一般读 Host 或你们约定的头;勿随意改 Host 为内网名,除非网关要求
proxy_connect_timeout 10s;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
}
# SPA
location / {
try_files $uri $uri/ /index.html;
}
# 可选:安全头
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
}要点:
server_name与后台为各机构配置的访问域名 一致;新机构上线 = DNS 指过来 + 证书覆盖该域名 + 把域名加进server_name(或换通配证书)。proxy_set_header Host $host:后端若按Host做getByDomain,与浏览器直接访问一致。
3. 通配符子域(若机构是 *.platform.com)
nginx
server {
listen 443 ssl http2;
server_name *.platform.com platform.com;
ssl_certificate /etc/nginx/ssl/wildcard-platform.fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/wildcard-platform.key;
root /var/www/pro-a/dist;
index index.html;
location /api-c/ {
proxy_pass http://api_backend;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
try_files $uri $uri/ /index.html;
}
}新机构只配子域时,DNS 与证书就绪即可,不必每次改 Nginx(子域已在通配范围内)。
4. 多份白标构建、不同 root(可选)
若线上按机构出不同构建目录 (不同 VITE_TENANT_ID 产物),可按域名拆 server,root 指向不同目录:
nginx
server {
listen 443 ssl http2;
server_name tenant-a.com www.tenant-a.com;
ssl_certificate /etc/nginx/ssl/tenant-a.pem;
ssl_certificate_key /etc/nginx/ssl/tenant-a.key;
root /var/www/pro-a/dist-tenant-a;
index index.html;
location /api-c/ {
proxy_pass http://api_backend;
proxy_set_header Host $host;
# ...
}
location / { try_files $uri $uri/ /index.html; }
}
server {
listen 443 ssl http2;
server_name tenant-b.com www.tenant-b.com;
ssl_certificate /etc/nginx/ssl/tenant-b.pem;
ssl_certificate_key /etc/nginx/ssl/tenant-b.key;
root /var/www/pro-a/dist-tenant-b;
index index.html;
location /api-c/ { proxy_pass http://api_backend; proxy_set_header Host $host; }
location / { try_files $uri $uri/ /index.html; }
}5. 与「机构入驻」的对应关系
| 环节 | Nginx 侧 |
|---|---|
| 后台绑定机构域名 | server_name / DNS / 证书包含该域名 |
前端 getByDomain |
保持 Host 为访问域名(上面 proxy_set_header Host $host) |
| 新机构上线 | 加域名、重载 nginx -s reload;通配符子域可不改配置 |
| HTTPS | listen 443 ssl + 证书路径 |
6. 自检命令
bash
nginx -t && nginx -s reload
curl -I -H "Host: tenant-a.com" https://127.0.0.1/