Route same-origin API via /apnew/api to bypass ALB /api* rule.

ALB sends /api/* to an unreachable backend target group (502 on apex). Use VITE_API_PREFIX=/apnew with nginx proxy to backend-1 until the listener rule is removed. Co-authored-by: Cursor <cursoragent@cursor.com>
Same-origin API: empty VITE_API_URL with nginx proxy to backend-1.
2026-05-23 17:56:38 +08:00 · 2026-05-23 17:42:59 +08:00
6 changed files with 146 additions and 2 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -34,7 +34,8 @@ jobs:
      - name: Build
        run: npm run build
        env:
-          VITE_API_URL: https://api.ark-library.com
+          VITE_API_URL: ""
+          VITE_API_PREFIX: "/apnew"
          VITE_DISABLE_ADMIN: "true"

      - name: Setup SSH key
@@ -54,6 +55,22 @@ jobs:
              -e "ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no" \
              dist/ \
              ec2-user@${HOST}:/var/www/ark-library/
+            rsync -avz \
+              -e "ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no" \
+              deploy/nginx-frontend-locations.inc \
+              ec2-user@${HOST}:/tmp/ark-library-frontend.inc
+            rsync -avz \
+              -e "ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no" \
+              deploy/nginx-frontend-native.conf \
+              ec2-user@${HOST}:/tmp/ark-library-native.conf
+            ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no ec2-user@${HOST} bash -s <<'REMOTE'
+          set -euo pipefail
+          sudo mkdir -p /etc/nginx/snippets
+          sudo install -m 0644 /tmp/ark-library-frontend.inc /etc/nginx/snippets/ark-library-frontend.inc
+          sudo install -m 0644 /tmp/ark-library-native.conf /etc/nginx/conf.d/ark-library.conf
+          rm -f /tmp/ark-library-frontend.inc /tmp/ark-library-native.conf
+          sudo nginx -t && sudo systemctl reload nginx
+          REMOTE
            echo ">>> $HOST 部署完成"
          }
          deploy_to "${{ secrets.FRONTEND_1_HOST }}" &
--- a/deploy/nginx-frontend-locations.inc
+++ b/deploy/nginx-frontend-locations.inc
@@ -0,0 +1,102 @@
+# Shared SPA locations. Browser calls same-origin /apnew/api/ + /uploads/ (VITE_API_PREFIX=/apnew).
+# /apnew/api/ avoids ALB listener rule that sends /api/* to an unreachable backend target group.
+# Nginx proxies internally to ark-library-backend-1 (Tailscale); Host header for backend TLS.
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 5;
+gzip_types text/plain text/css application/javascript application/json application/xml image/svg+xml;
+gzip_min_length 256;
+
+location ^~ /apnew/api/admin {
+  return 404;
+}
+location ^~ /api/admin {
+  return 404;
+}
+location ^~ /admin {
+  return 404;
+}
+
+location ^~ /apnew/api/ {
+  proxy_pass https://100.93.205.19/api/;
+  proxy_http_version 1.1;
+  proxy_ssl_server_name on;
+  proxy_set_header Host api.ark-library.com;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  client_max_body_size 512m;
+  client_body_timeout 600s;
+  proxy_read_timeout 600s;
+  proxy_send_timeout 600s;
+}
+
+location ^~ /api/ {
+  proxy_pass https://100.93.205.19/api/;
+  proxy_http_version 1.1;
+  proxy_ssl_server_name on;
+  proxy_set_header Host api.ark-library.com;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  client_max_body_size 512m;
+  client_body_timeout 600s;
+  proxy_read_timeout 600s;
+  proxy_send_timeout 600s;
+}
+
+location ^~ /uploads/ {
+  proxy_pass https://100.93.205.19/uploads/;
+  proxy_http_version 1.1;
+  proxy_ssl_server_name on;
+  proxy_set_header Host api.ark-library.com;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location = /health {
+  default_type text/plain;
+  return 200 "ok\n";
+}
+
+location = /healthz {
+  default_type text/plain;
+  return 200 "ok\n";
+}
+
+location = /index.html {
+  try_files $uri =404;
+  add_header Cache-Control "no-cache, no-store, must-revalidate" always;
+}
+
+# Exact `/` so the HTML shell is never edge-cached without validators (avoids stale index.html → 404 on hashed /index-*.js or /assets/*).
+location = / {
+  try_files /index.html =404;
+  add_header Cache-Control "no-cache, no-store, must-revalidate" always;
+}
+
+location = /assets/logo-primary.webp {
+  try_files $uri =404;
+  add_header Cache-Control "public, max-age=3600, stale-while-revalidate=86400" always;
+}
+location ^~ /assets/ark-library/ {
+  try_files $uri =404;
+  add_header Cache-Control "public, max-age=86400, stale-while-revalidate=604800" always;
+}
+
+location ^~ /assets/ {
+  try_files $uri =404;
+  add_header Cache-Control "public, max-age=31536000, immutable" always;
+}
+
+# Hashed entry chunk at /index-[hash].js (Vite entryFileNames). Do not 308 to /assets — file lives here.
+location ~* ^/index-[A-Za-z0-9_-]+\.(js|mjs)$ {
+  try_files $uri =404;
+  add_header Cache-Control "public, max-age=31536000, immutable" always;
+}
+
+location / {
+  try_files $uri $uri/ /index.html;
+}
--- a/deploy/nginx-frontend-native.conf
+++ b/deploy/nginx-frontend-native.conf
@@ -0,0 +1,18 @@
+# Native system nginx (not Docker). SPA root: /var/www/ark-library
+# Snippet: /etc/nginx/snippets/ark-library-frontend.inc
+# ALB terminates TLS; apex uses X-Forwarded-Proto so we do not 301-loop behind the LB.
+
+server {
+  listen 80 default_server;
+  listen [::]:80 default_server;
+  server_name ark-library.com www.ark-library.com;
+
+  if ($http_x_forwarded_proto != "https") {
+    return 301 https://$host$request_uri;
+  }
+
+  root /var/www/ark-library;
+  index index.html;
+
+  include /etc/nginx/snippets/ark-library-frontend.inc;
+}
--- a/src/api.ts
+++ b/src/api.ts
@@ -1,4 +1,5 @@
-export const apiBase = import.meta.env.VITE_API_URL || "";
+export const apiPrefix = import.meta.env.VITE_API_PREFIX || "";
+export const apiBase = (import.meta.env.VITE_API_URL || "") + apiPrefix;

 /** Go JSON encodes nil slices as null — normalize before .map() */
 export function itemsOrEmpty<T>(items: T[] | null | undefined): T[] {
--- a/src/vite-env.d.ts
+++ b/src/vite-env.d.ts
@@ -2,6 +2,7 @@

 interface ImportMetaEnv {
  readonly VITE_API_URL: string;
+  readonly VITE_API_PREFIX?: string;
  readonly VITE_WALLETCONNECT_PROJECT_ID: string;
  readonly VITE_ADMIN_UI_PREFIX?: string;
  /** When `"true"`, bundle admin UI only (no public pages); use with `VITE_ADMIN_UI_PREFIX` or default secret prefix. */
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -20,6 +20,11 @@ export default defineConfig(({ mode }) => {
    server: {
      port: 5173,
      proxy: {
+        "/apnew/api": {
+          target: apiProxyTarget,
+          changeOrigin: true,
+          rewrite: (path) => path.replace(/^\/apnew/, ""),
+        },
        "/api": { target: apiProxyTarget, changeOrigin: true },
        "/uploads": { target: apiProxyTarget, changeOrigin: true },
      },