feat: Nginx 反代配置、证书与 server/.env.example（证书日后可删或改由服务器单独放）

Made-with: Cursor
2026-03-17 17:27:25 +08:00
parent 022a71dfd3
commit 16a77ab3c8
4 changed files with 195 additions and 6 deletions
--- a/nginx/README.md
+++ b/nginx/README.md
@@ -0,0 +1,70 @@
+# Nginx 配置（新服务器无 NPM 时使用）
+
+域名：**yuheng.yuxindazhineng.com**，强制 HTTPS，SSL 证书按域名单独存放。
+
+## 1. 证书目录（按域名命名）
+
+在服务器上创建专门存放 SSL 的目录，以域名为子目录名：
+
+```bash
+sudo mkdir -p /etc/ssl/yh_web/yuheng.yuxindazhineng.com
+```
+
+将证书文件放入该目录（Let's Encrypt 或自有证书均可）：
+
+- **fullchain.pem** — 证书链（或你的 `fullchain.crt`，需在配置里改扩展名）
+- **privkey.pem** — 私钥（或你的 `privkey.key`）
+
+**一键脚本自动同步**：也可把证书放在项目 **`nginx/`** 下，运行 `./pull-and-restart.sh` 或 `./restart.sh` 会自动复制到系统目录。支持两种命名方式：
+- **`nginx/yuheng.yuxindazhineng.com.pem`** + **`nginx/yuheng.yuxindazhineng.com.key`**（按域名命名）
+- **`nginx/fullchain.pem`** + **`nginx/privkey.pem`**
+
+示例（若用 certbot）：
+
+```bash
+# certbot 默认路径，可复制到统一目录或做软链接
+sudo cp /etc/letsencrypt/live/yuheng.yuxindazhineng.com/fullchain.pem /etc/ssl/yh_web/yuheng.yuxindazhineng.com/
+sudo cp /etc/letsencrypt/live/yuheng.yuxindazhineng.com/privkey.pem /etc/ssl/yh_web/yuheng.yuxindazhineng.com/
+sudo chown -R root:root /etc/ssl/yh_web/yuheng.yuxindazhineng.com
+sudo chmod 600 /etc/ssl/yh_web/yuheng.yuxindazhineng.com/privkey.pem
+```
+
+## 2. 部署 Nginx 配置
+
+```bash
+# 复制项目内配置到 Nginx 配置目录（按实际路径调整）
+sudo cp /www/yh_web/nginx/yuheng.yuxindazhineng.com.conf /etc/nginx/conf.d/
+
+# 检查配置
+sudo nginx -t
+
+# 重载
+sudo systemctl reload nginx
+```
+
+若 Nginx 使用其他路径（如 `sites-enabled`），请把上述 conf 放到对应目录并 `include` 到主配置。
+
+## 3. 路由对应关系
+
+| 访问路径 | 后端端口 | 说明 |
+|----------|----------|------|
+| `https://yuheng.yuxindazhineng.com/` | 9528 | 前台 |
+| `https://yuheng.yuxindazhineng.com/admin/` | 9529 | 管理后台 |
+| `https://yuheng.yuxindazhineng.com/api/` | 9527 | API |
+
+确保 `docker compose` 已启动，且本机 9527、9528、9529 已监听。
+
+## 4. 新服务器首次安装 Nginx
+
+```bash
+# CentOS / RHEL / 阿里云
+sudo dnf install -y nginx
+# 或
+sudo yum install -y nginx
+
+# 开机自启并启动
+sudo systemctl enable nginx
+sudo systemctl start nginx
+```
+
+然后再按上面步骤创建证书目录、放入证书、复制 conf 并重载。
--- a/nginx/yuheng.yuxindazhineng.com.conf
+++ b/nginx/yuheng.yuxindazhineng.com.conf
@@ -0,0 +1,57 @@
+# yh_web 反向代理：强制 HTTPS，SSL 证书按域名存放在独立目录
+# 证书路径：/etc/ssl/yh_web/yuheng.yuxindazhineng.com/
+# 部署：复制到 /etc/nginx/conf.d/ 或 include 到 nginx.conf 后 nginx -t && systemctl reload nginx
+
+# HTTP → HTTPS 强制跳转
+server {
+    listen 80;
+    listen [::]:80;
+    server_name yuheng.yuxindazhineng.com;
+    return 301 https://$server_name$request_uri;
+}
+
+# HTTPS
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name yuheng.yuxindazhineng.com;
+
+    # 证书按域名命名存放
+    ssl_certificate     /etc/ssl/yh_web/yuheng.yuxindazhineng.com/fullchain.pem;
+    ssl_certificate_key /etc/ssl/yh_web/yuheng.yuxindazhineng.com/privkey.pem;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+
+    # 前台
+    location / {
+        proxy_pass http://127.0.0.1:9528;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # 管理后台
+    location /admin/ {
+        proxy_pass http://127.0.0.1:9529/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # API
+    location /api/ {
+        proxy_pass http://127.0.0.1:9527/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
--- a/nginx/yuheng.yuxindazhineng.com.pem
+++ b/nginx/yuheng.yuxindazhineng.com.pem
@@ -0,0 +1,62 @@
+-----BEGIN CERTIFICATE-----
+MIIGKDCCBRCgAwIBAgIQDVgsPajfGvmIkXPM4ij1tTANBgkqhkiG9w0BAQsFADBu
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMS0wKwYDVQQDEyRFbmNyeXB0aW9uIEV2ZXJ5d2hlcmUg
+RFYgVExTIENBIC0gRzIwHhcNMjYwMzE3MDAwMDAwWhcNMjYwNjE0MjM1OTU5WjAk
+MSIwIAYDVQQDExl5dWhlbmcueXV4aW5kYXpoaW5lbmcuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA188iiRdYOJhtpDOpdnvcASNh37gYBih+dxDZ
+1NBdWWEWvb029kEfwoAeBCL5vp+PQ1IroBNIc37ZpDbDzCsYjboSlD29x2gskem5
+tj2av5UkTLpb3LMLfzwRBOGjGL4Eps2iLEzIKEAz5N+GY+xRHOQgSSTOia6zg4uw
+TANom7eiRsj+cLlkambAhor4ZyqQ0mjgAF4LhCfutj909cvrCvWK9AgD1SpCu2TF
+09gQ3i6pGhzZYZVCydCitypQ60xBix/VszVAdHBo73l1gluF71cu4+lrCsjzw3Mp
+oeO0pD1i0cUbkAzF3ypSmgrv0+3adtazm6rY9PefqB4fFHDtAwIDAQABo4IDCjCC
+AwYwHwYDVR0jBBgwFoAUeN+RkF/u3qz2xXXr1UxVU+8kSrYwHQYDVR0OBBYEFGdl
+14ALpI+hvS6aG1IwkK3pUnGTMEMGA1UdEQQ8MDqCGXl1aGVuZy55dXhpbmRhemhp
+bmVuZy5jb22CHXd3dy55dWhlbmcueXV4aW5kYXpoaW5lbmcuY29tMD4GA1UdIAQ3
+MDUwMwYGZ4EMAQIBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQu
+Y29tL0NQUzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+AQUFBwMCMIGABggrBgEFBQcBAQR0MHIwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw
+LmRpZ2ljZXJ0LmNvbTBKBggrBgEFBQcwAoY+aHR0cDovL2NhY2VydHMuZGlnaWNl
+cnQuY29tL0VuY3J5cHRpb25FdmVyeXdoZXJlRFZUTFNDQS1HMi5jcnQwDAYDVR0T
+AQH/BAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHUAZBHEbKQS7KeJHKIC
+LgC8q08oB9QeNSer6v7VA8l9zfAAAAGc+poK0AAABAMARjBEAiBLVUb3SHyMsb5q
+F+Q8hCDcZUQ2OZ1mgW/CAJDQhgPkrgIgRtWBs7dFvHVp2vYXogcZu7G3Nh7knysX
+zviq4/3HsIkAdgAOV5S8866pPjMbLJkHs/eQ35vCPXEyJd0hqSWsYcVOIQAAAZz6
+mgqrAAAEAwBHMEUCIQC+PjQ+sLSlbAJoLu7ZlMP2RJhvhcV5KIUnwFrP0Pxw6gIg
+YDXJsORch6kCTT0Ifar6x8Jz5Gvcj1Th1QFEIjWjNtgAdgBJnJtp3h187Pw23s2H
+ZKa4W68Kh4AZ0VVS++nrKd34wwAAAZz6mgreAAAEAwBHMEUCICIct7bW86B0PI0l
+inV8fe3awErWdf6o+WSlbDYp6VHtAiEA8/VCFN/U24dmaYOTB84SIuvrm8UWuZ5/
+JGcEgMczmyswDQYJKoZIhvcNAQELBQADggEBAKkFx94P90j3xqUGpPsdzXop8cc9
+nhCaJP6NgNgL0PuiZILWHaafM0S0+4rK4xYvvh3FrfuK7ZX0ppmtPCfsQF5/RatQ
+b1pZS2f/0ypCCYAfGL12IXJWX69CPBSS6fzw3dTtJD/wl3ZNzE0+w61xoGA1cByQ
+uo9P5CZ4bULdZon8udau2KW9pF4zjb9Uz7H+RWOIejwZGzJAMCVGZPVlGHLz8KEo
+1fJhr8mYtDRdWvsrCR2rUuFQGccz7IyWsc4Kz/YA7hcEjQit4ZZ0dinLVw5XL7R4
+TG4cwq95NCmhkT6cWOGU0JpebkDDGFrvh4WxtC8/7OwYgAGMYBEs1s2xPZ4=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEqjCCA5KgAwIBAgIQDeD/te5iy2EQn2CMnO1e0zANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
+MjAeFw0xNzExMjcxMjQ2NDBaFw0yNzExMjcxMjQ2NDBaMG4xCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xLTArBgNVBAMTJEVuY3J5cHRpb24gRXZlcnl3aGVyZSBEViBUTFMgQ0EgLSBH
+MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO8Uf46i/nr7pkgTDqnE
+eSIfCFqvPnUq3aF1tMJ5hh9MnO6Lmt5UdHfBGwC9Si+XjK12cjZgxObsL6Rg1njv
+NhAMJ4JunN0JGGRJGSevbJsA3sc68nbPQzuKp5Jc8vpryp2mts38pSCXorPR+sch
+QisKA7OSQ1MjcFN0d7tbrceWFNbzgL2csJVQeogOBGSe/KZEIZw6gXLKeFe7mupn
+NYJROi2iC11+HuF79iAttMc32Cv6UOxixY/3ZV+LzpLnklFq98XORgwkIJL1HuvP
+ha8yvb+W6JislZJL+HLFtidoxmI7Qm3ZyIV66W533DsGFimFJkz3y0GeHWuSVMbI
+lfsCAwEAAaOCAU8wggFLMB0GA1UdDgQWBBR435GQX+7erPbFdevVTFVT7yRKtjAf
+BgNVHSMEGDAWgBROIlQgGJXm427mD/r6uRLtBhePOTAOBgNVHQ8BAf8EBAMCAYYw
+HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdp
+Y2VydC5jb20wQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQu
+Y29tL0RpZ2lDZXJ0R2xvYmFsUm9vdEcyLmNybDBMBgNVHSAERTBDMDcGCWCGSAGG
+/WwBAjAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT
+MAgGBmeBDAECATANBgkqhkiG9w0BAQsFAAOCAQEAoBs1eCLKakLtVRPFRjBIJ9LJ
+L0s8ZWum8U8/1TMVkQMBn+CPb5xnCD0GSA6L/V0ZFrMNqBirrr5B241OesECvxIi
+98bZ90h9+q/X5eMyOD35f8YTaEMpdnQCnawIwiHx06/0BfiTj+b/XQih+mqt3ZXe
+xNCJqKexdiB2IWGSKcgahPacWkk/BAQFisKIFYEqHzV974S3FAz/8LIfD58xnsEN
+GfzyIDkH3JrwYZ8caPTf6ZX9M1GrISN8HnWTtdNCH2xEajRa/h9ZBXjUyFKQrGk2
+n2hcLrfZSbynEC/pSw/ET7H5nWwckjmAJ1l9fcnbqkU/pf6uMQmnfl0JQjJNSg==
+-----END CERTIFICATE-----