feat: Nginx 反代配置、证书与 server/.env.example(证书日后可删或改由服务器单独放)
Made-with: Cursor
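--- a/nginx/README.md
+++ b/nginx/README.md
@@ -0,0 +1,70 @@
+# Nginx 配置(新服务器无 NPM 时使用)
+
+域名:**yuheng.yuxindazhineng.com**,强制 HTTPS,SSL 证书按域名单独存放。
+
+## 1. 证书目录(按域名命名)
+
+在服务器上创建专门存放 SSL 的目录,以域名为子目录名:
+
+```bash
+sudo mkdir -p /etc/ssl/yh_web/yuheng.yuxindazhineng.com
+```
+
+将证书文件放入该目录(Let's Encrypt 或自有证书均可):
+
+- **fullchain.pem** — 证书链(或你的 `fullchain.crt`,需在配置里改扩展名)
+- **privkey.pem** — 私钥(或你的 `privkey.key`)
+
+**一键脚本自动同步**:也可把证书放在项目 **`nginx/`** 下,运行 `./pull-and-restart.sh` 或 `./restart.sh` 会自动复制到系统目录。支持两种命名方式:
+- **`nginx/yuheng.yuxindazhineng.com.pem`** + **`nginx/yuheng.yuxindazhineng.com.key`**(按域名命名)
+- **`nginx/fullchain.pem`** + **`nginx/privkey.pem`**
+
+示例(若用 certbot):
+
+```bash
+# certbot 默认路径,可复制到统一目录或做软链接
+sudo cp /etc/letsencrypt/live/yuheng.yuxindazhineng.com/fullchain.pem /etc/ssl/yh_web/yuheng.yuxindazhineng.com/
+sudo cp /etc/letsencrypt/live/yuheng.yuxindazhineng.com/privkey.pem /etc/ssl/yh_web/yuheng.yuxindazhineng.com/
+sudo chown -R root:root /etc/ssl/yh_web/yuheng.yuxindazhineng.com
+sudo chmod 600 /etc/ssl/yh_web/yuheng.yuxindazhineng.com/privkey.pem
+```
+
+## 2. 部署 Nginx 配置
+
+```bash
+# 复制项目内配置到 Nginx 配置目录(按实际路径调整)
+sudo cp /www/yh_web/nginx/yuheng.yuxindazhineng.com.conf /etc/nginx/conf.d/
+
+# 检查配置
+sudo nginx -t
+
+# 重载
+sudo systemctl reload nginx
+```
+
+若 Nginx 使用其他路径(如 `sites-enabled`),请把上述 conf 放到对应目录并 `include` 到主配置。
+
+## 3. 路由对应关系
+
+| 访问路径 | 后端端口 | 说明 |
+|----------|----------|------|
+| `https://yuheng.yuxindazhineng.com/` | 9528 | 前台 |
+| `https://yuheng.yuxindazhineng.com/admin/` | 9529 | 管理后台 |
+| `https://yuheng.yuxindazhineng.com/api/` | 9527 | API |
+
+确保 `docker compose` 已启动,且本机 9527、9528、9529 已监听。
+
+## 4. 新服务器首次安装 Nginx
+
+```bash
+# CentOS / RHEL / 阿里云
+sudo dnf install -y nginx
+# 或
+sudo yum install -y nginx
+
+# 开机自启并启动
+sudo systemctl enable nginx
+sudo systemctl start nginx
+```
+
+然后再按上面步骤创建证书目录、放入证书、复制 conf 并重载。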
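--- a/nginx/yuheng.yuxindazhineng.com.conf
+++ b/nginx/yuheng.yuxindazhineng.com.conf
@@ -0,0 +1,57 @@
+# yh_web 反向代理:强制 HTTPS,SSL 证书按域名存放在独立目录
+# 证书路径:/etc/ssl/yh_web/yuheng.yuxindazhineng.com/
+# 部署:复制到 /etc/nginx/conf.d/ 或 include 到 nginx.conf 后 nginx -t && systemctl reload nginx
+
+# HTTP → HTTPS 强制跳转
+server {
+listen 80;
+listen [::]:80;
+server_name yuheng.yuxindazhineng.com;
+return 301 https://$server_name$request_uri;
+}
+
+# HTTPS
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+server_name yuheng.yuxindazhineng.com;
+
+# 证书按域名命名存放
+ssl_certificate /etc/ssl/yh_web/yuheng.yuxindazhineng.com/fullchain.pem;
+ssl_certificate_key /etc/ssl/yh_web/yuheng.yuxindazhineng.com/privkey.pem;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+
+# 前台
+location / {
+proxy_pass http://127.0.0.1:9528;
+proxy_http_version 1.1;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+# 管理后台
+location /admin/ {
+proxy_pass http://127.0.0.1:9529/;
+proxy_http_version 1.1;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+# API
+location /api/ {
+proxy_pass http://127.0.0.1:9527/;
+proxy_http_version 1.1;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+}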
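Review bot: The 443 server block sends no `Strict-Transport-Security` header, so a browser still tries plain HTTP first whenever a visit starts from an `http://` link or a bare hostname, and HTTPS enforcement rests on the port-80 `return 301` alone. Adding `add_header Strict-Transport-Security "max-age=31536000" always;` beside the `ssl_*` directives lets returning browsers skip the HTTP hop entirely. `location /admin/` is proxied to 127.0.0.1:9529 with the same unrestricted reach as the front end; whether the admin backend authenticates on its own is not visible in this commit, so an `allow`/`deny` list or `auth_basic` at the proxy would be a reasonable second layer. As a style point, the four identical `proxy_set_header` lines in each location could be declared once at server level, since none of the locations overrides them.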
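--- a/nginx/yuheng.yuxindazhineng.com.pem
+++ b/nginx/yuheng.yuxindazhineng.com.pem
@@ -0,0 +1,62 @@
+-----BEGIN CERTIFICATE-----
+MIIGKDCCBRCgAwIBAgIQDVgsPajfGvmIkXPM4ij1tTANBgkqhkiG9w0BAQsFADBu
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMS0wKwYDVQQDEyRFbmNyeXB0aW9uIEV2ZXJ5d2hlcmUg
+RFYgVExTIENBIC0gRzIwHhcNMjYwMzE3MDAwMDAwWhcNMjYwNjE0MjM1OTU5WjAk
+MSIwIAYDVQQDExl5dWhlbmcueXV4aW5kYXpoaW5lbmcuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA188iiRdYOJhtpDOpdnvcASNh37gYBih+dxDZ
+1NBdWWEWvb029kEfwoAeBCL5vp+PQ1IroBNIc37ZpDbDzCsYjboSlD29x2gskem5
+tj2av5UkTLpb3LMLfzwRBOGjGL4Eps2iLEzIKEAz5N+GY+xRHOQgSSTOia6zg4uw
+TANom7eiRsj+cLlkambAhor4ZyqQ0mjgAF4LhCfutj909cvrCvWK9AgD1SpCu2TF
+09gQ3i6pGhzZYZVCydCitypQ60xBix/VszVAdHBo73l1gluF71cu4+lrCsjzw3Mp
+oeO0pD1i0cUbkAzF3ypSmgrv0+3adtazm6rY9PefqB4fFHDtAwIDAQABo4IDCjCC
+AwYwHwYDVR0jBBgwFoAUeN+RkF/u3qz2xXXr1UxVU+8kSrYwHQYDVR0OBBYEFGdl
+14ALpI+hvS6aG1IwkK3pUnGTMEMGA1UdEQQ8MDqCGXl1aGVuZy55dXhpbmRhemhp
+bmVuZy5jb22CHXd3dy55dWhlbmcueXV4aW5kYXpoaW5lbmcuY29tMD4GA1UdIAQ3
+MDUwMwYGZ4EMAQIBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQu
+Y29tL0NQUzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+AQUFBwMCMIGABggrBgEFBQcBAQR0MHIwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw
+LmRpZ2ljZXJ0LmNvbTBKBggrBgEFBQcwAoY+aHR0cDovL2NhY2VydHMuZGlnaWNl
+cnQuY29tL0VuY3J5cHRpb25FdmVyeXdoZXJlRFZUTFNDQS1HMi5jcnQwDAYDVR0T
+AQH/BAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHUAZBHEbKQS7KeJHKIC
+LgC8q08oB9QeNSer6v7VA8l9zfAAAAGc+poK0AAABAMARjBEAiBLVUb3SHyMsb5q
+F+Q8hCDcZUQ2OZ1mgW/CAJDQhgPkrgIgRtWBs7dFvHVp2vYXogcZu7G3Nh7knysX
+zviq4/3HsIkAdgAOV5S8866pPjMbLJkHs/eQ35vCPXEyJd0hqSWsYcVOIQAAAZz6
+mgqrAAAEAwBHMEUCIQC+PjQ+sLSlbAJoLu7ZlMP2RJhvhcV5KIUnwFrP0Pxw6gIg
+YDXJsORch6kCTT0Ifar6x8Jz5Gvcj1Th1QFEIjWjNtgAdgBJnJtp3h187Pw23s2H
+ZKa4W68Kh4AZ0VVS++nrKd34wwAAAZz6mgreAAAEAwBHMEUCICIct7bW86B0PI0l
+inV8fe3awErWdf6o+WSlbDYp6VHtAiEA8/VCFN/U24dmaYOTB84SIuvrm8UWuZ5/
+JGcEgMczmyswDQYJKoZIhvcNAQELBQADggEBAKkFx94P90j3xqUGpPsdzXop8cc9
+nhCaJP6NgNgL0PuiZILWHaafM0S0+4rK4xYvvh3FrfuK7ZX0ppmtPCfsQF5/RatQ
+b1pZS2f/0ypCCYAfGL12IXJWX69CPBSS6fzw3dTtJD/wl3ZNzE0+w61xoGA1cByQ
+uo9P5CZ4bULdZon8udau2KW9pF4zjb9Uz7H+RWOIejwZGzJAMCVGZPVlGHLz8KEo
+1fJhr8mYtDRdWvsrCR2rUuFQGccz7IyWsc4Kz/YA7hcEjQit4ZZ0dinLVw5XL7R4
+TG4cwq95NCmhkT6cWOGU0JpebkDDGFrvh4WxtC8/7OwYgAGMYBEs1s2xPZ4=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEqjCCA5KgAwIBAgIQDeD/te5iy2EQn2CMnO1e0zANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
+MjAeFw0xNzExMjcxMjQ2NDBaFw0yNzExMjcxMjQ2NDBaMG4xCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xLTArBgNVBAMTJEVuY3J5cHRpb24gRXZlcnl3aGVyZSBEViBUTFMgQ0EgLSBH
+MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO8Uf46i/nr7pkgTDqnE
+eSIfCFqvPnUq3aF1tMJ5hh9MnO6Lmt5UdHfBGwC9Si+XjK12cjZgxObsL6Rg1njv
+NhAMJ4JunN0JGGRJGSevbJsA3sc68nbPQzuKp5Jc8vpryp2mts38pSCXorPR+sch
+QisKA7OSQ1MjcFN0d7tbrceWFNbzgL2csJVQeogOBGSe/KZEIZw6gXLKeFe7mupn
+NYJROi2iC11+HuF79iAttMc32Cv6UOxixY/3ZV+LzpLnklFq98XORgwkIJL1HuvP
+ha8yvb+W6JislZJL+HLFtidoxmI7Qm3ZyIV66W533DsGFimFJkz3y0GeHWuSVMbI
+lfsCAwEAAaOCAU8wggFLMB0GA1UdDgQWBBR435GQX+7erPbFdevVTFVT7yRKtjAf
+BgNVHSMEGDAWgBROIlQgGJXm427mD/r6uRLtBhePOTAOBgNVHQ8BAf8EBAMCAYYw
+HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdp
+Y2VydC5jb20wQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQu
+Y29tL0RpZ2lDZXJ0R2xvYmFsUm9vdEcyLmNybDBMBgNVHSAERTBDMDcGCWCGSAGG
+/WwBAjAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT
+MAgGBmeBDAECATANBgkqhkiG9w0BAQsFAAOCAQEAoBs1eCLKakLtVRPFRjBIJ9LJ
+L0s8ZWum8U8/1TMVkQMBn+CPb5xnCD0GSA6L/V0ZFrMNqBirrr5B241OesECvxIi
+98bZ90h9+q/X5eMyOD35f8YTaEMpdnQCnawIwiHx06/0BfiTj+b/XQih+mqt3ZXe
+xNCJqKexdiB2IWGSKcgahPacWkk/BAQFisKIFYEqHzV974S3FAz/8LIfD58xnsEN
+GfzyIDkH3JrwYZ8caPTf6ZX9M1GrISN8HnWTtdNCH2xEajRa/h9ZBXjUyFKQrGk2
+n2hcLrfZSbynEC/pSw/ET7H5nWwckjmAJ1l9fcnbqkU/pf6uMQmnfl0JQjJNSg==
+-----END CERTIFICATE-----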
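Review bot: Tracking TLS material under `nginx/` puts the private key one `git add nginx/` away from being published: this file holds only the public chain, but the README added in the same commit tells operators to drop the matching `yuheng.yuxindazhineng.com.key` or `privkey.pem` into this same directory for the sync scripts. Add ignore rules such as `nginx/*.key` and `nginx/privkey.pem` to `.gitignore` (whether one already exists is not visible here), and if a key was ever pushed, treat it as compromised and reissue the certificate. A certificate kept in the repository also goes stale at renewal; if `restart.sh` copies it into the system directory unconditionally — the scripts are not shown on this page — it could replace a newer certificate with this one.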
@@ -1,9 +1,9 @@
|
|||||||
# 复制为 .env 或 .env.production 后修改
|
# 复制为 .env 后按需修改(一键脚本会在缺失时自动复制)
|
||||||
# Go 不会自动加载 .env,需在启动前导出变量(见项目根目录 .env.example 的说明)
|
# Docker 部署时 MONGODB_URI 使用 mongo:27017(compose 服务名)
|
||||||
|
|
||||||
MONGODB_URI=mongodb://localhost:27017
|
MONGODB_URI=mongodb://mongo:27017
|
||||||
MONGODB_DB=yxd-agent-testing
|
MONGODB_DB=yxd-agent-testing
|
||||||
PORT=8080
|
PORT=9527
|
||||||
GIN_MODE=release
|
GIN_MODE=release
|
||||||
# CORS 允许的来源:对外域名 + 开发时前端地址(多个用逗号分隔)
|
# 对外域名(CORS、日志),与 nginx 反代域名一致
|
||||||
ALLOWED_ORIGINS=https://yuheng.yuxindazhineng.com,http://localhost:3000,http://localhost:3001
|
ALLOWED_ORIGINS=https://yuheng.yuxindazhineng.com
|
||||||
|
|||||||
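Review bot: The new `MONGODB_URI=mongodb://mongo:27017` carries no credentials, so the database is protected only by network reachability of the `mongo` service; that holds on a private compose network but not if the compose file publishes 27017 on the host, which this commit does not show. A comment above the line such as `# Enable MongoDB authentication in production and do not publish 27017 on the host` would make the assumption explicit. The same applies to `PORT=9527`: the README expects 9527–9529 to listen on the host, and they should be bound to 127.0.0.1 so the API cannot be reached around the nginx TLS front. The file header for this hunk is missing from the page; the commit title suggests it is `server/.env.example`.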