feat(deploy): Nginx反向代理 + SSL + 前端切换域名

部署架构:
- Nginx (跳板机 14.215.128.96) → Kong (192.168.1.222:48080)
- SSL: Let's Encrypt 证书已为 api.gogenex.com 签发
- HTTP 自动 301 → HTTPS

前端 API 地址:
- genex-mobile: https://api.gogenex.com (ApiClient + UpdateService)
- miniapp: https://api.gogenex.com (development config)
- 备案完成后切回 https://api.gogenex.cn

Namecheap DNS 新增:
- admin.gogenex.com → 154.84.135.121
- ws.gogenex.com → 154.84.135.121

备注:
- gogenex.cn 的 80/443 端口被世纪互联 ISP 拦截，需完成 ICP 备案
- admin/ws 子域名的 SSL 证书待 DNS 传播后申请

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

deploy/nginx/deploy.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# ============================================================
+# Genex Nginx 部署脚本
+# 跳板机: 14.215.128.96 (gcx-jump)
+# SSH:    ssh -i ~/.ssh/id_ed25519 root@14.215.128.96
+# ============================================================
+set -euo pipefail
+
+CONF_NAME="genex-api.conf"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+CONF_SRC="${SCRIPT_DIR}/${CONF_NAME}"
+
+echo "=== Genex Nginx 部署 ==="
+
+# 1. 安装 Nginx 配置
+echo "[1/4] 安装配置 → /etc/nginx/sites-available/"
+cp "${CONF_SRC}" /etc/nginx/sites-available/${CONF_NAME}
+
+# 2. 启用站点
+echo "[2/4] 创建 sites-enabled 软链..."
+ln -sf /etc/nginx/sites-available/${CONF_NAME} /etc/nginx/sites-enabled/${CONF_NAME}
+
+# 3. 创建 certbot webroot
+echo "[3/4] 创建 ACME 验证目录..."
+mkdir -p /var/www/certbot
+
+# 4. 测试并重载
+echo "[4/4] 测试配置并重载..."
+nginx -t
+systemctl reload nginx
+
+echo ""
+echo "=== 部署完成 ==="
+echo "HTTPS 已启用: https://api.gogenex.com"
+echo ""
+echo "续签 SSL 证书 (自动续签已配置):"
+echo "  certbot renew --dry-run"
+echo ""
+echo "新增域名证书:"
+echo "  certbot certonly --webroot -w /var/www/certbot -d admin.gogenex.com -d ws.gogenex.com"

deploy/nginx/genex-api.conf

@@ -0,0 +1,92 @@
+# ============================================================
+# Genex API Gateway — Nginx 反向代理
+# 海外: api.gogenex.com → 154.84.135.121 → Kong 192.168.1.222:48080
+# 国内: api.gogenex.cn  → 14.215.128.96  → Kong 192.168.1.222:48080
+#       (gogenex.cn 需备案后才能走 80/443 端口)
+# ============================================================
+
+upstream genex_kong {
+    server 192.168.1.222:48080;
+    keepalive 32;
+}
+
+# --- HTTP: 保留用于 ACME 验证 + 301 跳转 ---
+server {
+    listen 80;
+    listen [::]:80;
+    server_name api.gogenex.cn api.gogenex.com
+                admin.gogenex.cn admin.gogenex.com
+                ws.gogenex.cn ws.gogenex.com;
+
+    # Let's Encrypt ACME 验证路径
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # HTTP → HTTPS 301 跳转（有证书的域名）
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# --- HTTPS: api.gogenex.com ---
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name api.gogenex.com;
+
+    ssl_certificate     /etc/letsencrypt/live/api.gogenex.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/api.gogenex.com/privkey.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    location / {
+        proxy_pass http://genex_kong;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+
+        proxy_connect_timeout 10s;
+        proxy_send_timeout    60s;
+        proxy_read_timeout    60s;
+
+        # WebSocket 支持（交易推送 / AI Agent 等）
+        proxy_set_header Upgrade    $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
+
+# --- HTTPS: admin.gogenex.com + ws.gogenex.com ---
+# （DNS 传播后申请证书，再取消注释）
+# server {
+#     listen 443 ssl http2;
+#     listen [::]:443 ssl http2;
+#     server_name admin.gogenex.com ws.gogenex.com;
+#
+#     ssl_certificate     /etc/letsencrypt/live/admin.gogenex.com/fullchain.pem;
+#     ssl_certificate_key /etc/letsencrypt/live/admin.gogenex.com/privkey.pem;
+#     ssl_protocols       TLSv1.2 TLSv1.3;
+#     ssl_ciphers         HIGH:!aNULL:!MD5;
+#     ssl_prefer_server_ciphers on;
+#
+#     location / {
+#         proxy_pass http://genex_kong;
+#         proxy_set_header Host              $host;
+#         proxy_set_header X-Real-IP         $remote_addr;
+#         proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+#         proxy_set_header X-Forwarded-Proto $scheme;
+#         proxy_http_version 1.1;
+#         proxy_set_header Connection "";
+#
+#         proxy_connect_timeout 10s;
+#         proxy_send_timeout    60s;
+#         proxy_read_timeout    60s;
+#
+#         proxy_set_header Upgrade    $http_upgrade;
+#         proxy_set_header Connection "upgrade";
+#     }
+# }

frontend/genex-mobile/lib/core/network/api_client.dart

@@ -19,8 +19,9 @@ class ApiClient {
     ));
   }
 
-  /// 默认 API 地址；正式上线后切回 https://api.gogenex.cn
-  static const String defaultBaseUrl = 'http://154.84.135.121:48080';
+  /// 默认 API 地址（走 Nginx 反向代理 → Kong 网关）
+  /// 备案完成后切回 https://api.gogenex.cn
+  static const String defaultBaseUrl = 'https://api.gogenex.com';
 
   static ApiClient get instance {
     _instance ??= ApiClient._(baseUrl: defaultBaseUrl);

frontend/genex-mobile/lib/main.dart

@@ -40,9 +40,9 @@ import 'features/coupons/presentation/pages/wallet_coupons_page.dart';
 Future<void> main() async {
   WidgetsFlutterBinding.ensureInitialized();
 
-  // 初始化升级服务（测试阶段指向内部服务器）
+  // 初始化升级服务（走 Nginx 反向代理 → Kong 网关）
   UpdateService().initialize(UpdateConfig.selfHosted(
-    apiBaseUrl: 'http://154.84.135.121:48080',
+    apiBaseUrl: 'https://api.gogenex.com',
     enabled: true,
   ));
 

frontend/miniapp/src/config/index.ts

@@ -4,7 +4,7 @@
 
 const envConfig = {
   development: {
-    API_BASE_URL: 'http://154.84.135.121:48080',
+    API_BASE_URL: 'https://api.gogenex.com',
   },
   production: {
     API_BASE_URL: 'https://api.gogenex.cn',