feat: 傻瓜式nginx反向代理配置

- Docker nginx使用8080端口避免与系统nginx冲突
- 启动nginx时自动配置系统nginx反向代理
- 支持Debian/Ubuntu和CentOS/RHEL两种配置目录
- 自动测试配置并重载nginx

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

deploy.sh

@@ -71,7 +71,7 @@ declare -A SERVICE_PORTS=(
     ["postgres"]=5432
     ["redis"]=6379
     ["neo4j"]=7474
-    ["nginx"]=80
+    ["nginx"]=8080
 )
 
 # 服务目录映射
@@ -437,10 +437,108 @@ start_all_backend() {
 
 # 启动 Nginx (静态文件服务)
 start_nginx() {
-    log_step "启动 Nginx..."
+    log_step "启动 iConsulting Nginx..."
     $DOCKER_COMPOSE up -d nginx
-    wait_for_service localhost 80 "Nginx"
-    log_success "Nginx 启动完成"
+    wait_for_service localhost 8080 "Nginx"
+    log_success "iConsulting Nginx 启动完成 (端口 8080)"
+
+    # 自动配置系统nginx反向代理
+    setup_system_nginx_proxy
+}
+
+# 自动配置系统nginx反向代理 (傻瓜式)
+setup_system_nginx_proxy() {
+    log_step "配置系统 Nginx 反向代理..."
+
+    # 检查系统nginx是否存在
+    if ! command -v nginx &> /dev/null; then
+        log_warning "系统未安装 nginx，跳过反向代理配置"
+        log_info "您可以通过 http://服务器IP:8080 直接访问"
+        return 0
+    fi
+
+    # 检查nginx配置目录
+    local nginx_available="/etc/nginx/sites-available"
+    local nginx_enabled="/etc/nginx/sites-enabled"
+    local nginx_conf_d="/etc/nginx/conf.d"
+
+    # 生成配置文件内容
+    local proxy_conf="# iConsulting 反向代理配置 (自动生成)
+# 生成时间: $(date)
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name $DOMAIN;
+
+    # Let's Encrypt 验证
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+
+    # 反向代理到 iConsulting Docker Nginx
+    location / {
+        proxy_pass http://127.0.0.1:8080;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection \"upgrade\";
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+"
+
+    # 尝试写入配置 (需要sudo权限)
+    if [ -d "$nginx_available" ]; then
+        # Debian/Ubuntu 风格
+        echo "$proxy_conf" | sudo tee "$nginx_available/iconsulting.conf" > /dev/null 2>&1
+        if [ $? -eq 0 ]; then
+            sudo ln -sf "$nginx_available/iconsulting.conf" "$nginx_enabled/iconsulting.conf" 2>/dev/null
+            log_success "配置已写入 $nginx_available/iconsulting.conf"
+        else
+            log_warning "无法写入nginx配置，请手动配置或使用sudo运行"
+            return 1
+        fi
+    elif [ -d "$nginx_conf_d" ]; then
+        # CentOS/RHEL 风格
+        echo "$proxy_conf" | sudo tee "$nginx_conf_d/iconsulting.conf" > /dev/null 2>&1
+        if [ $? -eq 0 ]; then
+            log_success "配置已写入 $nginx_conf_d/iconsulting.conf"
+        else
+            log_warning "无法写入nginx配置，请手动配置或使用sudo运行"
+            return 1
+        fi
+    else
+        log_warning "未找到nginx配置目录，请手动配置"
+        return 1
+    fi
+
+    # 测试nginx配置
+    log_info "测试 nginx 配置..."
+    if sudo nginx -t 2>/dev/null; then
+        log_success "nginx 配置测试通过"
+
+        # 重载nginx
+        log_info "重载 nginx..."
+        sudo systemctl reload nginx 2>/dev/null || sudo nginx -s reload 2>/dev/null
+        log_success "系统 nginx 已重载"
+
+        echo ""
+        log_success "反向代理配置完成！"
+        echo -e "${CYAN}现在可以通过以下地址访问:${NC}"
+        echo "  http://$DOMAIN"
+        echo ""
+        echo -e "${YELLOW}如需配置 HTTPS，请执行:${NC}"
+        echo "  sudo certbot --nginx -d $DOMAIN"
+    else
+        log_error "nginx 配置测试失败，请检查配置"
+        return 1
+    fi
 }
 
 # 启动所有服务

docker-compose.yml

@@ -275,8 +275,8 @@ services:
     depends_on:
       - kong
     ports:
-      - "80:80"
-      - "443:443"
+      - "8080:80"
+      - "8443:443"
     volumes:
       - ./packages/web-client/dist:/usr/share/nginx/html/web:ro
       - ./packages/admin-client/dist:/usr/share/nginx/html/admin:ro

nginx/system-nginx-proxy.conf

@@ -0,0 +1,94 @@
+# =============================================================================
+# iConsulting 系统 Nginx 反向代理配置
+#
+# 使用方法:
+#   1. 复制此文件到系统nginx配置目录:
+#      sudo cp nginx/system-nginx-proxy.conf /etc/nginx/sites-available/iconsulting.conf
+#   2. 创建软链接启用:
+#      sudo ln -s /etc/nginx/sites-available/iconsulting.conf /etc/nginx/sites-enabled/
+#   3. 测试配置:
+#      sudo nginx -t
+#   4. 重载nginx:
+#      sudo systemctl reload nginx
+# =============================================================================
+
+# HTTP -> HTTPS 重定向
+server {
+    listen 80;
+    listen [::]:80;
+    server_name iconsulting.szaiai.com;
+
+    # Let's Encrypt 验证
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+
+    # 重定向到 HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+# HTTPS 主配置
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name iconsulting.szaiai.com;
+
+    # SSL 证书 (使用系统nginx的证书，或Let's Encrypt证书)
+    ssl_certificate /etc/letsencrypt/live/iconsulting.szaiai.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/iconsulting.szaiai.com/privkey.pem;
+
+    # SSL 安全配置
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    # 日志
+    access_log /var/log/nginx/iconsulting.access.log;
+    error_log /var/log/nginx/iconsulting.error.log;
+
+    # 反向代理到 iConsulting Docker Nginx (8080端口)
+    location / {
+        proxy_pass http://127.0.0.1:8080;
+        proxy_http_version 1.1;
+
+        # WebSocket 支持
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # 传递原始请求信息
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+
+        # 超时设置
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+
+        # 缓冲设置
+        proxy_buffering on;
+        proxy_buffer_size 4k;
+        proxy_buffers 8 4k;
+    }
+
+    # API 请求直接转发到 Kong (可选，如果需要绕过Docker Nginx)
+    # location /api/ {
+    #     proxy_pass http://127.0.0.1:8000/;
+    #     proxy_http_version 1.1;
+    #     proxy_set_header Host $host;
+    #     proxy_set_header X-Real-IP $remote_addr;
+    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    #     proxy_set_header X-Forwarded-Proto $scheme;
+    # }
+}