diff --git a/deploy.sh b/deploy.sh index bf709c5..f4e8269 100755 --- a/deploy.sh +++ b/deploy.sh @@ -71,7 +71,7 @@ declare -A SERVICE_PORTS=( ["postgres"]=5432 ["redis"]=6379 ["neo4j"]=7474 - ["nginx"]=80 + ["nginx"]=8080 ) # 服务目录映射 
@@ -437,10 +437,108 @@ start_all_backend() { # 启动 Nginx (静态文件服务) start_nginx() { - log_step "启动 Nginx..." + log_step "启动 iConsulting Nginx..." $DOCKER_COMPOSE up -d nginx - wait_for_service localhost 80 "Nginx" - log_success "Nginx 启动完成" + wait_for_service localhost 8080 "Nginx" + log_success "iConsulting Nginx 启动完成 (端口 8080)" + + # 自动配置系统nginx反向代理 + setup_system_nginx_proxy +} + +# 自动配置系统nginx反向代理 (傻瓜式) +setup_system_nginx_proxy() { + log_step "配置系统 Nginx 反向代理..." + + # 检查系统nginx是否存在 + if ! command -v nginx &> /dev/null; then + log_warning "系统未安装 nginx,跳过反向代理配置" + log_info "您可以通过 http://服务器IP:8080 直接访问" + return 0 + fi + + # 检查nginx配置目录 + local nginx_available="/etc/nginx/sites-available" + local nginx_enabled="/etc/nginx/sites-enabled" + local nginx_conf_d="/etc/nginx/conf.d" + + # 生成配置文件内容 + local proxy_conf="# iConsulting 反向代理配置 (自动生成) +# 生成时间: $(date) + +server { + listen 80; + listen [::]:80; + server_name $DOMAIN; + + # Let's Encrypt 验证 + location /.well-known/acme-challenge/ { + root /var/www/html; + } + + # 反向代理到 iConsulting Docker Nginx + location / { + proxy_pass http://127.0.0.1:8080; + proxy_http_version 1.1; + proxy_set_header Upgrade \$http_upgrade; + proxy_set_header Connection \"upgrade\"; + proxy_set_header Host \$host; + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto \$scheme; + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + } +} +" + + # 尝试写入配置 (需要sudo权限) + if [ -d "$nginx_available" ]; then + # Debian/Ubuntu 风格 + echo "$proxy_conf" | sudo tee "$nginx_available/iconsulting.conf" > /dev/null 2>&1 + if [ $? 
-eq 0 ]; then + sudo ln -sf "$nginx_available/iconsulting.conf" "$nginx_enabled/iconsulting.conf" 2>/dev/null + log_success "配置已写入 $nginx_available/iconsulting.conf" + else + log_warning "无法写入nginx配置,请手动配置或使用sudo运行" + return 1 + fi + elif [ -d "$nginx_conf_d" ]; then + # CentOS/RHEL 风格 + echo "$proxy_conf" | sudo tee "$nginx_conf_d/iconsulting.conf" > /dev/null 2>&1 + if [ $? -eq 0 ]; then + log_success "配置已写入 $nginx_conf_d/iconsulting.conf" + else + log_warning "无法写入nginx配置,请手动配置或使用sudo运行" + return 1 + fi + else + log_warning "未找到nginx配置目录,请手动配置" + return 1 + fi + + # 测试nginx配置 + log_info "测试 nginx 配置..." + if sudo nginx -t 2>/dev/null; then + log_success "nginx 配置测试通过" + + # 重载nginx + log_info "重载 nginx..." + sudo systemctl reload nginx 2>/dev/null || sudo nginx -s reload 2>/dev/null + log_success "系统 nginx 已重载" + + echo "" + log_success "反向代理配置完成!" + echo -e "${CYAN}现在可以通过以下地址访问:${NC}" + echo " http://$DOMAIN" + echo "" + echo -e "${YELLOW}如需配置 HTTPS,请执行:${NC}" + echo " sudo certbot --nginx -d $DOMAIN" + else + log_error "nginx 配置测试失败,请检查配置" + return 1 + fi } # 启动所有服务 diff --git a/docker-compose.yml b/docker-compose.yml index 48b8da9..64cf3c2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -275,8 +275,8 @@ services: depends_on: - kong ports: - - "80:80" - - "443:443" + - "8080:80" + - "8443:443" volumes: - ./packages/web-client/dist:/usr/share/nginx/html/web:ro - ./packages/admin-client/dist:/usr/share/nginx/html/admin:ro diff --git a/nginx/system-nginx-proxy.conf b/nginx/system-nginx-proxy.conf new file mode 100644 index 0000000..91713c2 --- /dev/null +++ b/nginx/system-nginx-proxy.conf 
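Review bot: When `sudo nginx -t` fails, setup_system_nginx_proxy returns 1 but leaves the just-written iconsulting.conf (and its sites-enabled symlink) in place, so every later reload or restart of the system nginx fails until someone removes it by hand, and the `2>/dev/null` on that line discards the only diagnostic nginx would give. The reload step has the same shape: both `systemctl reload` and `nginx -s reload` may fail silently and `log_success "系统 nginx 已重载"` is printed regardless. I would have each write branch record its target in a local `conf_path`, remove that file when the test fails, and gate the success message on the reload actually succeeding, as below. Separately, `server_name $DOMAIN;` is embedded without any check, so an unset DOMAIN fails the test and a value containing `;` or a newline is written verbatim into a root-owned nginx config; guard with `: "${DOMAIN:?DOMAIN must be set}"` and a hostname pattern such as `[[ "$DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || return 1` before building proxy_conf.
```shell
    # … unchanged: nginx presence check, directory locals, proxy_conf generation …
    # each write branch sets conf_path to the file it wrote, e.g. conf_path="$nginx_available/iconsulting.conf"
    local conf_path
    # … unchanged: tee into sites-available or conf.d, symlink into sites-enabled …

    log_info "测试 nginx 配置..."
    # keep stderr: it is the only explanation of a failed test
    if ! sudo nginx -t; then
        log_error "nginx 配置测试失败,已删除 $conf_path 以免影响系统 nginx"
        sudo rm -f -- "$conf_path" "$nginx_enabled/iconsulting.conf"
        return 1
    fi
    log_success "nginx 配置测试通过"

    log_info "重载 nginx..."
    if ! sudo systemctl reload nginx 2>/dev/null && ! sudo nginx -s reload; then
        log_error "nginx 重载失败,请手动执行: sudo systemctl reload nginx"
        return 1
    fi
    log_success "系统 nginx 已重载"
    # … unchanged: access URL banner and certbot hint …
```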
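Review bot: `"8080:80"` and `"8443:443"` publish the container nginx on every interface, while the new system-nginx front end only ever proxies to 127.0.0.1:8080, so the plain-HTTP upstream stays reachable from outside alongside the TLS/HSTS front end, and Docker's own iptables rules bypass host firewalls such as ufw. If the system nginx is meant to be the only entry point, bind to loopback: `- "127.0.0.1:8080:80"` and `- "127.0.0.1:8443:443"`. That conflicts with the deploy.sh fallback that tells the user to open http://服务器IP:8080 when no system nginx is installed, so the two need to be reconciled deliberately rather than left implicit. Nothing in the diff forwards to 8443, so it is unclear whether the container's 443 listener is still needed at all.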
@@ -0,0 +1,94 @@ +# ============================================================================= +# iConsulting 系统 Nginx 反向代理配置 +# +# 使用方法: +# 1. 复制此文件到系统nginx配置目录: +# sudo cp nginx/system-nginx-proxy.conf /etc/nginx/sites-available/iconsulting.conf +# 2. 创建软链接启用: +# sudo ln -s /etc/nginx/sites-available/iconsulting.conf /etc/nginx/sites-enabled/ +# 3. 测试配置: +# sudo nginx -t +# 4. 重载nginx: +# sudo systemctl reload nginx +# ============================================================================= + +# HTTP -> HTTPS 重定向 +server { + listen 80; + listen [::]:80; + server_name iconsulting.szaiai.com; + + # Let's Encrypt 验证 + location /.well-known/acme-challenge/ { + root /var/www/html; + } + + # 重定向到 HTTPS + location / { + return 301 https://$server_name$request_uri; + } +} + +# HTTPS 主配置 +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name iconsulting.szaiai.com; + + # SSL 证书 (使用系统nginx的证书,或Let's Encrypt证书) + ssl_certificate /etc/letsencrypt/live/iconsulting.szaiai.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/iconsulting.szaiai.com/privkey.pem; + + # SSL 安全配置 + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS + add_header Strict-Transport-Security "max-age=63072000" always; + + # 日志 + access_log /var/log/nginx/iconsulting.access.log; + error_log /var/log/nginx/iconsulting.error.log; + + # 反向代理到 iConsulting Docker Nginx (8080端口) + location / { + proxy_pass http://127.0.0.1:8080; + proxy_http_version 1.1; + + # WebSocket 支持 + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # 传递原始请求信息 + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header 
X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + + # 超时设置 + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + # 缓冲设置 + proxy_buffering on; + proxy_buffer_size 4k; + proxy_buffers 8 4k; + } + + # API 请求直接转发到 Kong (可选,如果需要绕过Docker Nginx) + # location /api/ { + # proxy_pass http://127.0.0.1:8000/; + # proxy_http_version 1.1; + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header X-Forwarded-Proto $scheme; + # } +}
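Review bot: This file and the config generated by setup_system_nginx_proxy in deploy.sh both land at /etc/nginx/sites-available/iconsulting.conf, and the generated one is HTTP-only with `server_name $DOMAIN;`, so running deploy.sh after this HTTPS file has been installed overwrites it via `tee` and silently drops the 443 server block, HSTS and the 301 redirect. Either give the two files different names, or have the script skip writing when an iconsulting.conf already exists; a line in the header here, `# 注意: deploy.sh 的 setup_system_nginx_proxy 会覆盖同名文件`, would at least document the hazard. The hostname is also hard-coded in four places (server_name twice, certificate paths twice) whereas the script parameterises it through DOMAIN, so a comment noting that these must be edited together would help. `listen 443 ssl http2;` is the older form; on recent nginx it still works but warns, with `http2 on;` being the current spelling — hedged, since the target nginx version is not shown.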