diff --git a/backend/services/identity-service/AUTOMATED_TESTS_README.md b/backend/services/identity-service/docs/AUTOMATED_TESTS_README.md similarity index 100% rename from backend/services/identity-service/AUTOMATED_TESTS_README.md rename to backend/services/identity-service/docs/AUTOMATED_TESTS_README.md diff --git a/backend/services/identity-service/DEPLOYMENT.md b/backend/services/identity-service/docs/DEPLOYMENT.md similarity index 100% rename from backend/services/identity-service/DEPLOYMENT.md rename to backend/services/identity-service/docs/DEPLOYMENT.md diff --git a/backend/services/identity-service/DEPLOYMENT_GUIDE.md b/backend/services/identity-service/docs/DEPLOYMENT_GUIDE.md similarity index 90% rename from backend/services/identity-service/DEPLOYMENT_GUIDE.md rename to backend/services/identity-service/docs/DEPLOYMENT_GUIDE.md index 0f85c984..a9cc50d8 100644 --- a/backend/services/identity-service/DEPLOYMENT_GUIDE.md +++ b/backend/services/identity-service/docs/DEPLOYMENT_GUIDE.md @@ -118,19 +118,28 @@ ### 3.1 目录结构 -在 Nginx 服务器上创建以下目录结构: +在 Nginx 服务器上使用 `sites-available` / `sites-enabled` 标准结构: ``` /etc/nginx/ -├── nginx.conf # 主配置文件 -├── conf.d/ -│ ├── rwaapi.conf # API 网关配置 -│ └── proxy_params.conf # 代理参数配置 +├── nginx.conf # 主配置文件 +├── sites-available/ # 可用站点配置 +│ └── rwaapi.szaiai.com.conf # API 网关配置 +├── sites-enabled/ # 已启用站点 (软链接) +│ └── rwaapi.szaiai.com.conf → ../sites-available/rwaapi.szaiai.com.conf +├── snippets/ # 可复用配置片段 +│ ├── proxy-params.conf # 代理参数 +│ └── ssl-params.conf # SSL 安全参数 └── ssl/ - ├── rwaapi.szaiai.com.pem # SSL 证书 - └── rwaapi.szaiai.com.key # SSL 私钥 + ├── rwaapi.szaiai.com.pem # SSL 证书 + └── rwaapi.szaiai.com.key # SSL 私钥 ``` +**使用 `sites-available/sites-enabled` 的优势:** +- 快速启用/禁用站点:`ln -s` / `rm` 软链接 +- 保留配置历史,方便回滚 +- 多站点管理更清晰 + ### 3.2 主配置文件 `/etc/nginx/nginx.conf` ```nginx 
@@ -176,11 +185,12 @@ http { limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s; limit_conn_zone $binary_remote_addr zone=conn_limit:10m; - include /etc/nginx/conf.d/*.conf; + # 加载已启用的站点配置 + include /etc/nginx/sites-enabled/*.conf; } ``` -### 3.3 代理参数配置 `/etc/nginx/conf.d/proxy_params.conf` +### 3.3 代理参数配置 `/etc/nginx/snippets/proxy-params.conf` ```nginx proxy_http_version 1.1; @@ -200,7 +210,24 @@ proxy_buffers 8 4k; proxy_busy_buffers_size 8k; ``` -### 3.4 API 网关配置 `/etc/nginx/conf.d/rwaapi.conf` +### 3.4 SSL 安全参数 `/etc/nginx/snippets/ssl-params.conf` + +```nginx +# SSL 会话配置 +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:50m; +ssl_session_tickets off; + +# 现代 SSL 协议配置 +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; +ssl_prefer_server_ciphers off; + +# HSTS +add_header Strict-Transport-Security "max-age=63072000" always; +``` + +### 3.5 API 网关配置 `/etc/nginx/sites-available/rwaapi.szaiai.com.conf` ```nginx # ============================================ @@ -257,20 +284,12 @@ server { listen 443 ssl http2; server_name rwaapi.szaiai.com; - # SSL 证书配置 + # SSL 证书 ssl_certificate /etc/nginx/ssl/rwaapi.szaiai.com.pem; ssl_certificate_key /etc/nginx/ssl/rwaapi.szaiai.com.key; - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:50m; - ssl_session_tickets off; - # 现代 SSL 配置 - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - # HSTS - add_header Strict-Transport-Security "max-age=63072000" always; + # 引入 SSL 安全参数 + include snippets/ssl-params.conf; # 安全头 add_header X-Frame-Options "SAMEORIGIN" always; 
@@ -315,12 +334,12 @@ server { # ============================================ location /api/v1/user { proxy_pass http://identity_service/api/v1/user; - include /etc/nginx/conf.d/proxy_params.conf; + include snippets/proxy-params.conf; } location /api/v1/auth { proxy_pass http://identity_service/api/v1/auth; - include /etc/nginx/conf.d/proxy_params.conf; + include snippets/proxy-params.conf; } # ============================================ @@ -330,19 +349,19 @@ server { # ============================================ location /api/v1/wallet { proxy_pass http://wallet_service/api/v1/wallet; - include /etc/nginx/conf.d/proxy_params.conf; + include snippets/proxy-params.conf; } # Trading - 交易 location /api/v1/trading { proxy_pass http://wallet_service/api/v1/trading; - include /etc/nginx/conf.d/proxy_params.conf; + include snippets/proxy-params.conf; } # Deposit - 充值 location /api/v1/deposit { proxy_pass http://wallet_service/api/v1/deposit; - include /etc/nginx/conf.d/proxy_params.conf; + include snippets/proxy-params.conf; } # ============================================ @@ -352,7 +371,7 @@ server { # ============================================ location /api/v1/planting { proxy_pass http://planting_service/api/v1/planting; - include /etc/nginx/conf.d/proxy_params.conf; + include snippets/proxy-params.conf; } # ============================================ @@ -362,12 +381,12 @@ server { # ============================================ location /api/v1/referral { proxy_pass http://referral_service/api/v1/referral; - include /etc/nginx/conf.d/proxy_params.conf; + include snippets/proxy-params.conf; } location /api/v1/community { proxy_pass http://referral_service/api/v1/community; - include /etc/nginx/conf.d/proxy_params.conf; + include snippets/proxy-params.conf; } # ============================================ 
@@ -378,12 +397,12 @@ server { # ============================================ location /api/v1/mining { proxy_pass http://reward_service/api/v1/mining; - include /etc/nginx/conf.d/proxy_params.conf; + include snippets/proxy-params.conf; } location /api/v1/reward { proxy_pass http://reward_service/api/v1/reward; - include /etc/nginx/conf.d/proxy_params.conf; + include snippets/proxy-params.conf; } # ============================================ @@ -393,12 +412,12 @@ server { # ============================================ location /api/v1/ranking { proxy_pass http://leaderboard_service/api/ranking; - include /etc/nginx/conf.d/proxy_params.conf; + include snippets/proxy-params.conf; } location /api/v1/leaderboard { proxy_pass http://leaderboard_service/api/leaderboard; - include /etc/nginx/conf.d/proxy_params.conf; + include snippets/proxy-params.conf; } # ============================================ @@ -409,12 +428,12 @@ server { # ============================================ location /api/v1/telemetry { proxy_pass http://reporting_service/api/v1/telemetry; - include /etc/nginx/conf.d/proxy_params.conf; + include snippets/proxy-params.conf; } location /api/v1/report { proxy_pass http://reporting_service/api/v1/report; - include /etc/nginx/conf.d/proxy_params.conf; + include snippets/proxy-params.conf; } # ============================================ 
@@ -910,22 +929,43 @@ WALLET_ENCRYPTION_SALT=your_wallet_encryption_salt # 1. 安装 Nginx apt update && apt install -y nginx -# 2. 创建配置目录 +# 2. 创建目录结构 +mkdir -p /etc/nginx/sites-available +mkdir -p /etc/nginx/sites-enabled +mkdir -p /etc/nginx/snippets mkdir -p /etc/nginx/ssl # 3. 复制配置文件 -# 将上面的 nginx.conf, proxy_params.conf, rwaapi.conf 复制到对应目录 +# 将上面的配置文件复制到对应目录: +# - nginx.conf → /etc/nginx/nginx.conf +# - proxy-params.conf → /etc/nginx/snippets/proxy-params.conf +# - ssl-params.conf → /etc/nginx/snippets/ssl-params.conf +# - rwaapi.szaiai.com.conf → /etc/nginx/sites-available/rwaapi.szaiai.com.conf -# 4. 安装 SSL 证书 (Let's Encrypt 示例) +# 4. 启用站点 (创建软链接) +ln -s /etc/nginx/sites-available/rwaapi.szaiai.com.conf /etc/nginx/sites-enabled/ + +# 5. 禁用默认站点 (如果存在) +rm -f /etc/nginx/sites-enabled/default + +# 6. 安装 SSL 证书 (Let's Encrypt) apt install -y certbot python3-certbot-nginx -certbot --nginx -d rwaapi.szaiai.com +certbot certonly --nginx -d rwaapi.szaiai.com +# 证书会自动保存到 /etc/letsencrypt/live/rwaapi.szaiai.com/ +# 然后创建软链接到 /etc/nginx/ssl/: +ln -s /etc/letsencrypt/live/rwaapi.szaiai.com/fullchain.pem /etc/nginx/ssl/rwaapi.szaiai.com.pem +ln -s /etc/letsencrypt/live/rwaapi.szaiai.com/privkey.pem /etc/nginx/ssl/rwaapi.szaiai.com.key -# 5. 测试配置 +# 7. 测试配置 nginx -t -# 6. 重启 Nginx +# 8. 重启 Nginx systemctl restart nginx systemctl enable nginx + +# 9. 站点管理命令 +# 禁用站点: rm /etc/nginx/sites-enabled/rwaapi.szaiai.com.conf && nginx -s reload +# 启用站点: ln -s /etc/nginx/sites-available/rwaapi.szaiai.com.conf /etc/nginx/sites-enabled/ && nginx -s reload ``` ### 6.2 后端服务器 (192.168.1.111) 配置 diff --git a/backend/services/identity-service/E2E_TEST_SETUP.md b/backend/services/identity-service/docs/E2E_TEST_SETUP.md similarity index 100% rename from backend/services/identity-service/E2E_TEST_SETUP.md rename to backend/services/identity-service/docs/E2E_TEST_SETUP.md 
diff --git a/backend/services/identity-service/FIXES_APPLIED.md b/backend/services/identity-service/docs/FIXES_APPLIED.md
similarity index 100%
rename from backend/services/identity-service/FIXES_APPLIED.md
rename to backend/services/identity-service/docs/FIXES_APPLIED.md
diff --git a/backend/services/identity-service/docs/README.md b/backend/services/identity-service/docs/README.md
new file mode 100644
index 00000000..c7cedf6e
--- /dev/null
+++ b/backend/services/identity-service/docs/README.md
@@ -0,0 +1,54 @@
+# Identity Service 文档
+
+本目录包含 Identity Service 及整个 RWA Durian 系统的相关文档。
+
+## 文档索引
+
+### 部署相关
+
+| 文档 | 说明 |
+|------|------|
+| [DEPLOYMENT_GUIDE.md](./DEPLOYMENT_GUIDE.md) | **完整部署指南** - Nginx、MPC-System、微服务部署 |
+| [DEPLOYMENT.md](./DEPLOYMENT.md) | Identity Service 单服务部署 |
+
+### 测试相关
+
+| 文档 | 说明 |
+|------|------|
+| [TESTING_GUIDE.md](./TESTING_GUIDE.md) | 测试指南 |
+| [TESTING_STRATEGY.md](./TESTING_STRATEGY.md) | 测试策略 |
+| [TEST-STRATEGY.md](./TEST-STRATEGY.md) | 测试策略补充 |
+| [TEST_AUTOMATION_GUIDE.md](./TEST_AUTOMATION_GUIDE.md) | 自动化测试指南 |
+| [AUTOMATED_TESTS_README.md](./AUTOMATED_TESTS_README.md) | 自动化测试说明 |
+| [E2E_TEST_SETUP.md](./E2E_TEST_SETUP.md) | E2E 测试环境配置 |
+| [测试完成总结.md](./测试完成总结.md) | 测试完成报告 |
+
+### 其他
+
+| 文档 | 说明 |
+|------|------|
+| [FIXES_APPLIED.md](./FIXES_APPLIED.md) | 已修复问题记录 |
+| [REMAINING_STEPS.md](./REMAINING_STEPS.md) | 待完成步骤 |
+
+## 快速开始
+
+1. **本地开发**: 参考根目录 `README.md`
+2. **生产部署**: 参考 [DEPLOYMENT_GUIDE.md](./DEPLOYMENT_GUIDE.md)
+3. **运行测试**: 参考 [TESTING_GUIDE.md](./TESTING_GUIDE.md)
+
+## 系统架构
+
+```
+192.168.1.100 (公网) 192.168.1.111 (内网)
+┌─────────────────┐ ┌─────────────────────────┐
+│ Nginx (80/443) │ │ Identity Service :3000 │
+│ MPC-System:4000 │◄────────►│ MPC Service :3001 │
+└─────────────────┘ │ Wallet Service :3002 │
+ │ ... 其他微服务 │
+ │ PostgreSQL/Redis/Kafka │
+ └─────────────────────────┘
+```
+
+## 维护者
+
+RWA Team
diff --git a/backend/services/identity-service/REMAINING_STEPS.md b/backend/services/identity-service/docs/REMAINING_STEPS.md
similarity index 100%
rename from backend/services/identity-service/REMAINING_STEPS.md
rename to backend/services/identity-service/docs/REMAINING_STEPS.md
diff --git a/backend/services/identity-service/TEST-STRATEGY.md b/backend/services/identity-service/docs/TEST-STRATEGY.md
similarity index 100%
rename from backend/services/identity-service/TEST-STRATEGY.md
rename to backend/services/identity-service/docs/TEST-STRATEGY.md
diff --git a/backend/services/identity-service/TESTING_GUIDE.md b/backend/services/identity-service/docs/TESTING_GUIDE.md
similarity index 100%
rename from backend/services/identity-service/TESTING_GUIDE.md
rename to backend/services/identity-service/docs/TESTING_GUIDE.md
diff --git a/backend/services/identity-service/TESTING_STRATEGY.md b/backend/services/identity-service/docs/TESTING_STRATEGY.md
similarity index 100%
rename from backend/services/identity-service/TESTING_STRATEGY.md
rename to backend/services/identity-service/docs/TESTING_STRATEGY.md
diff --git a/backend/services/identity-service/TEST_AUTOMATION_GUIDE.md b/backend/services/identity-service/docs/TEST_AUTOMATION_GUIDE.md
similarity index 100%
rename from backend/services/identity-service/TEST_AUTOMATION_GUIDE.md
rename to backend/services/identity-service/docs/TEST_AUTOMATION_GUIDE.md
diff --git a/backend/services/identity-service/测试完成总结.md b/backend/services/identity-service/docs/测试完成总结.md
similarity index 100%
rename from backend/services/identity-service/测试完成总结.md
rename to backend/services/identity-service/docs/测试完成总结.md