hailin
/
rwadurian
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(api-gateway): 添加 Kong API 网关和 Nginx 配置 

- 添加 Kong 声明式配置 (kong.yml),定义所有微服务路由
- 更新 docker-compose.yml 添加 Kong 服务 (kong-db, kong-migrations, kong)
- 添加 rwaapi.szaiai.com Nginx 配置 (SSL + 反向代理到 Kong)
- 添加 nginx/install.sh 一键安装脚本
- 添加 API Gateway README 文档

架构: 用户 → Nginx (SSL) → Kong (API Gateway) → 各微服务

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Developer 2025-12-03 00:33:22 -08:00
parent 4e0033474f
commit 7d9d5eeffe
5 changed files with 771 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

151
backend/api-gateway/README.md Normal file
View File

@ -0,0 +1,151 @@
# API Gateway - Kong
RWADurian 项目的 API 网关,基于 Kong 实现。
## 架构
```
用户请求
Nginx (SSL/负载均衡)
↓ rwaapi.szaiai.com:443
Kong API Gateway
↓ :8000
各微服务
├── identity-service :3000
├── wallet-service :3001
├── backup-service :3002
├── planting-service :3003
├── referral-service :3004
├── reward-service :3005
├── mpc-service :3006
├── leaderboard-service:3007
├── reporting-service :3008
├── authorization-service:3009
├── admin-service :3010
└── presence-service :3011
```
## 文件结构
```
api-gateway/
├── kong.yml # Kong 声明式配置
├── README.md # 本文档
└── nginx/
├── rwaapi.szaiai.com.conf # Nginx 配置
└── install.sh # 一键安装脚本
```
## API 路由
| 路径 | 服务 | 说明 |
|------|------|------|
| `/api/v1/auth/*` | identity-service | 认证相关 |
| `/api/v1/users/*` | identity-service | 用户管理 |
| `/api/v1/wallets/*` | wallet-service | 钱包管理 |
| `/api/v1/backups/*` | backup-service | 备份服务 |
| `/api/v1/plantings/*` | planting-service | 种植管理 |
| `/api/v1/trees/*` | planting-service | 树木管理 |
| `/api/v1/referrals/*` | referral-service | 推荐系统 |
| `/api/v1/rewards/*` | reward-service | 奖励系统 |
| `/api/v1/mpc/*` | mpc-service | 多方计算 |
| `/api/v1/leaderboard/*` | leaderboard-service | 排行榜 |
| `/api/v1/reports/*` | reporting-service | 报表统计 |
| `/api/v1/statistics/*` | reporting-service | 数据统计 |
| `/api/v1/authorization/*` | authorization-service | 授权管理 |
| `/api/v1/permissions/*` | authorization-service | 权限管理 |
| `/api/v1/roles/*` | authorization-service | 角色管理 |
| `/api/v1/versions/*` | admin-service | 版本管理 |
| `/api/v1/admin/*` | admin-service | 后台管理 |
| `/api/v1/presence/*` | presence-service | 在线状态 |
## 部署
### 1. 启动 Kong (包含在 services 的 docker-compose.yml 中)
```bash
cd backend/services
./deploy.sh up
```
### 2. 配置 Nginx + SSL
```bash
cd backend/api-gateway/nginx
sudo chmod +x install.sh
sudo ./install.sh
```
### 3. 验证
```bash
# 检查 Kong 状态
curl http://localhost:8001/status
# 测试 API 路由
curl https://rwaapi.szaiai.com/api/v1/versions
```
## Kong 管理
### 查看配置
```bash
# 查看所有服务
curl http://localhost:8001/services
# 查看所有路由
curl http://localhost:8001/routes
# 查看所有插件
curl http://localhost:8001/plugins
```
### 重新加载配置
```bash
# 进入 Kong 容器
docker exec -it rwa-kong sh
# 重载配置
kong reload
```
## 插件
已启用的全局插件:
| 插件 | 功能 |
|------|------|
| cors | 跨域支持 |
| rate-limiting | 请求限流 (100/分钟, 5000/小时) |
| file-log | 请求日志 |
| request-size-limiting | 请求大小限制 (50MB) |
## 故障排除
### 1. Kong 无法连接数据库
```bash
# 检查 kong-db 状态
docker logs rwa-kong-db
# 手动运行迁移
docker exec -it rwa-kong kong migrations bootstrap
```
### 2. 路由不生效
```bash
# 检查 kong.yml 语法
docker exec -it rwa-kong kong config parse /etc/kong/kong.yml
# 重启 Kong
docker restart rwa-kong
```
### 3. 502 Bad Gateway
- 检查目标服务是否运行: `docker ps`
- 检查服务网络连通性: `docker exec rwa-kong curl http://admin-service:3010/api/v1/health`

221
backend/api-gateway/kong.yml
View File

@ -0,0 +1,221 @@
# =============================================================================
# Kong API Gateway - ðMn
# =============================================================================
# (¹Õ:
# 1. /¨ Kong: docker compose up -d kong kong-db
# 2. Mnꨠ}
#
# ‡c: https://docs.konghq.com/gateway/latest/
# =============================================================================
_format_version: "3.0"
_transform: true
# =============================================================================
# Services - ï® ¡šI
# =============================================================================
services:
# ---------------------------------------------------------------------------
# Identity Service - «ý¤Á ¡
# ---------------------------------------------------------------------------
- name: identity-service
url: http://identity-service:3000
routes:
- name: identity-auth
paths:
- /api/v1/auth
strip_path: false
- name: identity-users
paths:
- /api/v1/users
strip_path: false
- name: identity-health
paths:
- /api/v1/identity/health
strip_path: true
# ---------------------------------------------------------------------------
# Wallet Service - ± ¡
# ---------------------------------------------------------------------------
- name: wallet-service
url: http://wallet-service:3001
routes:
- name: wallet-api
paths:
- /api/v1/wallets
strip_path: false
- name: wallet-health
paths:
- /api/v1/wallet/health
strip_path: true
# ---------------------------------------------------------------------------
# Backup Service - ý ¡
# ---------------------------------------------------------------------------
- name: backup-service
url: http://backup-service:3002
routes:
- name: backup-api
paths:
- /api/v1/backups
strip_path: false
# ---------------------------------------------------------------------------
# Planting Service - Í ¡
# ---------------------------------------------------------------------------
- name: planting-service
url: http://planting-service:3003
routes:
- name: planting-api
paths:
- /api/v1/plantings
- /api/v1/trees
strip_path: false
# ---------------------------------------------------------------------------
# Referral Service - ¨P ¡
# ---------------------------------------------------------------------------
- name: referral-service
url: http://referral-service:3004
routes:
- name: referral-api
paths:
- /api/v1/referrals
strip_path: false
# ---------------------------------------------------------------------------
# Reward Service - V± ¡
# ---------------------------------------------------------------------------
- name: reward-service
url: http://reward-service:3005
routes:
- name: reward-api
paths:
- /api/v1/rewards
strip_path: false
# ---------------------------------------------------------------------------
# MPC Service - ¹¡— ¡
# ---------------------------------------------------------------------------
- name: mpc-service
url: http://mpc-service:3006
routes:
- name: mpc-api
paths:
- /api/v1/mpc
strip_path: false
# ---------------------------------------------------------------------------
# Leaderboard Service - ¡
# ---------------------------------------------------------------------------
- name: leaderboard-service
url: http://leaderboard-service:3007
routes:
- name: leaderboard-api
paths:
- /api/v1/leaderboard
strip_path: false
# ---------------------------------------------------------------------------
# Reporting Service - ¥h ¡
# ---------------------------------------------------------------------------
- name: reporting-service
url: http://reporting-service:3008
routes:
- name: reporting-api
paths:
- /api/v1/reports
- /api/v1/statistics
strip_path: false
# ---------------------------------------------------------------------------
# Authorization Service - ˆC ¡
# ---------------------------------------------------------------------------
- name: authorization-service
url: http://authorization-service:3009
routes:
- name: authorization-api
paths:
- /api/v1/authorization
- /api/v1/permissions
- /api/v1/roles
strip_path: false
# ---------------------------------------------------------------------------
# Admin Service - ¡ ¡ (+H,¡)
# ---------------------------------------------------------------------------
- name: admin-service
url: http://admin-service:3010
routes:
- name: admin-versions
paths:
- /api/v1/versions
strip_path: false
- name: admin-api
paths:
- /api/v1/admin
strip_path: false
# ---------------------------------------------------------------------------
# Presence Service - (¿¶ ¡
# ---------------------------------------------------------------------------
- name: presence-service
url: http://presence-service:3011
routes:
- name: presence-api
paths:
- /api/v1/presence
strip_path: false
# =============================================================================
# Plugins - h@ÒöMn
# =============================================================================
plugins:
# CORS èßMn
- name: cors
config:
origins:
- "https://rwaadmin.szaiai.com"
- "https://update.szaiai.com"
- "https://app.rwadurian.com"
- "http://localhost:3000"
- "http://localhost:3020"
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
headers:
- Accept
- Accept-Version
- Content-Length
- Content-MD5
- Content-Type
- Date
- Authorization
- X-Auth-Token
exposed_headers:
- X-Auth-Token
credentials: true
max_age: 3600
# ÷BPA
- name: rate-limiting
config:
minute: 100
hour: 5000
policy: local
# ÷Bå×
- name: file-log
config:
path: /tmp/kong-access.log
reopen: true
# ÷B/Í”'P6
- name: request-size-limiting
config:
allowed_payload_size: 50
size_unit: megabytes

208
backend/api-gateway/nginx/install.sh Normal file
View File

@ -0,0 +1,208 @@
#!/bin/bash
# RWADurian API Gateway - Nginx 完整安装脚本
# 适用于全新 Ubuntu/Debian 服务器
set -e
DOMAIN="rwaapi.szaiai.com"
EMAIL="admin@szaiai.com" # 修改为你的邮箱
KONG_PORT=8000
# 颜色
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
# 检查 root 权限
check_root() {
if [ "$EUID" -ne 0 ]; then
log_error "请使用 root 权限运行: sudo ./install.sh"
exit 1
fi
}
# 步骤 1: 更新系统
update_system() {
log_info "步骤 1/6: 更新系统包..."
apt update && apt upgrade -y
log_success "系统更新完成"
}
# 步骤 2: 安装 Nginx
install_nginx() {
log_info "步骤 2/6: 安装 Nginx..."
apt install -y nginx
systemctl enable nginx
systemctl start nginx
log_success "Nginx 安装完成"
}
# 步骤 3: 安装 Certbot
install_certbot() {
log_info "步骤 3/6: 安装 Certbot..."
apt install -y certbot python3-certbot-nginx
log_success "Certbot 安装完成"
}
# 步骤 4: 配置 Nginx (HTTP)
configure_nginx_http() {
log_info "步骤 4/6: 配置 Nginx (HTTP 临时配置用于证书申请)..."
# 创建 certbot webroot 目录
mkdir -p /var/www/certbot
# 创建临时 HTTP 配置
cat > /etc/nginx/sites-available/$DOMAIN << EOF
# 临时 HTTP 配置 - 用于 Let's Encrypt 验证
server {
listen 80;
listen [::]:80;
server_name $DOMAIN;
# Let's Encrypt 验证目录
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# 临时代理到 Kong
location / {
proxy_pass http://127.0.0.1:$KONG_PORT;
proxy_http_version 1.1;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
}
}
EOF
# 启用站点
ln -sf /etc/nginx/sites-available/$DOMAIN /etc/nginx/sites-enabled/
# 测试并重载
nginx -t && systemctl reload nginx
log_success "Nginx HTTP 配置完成"
}
# 步骤 5: 申请 SSL 证书
obtain_ssl_certificate() {
log_info "步骤 5/6: 申请 Let's Encrypt SSL 证书..."
# 检查域名解析
log_info "检查域名 $DOMAIN 解析..."
if ! host $DOMAIN > /dev/null 2>&1; then
log_warn "无法解析域名 $DOMAIN,请确保 DNS 已正确配置"
log_warn "继续尝试申请证书..."
fi
# 申请证书
certbot certonly \
--webroot \
--webroot-path=/var/www/certbot \
--email $EMAIL \
--agree-tos \
--no-eff-email \
-d $DOMAIN
log_success "SSL 证书申请成功"
}
# 步骤 6: 配置 Nginx (HTTPS)
configure_nginx_https() {
log_info "步骤 6/6: 配置 Nginx (HTTPS)..."
# 获取脚本所在目录
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# 复制完整配置
cp "$SCRIPT_DIR/rwaapi.szaiai.com.conf" /etc/nginx/sites-available/$DOMAIN
# 测试并重载
nginx -t && systemctl reload nginx
log_success "Nginx HTTPS 配置完成"
}
# 配置证书自动续期
setup_auto_renewal() {
log_info "配置证书自动续期..."
certbot renew --dry-run
log_success "证书自动续期已配置"
}
# 配置防火墙
configure_firewall() {
log_info "配置防火墙..."
if command -v ufw &> /dev/null; then
ufw allow 'Nginx Full'
ufw allow OpenSSH
ufw --force enable
log_success "UFW 防火墙已配置"
else
log_warn "未检测到 UFW请手动配置防火墙开放 80 和 443 端口"
fi
}
# 显示完成信息
show_completion() {
echo ""
echo -e "${GREEN}========================================${NC}"
echo -e "${GREEN} 安装完成!${NC}"
echo -e "${GREEN}========================================${NC}"
echo ""
echo -e "API 网关地址: ${BLUE}https://$DOMAIN${NC}"
echo ""
echo "架构:"
echo " 用户请求 → Nginx (SSL) → Kong (API Gateway) → 微服务"
echo ""
echo "常用命令:"
echo " 查看 Nginx 状态: systemctl status nginx"
echo " 重载 Nginx: systemctl reload nginx"
echo " 查看证书: certbot certificates"
echo " 手动续期: certbot renew"
echo " 查看日志: tail -f /var/log/nginx/$DOMAIN.access.log"
echo ""
}
# 主函数
main() {
echo ""
echo "============================================"
echo " RWADurian API Gateway - Nginx 安装脚本"
echo " 域名: $DOMAIN"
echo "============================================"
echo ""
check_root
update_system
install_nginx
install_certbot
configure_firewall
configure_nginx_http
echo ""
log_warn "请确保以下条件已满足:"
echo " 1. 域名 $DOMAIN 的 DNS A 记录已指向本服务器 IP"
echo " 2. Kong API Gateway 已在端口 $KONG_PORT 运行"
echo ""
read -p "是否继续申请 SSL 证书? (y/n): " confirm
if [ "$confirm" = "y" ] || [ "$confirm" = "Y" ]; then
obtain_ssl_certificate
configure_nginx_https
setup_auto_renewal
show_completion
else
log_info "已跳过 SSL 配置,当前为 HTTP 模式"
log_info "稍后可运行: certbot --nginx -d $DOMAIN"
fi
}
main "$@"

112
backend/api-gateway/nginx/rwaapi.szaiai.com.conf Normal file
View File

@ -0,0 +1,112 @@
# RWADurian API Gateway Nginx 配置
# 域名: rwaapi.szaiai.com
# 后端: Kong API Gateway (端口 8000)
# 放置路径: /etc/nginx/sites-available/rwaapi.szaiai.com
# 启用: ln -s /etc/nginx/sites-available/rwaapi.szaiai.com /etc/nginx/sites-enabled/
# HTTP 重定向到 HTTPS
server {
listen 80;
listen [::]:80;
server_name rwaapi.szaiai.com;
# Let's Encrypt 验证目录
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# 重定向到 HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# HTTPS 配置
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name rwaapi.szaiai.com;
# SSL 证书 (Let's Encrypt)
ssl_certificate /etc/letsencrypt/live/rwaapi.szaiai.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rwaapi.szaiai.com/privkey.pem;
# SSL 配置优化
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# 现代加密套件
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS
add_header Strict-Transport-Security "max-age=63072000" always;
# 日志
access_log /var/log/nginx/rwaapi.szaiai.com.access.log;
error_log /var/log/nginx/rwaapi.szaiai.com.error.log;
# Gzip 压缩
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
# 安全头
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# 客户端请求大小限制 (用于文件上传)
client_max_body_size 100M;
# 反向代理到 Kong API Gateway
location / {
proxy_pass http://127.0.0.1:8000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_cache_bypass $http_upgrade;
# 超时设置 (适配大文件上传)
proxy_connect_timeout 60s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
# 缓冲设置
proxy_buffering on;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
# Kong Admin API (可选,仅内网访问)
# location /kong-admin/ {
# allow 127.0.0.1;
# allow 10.0.0.0/8;
# allow 172.16.0.0/12;
# allow 192.168.0.0/16;
# deny all;
# proxy_pass http://127.0.0.1:8001/;
# proxy_http_version 1.1;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# }
# 健康检查端点 (直接返回)
location = /health {
access_log off;
return 200 '{"status":"ok","service":"rwaapi-nginx"}';
add_header Content-Type application/json;
}
}

79
backend/services/docker-compose.yml
View File

@ -93,6 +93,83 @@ services:
networks:
- rwa-network
# ===========================================================================
# API Gateway - Kong
# ===========================================================================
kong-db:
image: postgres:16-alpine
container_name: rwa-kong-db
environment:
POSTGRES_USER: kong
POSTGRES_PASSWORD: ${KONG_PG_PASSWORD:-kong_password}
POSTGRES_DB: kong
volumes:
- kong_db_data:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U kong"]
interval: 5s
timeout: 5s
retries: 10
restart: unless-stopped
networks:
- rwa-network
kong-migrations:
image: kong:3.5-alpine
container_name: rwa-kong-migrations
command: kong migrations bootstrap
environment:
KONG_DATABASE: postgres
KONG_PG_HOST: kong-db
KONG_PG_USER: kong
KONG_PG_PASSWORD: ${KONG_PG_PASSWORD:-kong_password}
KONG_PG_DATABASE: kong
depends_on:
kong-db:
condition: service_healthy
restart: on-failure
networks:
- rwa-network
kong:
image: kong:3.5-alpine
container_name: rwa-kong
environment:
KONG_DATABASE: postgres
KONG_PG_HOST: kong-db
KONG_PG_USER: kong
KONG_PG_PASSWORD: ${KONG_PG_PASSWORD:-kong_password}
KONG_PG_DATABASE: kong
KONG_PROXY_ACCESS_LOG: /dev/stdout
KONG_ADMIN_ACCESS_LOG: /dev/stdout
KONG_PROXY_ERROR_LOG: /dev/stderr
KONG_ADMIN_ERROR_LOG: /dev/stderr
KONG_ADMIN_LISTEN: 0.0.0.0:8001
KONG_ADMIN_GUI_URL: http://localhost:8002
KONG_DECLARATIVE_CONFIG: /etc/kong/kong.yml
ports:
- "8000:8000" # Proxy HTTP
- "8443:8443" # Proxy HTTPS
- "8001:8001" # Admin API
- "8002:8002" # Admin GUI
volumes:
- ../api-gateway/kong.yml:/etc/kong/kong.yml:ro
depends_on:
kong-db:
condition: service_healthy
kong-migrations:
condition: service_completed_successfully
healthcheck:
test: ["CMD", "kong", "health"]
interval: 30s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
networks:
- rwa-network
# ===========================================================================
# Application Services
# ===========================================================================
@ -542,6 +619,8 @@ volumes:
driver: local
redis_data:
driver: local
kong_db_data:
driver: local
# ===========================================================================
# Networks