feat(mining-admin-web): 添加Nginx配置和Let's Encrypt自动证书

- madmin.szaiai.com.conf: Nginx反向代理配置（端口3100） - install.sh: 一键安装脚本，自动申请Let's Encrypt证书 - 支持HTTP自动重定向到HTTPS - 配置证书自动续期 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-10 20:15:50 -08:00 · 2026-01-10 20:15:50 -08:00 · b0434184ae
parent 3f79361fde
commit b0434184ae
3 changed files with 533 additions and 0 deletions
--- a/frontend/mining-admin-web/nginx/README.md
+++ b/frontend/mining-admin-web/nginx/README.md
@ -0,0 +1,116 @@
+# RWA Mining Admin Web - Nginx 部署指南
+
+## 域名
+- **域名**: madmin.szaiai.com
+- **端口**: 3100
+
+## 快速部署
+
+### 1. 启动 Docker 应用
+
+```bash
+cd frontend/mining-admin-web
+./deploy.sh start
+```
+
+### 2. 配置 DNS
+
+将域名 `madmin.szaiai.com` 的 A 记录指向服务器 IP。
+
+### 3. 运行安装脚本
+
+```bash
+cd nginx
+sudo ./install.sh
+```
+
+脚本会自动完成：
+- 安装 Nginx
+- 安装 Certbot
+- 配置防火墙
+- 申请 Let's Encrypt SSL 证书
+- 配置 HTTPS
+
+## 手动部署
+
+### 1. 安装 Nginx 和 Certbot
+
+```bash
+sudo apt update
+sudo apt install -y nginx certbot python3-certbot-nginx
+```
+
+### 2. 复制 Nginx 配置
+
+```bash
+sudo cp madmin.szaiai.com.conf /etc/nginx/sites-available/
+sudo ln -s /etc/nginx/sites-available/madmin.szaiai.com.conf /etc/nginx/sites-enabled/
+```
+
+### 3. 申请 SSL 证书
+
+```bash
+sudo mkdir -p /var/www/certbot
+sudo certbot certonly --webroot -w /var/www/certbot -d madmin.szaiai.com
+```
+
+### 4. 启用 HTTPS 配置
+
+```bash
+sudo nginx -t
+sudo systemctl reload nginx
+```
+
+## 常用命令
+
+```bash
+# 查看 Nginx 状态
+sudo systemctl status nginx
+
+# 重载配置
+sudo systemctl reload nginx
+
+# 查看证书
+sudo certbot certificates
+
+# 手动续期测试
+sudo certbot renew --dry-run
+
+# 查看访问日志
+sudo tail -f /var/log/nginx/madmin.szaiai.com.access.log
+
+# 查看错误日志
+sudo tail -f /var/log/nginx/madmin.szaiai.com.error.log
+```
+
+## 证书自动续期
+
+Certbot 安装后会自动配置 systemd timer 进行证书续期：
+
+```bash
+# 查看续期定时器状态
+sudo systemctl status certbot.timer
+
+# 手动测试续期
+sudo certbot renew --dry-run
+```
+
+## 文件说明
+
+| 文件 | 说明 |
+|------|------|
+| `madmin.szaiai.com.conf` | Nginx 配置文件 |
+| `install.sh` | 一键安装脚本 |
+| `README.md` | 本文档 |
+
+## 架构
+
+```
+Internet
+    ↓
+Nginx (443/SSL - Let's Encrypt)
+    ↓
+Docker Container (3100/HTTP)
+    ↓
+Next.js Application
+```
--- a/frontend/mining-admin-web/nginx/install.sh
+++ b/frontend/mining-admin-web/nginx/install.sh
@ -0,0 +1,311 @@
+#!/bin/bash
+# RWA Mining Admin Web - Nginx 完整安装脚本
+# 适用于全新 Ubuntu/Debian 服务器
+
+set -e
+
+DOMAIN="madmin.szaiai.com"
+EMAIL="admin@szaiai.com"  # 修改为你的邮箱
+APP_PORT=3100
+
+# 颜色
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
+log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
+log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
+log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
+
+# 检查 root 权限
+check_root() {
+    if [ "$EUID" -ne 0 ]; then
+        log_error "请使用 root 权限运行: sudo ./install.sh"
+        exit 1
+    fi
+}
+
+# 步骤 1: 更新系统
+update_system() {
+    log_info "步骤 1/6: 更新系统包..."
+    apt update && apt upgrade -y
+    log_success "系统更新完成"
+}
+
+# 步骤 2: 安装 Nginx
+install_nginx() {
+    log_info "步骤 2/6: 安装 Nginx..."
+    apt install -y nginx
+    systemctl enable nginx
+    systemctl start nginx
+    log_success "Nginx 安装完成"
+}
+
+# 步骤 3: 安装 Certbot
+install_certbot() {
+    log_info "步骤 3/6: 安装 Certbot..."
+    apt install -y certbot python3-certbot-nginx
+    log_success "Certbot 安装完成"
+}
+
+# 步骤 4: 配置 Nginx (HTTP)
+configure_nginx_http() {
+    log_info "步骤 4/6: 配置 Nginx (HTTP 临时配置用于证书申请)..."
+
+    # 创建 certbot webroot 目录
+    mkdir -p /var/www/certbot
+
+    # 创建临时 HTTP 配置
+    cat > /etc/nginx/sites-available/$DOMAIN << EOF
+# 临时 HTTP 配置 - 用于 Let's Encrypt 验证
+server {
+    listen 80;
+    listen [::]:80;
+    server_name $DOMAIN;
+
+    # Let's Encrypt 验证目录
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # 临时代理到应用
+    location / {
+        proxy_pass http://127.0.0.1:$APP_PORT;
+        proxy_http_version 1.1;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+    }
+}
+EOF
+
+    # 启用站点
+    ln -sf /etc/nginx/sites-available/$DOMAIN /etc/nginx/sites-enabled/
+
+    # 测试并重载
+    nginx -t && systemctl reload nginx
+    log_success "Nginx HTTP 配置完成"
+}
+
+# 步骤 5: 申请 SSL 证书
+obtain_ssl_certificate() {
+    log_info "步骤 5/6: 申请 Let's Encrypt SSL 证书..."
+
+    # 检查域名解析
+    log_info "检查域名 $DOMAIN 解析..."
+    if ! host $DOMAIN > /dev/null 2>&1; then
+        log_warn "无法解析域名 $DOMAIN，请确保 DNS 已正确配置"
+        log_warn "继续尝试申请证书..."
+    fi
+
+    # 申请证书
+    certbot certonly \
+        --webroot \
+        --webroot-path=/var/www/certbot \
+        --email $EMAIL \
+        --agree-tos \
+        --no-eff-email \
+        -d $DOMAIN
+
+    log_success "SSL 证书申请成功"
+}
+
+# 步骤 6: 配置 Nginx (HTTPS)
+configure_nginx_https() {
+    log_info "步骤 6/6: 配置 Nginx (HTTPS)..."
+
+    # 复制完整的 HTTPS 配置
+    cat > /etc/nginx/sites-available/$DOMAIN << 'NGINX_CONF'
+# RWA Mining Admin Web Nginx 配置
+# 域名: madmin.szaiai.com
+
+# HTTP 重定向到 HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name madmin.szaiai.com;
+
+    # Let's Encrypt 验证目录
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # 重定向到 HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# HTTPS 配置
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name madmin.szaiai.com;
+
+    # SSL 证书 (Let's Encrypt)
+    ssl_certificate /etc/letsencrypt/live/madmin.szaiai.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/madmin.szaiai.com/privkey.pem;
+
+    # SSL 配置优化
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+
+    # 现代加密套件
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    # 日志
+    access_log /var/log/nginx/madmin.szaiai.com.access.log;
+    error_log /var/log/nginx/madmin.szaiai.com.error.log;
+
+    # Gzip 压缩
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+    # 安全头
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    # 反向代理到 Docker 容器
+    location / {
+        proxy_pass http://127.0.0.1:3100;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # 超时设置
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+
+    # 健康检查端点
+    location /api/health {
+        proxy_pass http://127.0.0.1:3100;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        access_log off;
+    }
+
+    # 静态资源缓存
+    location /_next/static {
+        proxy_pass http://127.0.0.1:3100;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        add_header Cache-Control "public, max-age=31536000, immutable";
+    }
+
+    # 图片等静态资源
+    location ~* \.(ico|css|js|gif|jpeg|jpg|png|woff|woff2|ttf|svg|eot)$ {
+        proxy_pass http://127.0.0.1:3100;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        expires 30d;
+        add_header Cache-Control "public, no-transform";
+    }
+}
+NGINX_CONF
+
+    # 测试并重载
+    nginx -t && systemctl reload nginx
+    log_success "Nginx HTTPS 配置完成"
+}
+
+# 配置证书自动续期
+setup_auto_renewal() {
+    log_info "配置证书自动续期..."
+
+    # Certbot 会自动创建 systemd timer 或 cron job
+    # 测试续期
+    certbot renew --dry-run
+
+    log_success "证书自动续期已配置"
+}
+
+# 配置防火墙
+configure_firewall() {
+    log_info "配置防火墙..."
+
+    if command -v ufw &> /dev/null; then
+        ufw allow 'Nginx Full'
+        ufw allow OpenSSH
+        ufw --force enable
+        log_success "UFW 防火墙已配置"
+    else
+        log_warn "未检测到 UFW，请手动配置防火墙开放 80 和 443 端口"
+    fi
+}
+
+# 显示完成信息
+show_completion() {
+    echo ""
+    echo -e "${GREEN}========================================${NC}"
+    echo -e "${GREEN}   安装完成!${NC}"
+    echo -e "${GREEN}========================================${NC}"
+    echo ""
+    echo -e "访问地址: ${BLUE}https://$DOMAIN${NC}"
+    echo ""
+    echo "常用命令:"
+    echo "  查看 Nginx 状态:  systemctl status nginx"
+    echo "  重载 Nginx:       systemctl reload nginx"
+    echo "  查看证书:         certbot certificates"
+    echo "  手动续期:         certbot renew"
+    echo "  查看日志:         tail -f /var/log/nginx/$DOMAIN.access.log"
+    echo ""
+}
+
+# 主函数
+main() {
+    echo ""
+    echo "============================================"
+    echo "  RWA Mining Admin Web - Nginx 安装脚本"
+    echo "  域名: $DOMAIN"
+    echo "============================================"
+    echo ""
+
+    check_root
+    update_system
+    install_nginx
+    install_certbot
+    configure_firewall
+    configure_nginx_http
+
+    echo ""
+    log_warn "请确保以下条件已满足:"
+    echo "  1. 域名 $DOMAIN 的 DNS A 记录已指向本服务器 IP"
+    echo "  2. Docker 应用已在端口 $APP_PORT 运行"
+    echo ""
+    read -p "是否继续申请 SSL 证书? (y/n): " confirm
+
+    if [ "$confirm" = "y" ] || [ "$confirm" = "Y" ]; then
+        obtain_ssl_certificate
+        configure_nginx_https
+        setup_auto_renewal
+        show_completion
+    else
+        log_info "已跳过 SSL 配置，当前为 HTTP 模式"
+        log_info "稍后可运行: certbot --nginx -d $DOMAIN"
+    fi
+}
+
+main "$@"
--- a/frontend/mining-admin-web/nginx/madmin.szaiai.com.conf
+++ b/frontend/mining-admin-web/nginx/madmin.szaiai.com.conf
@ -0,0 +1,106 @@
+# RWA Mining Admin Web Nginx 配置
+# 域名: madmin.szaiai.com
+# 放置路径: /etc/nginx/sites-available/madmin.szaiai.com
+# 启用: ln -s /etc/nginx/sites-available/madmin.szaiai.com /etc/nginx/sites-enabled/
+
+# HTTP 重定向到 HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name madmin.szaiai.com;
+
+    # Let's Encrypt 验证目录
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # 重定向到 HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# HTTPS 配置
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name madmin.szaiai.com;
+
+    # SSL 证书 (Let's Encrypt)
+    ssl_certificate /etc/letsencrypt/live/madmin.szaiai.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/madmin.szaiai.com/privkey.pem;
+
+    # SSL 配置优化
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+
+    # 现代加密套件
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (可选，启用后请谨慎)
+    # add_header Strict-Transport-Security "max-age=63072000" always;
+
+    # 日志
+    access_log /var/log/nginx/madmin.szaiai.com.access.log;
+    error_log /var/log/nginx/madmin.szaiai.com.error.log;
+
+    # Gzip 压缩
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+    # 安全头
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    # 反向代理到 Docker 容器
+    location / {
+        proxy_pass http://127.0.0.1:3100;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # 超时设置
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+
+    # 健康检查端点
+    location /api/health {
+        proxy_pass http://127.0.0.1:3100;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        access_log off;
+    }
+
+    # 静态资源缓存
+    location /_next/static {
+        proxy_pass http://127.0.0.1:3100;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        add_header Cache-Control "public, max-age=31536000, immutable";
+    }
+
+    # 图片等静态资源
+    location ~* \.(ico|css|js|gif|jpeg|jpg|png|woff|woff2|ttf|svg|eot)$ {
+        proxy_pass http://127.0.0.1:3100;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        expires 30d;
+        add_header Cache-Control "public, no-transform";
+    }
+}