From b0434184aef737f2c77bf8b670d0f9bd1dd14136 Mon Sep 17 00:00:00 2001 From: hailin Date: Sat, 10 Jan 2026 20:15:50 -0800 Subject: [PATCH] =?UTF-8?q?feat(mining-admin-web):=20=E6=B7=BB=E5=8A=A0Ngi?= =?UTF-8?q?nx=E9=85=8D=E7=BD=AE=E5=92=8CLet's=20Encrypt=E8=87=AA=E5=8A=A8?= =?UTF-8?q?=E8=AF=81=E4=B9=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - madmin.szaiai.com.conf: Nginx反向代理配置(端口3100) - install.sh: 一键安装脚本,自动申请Let's Encrypt证书 - 支持HTTP自动重定向到HTTPS - 配置证书自动续期 Co-Authored-By: Claude Opus 4.5 --- frontend/mining-admin-web/nginx/README.md | 116 +++++++ frontend/mining-admin-web/nginx/install.sh | 311 ++++++++++++++++++ .../nginx/madmin.szaiai.com.conf | 106 ++++++ 3 files changed, 533 insertions(+) create mode 100644 frontend/mining-admin-web/nginx/README.md create mode 100644 frontend/mining-admin-web/nginx/install.sh create mode 100644 frontend/mining-admin-web/nginx/madmin.szaiai.com.conf diff --git a/frontend/mining-admin-web/nginx/README.md b/frontend/mining-admin-web/nginx/README.md new file mode 100644 index 00000000..bd7a20c7 --- /dev/null +++ b/frontend/mining-admin-web/nginx/README.md @@ -0,0 +1,116 @@ +# RWA Mining Admin Web - Nginx 部署指南 + +## 域名 +- **域名**: madmin.szaiai.com +- **端口**: 3100 + +## 快速部署 + +### 1. 启动 Docker 应用 + +```bash +cd frontend/mining-admin-web +./deploy.sh start +``` + +### 2. 配置 DNS + +将域名 `madmin.szaiai.com` 的 A 记录指向服务器 IP。 + +### 3. 运行安装脚本 + +```bash +cd nginx +sudo ./install.sh +``` + +脚本会自动完成: +- 安装 Nginx +- 安装 Certbot +- 配置防火墙 +- 申请 Let's Encrypt SSL 证书 +- 配置 HTTPS + +## 手动部署 + +### 1. 安装 Nginx 和 Certbot + +```bash +sudo apt update +sudo apt install -y nginx certbot python3-certbot-nginx +``` + +### 2. 复制 Nginx 配置 + +```bash +sudo cp madmin.szaiai.com.conf /etc/nginx/sites-available/ +sudo ln -s /etc/nginx/sites-available/madmin.szaiai.com.conf /etc/nginx/sites-enabled/ +``` + +### 3. 申请 SSL 证书 + +```bash +sudo mkdir -p /var/www/certbot +sudo certbot certonly --webroot -w /var/www/certbot -d madmin.szaiai.com +``` + +### 4. 启用 HTTPS 配置 + +```bash +sudo nginx -t +sudo systemctl reload nginx +``` + +## 常用命令 + +```bash +# 查看 Nginx 状态 +sudo systemctl status nginx + +# 重载配置 +sudo systemctl reload nginx + +# 查看证书 +sudo certbot certificates + +# 手动续期测试 +sudo certbot renew --dry-run + +# 查看访问日志 +sudo tail -f /var/log/nginx/madmin.szaiai.com.access.log + +# 查看错误日志 +sudo tail -f /var/log/nginx/madmin.szaiai.com.error.log +``` + +## 证书自动续期 + +Certbot 安装后会自动配置 systemd timer 进行证书续期: + +```bash +# 查看续期定时器状态 +sudo systemctl status certbot.timer + +# 手动测试续期 +sudo certbot renew --dry-run +``` + +## 文件说明 + +| 文件 | 说明 | +|------|------| +| `madmin.szaiai.com.conf` | Nginx 配置文件 | +| `install.sh` | 一键安装脚本 | +| `README.md` | 本文档 | + +## 架构 + +``` +Internet + ↓ +Nginx (443/SSL - Let's Encrypt) + ↓ +Docker Container (3100/HTTP) + ↓ +Next.js Application +``` diff --git a/frontend/mining-admin-web/nginx/install.sh b/frontend/mining-admin-web/nginx/install.sh new file mode 100644 index 00000000..1c20357e --- /dev/null +++ b/frontend/mining-admin-web/nginx/install.sh @@ -0,0 +1,311 @@ +#!/bin/bash +# RWA Mining Admin Web - Nginx 完整安装脚本 +# 适用于全新 Ubuntu/Debian 服务器 + +set -e + +DOMAIN="madmin.szaiai.com" +EMAIL="admin@szaiai.com" # 修改为你的邮箱 +APP_PORT=3100 + +# 颜色 +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +BLUE='\033[0;34m' +NC='\033[0m' + +log_info() { echo -e "${BLUE}[INFO]${NC} $1"; } +log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; } +log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; } +log_error() { echo -e "${RED}[ERROR]${NC} $1"; } + +# 检查 root 权限 +check_root() { + if [ "$EUID" -ne 0 ]; then + log_error "请使用 root 权限运行: sudo ./install.sh" + exit 1 + fi +} + +# 步骤 1: 更新系统 +update_system() { + log_info "步骤 1/6: 更新系统包..." + apt update && apt upgrade -y + log_success "系统更新完成" +} + +# 步骤 2: 安装 Nginx +install_nginx() { + log_info "步骤 2/6: 安装 Nginx..." + apt install -y nginx + systemctl enable nginx + systemctl start nginx + log_success "Nginx 安装完成" +} + +# 步骤 3: 安装 Certbot +install_certbot() { + log_info "步骤 3/6: 安装 Certbot..." + apt install -y certbot python3-certbot-nginx + log_success "Certbot 安装完成" +} + +# 步骤 4: 配置 Nginx (HTTP) +configure_nginx_http() { + log_info "步骤 4/6: 配置 Nginx (HTTP 临时配置用于证书申请)..." + + # 创建 certbot webroot 目录 + mkdir -p /var/www/certbot + + # 创建临时 HTTP 配置 + cat > /etc/nginx/sites-available/$DOMAIN << EOF +# 临时 HTTP 配置 - 用于 Let's Encrypt 验证 +server { + listen 80; + listen [::]:80; + server_name $DOMAIN; + + # Let's Encrypt 验证目录 + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + # 临时代理到应用 + location / { + proxy_pass http://127.0.0.1:$APP_PORT; + proxy_http_version 1.1; + proxy_set_header Host \$host; + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto \$scheme; + } +} +EOF + + # 启用站点 + ln -sf /etc/nginx/sites-available/$DOMAIN /etc/nginx/sites-enabled/ + + # 测试并重载 + nginx -t && systemctl reload nginx + log_success "Nginx HTTP 配置完成" +} + +# 步骤 5: 申请 SSL 证书 +obtain_ssl_certificate() { + log_info "步骤 5/6: 申请 Let's Encrypt SSL 证书..." + + # 检查域名解析 + log_info "检查域名 $DOMAIN 解析..." + if ! host $DOMAIN > /dev/null 2>&1; then + log_warn "无法解析域名 $DOMAIN,请确保 DNS 已正确配置" + log_warn "继续尝试申请证书..." + fi + + # 申请证书 + certbot certonly \ + --webroot \ + --webroot-path=/var/www/certbot \ + --email $EMAIL \ + --agree-tos \ + --no-eff-email \ + -d $DOMAIN + + log_success "SSL 证书申请成功" +} + +# 步骤 6: 配置 Nginx (HTTPS) +configure_nginx_https() { + log_info "步骤 6/6: 配置 Nginx (HTTPS)..." + + # 复制完整的 HTTPS 配置 + cat > /etc/nginx/sites-available/$DOMAIN << 'NGINX_CONF' +# RWA Mining Admin Web Nginx 配置 +# 域名: madmin.szaiai.com + +# HTTP 重定向到 HTTPS +server { + listen 80; + listen [::]:80; + server_name madmin.szaiai.com; + + # Let's Encrypt 验证目录 + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + # 重定向到 HTTPS + location / { + return 301 https://$host$request_uri; + } +} + +# HTTPS 配置 +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name madmin.szaiai.com; + + # SSL 证书 (Let's Encrypt) + ssl_certificate /etc/letsencrypt/live/madmin.szaiai.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/madmin.szaiai.com/privkey.pem; + + # SSL 配置优化 + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + + # 现代加密套件 + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS + add_header Strict-Transport-Security "max-age=63072000" always; + + # 日志 + access_log /var/log/nginx/madmin.szaiai.com.access.log; + error_log /var/log/nginx/madmin.szaiai.com.error.log; + + # Gzip 压缩 + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; + + # 安全头 + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + + # 反向代理到 Docker 容器 + location / { + proxy_pass http://127.0.0.1:3100; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_cache_bypass $http_upgrade; + + # 超时设置 + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + } + + # 健康检查端点 + location /api/health { + proxy_pass http://127.0.0.1:3100; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + access_log off; + } + + # 静态资源缓存 + location /_next/static { + proxy_pass http://127.0.0.1:3100; + proxy_http_version 1.1; + proxy_set_header Host $host; + add_header Cache-Control "public, max-age=31536000, immutable"; + } + + # 图片等静态资源 + location ~* \.(ico|css|js|gif|jpeg|jpg|png|woff|woff2|ttf|svg|eot)$ { + proxy_pass http://127.0.0.1:3100; + proxy_http_version 1.1; + proxy_set_header Host $host; + expires 30d; + add_header Cache-Control "public, no-transform"; + } +} +NGINX_CONF + + # 测试并重载 + nginx -t && systemctl reload nginx + log_success "Nginx HTTPS 配置完成" +} + +# 配置证书自动续期 +setup_auto_renewal() { + log_info "配置证书自动续期..." + + # Certbot 会自动创建 systemd timer 或 cron job + # 测试续期 + certbot renew --dry-run + + log_success "证书自动续期已配置" +} + +# 配置防火墙 +configure_firewall() { + log_info "配置防火墙..." + + if command -v ufw &> /dev/null; then + ufw allow 'Nginx Full' + ufw allow OpenSSH + ufw --force enable + log_success "UFW 防火墙已配置" + else + log_warn "未检测到 UFW,请手动配置防火墙开放 80 和 443 端口" + fi +} + +# 显示完成信息 +show_completion() { + echo "" + echo -e "${GREEN}========================================${NC}" + echo -e "${GREEN} 安装完成!${NC}" + echo -e "${GREEN}========================================${NC}" + echo "" + echo -e "访问地址: ${BLUE}https://$DOMAIN${NC}" + echo "" + echo "常用命令:" + echo " 查看 Nginx 状态: systemctl status nginx" + echo " 重载 Nginx: systemctl reload nginx" + echo " 查看证书: certbot certificates" + echo " 手动续期: certbot renew" + echo " 查看日志: tail -f /var/log/nginx/$DOMAIN.access.log" + echo "" +} + +# 主函数 +main() { + echo "" + echo "============================================" + echo " RWA Mining Admin Web - Nginx 安装脚本" + echo " 域名: $DOMAIN" + echo "============================================" + echo "" + + check_root + update_system + install_nginx + install_certbot + configure_firewall + configure_nginx_http + + echo "" + log_warn "请确保以下条件已满足:" + echo " 1. 域名 $DOMAIN 的 DNS A 记录已指向本服务器 IP" + echo " 2. Docker 应用已在端口 $APP_PORT 运行" + echo "" + read -p "是否继续申请 SSL 证书? (y/n): " confirm + + if [ "$confirm" = "y" ] || [ "$confirm" = "Y" ]; then + obtain_ssl_certificate + configure_nginx_https + setup_auto_renewal + show_completion + else + log_info "已跳过 SSL 配置,当前为 HTTP 模式" + log_info "稍后可运行: certbot --nginx -d $DOMAIN" + fi +} + +main "$@" diff --git a/frontend/mining-admin-web/nginx/madmin.szaiai.com.conf b/frontend/mining-admin-web/nginx/madmin.szaiai.com.conf new file mode 100644 index 00000000..b60f5cc4 --- /dev/null +++ b/frontend/mining-admin-web/nginx/madmin.szaiai.com.conf @@ -0,0 +1,106 @@ +# RWA Mining Admin Web Nginx 配置 +# 域名: madmin.szaiai.com +# 放置路径: /etc/nginx/sites-available/madmin.szaiai.com +# 启用: ln -s /etc/nginx/sites-available/madmin.szaiai.com /etc/nginx/sites-enabled/ + +# HTTP 重定向到 HTTPS +server { + listen 80; + listen [::]:80; + server_name madmin.szaiai.com; + + # Let's Encrypt 验证目录 + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + # 重定向到 HTTPS + location / { + return 301 https://$host$request_uri; + } +} + +# HTTPS 配置 +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name madmin.szaiai.com; + + # SSL 证书 (Let's Encrypt) + ssl_certificate /etc/letsencrypt/live/madmin.szaiai.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/madmin.szaiai.com/privkey.pem; + + # SSL 配置优化 + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + + # 现代加密套件 + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (可选,启用后请谨慎) + # add_header Strict-Transport-Security "max-age=63072000" always; + + # 日志 + access_log /var/log/nginx/madmin.szaiai.com.access.log; + error_log /var/log/nginx/madmin.szaiai.com.error.log; + + # Gzip 压缩 + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; + + # 安全头 + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + + # 反向代理到 Docker 容器 + location / { + proxy_pass http://127.0.0.1:3100; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_cache_bypass $http_upgrade; + + # 超时设置 + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + } + + # 健康检查端点 + location /api/health { + proxy_pass http://127.0.0.1:3100; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + access_log off; + } + + # 静态资源缓存 + location /_next/static { + proxy_pass http://127.0.0.1:3100; + proxy_http_version 1.1; + proxy_set_header Host $host; + add_header Cache-Control "public, max-age=31536000, immutable"; + } + + # 图片等静态资源 + location ~* \.(ico|css|js|gif|jpeg|jpg|png|woff|woff2|ttf|svg|eot)$ { + proxy_pass http://127.0.0.1:3100; + proxy_http_version 1.1; + proxy_set_header Host $host; + expires 30d; + add_header Cache-Control "public, no-transform"; + } +}