From c63be043229487e1b0cc0ef6839afe50e566a38e Mon Sep 17 00:00:00 2001
From: Developer
Date: Mon, 1 Dec 2025 21:59:01 -0800
Subject: [PATCH] =?UTF-8?q?feat(mpc-system):=20=E4=BC=98=E5=8C=96=20Docker?=
 =?UTF-8?q?=20=E9=83=A8=E7=BD=B2=E9=85=8D=E7=BD=AE=E9=80=82=E9=85=8D?=
 =?UTF-8?q?=E7=94=9F=E4=BA=A7=E7=8E=AF=E5=A2=83?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

部署位置: 192.168.1.100 (Nginx + MPC 服务器)

主要修改:
- 对外仅暴露端口 4000 (account-service)
- 移除基础设施服务的外部端口暴露
- 默认使用 production 环境
- 添加 MPC_API_KEY 和 ALLOWED_IPS 安全配置
- 新增 .env.example 生产环境配置模板
- 移除 Consul 服务发现 (简化部署)
- 优化 Redis 内存配置

架构说明:
- account-service:4000 为对外 API 入口
- 后端服务器 (192.168.1.111) 的 mpc-service 通过此端口调用

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 backend/mpc-system/.env.example | 52 +++++++++
 backend/mpc-system/docker-compose.yml | 149 +++++++++++++-------------
 2 files changed, 124 insertions(+), 77 deletions(-)
 create mode 100644 backend/mpc-system/.env.example

diff --git a/backend/mpc-system/.env.example b/backend/mpc-system/.env.example
new file mode 100644
index 00000000..f7b22dec
--- /dev/null
+++ b/backend/mpc-system/.env.example
@@ -0,0 +1,52 @@
+# MPC-System 环境变量配置
+# 部署位置: 192.168.1.100 (Nginx + MPC 服务器)
+#
+# 使用方法:
+# 1. 复制此文件: cp .env.example .env
+# 2. 修改为实际生产环境的值
+# 3. 启动: docker compose up -d
+
+# ============================================
+# 环境标识
+# ============================================
+ENVIRONMENT=production
+
+# ============================================
+# PostgreSQL 数据库
+# ============================================
+POSTGRES_USER=mpc_user
+POSTGRES_PASSWORD=your_secure_postgres_password_here
+
+# ============================================
+# Redis 缓存
+# ============================================
+# 留空表示不需要密码 (内部网络)
+REDIS_PASSWORD=
+
+# ============================================
+# RabbitMQ 消息队列
+# ============================================
+RABBITMQ_USER=mpc_user
+RABBITMQ_PASSWORD=your_secure_rabbitmq_password_here
+
+# ============================================
+# JWT 配置
+# ============================================
+# JWT 签名密钥 (至少 32 字符)
+JWT_SECRET_KEY=your_super_secure_jwt_secret_key_at_least_32_characters
+
+# ============================================
+# 加密配置
+# ============================================
+# 主加密密钥 (64 位十六进制字符 = 256 位密钥)
+# 用于加密存储的密钥分片
+CRYPTO_MASTER_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+
+# ============================================
+# API 安全配置
+# ============================================
+# API 认证密钥 (与后端服务器的 mpc-service 配置一致)
+MPC_API_KEY=your_very_secure_api_key_at_least_32_characters
+
+# 允许访问的 IP 地址 (后端服务器)
+ALLOWED_IPS=192.168.1.111
diff --git a/backend/mpc-system/docker-compose.yml b/backend/mpc-system/docker-compose.yml
index c0113528..922a2cd3 100644
--- a/backend/mpc-system/docker-compose.yml
+++ b/backend/mpc-system/docker-compose.yml
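Review bot: The template value `CRYPTO_MASTER_KEY=0123456789abcdef…` is a syntactically valid 64-hex key, and since the compose file's server-party services read `${CRYPTO_MASTER_KEY}` with no default, a `.env` copied from this file without editing that line starts all three parties with a predictable master key and no error. Prefer a value that cannot pass as a key, e.g. `CRYPTO_MASTER_KEY=` preceded by `# 生成: openssl rand -hex 32`, so an unedited copy fails at startup instead of silently working; the `JWT_SECRET_KEY` and `MPC_API_KEY` placeholders are likewise already over 32 characters and may satisfy a length check, so the same treatment applies. The header should also state that the resulting `.env` holds every secret of the deployment and must not be committed (confirm it is covered by the repository's ignore rules).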
@@ -1,4 +1,12 @@
-version: '3.8'
+# MPC-System Docker Compose Configuration
+# 部署位置: 192.168.1.100 (Nginx + MPC 服务器)
+# 用途: TSS 密钥生成、签名服务
+#
+# 启动命令:
+# 生产环境: docker compose --env-file .env.production up -d
+# 开发环境: docker compose up -d
+#
+# 对外端口: 4000 (Account Service HTTP) - 供 mpc-service (192.168.1.111:3001) 调用
 
 services:
 # ============================================
@@ -11,31 +19,31 @@ services:
 container_name: mpc-postgres
 environment:
 POSTGRES_DB: mpc_system
- POSTGRES_USER: mpc_user
+ POSTGRES_USER: ${POSTGRES_USER:-mpc_user}
 POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
- ports:
- - "5432:5432"
 volumes:
 - postgres-data:/var/lib/postgresql/data
 - ./migrations:/docker-entrypoint-initdb.d:ro
 healthcheck:
- test: ["CMD-SHELL", "pg_isready -U mpc_user -d mpc_system"]
+ test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mpc_user} -d mpc_system"]
 interval: 10s
 timeout: 5s
 retries: 5
 start_period: 30s
 networks:
 - mpc-network
+ restart: unless-stopped
+ # 生产环境不暴露端口到主机,仅内部网络可访问
+ # ports:
+ # - "5432:5432"
 
 # Redis Cache
 redis:
 image: redis:7-alpine
 container_name: mpc-redis
- ports:
- - "6379:6379"
+ command: redis-server --appendonly yes --maxmemory 512mb --maxmemory-policy allkeys-lru ${REDIS_PASSWORD:+--requirepass $REDIS_PASSWORD}
 volumes:
 - redis-data:/data
- command: redis-server --appendonly yes --maxmemory 256mb --maxmemory-policy allkeys-lru
 healthcheck:
 test: ["CMD", "redis-cli", "ping"]
 interval: 10s
@@ -43,16 +51,14 @@ services:
 retries: 5
 networks:
 - mpc-network
+ restart: unless-stopped
 
 # RabbitMQ Message Broker
 rabbitmq:
 image: rabbitmq:3-management-alpine
 container_name: mpc-rabbitmq
- ports:
- - "5672:5672"
- - "15672:15672"
 environment:
- RABBITMQ_DEFAULT_USER: mpc_user
+ RABBITMQ_DEFAULT_USER: ${RABBITMQ_USER:-mpc_user}
 RABBITMQ_DEFAULT_PASS: ${RABBITMQ_PASSWORD:-mpc_rabbit_password}
 RABBITMQ_DEFAULT_VHOST: /
 volumes:
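Review bot: The header's production command `docker compose --env-file .env.production up -d` contradicts the new `.env.example`, whose instructions are to copy it to `.env` and run `docker compose up -d`; when `--env-file` is given Compose no longer reads `.env` for interpolation, so an operator following one file's instructions while the other filename is in use gets every `${…:-default}` fallback instead of the configured secrets. Use one filename in both places, e.g. `# 生产环境: cp .env.example .env && docker compose up -d`. This matters more now that `MPC_SERVER_ENVIRONMENT` defaults to `production` everywhere in the file, so a missing env file no longer produces an obviously non-production run.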
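Review bot: The Redis `command:` now adds `${REDIS_PASSWORD:+--requirepass $REDIS_PASSWORD}`, but the healthcheck in the same hunk still runs `redis-cli ping` without credentials, so once a password is set the probe receives `NOAUTH` and the container may never report healthy, which would also block account-service's new `depends_on: redis: condition: service_healthy`; confirm the redis-cli exit status on an error reply, and confirm that the Compose version in use expands the inner `$REDIS_PASSWORD` inside the `:+` alternative. Add `environment: REDISCLI_AUTH: ${REDIS_PASSWORD:-}` to the redis service so the probe authenticates from the environment rather than from a command-line argument, which would otherwise be visible in `docker inspect` and process listings. Separately, `POSTGRES_PASSWORD` here, `RABBITMQ_PASSWORD` in the next hunk, and the same variables in every service below still fall back to `mpc_secret_password` / `mpc_rabbit_password`, so a production run with the env file absent boots with published defaults; the required form `${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}` would abort instead.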
@@ -65,57 +71,39 @@ services:
 start_period: 30s
 networks:
 - mpc-network
-
- # Consul Service Discovery
- consul:
- image: consul:1.16
- container_name: mpc-consul
- ports:
- - "8500:8500"
- - "8600:8600/udp"
- command: agent -server -ui -bootstrap-expect=1 -client=0.0.0.0
- volumes:
- - consul-data:/consul/data
- healthcheck:
- test: ["CMD", "consul", "members"]
- interval: 10s
- timeout: 5s
- retries: 5
- networks:
- - mpc-network
+ restart: unless-stopped
+ # 生产环境管理界面仅开发时使用
+ # ports:
+ # - "15672:15672"
 
 # ============================================
- # MPC Services
+ # MPC Core Services
 # ============================================
 
- # Session Coordinator Service
+ # Session Coordinator Service - 会话协调器
 session-coordinator:
 build:
 context: .
 dockerfile: services/session-coordinator/Dockerfile
 container_name: mpc-session-coordinator
- ports:
- - "50051:50051" # gRPC
- - "8080:8080" # HTTP
 environment:
 MPC_SERVER_GRPC_PORT: 50051
 MPC_SERVER_HTTP_PORT: 8080
- MPC_SERVER_ENVIRONMENT: development
+ MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
 MPC_DATABASE_HOST: postgres
 MPC_DATABASE_PORT: 5432
- MPC_DATABASE_USER: mpc_user
+ MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
 MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
 MPC_DATABASE_DBNAME: mpc_system
 MPC_DATABASE_SSLMODE: disable
 MPC_REDIS_HOST: redis
 MPC_REDIS_PORT: 6379
+ MPC_REDIS_PASSWORD: ${REDIS_PASSWORD:-}
 MPC_RABBITMQ_HOST: rabbitmq
 MPC_RABBITMQ_PORT: 5672
- MPC_RABBITMQ_USER: mpc_user
+ MPC_RABBITMQ_USER: ${RABBITMQ_USER:-mpc_user}
 MPC_RABBITMQ_PASSWORD: ${RABBITMQ_PASSWORD:-mpc_rabbit_password}
- MPC_CONSUL_HOST: consul
- MPC_CONSUL_PORT: 8500
- MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY:-super_secret_jwt_key_change_in_production}
+ MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY}
 MPC_JWT_ISSUER: mpc-system
 depends_on:
 postgres:
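Review bot: `MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY}` drops the insecure default, which is the right direction, but Compose substitutes an empty string (with only a warning) when the variable is unset, so a deployment without the env file now starts session-coordinator with an empty JWT signing key rather than failing, unless the service itself rejects an empty value, which this hunk cannot show. Use the required form `MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY:?JWT_SECRET_KEY must be set}` so `docker compose up` aborts before any container starts. The same applies to `${CRYPTO_MASTER_KEY}` in the three server-party hunks that follow and to `${JWT_SECRET_KEY}` and `${MPC_API_KEY}` in the account-service hunk. The session-coordinator definition continues past the end of this hunk.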
@@ -134,28 +122,25 @@ services:
 - mpc-network
 restart: unless-stopped
 
- # Message Router Service
+ # Message Router Service - 消息路由
 message-router:
 build:
 context: .
 dockerfile: services/message-router/Dockerfile
 container_name: mpc-message-router
- ports:
- - "50052:50051" # gRPC
- - "8081:8080" # HTTP
 environment:
 MPC_SERVER_GRPC_PORT: 50051
 MPC_SERVER_HTTP_PORT: 8080
- MPC_SERVER_ENVIRONMENT: development
+ MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
 MPC_DATABASE_HOST: postgres
 MPC_DATABASE_PORT: 5432
- MPC_DATABASE_USER: mpc_user
+ MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
 MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
 MPC_DATABASE_DBNAME: mpc_system
 MPC_DATABASE_SSLMODE: disable
 MPC_RABBITMQ_HOST: rabbitmq
 MPC_RABBITMQ_PORT: 5672
- MPC_RABBITMQ_USER: mpc_user
+ MPC_RABBITMQ_USER: ${RABBITMQ_USER:-mpc_user}
 MPC_RABBITMQ_PASSWORD: ${RABBITMQ_PASSWORD:-mpc_rabbit_password}
 depends_on:
 postgres:
@@ -172,28 +157,30 @@ services:
 - mpc-network
 restart: unless-stopped
 
- # Server Party Service - Party 1
+ # ============================================
+ # Server Party Services - TSS 参与方
+ # 2-of-3 阈值签名: 至少 2 个 party 参与才能完成签名
+ # ============================================
+
+ # Server Party 1
 server-party-1:
 build:
 context: .
 dockerfile: services/server-party/Dockerfile
 container_name: mpc-server-party-1
- ports:
- - "50053:50051" # gRPC
- - "8082:8080" # HTTP
 environment:
 MPC_SERVER_GRPC_PORT: 50051
 MPC_SERVER_HTTP_PORT: 8080
- MPC_SERVER_ENVIRONMENT: development
+ MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
 MPC_DATABASE_HOST: postgres
 MPC_DATABASE_PORT: 5432
- MPC_DATABASE_USER: mpc_user
+ MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
 MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
 MPC_DATABASE_DBNAME: mpc_system
 MPC_DATABASE_SSLMODE: disable
 SESSION_COORDINATOR_ADDR: session-coordinator:50051
 MESSAGE_ROUTER_ADDR: message-router:50051
- MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY:-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef}
+ MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY}
 PARTY_ID: server-party-1
 depends_on:
 postgres:
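Review bot: The new header advertises `2-of-3 阈值签名`, but as configured the three server-party services run on the same host, read the same `MPC_CRYPTO_MASTER_KEY`, and talk to the same `mpc_system` database with `MPC_DATABASE_SSLMODE: disable`, and the `.env.example` comment says that one key encrypts the stored key shares; the threshold therefore covers a party being unavailable, not the host, the database or `CRYPTO_MASTER_KEY` being compromised, since any one of those exposes every share at once. That may be an accepted deployment choice, but the header should say so rather than imply independent custody, e.g. `# 注意: 三个 party 同机部署并共用 CRYPTO_MASTER_KEY 和数据库, 阈值仅提供可用性, 不提供分片隔离`. A per-party key variable (`CRYPTO_MASTER_KEY_1` … `_3`) would be the first step if share isolation is wanted later. server-party-1's definition continues past the hunk, and server-party-2 and server-party-3 in the next two hunks are identical in this respect.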
@@ -212,28 +199,25 @@ services:
 - mpc-network
 restart: unless-stopped
 
- # Server Party Service - Party 2
+ # Server Party 2
 server-party-2:
 build:
 context: .
 dockerfile: services/server-party/Dockerfile
 container_name: mpc-server-party-2
- ports:
- - "50055:50051" # gRPC
- - "8084:8080" # HTTP
 environment:
 MPC_SERVER_GRPC_PORT: 50051
 MPC_SERVER_HTTP_PORT: 8080
- MPC_SERVER_ENVIRONMENT: development
+ MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
 MPC_DATABASE_HOST: postgres
 MPC_DATABASE_PORT: 5432
- MPC_DATABASE_USER: mpc_user
+ MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
 MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
 MPC_DATABASE_DBNAME: mpc_system
 MPC_DATABASE_SSLMODE: disable
 SESSION_COORDINATOR_ADDR: session-coordinator:50051
 MESSAGE_ROUTER_ADDR: message-router:50051
- MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY:-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef}
+ MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY}
 PARTY_ID: server-party-2
 depends_on:
 postgres:
@@ -252,28 +236,25 @@ services:
 - mpc-network
 restart: unless-stopped
 
- # Server Party Service - Party 3
+ # Server Party 3
 server-party-3:
 build:
 context: .
 dockerfile: services/server-party/Dockerfile
 container_name: mpc-server-party-3
- ports:
- - "50056:50051" # gRPC
- - "8085:8080" # HTTP
 environment:
 MPC_SERVER_GRPC_PORT: 50051
 MPC_SERVER_HTTP_PORT: 8080
- MPC_SERVER_ENVIRONMENT: development
+ MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
 MPC_DATABASE_HOST: postgres
 MPC_DATABASE_PORT: 5432
- MPC_DATABASE_USER: mpc_user
+ MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
 MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
 MPC_DATABASE_DBNAME: mpc_system
 MPC_DATABASE_SSLMODE: disable
 SESSION_COORDINATOR_ADDR: session-coordinator:50051
 MESSAGE_ROUTER_ADDR: message-router:50051
- MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY:-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef}
+ MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY}
 PARTY_ID: server-party-3
 depends_on:
 postgres:
@@ -292,30 +273,42 @@ services:
 - mpc-network
 restart: unless-stopped
 
- # Account Service
+ # ============================================
+ # Account Service - 对外 API 入口
+ # 端口 4000: 供 mpc-service (192.168.1.111:3001) 调用
+ # ============================================
 account-service:
 build:
 context: .
 dockerfile: services/account/Dockerfile
 container_name: mpc-account-service
 ports:
- - "50054:50051" # gRPC
- - "8083:8080" # HTTP
+ # 对外暴露端口 4000,供后端服务器 (192.168.1.111) 的 mpc-service 调用
+ - "4000:8080"
 environment:
 MPC_SERVER_GRPC_PORT: 50051
 MPC_SERVER_HTTP_PORT: 8080
- MPC_SERVER_ENVIRONMENT: development
+ MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
 MPC_DATABASE_HOST: postgres
 MPC_DATABASE_PORT: 5432
- MPC_DATABASE_USER: mpc_user
+ MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
 MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
 MPC_DATABASE_DBNAME: mpc_system
 MPC_DATABASE_SSLMODE: disable
+ MPC_REDIS_HOST: redis
+ MPC_REDIS_PORT: 6379
+ MPC_REDIS_PASSWORD: ${REDIS_PASSWORD:-}
 MPC_COORDINATOR_URL: session-coordinator:50051
- MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY:-super_secret_jwt_key_change_in_production}
+ MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY}
+ # API 认证密钥 (与 mpc-service 配置的 MPC_API_KEY 一致)
+ MPC_API_KEY: ${MPC_API_KEY}
+ # 允许的来源 IP (后端服务器)
+ ALLOWED_IPS: ${ALLOWED_IPS:-192.168.1.111}
 depends_on:
 postgres:
 condition: service_healthy
+ redis:
+ condition: service_healthy
 session-coordinator:
 condition: service_healthy
 healthcheck:
@@ -336,10 +329,12 @@ networks:
 driver: bridge
 
 # ============================================
-# Volumes
+# Volumes - 持久化存储
 # ============================================
 volumes:
 postgres-data:
+ driver: local
 redis-data:
+ driver: local
 rabbitmq-data:
- consul-data:
+ driver: local
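Review bot: `- "4000:8080"` publishes the port on every host interface, and Docker-published ports are accepted through Docker's own forwarding rules rather than the host's INPUT chain, so the source restriction described in the comment rests entirely on the application enforcing `ALLOWED_IPS`, which this file cannot show. Bind the listener to the address the peer actually uses, `- "192.168.1.100:4000:8080"`, or to `"127.0.0.1:4000:8080"` if the Nginx named in the file header fronts it, so other interfaces never expose it regardless of the in-app check. Note also that if requests arrive via Nginx or Docker's userland proxy, the container sees the proxy's address rather than `192.168.1.111`, and the allowlist would then need that address or a trusted forwarded-header policy; worth recording in the comment above `ALLOWED_IPS`. The account-service definition continues past the first hunk.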