feat(mpc-system): 优化 Docker 部署配置适配生产环境

部署位置: 192.168.1.100 (Nginx + MPC 服务器)

主要修改:
- 对外仅暴露端口 4000 (account-service)
- 移除基础设施服务的外部端口暴露
- 默认使用 production 环境
- 添加 MPC_API_KEY 和 ALLOWED_IPS 安全配置
- 新增 .env.example 生产环境配置模板
- 移除 Consul 服务发现 (简化部署)
- 优化 Redis 内存配置

架构说明:
- account-service:4000 为对外 API 入口
- 后端服务器 (192.168.1.111) 的 mpc-service 通过此端口调用

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Developer 2025-12-01 21:59:01 -08:00
parent 01e192ea17
commit c63be04322
2 changed files with 124 additions and 77 deletions


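--- /dev/null
+++ b/.env.example
+# MPC-System 环境变量配置
+# 部署位置: 192.168.1.100 (Nginx + MPC 服务器)
+#
+# 使用方法:
+# 1. 复制此文件: cp .env.example .env
+# 2. 修改为实际生产环境的值
+# 3. 启动: docker compose up -d
+# ============================================
+# 环境标识
+# ============================================
+ENVIRONMENT=production
+# ============================================
+# PostgreSQL 数据库
+# ============================================
+POSTGRES_USER=mpc_user
+POSTGRES_PASSWORD=your_secure_postgres_password_here
+# ============================================
+# Redis 缓存
+# ============================================
+# 留空表示不需要密码 (内部网络)
+REDIS_PASSWORD=
+# ============================================
+# RabbitMQ 消息队列
+# ============================================
+RABBITMQ_USER=mpc_user
+RABBITMQ_PASSWORD=your_secure_rabbitmq_password_here
+# ============================================
+# JWT 配置
+# ============================================
+# JWT 签名密钥 (至少 32 字符)
+JWT_SECRET_KEY=your_super_secure_jwt_secret_key_at_least_32_characters
+# ============================================
+# 加密配置
+# ============================================
+# 主加密密钥 (64 位十六进制字符 = 256 位密钥)
+# 用于加密存储的密钥分片
+CRYPTO_MASTER_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+# ============================================
+# API 安全配置
+# ============================================
+# API 认证密钥 (与后端服务器的 mpc-service 配置一致)
+MPC_API_KEY=your_very_secure_api_key_at_least_32_characters
+# 允许访问的 IP 地址 (后端服务器)
+ALLOWED_IPS=192.168.1.111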
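Review bot: The `CRYPTO_MASTER_KEY` template value is a well-formed 64-hex key — the same value the compose file previously used as its fallback default — so a `.env` produced by the documented `cp .env.example .env` step passes any length or format check and would encrypt stored key shares under a publicly known key. The other placeholders at least read as placeholders, although `JWT_SECRET_KEY` and `MPC_API_KEY` as written already satisfy the 32-character minimum the comments state, so a length check alone would not catch them either. Leave the key empty and say how to produce it: `# 生成: openssl rand -hex 32` followed by `CRYPTO_MASTER_KEY=`. Whether the services reject an empty or known value at startup is not visible in this commit.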


@ -1,4 +1,12 @@
version: '3.8' # MPC-System Docker Compose Configuration
# 部署位置: 192.168.1.100 (Nginx + MPC 服务器)
# 用途: TSS 密钥生成、签名服务
#
# 启动命令:
# 生产环境: docker compose --env-file .env.production up -d
# 开发环境: docker compose up -d
#
# 对外端口: 4000 (Account Service HTTP) - 供 mpc-service (192.168.1.111:3001) 调用
services: services:
# ============================================ # ============================================
@ -11,31 +19,31 @@ services:
container_name: mpc-postgres container_name: mpc-postgres
environment: environment:
POSTGRES_DB: mpc_system POSTGRES_DB: mpc_system
POSTGRES_USER: mpc_user POSTGRES_USER: ${POSTGRES_USER:-mpc_user}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password} POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
ports:
- "5432:5432"
volumes: volumes:
- postgres-data:/var/lib/postgresql/data - postgres-data:/var/lib/postgresql/data
- ./migrations:/docker-entrypoint-initdb.d:ro - ./migrations:/docker-entrypoint-initdb.d:ro
healthcheck: healthcheck:
test: ["CMD-SHELL", "pg_isready -U mpc_user -d mpc_system"] test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mpc_user} -d mpc_system"]
interval: 10s interval: 10s
timeout: 5s timeout: 5s
retries: 5 retries: 5
start_period: 30s start_period: 30s
networks: networks:
- mpc-network - mpc-network
restart: unless-stopped
# 生产环境不暴露端口到主机,仅内部网络可访问
# ports:
# - "5432:5432"
# Redis Cache # Redis Cache
redis: redis:
image: redis:7-alpine image: redis:7-alpine
container_name: mpc-redis container_name: mpc-redis
ports: command: redis-server --appendonly yes --maxmemory 512mb --maxmemory-policy allkeys-lru ${REDIS_PASSWORD:+--requirepass $REDIS_PASSWORD}
- "6379:6379"
volumes: volumes:
- redis-data:/data - redis-data:/data
command: redis-server --appendonly yes --maxmemory 256mb --maxmemory-policy allkeys-lru
healthcheck: healthcheck:
test: ["CMD", "redis-cli", "ping"] test: ["CMD", "redis-cli", "ping"]
interval: 10s interval: 10s
@ -43,16 +51,14 @@ services:
retries: 5 retries: 5
networks: networks:
- mpc-network - mpc-network
restart: unless-stopped
# RabbitMQ Message Broker # RabbitMQ Message Broker
rabbitmq: rabbitmq:
image: rabbitmq:3-management-alpine image: rabbitmq:3-management-alpine
container_name: mpc-rabbitmq container_name: mpc-rabbitmq
ports:
- "5672:5672"
- "15672:15672"
environment: environment:
RABBITMQ_DEFAULT_USER: mpc_user RABBITMQ_DEFAULT_USER: ${RABBITMQ_USER:-mpc_user}
RABBITMQ_DEFAULT_PASS: ${RABBITMQ_PASSWORD:-mpc_rabbit_password} RABBITMQ_DEFAULT_PASS: ${RABBITMQ_PASSWORD:-mpc_rabbit_password}
RABBITMQ_DEFAULT_VHOST: / RABBITMQ_DEFAULT_VHOST: /
volumes: volumes:
@ -65,57 +71,39 @@ services:
start_period: 30s start_period: 30s
networks: networks:
- mpc-network - mpc-network
restart: unless-stopped
# Consul Service Discovery # 生产环境管理界面仅开发时使用
consul: # ports:
image: consul:1.16 # - "15672:15672"
container_name: mpc-consul
ports:
- "8500:8500"
- "8600:8600/udp"
command: agent -server -ui -bootstrap-expect=1 -client=0.0.0.0
volumes:
- consul-data:/consul/data
healthcheck:
test: ["CMD", "consul", "members"]
interval: 10s
timeout: 5s
retries: 5
networks:
- mpc-network
# ============================================ # ============================================
# MPC Services # MPC Core Services
# ============================================ # ============================================
# Session Coordinator Service # Session Coordinator Service - 会话协调器
session-coordinator: session-coordinator:
build: build:
context: . context: .
dockerfile: services/session-coordinator/Dockerfile dockerfile: services/session-coordinator/Dockerfile
container_name: mpc-session-coordinator container_name: mpc-session-coordinator
ports:
- "50051:50051" # gRPC
- "8080:8080" # HTTP
environment: environment:
MPC_SERVER_GRPC_PORT: 50051 MPC_SERVER_GRPC_PORT: 50051
MPC_SERVER_HTTP_PORT: 8080 MPC_SERVER_HTTP_PORT: 8080
MPC_SERVER_ENVIRONMENT: development MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
MPC_DATABASE_HOST: postgres MPC_DATABASE_HOST: postgres
MPC_DATABASE_PORT: 5432 MPC_DATABASE_PORT: 5432
MPC_DATABASE_USER: mpc_user MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password} MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
MPC_DATABASE_DBNAME: mpc_system MPC_DATABASE_DBNAME: mpc_system
MPC_DATABASE_SSLMODE: disable MPC_DATABASE_SSLMODE: disable
MPC_REDIS_HOST: redis MPC_REDIS_HOST: redis
MPC_REDIS_PORT: 6379 MPC_REDIS_PORT: 6379
MPC_REDIS_PASSWORD: ${REDIS_PASSWORD:-}
MPC_RABBITMQ_HOST: rabbitmq MPC_RABBITMQ_HOST: rabbitmq
MPC_RABBITMQ_PORT: 5672 MPC_RABBITMQ_PORT: 5672
MPC_RABBITMQ_USER: mpc_user MPC_RABBITMQ_USER: ${RABBITMQ_USER:-mpc_user}
MPC_RABBITMQ_PASSWORD: ${RABBITMQ_PASSWORD:-mpc_rabbit_password} MPC_RABBITMQ_PASSWORD: ${RABBITMQ_PASSWORD:-mpc_rabbit_password}
MPC_CONSUL_HOST: consul MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY}
MPC_CONSUL_PORT: 8500
MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY:-super_secret_jwt_key_change_in_production}
MPC_JWT_ISSUER: mpc-system MPC_JWT_ISSUER: mpc-system
depends_on: depends_on:
postgres: postgres:
@ -134,28 +122,25 @@ services:
- mpc-network - mpc-network
restart: unless-stopped restart: unless-stopped
# Message Router Service # Message Router Service - 消息路由
message-router: message-router:
build: build:
context: . context: .
dockerfile: services/message-router/Dockerfile dockerfile: services/message-router/Dockerfile
container_name: mpc-message-router container_name: mpc-message-router
ports:
- "50052:50051" # gRPC
- "8081:8080" # HTTP
environment: environment:
MPC_SERVER_GRPC_PORT: 50051 MPC_SERVER_GRPC_PORT: 50051
MPC_SERVER_HTTP_PORT: 8080 MPC_SERVER_HTTP_PORT: 8080
MPC_SERVER_ENVIRONMENT: development MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
MPC_DATABASE_HOST: postgres MPC_DATABASE_HOST: postgres
MPC_DATABASE_PORT: 5432 MPC_DATABASE_PORT: 5432
MPC_DATABASE_USER: mpc_user MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password} MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
MPC_DATABASE_DBNAME: mpc_system MPC_DATABASE_DBNAME: mpc_system
MPC_DATABASE_SSLMODE: disable MPC_DATABASE_SSLMODE: disable
MPC_RABBITMQ_HOST: rabbitmq MPC_RABBITMQ_HOST: rabbitmq
MPC_RABBITMQ_PORT: 5672 MPC_RABBITMQ_PORT: 5672
MPC_RABBITMQ_USER: mpc_user MPC_RABBITMQ_USER: ${RABBITMQ_USER:-mpc_user}
MPC_RABBITMQ_PASSWORD: ${RABBITMQ_PASSWORD:-mpc_rabbit_password} MPC_RABBITMQ_PASSWORD: ${RABBITMQ_PASSWORD:-mpc_rabbit_password}
depends_on: depends_on:
postgres: postgres:
@ -172,28 +157,30 @@ services:
- mpc-network - mpc-network
restart: unless-stopped restart: unless-stopped
# Server Party Service - Party 1 # ============================================
# Server Party Services - TSS 参与方
# 2-of-3 阈值签名: 至少 2 个 party 参与才能完成签名
# ============================================
# Server Party 1
server-party-1: server-party-1:
build: build:
context: . context: .
dockerfile: services/server-party/Dockerfile dockerfile: services/server-party/Dockerfile
container_name: mpc-server-party-1 container_name: mpc-server-party-1
ports:
- "50053:50051" # gRPC
- "8082:8080" # HTTP
environment: environment:
MPC_SERVER_GRPC_PORT: 50051 MPC_SERVER_GRPC_PORT: 50051
MPC_SERVER_HTTP_PORT: 8080 MPC_SERVER_HTTP_PORT: 8080
MPC_SERVER_ENVIRONMENT: development MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
MPC_DATABASE_HOST: postgres MPC_DATABASE_HOST: postgres
MPC_DATABASE_PORT: 5432 MPC_DATABASE_PORT: 5432
MPC_DATABASE_USER: mpc_user MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password} MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
MPC_DATABASE_DBNAME: mpc_system MPC_DATABASE_DBNAME: mpc_system
MPC_DATABASE_SSLMODE: disable MPC_DATABASE_SSLMODE: disable
SESSION_COORDINATOR_ADDR: session-coordinator:50051 SESSION_COORDINATOR_ADDR: session-coordinator:50051
MESSAGE_ROUTER_ADDR: message-router:50051 MESSAGE_ROUTER_ADDR: message-router:50051
MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY:-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef} MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY}
PARTY_ID: server-party-1 PARTY_ID: server-party-1
depends_on: depends_on:
postgres: postgres:
@ -212,28 +199,25 @@ services:
- mpc-network - mpc-network
restart: unless-stopped restart: unless-stopped
# Server Party Service - Party 2 # Server Party 2
server-party-2: server-party-2:
build: build:
context: . context: .
dockerfile: services/server-party/Dockerfile dockerfile: services/server-party/Dockerfile
container_name: mpc-server-party-2 container_name: mpc-server-party-2
ports:
- "50055:50051" # gRPC
- "8084:8080" # HTTP
environment: environment:
MPC_SERVER_GRPC_PORT: 50051 MPC_SERVER_GRPC_PORT: 50051
MPC_SERVER_HTTP_PORT: 8080 MPC_SERVER_HTTP_PORT: 8080
MPC_SERVER_ENVIRONMENT: development MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
MPC_DATABASE_HOST: postgres MPC_DATABASE_HOST: postgres
MPC_DATABASE_PORT: 5432 MPC_DATABASE_PORT: 5432
MPC_DATABASE_USER: mpc_user MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password} MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
MPC_DATABASE_DBNAME: mpc_system MPC_DATABASE_DBNAME: mpc_system
MPC_DATABASE_SSLMODE: disable MPC_DATABASE_SSLMODE: disable
SESSION_COORDINATOR_ADDR: session-coordinator:50051 SESSION_COORDINATOR_ADDR: session-coordinator:50051
MESSAGE_ROUTER_ADDR: message-router:50051 MESSAGE_ROUTER_ADDR: message-router:50051
MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY:-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef} MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY}
PARTY_ID: server-party-2 PARTY_ID: server-party-2
depends_on: depends_on:
postgres: postgres:
@ -252,28 +236,25 @@ services:
- mpc-network - mpc-network
restart: unless-stopped restart: unless-stopped
# Server Party Service - Party 3 # Server Party 3
server-party-3: server-party-3:
build: build:
context: . context: .
dockerfile: services/server-party/Dockerfile dockerfile: services/server-party/Dockerfile
container_name: mpc-server-party-3 container_name: mpc-server-party-3
ports:
- "50056:50051" # gRPC
- "8085:8080" # HTTP
environment: environment:
MPC_SERVER_GRPC_PORT: 50051 MPC_SERVER_GRPC_PORT: 50051
MPC_SERVER_HTTP_PORT: 8080 MPC_SERVER_HTTP_PORT: 8080
MPC_SERVER_ENVIRONMENT: development MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
MPC_DATABASE_HOST: postgres MPC_DATABASE_HOST: postgres
MPC_DATABASE_PORT: 5432 MPC_DATABASE_PORT: 5432
MPC_DATABASE_USER: mpc_user MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password} MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
MPC_DATABASE_DBNAME: mpc_system MPC_DATABASE_DBNAME: mpc_system
MPC_DATABASE_SSLMODE: disable MPC_DATABASE_SSLMODE: disable
SESSION_COORDINATOR_ADDR: session-coordinator:50051 SESSION_COORDINATOR_ADDR: session-coordinator:50051
MESSAGE_ROUTER_ADDR: message-router:50051 MESSAGE_ROUTER_ADDR: message-router:50051
MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY:-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef} MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY}
PARTY_ID: server-party-3 PARTY_ID: server-party-3
depends_on: depends_on:
postgres: postgres:
@ -292,30 +273,42 @@ services:
- mpc-network - mpc-network
restart: unless-stopped restart: unless-stopped
# Account Service # ============================================
# Account Service - 对外 API 入口
# 端口 4000: 供 mpc-service (192.168.1.111:3001) 调用
# ============================================
account-service: account-service:
build: build:
context: . context: .
dockerfile: services/account/Dockerfile dockerfile: services/account/Dockerfile
container_name: mpc-account-service container_name: mpc-account-service
ports: ports:
- "50054:50051" # gRPC # 对外暴露端口 4000供后端服务器 (192.168.1.111) 的 mpc-service 调用
- "8083:8080" # HTTP - "4000:8080"
environment: environment:
MPC_SERVER_GRPC_PORT: 50051 MPC_SERVER_GRPC_PORT: 50051
MPC_SERVER_HTTP_PORT: 8080 MPC_SERVER_HTTP_PORT: 8080
MPC_SERVER_ENVIRONMENT: development MPC_SERVER_ENVIRONMENT: ${ENVIRONMENT:-production}
MPC_DATABASE_HOST: postgres MPC_DATABASE_HOST: postgres
MPC_DATABASE_PORT: 5432 MPC_DATABASE_PORT: 5432
MPC_DATABASE_USER: mpc_user MPC_DATABASE_USER: ${POSTGRES_USER:-mpc_user}
MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password} MPC_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-mpc_secret_password}
MPC_DATABASE_DBNAME: mpc_system MPC_DATABASE_DBNAME: mpc_system
MPC_DATABASE_SSLMODE: disable MPC_DATABASE_SSLMODE: disable
MPC_REDIS_HOST: redis
MPC_REDIS_PORT: 6379
MPC_REDIS_PASSWORD: ${REDIS_PASSWORD:-}
MPC_COORDINATOR_URL: session-coordinator:50051 MPC_COORDINATOR_URL: session-coordinator:50051
MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY:-super_secret_jwt_key_change_in_production} MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY}
# API 认证密钥 (与 mpc-service 配置的 MPC_API_KEY 一致)
MPC_API_KEY: ${MPC_API_KEY}
# 允许的来源 IP (后端服务器)
ALLOWED_IPS: ${ALLOWED_IPS:-192.168.1.111}
depends_on: depends_on:
postgres: postgres:
condition: service_healthy condition: service_healthy
redis:
condition: service_healthy
session-coordinator: session-coordinator:
condition: service_healthy condition: service_healthy
healthcheck: healthcheck:
@ -336,10 +329,12 @@ networks:
driver: bridge driver: bridge
# ============================================ # ============================================
# Volumes # Volumes - 持久化存储
# ============================================ # ============================================
volumes: volumes:
postgres-data: postgres-data:
driver: local
redis-data: redis-data:
driver: local
rabbitmq-data: rabbitmq-data:
consul-data: driver: local
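Review bot: Removing the fallback from `MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY}` in the session-coordinator hunk (`@ -65,57 +71,39 @@`) means a missing or unsourced `.env` now produces an empty secret instead of a startup failure, because Compose substitutes an unset variable with an empty string and only warns; the same applies to `${CRYPTO_MASTER_KEY}` in the three server-party hunks and to `${JWT_SECRET_KEY}` and `${MPC_API_KEY}` in the account-service hunk. Compose's required-variable form makes the omission fail fast: `MPC_JWT_SECRET_KEY: ${JWT_SECRET_KEY:?JWT_SECRET_KEY must be set}`, `MPC_CRYPTO_MASTER_KEY: ${CRYPTO_MASTER_KEY:?CRYPTO_MASTER_KEY must be set}`, `MPC_API_KEY: ${MPC_API_KEY:?MPC_API_KEY must be set}`. Whether the services themselves refuse an empty key is not visible here. Separately, `"4000:8080"` publishes on every host interface, so binding it to the deployment address, `"192.168.1.100:4000:8080"`, would make `ALLOWED_IPS` a second layer rather than the only one; and passing `--requirepass $REDIS_PASSWORD` on the redis command line leaves the password readable via `docker inspect`, which deserves a comment if it is an accepted trade-off for the internal network.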