#!/bin/bash # RWADurian API Gateway - Nginx 完整安装脚本 # 适用于全新 Ubuntu/Debian 服务器 set -e DOMAIN="rwaapi.szaiai.com" EMAIL="admin@szaiai.com" # 修改为你的邮箱 KONG_PORT=8000 # 颜色 RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' BLUE='\033[0;34m' NC='\033[0m' log_info() { echo -e "${BLUE}[INFO]${NC} $1"; } log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; } log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; } log_error() { echo -e "${RED}[ERROR]${NC} $1"; } # 检查 root 权限 check_root() { if [ "$EUID" -ne 0 ]; then log_error "请使用 root 权限运行: sudo ./install.sh" exit 1 fi } # 步骤 1: 更新系统 update_system() { log_info "步骤 1/6: 更新系统包..." apt update && apt upgrade -y log_success "系统更新完成" } # 步骤 2: 安装 Nginx install_nginx() { log_info "步骤 2/6: 安装 Nginx..." apt install -y nginx systemctl enable nginx systemctl start nginx log_success "Nginx 安装完成" } # 步骤 3: 安装 Certbot install_certbot() { log_info "步骤 3/6: 安装 Certbot..." apt install -y certbot python3-certbot-nginx log_success "Certbot 安装完成" } # 步骤 4: 配置 Nginx (HTTP) configure_nginx_http() { log_info "步骤 4/6: 配置 Nginx (HTTP 临时配置用于证书申请)..." # 创建 certbot webroot 目录 mkdir -p /var/www/certbot # 创建临时 HTTP 配置 cat > /etc/nginx/sites-available/$DOMAIN << EOF # 临时 HTTP 配置 - 用于 Let's Encrypt 验证 server { listen 80; listen [::]:80; server_name $DOMAIN; # Let's Encrypt 验证目录 location /.well-known/acme-challenge/ { root /var/www/certbot; } # 临时代理到 Kong location / { proxy_pass http://127.0.0.1:$KONG_PORT; proxy_http_version 1.1; proxy_set_header Host \$host; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; } } EOF # 启用站点 ln -sf /etc/nginx/sites-available/$DOMAIN /etc/nginx/sites-enabled/ # 测试并重载 nginx -t && systemctl reload nginx log_success "Nginx HTTP 配置完成" } # 步骤 5: 申请 SSL 证书 obtain_ssl_certificate() { log_info "步骤 5/6: 申请 Let's Encrypt SSL 证书..." # 检查域名解析 log_info "检查域名 $DOMAIN 解析..." if ! host $DOMAIN > /dev/null 2>&1; then log_warn "无法解析域名 $DOMAIN,请确保 DNS 已正确配置" log_warn "继续尝试申请证书..." fi # 申请证书 certbot certonly \ --webroot \ --webroot-path=/var/www/certbot \ --email $EMAIL \ --agree-tos \ --no-eff-email \ -d $DOMAIN log_success "SSL 证书申请成功" } # 步骤 6: 配置 Nginx (HTTPS) configure_nginx_https() { log_info "步骤 6/6: 配置 Nginx (HTTPS)..." # 获取脚本所在目录 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" # 复制完整配置 cp "$SCRIPT_DIR/rwaapi.szaiai.com.conf" /etc/nginx/sites-available/$DOMAIN # 测试并重载 nginx -t && systemctl reload nginx log_success "Nginx HTTPS 配置完成" } # 配置证书自动续期 setup_auto_renewal() { log_info "配置证书自动续期..." certbot renew --dry-run log_success "证书自动续期已配置" } # 配置防火墙 configure_firewall() { log_info "配置防火墙..." if command -v ufw &> /dev/null; then ufw allow 'Nginx Full' ufw allow OpenSSH ufw --force enable log_success "UFW 防火墙已配置" else log_warn "未检测到 UFW,请手动配置防火墙开放 80 和 443 端口" fi } # 显示完成信息 show_completion() { echo "" echo -e "${GREEN}========================================${NC}" echo -e "${GREEN} 安装完成!${NC}" echo -e "${GREEN}========================================${NC}" echo "" echo -e "API 网关地址: ${BLUE}https://$DOMAIN${NC}" echo "" echo "架构:" echo " 用户请求 → Nginx (SSL) → Kong (API Gateway) → 微服务" echo "" echo "常用命令:" echo " 查看 Nginx 状态: systemctl status nginx" echo " 重载 Nginx: systemctl reload nginx" echo " 查看证书: certbot certificates" echo " 手动续期: certbot renew" echo " 查看日志: tail -f /var/log/nginx/$DOMAIN.access.log" echo "" } # 主函数 main() { echo "" echo "============================================" echo " RWADurian API Gateway - Nginx 安装脚本" echo " 域名: $DOMAIN" echo "============================================" echo "" check_root update_system install_nginx install_certbot configure_firewall configure_nginx_http echo "" log_warn "请确保以下条件已满足:" echo " 1. 域名 $DOMAIN 的 DNS A 记录已指向本服务器 IP" echo " 2. Kong API Gateway 已在端口 $KONG_PORT 运行" echo "" read -p "是否继续申请 SSL 证书? (y/n): " confirm if [ "$confirm" = "y" ] || [ "$confirm" = "Y" ]; then obtain_ssl_certificate configure_nginx_https setup_auto_renewal show_completion else log_info "已跳过 SSL 配置,当前为 HTTP 模式" log_info "稍后可运行: certbot --nginx -d $DOMAIN" fi } main "$@"