From a55121aa050df1e72aefd56e3521743e0afe325f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=BE=90=E5=8B=A4=E6=B0=91?= Date: Wed, 20 May 2026 16:13:04 +0800 Subject: [PATCH] =?UTF-8?q?feat(nginx):=20=E5=86=85=E7=BD=AE=E8=B7=AF?= =?UTF-8?q?=E7=94=B1=20nginx=20=E4=BD=9C=E4=B8=BA=E7=BB=9F=E4=B8=80?= =?UTF-8?q?=E5=85=A5=E5=8F=A3=EF=BC=8C=E5=AE=BF=E4=B8=BB=E6=9C=BA=20nginx?= =?UTF-8?q?=20=E5=8F=AA=E9=9C=80=E4=B8=80=E6=9D=A1=20proxy=5Fpass?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 将 nginx 容器从可选 profile 改为 base 必启服务,绑定 127.0.0.1:11223。 新增 config/nginx/conf.d/xuqm.conf 按 Docker 服务名路由所有内部请求。 部署完成提示从多条 location 精简为单条 proxy_pass http://127.0.0.1:11223。 Co-Authored-By: Claude Sonnet 4.6 --- config/nginx/conf.d/xuqm.conf | 99 +++++++++++++++++++++++++++++++++++ docker-compose.yml | 11 ++-- docs/runbook.md | 53 +++++++------------ scripts/deploy.sh | 43 ++++----------- 4 files changed, 134 insertions(+), 72 deletions(-) create mode 100644 config/nginx/conf.d/xuqm.conf diff --git a/config/nginx/conf.d/xuqm.conf b/config/nginx/conf.d/xuqm.conf new file mode 100644 index 0000000..0fdbf58 --- /dev/null +++ b/config/nginx/conf.d/xuqm.conf 
@@ -0,0 +1,99 @@
+server {
+ listen 80;
+ server_name _;
+
+ charset utf-8;
+ client_max_body_size 100m;
+
+ # 健康检查(宿主机 nginx 探活用)
+ location /health {
+ return 200 "ok\n";
+ add_header Content-Type text/plain;
+ }
+
+ # 版本管理 — 必须在通用 /api/ 之前
+ location /api/v1/updates/ {
+ proxy_pass http://update-service:8084/api/v1/updates/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_read_timeout 60s;
+ }
+
+ location /api/v1/rn/ {
+ proxy_pass http://update-service:8084/api/v1/rn/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_read_timeout 120s;
+ }
+
+ # IM HTTP — 必须在通用 /api/ 之前
+ location /api/im/ {
+ proxy_pass http://im-service:8082/api/im/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_read_timeout 60s;
+ }
+
+ # IM WebSocket
+ location /ws/im {
+ proxy_pass http://im-service:8082/ws/im;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_read_timeout 3600s;
+ }
+
+ # License — 必须在通用 /api/ 之前
+ location /api/license/ {
+ proxy_pass http://license-service:8085/api/license/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_read_timeout 60s;
+ }
+
+ # 文件上传下载
+ location /file/ {
+ proxy_pass http://file-service:8086/file/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ client_max_body_size 500m;
+ proxy_read_timeout 300s;
+ proxy_send_timeout 300s;
+ }
+
+ # 核心 API(兜底,在所有具体 /api/xxx/ 之后)
+ location /api/ {
+ proxy_pass http://tenant-service:9001/api/;
+
proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 60s; + } + + location /actuator/ { + proxy_pass http://tenant-service:9001/actuator/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } + + # 运营后台 + location /ops { + proxy_pass http://ops-web:80; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } + + # 控制台前端(兜底路由,必须最后) + location / { + proxy_pass http://tenant-web:80; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } +} diff --git a/docker-compose.yml b/docker-compose.yml index 2e28b08..bcd422d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -83,16 +83,15 @@ services: restart: unless-stopped # --------------------------------------------------------------------------- - # Nginx 反向代理(可选,profile: nginx-bundled) - # 默认不启动 — 用户通常用宿主机自己的 nginx 代理到各服务端口。 - # 需要内置 nginx 时:COMPOSE_PROFILES=...,nginx-bundled + # 内置路由 nginx(必须) + # 统一处理所有内部路由,对外只暴露 127.0.0.1:11223。 + # 宿主机 nginx 只需一条 proxy_pass http://127.0.0.1:11223 即可。 # --------------------------------------------------------------------------- nginx: image: nginx:1.27-alpine - profiles: ["nginx-bundled"] + profiles: ["base"] ports: - - "80:80" - - "443:443" + - "127.0.0.1:11223:80" volumes: - ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - ./config/nginx/conf.d:/etc/nginx/conf.d:ro diff --git a/docs/runbook.md b/docs/runbook.md index 508e965..501db3d 100644 --- a/docs/runbook.md +++ b/docs/runbook.md 
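Review bot: `location /actuator/` forwards every actuator path to tenant-service with no access restriction, and because the host nginx now sends all of `/` to this server, whatever actuator endpoints the service enables become reachable from wherever the host vhost is exposed. Which endpoints are enabled is not visible in this diff, so the exposure may be limited to health, but that should be made explicit here rather than left to the service's configuration. An `allow`/`deny` by address would not help at this hop, since the peer is the host nginx rather than the client. If only a liveness probe is needed, proxy just that path, e.g. `location = /actuator/health { proxy_pass http://tenant-service:9001/actuator/health; }`, and answer the rest with `location /actuator/ { return 404; }`.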
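Review bot: Moving nginx into the `base` profile makes it the single entry point, but xuqm.conf names `im-service`, `update-service` and `license-service` as literal `proxy_pass` hosts, which nginx resolves once at startup and refuses to start on if one cannot be resolved. The `COMPOSE_PROFILES` line in scripts/deploy.sh suggests those services live in their own `im`, `update` and `license` profiles, so a deployment that omits one would presumably lose the whole front door, not just that route. Consider resolving at request time with `resolver 127.0.0.11 valid=10s;` and a variable upstream such as `set $im im-service:8082; proxy_pass http://$im;`, or state in the compose comment that all profiles are required. The nginx service definition continues past the end of this hunk, so a `depends_on` or healthcheck may already exist there.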
@@ -20,52 +20,37 @@ curl -fsSL https://xuqinmin.com/xuqmGroup/XuqmGroup-PrivateDeploy/raw/branch/mai ## Nginx 配置 -部署完成后,将以下 location 块加入宿主机 nginx 的 server 配置: +部署内置了一个 nginx 容器处理所有内部路由,对外只暴露 `127.0.0.1:11223`。 + +宿主机 nginx 的 server 块内只需加一条: ```nginx -charset utf-8; -client_max_body_size 100m; - -location /api/v1/updates/ { proxy_pass http://127.0.0.1:11229/api/v1/updates/; } -location /api/v1/rn/ { proxy_pass http://127.0.0.1:11229/api/v1/rn/; } -location /api/im/ { proxy_pass http://127.0.0.1:11228/api/im/; } -location /ws/im { - proxy_pass http://127.0.0.1:11228/ws/im; +location / { + proxy_pass http://127.0.0.1:11223; proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_read_timeout 3600s; } -location /api/license/ { proxy_pass http://127.0.0.1:11231/api/license/; } -location /file/ { - proxy_pass http://127.0.0.1:11225/file/; - client_max_body_size 500m; - proxy_read_timeout 300s; -} -location /api/ { proxy_pass http://127.0.0.1:11224/api/; } -location /actuator/ { proxy_pass http://127.0.0.1:11224/actuator/; } -location /ops { proxy_pass http://127.0.0.1:11227; } -location / { proxy_pass http://127.0.0.1:11226; } ``` -> location 顺序不可颠倒:精确路径(`/api/im/`、`/api/v1/`、`/api/license/`)必须在通用路径(`/api/`)前面。 +> `proxy_http_version 1.1` 和 `Upgrade`/`Connection` 头是 WebSocket(IM)必需的,不能省略。 + +内置 nginx 路由配置在 `config/nginx/conf.d/xuqm.conf`,使用 Docker 服务名路由到各容器,无需关心具体端口。 --- -## 端口对照表 +## 端口说明 -| 宿主机端口 | 服务 | 容器内端口 | 说明 | -|-----------|------|-----------|------| -| 11224 | tenant-service | 9001 | 核心 API | -| 11225 | file-service | 8086 | 文件上传下载 | -| 11226 | tenant-web | 80 | 控制台前端 | -| 11227 | ops-web | 80 | 运营后台前端 | -| 11228 | im-service | 8082 | IM HTTP + WebSocket | -| 11229 | update-service | 8084 | 
版本管理 + RN 热更新 | -| 11230 | license-service | 8085 | License 校验 | -| 11231 | push-service | 8083 | 厂商推送 | +| 宿主机端口 | 说明 | +|-----------|------| +| **11223** | 内置 nginx 入口(宿主机 nginx 指向此端口) | +| 11224–11231 | 各业务容器(绑定 127.0.0.1,调试用) | -所有端口绑定 `127.0.0.1`,外部不可直接访问。 +各业务容器端口仅用于直接调试,正常流量全部走 11223。 --- diff --git a/scripts/deploy.sh b/scripts/deploy.sh index 660b34d..3f10f6b 100755 --- a/scripts/deploy.sh +++ b/scripts/deploy.sh @@ -248,7 +248,7 @@ REGISTRY_USER=${REGISTRY_USER} REGISTRY_PASSWORD=${REGISTRY_PASSWORD} IMAGE_TAG=${IMAGE_TAG} -# 启用全量服务(nginx 容器默认不启动,用户自行配置宿主机 nginx) +# 启用全量服务(含内置路由 nginx,宿主机 nginx 只需一条 proxy_pass 到 11223) COMPOSE_PROFILES=base,infra-mysql,infra-redis,im,push,update,license # MySQL(managed 模式,Docker 容器托管) 
@@ -918,43 +918,22 @@ if [ "$DEPLOY_MODE" = "new" ]; then else printf ' 密码: 同生产平台密码(原样迁移,未重置)\n' fi -printf '\n \033[1m容器端口(请在您的 nginx 中配置代理):\033[0m\n' -printf ' 控制台前端 127.0.0.1:11226 → 代理 /\n' -printf ' 运营后台 127.0.0.1:11227 → 代理 /ops\n' -printf ' 核心 API 127.0.0.1:11224 → 代理 /api/ /actuator/\n' -printf ' 文件服务 127.0.0.1:11225 → 代理 /file/ /api/file/\n' -printf ' IM 服务 127.0.0.1:11228 → 代理 /api/im/ /ws/im\n' -printf ' 版本管理 127.0.0.1:11230 → 代理 /api/v1/updates/ /api/v1/rn/\n' -printf ' License 服务 127.0.0.1:11231 → 代理 /api/license/\n' -printf ' 推送服务 127.0.0.1:11229 (厂商回调,按需代理)\n' -printf '\n \033[1mNginx 配置参考(复制到您的 nginx server 块):\033[0m\n' +printf '\n \033[1m宿主机 nginx 配置(server 块内加入以下内容即可):\033[0m\n' printf '\033[0;37m' cat <<'NGINX_REF' - charset utf-8; - client_max_body_size 100m; - - location /api/v1/updates/ { proxy_pass http://127.0.0.1:11230/api/v1/updates/; } - location /api/v1/rn/ { proxy_pass http://127.0.0.1:11230/api/v1/rn/; } - location /api/im/ { proxy_pass http://127.0.0.1:11228/api/im/; } - location /ws/im { - proxy_pass http://127.0.0.1:11228/ws/im; + location / { + proxy_pass http://127.0.0.1:11223; proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_read_timeout 3600s; } - location /api/license/ { proxy_pass http://127.0.0.1:11231/api/license/; } - location /file/ { - proxy_pass http://127.0.0.1:11225/file/; - client_max_body_size 500m; - proxy_read_timeout 300s; - } - location /api/ { proxy_pass http://127.0.0.1:11224/api/; } - location /actuator/ { proxy_pass http://127.0.0.1:11224/actuator/; } - location /ops { proxy_pass http://127.0.0.1:11227; } - location / { proxy_pass http://127.0.0.1:11226; } NGINX_REF printf '\033[0m' +printf ' 内置 nginx 已处理全部路由,无需再配置各服务端口。\n' 
printf '\n \033[1m部署目录:\033[0m %s\n' "$ROOT_DIR" printf ' \033[1m审计日志:\033[0m %s/logs/audit.log\n' "$ROOT_DIR" -printf '\n\033[1;32m 部署成功!配置好 nginx 后即可访问:%s\033[0m\n\n' "${CONSOLE_BASE}" +printf '\n\033[1;32m 部署成功!在宿主机 nginx 加上以上配置后即可访问:%s\033[0m\n\n' "${CONSOLE_BASE}"
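Review bot: The host snippet printed in the `NGINX_REF` heredoc sets `X-Real-IP $remote_addr`, but every location in config/nginx/conf.d/xuqm.conf sets that header again, and at that second hop `$remote_addr` is the host nginx's connection (presumably the Docker bridge gateway). Backends that read X-Real-IP for audit logs, rate limits or IP-based checks would then see one internal address for all clients; whether they read it or `X-Forwarded-For` is not visible here. Since the bundled server is only published on 127.0.0.1:11223, it can reasonably trust the host's value: either pass it through with `proxy_set_header X-Real-IP $http_x_real_ip;` or add `set_real_ip_from <docker-bridge-subnet>;` and `real_ip_header X-Real-IP;` to xuqm.conf so `$remote_addr` is the client again. The snippet also sends `Connection "upgrade"` on every request rather than only WebSocket ones; a `map $http_upgrade $connection_upgrade` in the host `http` block is the usual form.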