diff --git a/modify.md b/modify.md
index cbd1a2ab..916fef96 100644
--- a/modify.md
+++ b/modify.md
@@ -1,3 +1,44 @@
+## 2025-01-XX - HTTPS 部署配置:为 CentOS 部署创建 docker-compose-https.yml
+
+### 修改内容
+- **创建 docker-compose-https.yml**:
+ - 配置 marketing-site 服务,使用独立网络不直接暴露端口
+ - 配置 nginx 反向代理服务,监听 80 和 443 端口
+ - 挂载外部 SSL 证书路径:`/home/owen/ssl_key/smartsensiguard.cn.pem` 和 `/home/owen/ssl_key/smartsensiguard.cn.key`
+ - 配置容器名称:`marketing-site-https` 和 `nginx-https` 避免冲突
+ - 使用 Docker 网络 `marketing-network` 实现服务间通信
+ - 添加 nginx 日志卷持久化
+
+- **创建 nginx/nginx.conf**:
+ - 配置 HTTP 服务器(端口 80),自动重定向所有请求到 HTTPS
+ - 配置 HTTPS 服务器(端口 443),使用 TLSv1.2 和 TLSv1.3
+ - 配置域名:`smartsensiguard.cn` 和 `www.smartsensiguard.cn`
+ - 配置 SSL 安全设置(加密套件、会话缓存、安全头等)
+ - 配置反向代理到 marketing-site 服务的 3000 端口
+ - 配置静态文件缓存优化
+ - 添加安全响应头(HSTS、X-Frame-Options、X-Content-Type-Options 等)
+
+### 修改的文件
+- `site/docker-compose-https.yml` - HTTPS 部署配置文件(新建)
+- `site/nginx/nginx.conf` - Nginx 反向代理和 SSL 配置(新建)
+
+### 使用说明
+1. **部署前准备**:
+ - 确保 SSL 证书文件存在于 `/home/owen/ssl_key/` 目录
+ - 如果本地 nginx 正在运行,需要先停止本地 nginx 服务(或修改 docker-compose-https.yml 中的端口映射为 8080:80 和 8443:443)
+
+2. **启动服务**:
+ ```bash
+ cd site
+ docker-compose -f docker-compose-https.yml up -d
+ ```
+
+3. **访问服务**:
+ - HTTP: http://smartsensiguard.cn(自动重定向到 HTTPS)
+ - HTTPS: https://smartsensiguard.cn
+
+变更原因:用户需要在 CentOS 服务器上部署 HTTPS 版本,SSL 证书位于外部路径 `/home/owen/ssl_key/`,需要避免与本地已安装的 nginx 冲突。
+ ## 2025-11-21 - HTTPS 部署配置:创建 Docker Compose HTTPS 部署结构 + ### 修改内容
diff --git a/site/docker-compose-https.yml b/site/docker-compose-https.yml
new file mode 100644
index 00000000..606c4794
--- /dev/null
+++ b/site/docker-compose-https.yml
@@ -0,0 +1,48 @@
+version: '3.8'
+
+services:
+ # Next.js 应用服务
+ marketing-site:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ environment:
+ - NODE_ENV=production
+ restart: unless-stopped
+ container_name: marketing-site-https
+ networks:
+ - marketing-network
+ # 不直接暴露端口,通过 nginx 反向代理访问
+
+ # Nginx 反向代理服务
+ nginx:
+ image: nginx:alpine
+ container_name: nginx-https
+ restart: unless-stopped
+ ports:
+ # 使用标准端口 80 和 443
+ # 如果本地 nginx 正在运行,需要先停止本地 nginx 服务
+ # 或者将以下端口改为其他端口(如 "8080:80" "8443:443")
+ - "80:80"
+ - "443:443"
+ volumes:
+ # Nginx 配置文件
+ - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+ # 挂载外部 SSL 证书
+ - /home/owen/ssl_key/smartsensiguard.cn.pem:/etc/nginx/ssl/smartsensiguard.cn.pem:ro
+ - /home/owen/ssl_key/smartsensiguard.cn.key:/etc/nginx/ssl/smartsensiguard.cn.key:ro
+ # Nginx 日志
+ - nginx-logs:/var/log/nginx
+ depends_on:
+ - marketing-site
+ networks:
+ - marketing-network
+
+networks:
+ marketing-network:
+ driver: bridge
+
+volumes:
+ nginx-logs:
+ driver: local
+
diff --git a/site/nginx/nginx.conf b/site/nginx/nginx.conf
new file mode 100644
index 00000000..5d8974d2
--- /dev/null
+++ b/site/nginx/nginx.conf
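Review bot: The `volumes:` list of the `nginx` service mounts nothing at `/var/www/certbot`, yet `site/nginx/nginx.conf` in this same commit serves `/.well-known/acme-challenge/` from that root, so any ACME HTTP-01 validation against this host can only return 404; either bind-mount a challenge webroot there (e.g. `- ./certbot/www:/var/www/certbot:ro`, path chosen as an example) or drop that location, since the certificate here is supplied as static files anyway. Bind-mounting the two certificate files individually also pins the container to the inode present at start-up, so if the files under `/home/owen/ssl_key/` are replaced on renewal rather than rewritten in place, nginx keeps serving the old certificate until the container is recreated; mounting the directory instead (`- /home/owen/ssl_key:/etc/nginx/ssl:ro`) and reloading nginx after a renewal avoids that. `version: '3.8'` is obsolete under Compose v2 and only produces a warning, so it can be dropped.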
@@ -0,0 +1,100 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ client_max_body_size 20M;
+
+ # Gzip 压缩
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
+
+ # HTTP 服务器 - 重定向到 HTTPS
+ server {
+ listen 80;
+ server_name smartsensiguard.cn www.smartsensiguard.cn;
+
+ # 允许 Let's Encrypt 验证
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ # 重定向所有 HTTP 请求到 HTTPS
+ location / {
+ return 301 https://$host$request_uri;
+ }
+ }
+
+ # HTTPS 服务器
+ server {
+ listen 443 ssl http2;
+ server_name smartsensiguard.cn www.smartsensiguard.cn;
+
+ # SSL 证书配置
+ ssl_certificate /etc/nginx/ssl/smartsensiguard.cn.pem;
+ ssl_certificate_key /etc/nginx/ssl/smartsensiguard.cn.key;
+
+ # SSL 安全配置
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+
+ # 安全头
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header 
X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # 反向代理到 Next.js 应用
+ location / {
+ proxy_pass http://marketing-site:3000;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_cache_bypass $http_upgrade;
+
+ # 超时设置
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+ }
+
+ # 静态文件缓存
+ location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot)$ {
+ proxy_pass http://marketing-site:3000;
+ proxy_cache_valid 200 1d;
+ expires 1d;
+ add_header Cache-Control "public, immutable";
+ }
+ }
+}
+
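Review bot: The security headers configured at server level are not sent for static assets, because nginx's `add_header` is only inherited into a location that defines no `add_header` of its own — the `location ~* \.(jpg|...|eot)$` block at the end of the hunk sets `Cache-Control`, which silently drops HSTS, `X-Frame-Options` and `X-Content-Type-Options` for every response it handles. The headers have to be repeated inside that location (a shared snippet via `include` would need an additional mount, since the compose file only bind-mounts `nginx.conf`). In the same block `proxy_cache_valid 200 1d;` has no effect because no `proxy_cache` zone is defined anywhere in the file, and without a `proxy_set_header Host $host;` the upstream sees `marketing-site:3000` as the Host rather than the client's. Separately, `X-XSS-Protection` is a legacy header that current browsers ignore; dropping it in favour of a `Content-Security-Policy` would be the modern choice, which is why it is not repeated below.
```nginx
    # 静态文件缓存
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot)$ {
        proxy_pass http://marketing-site:3000;
        proxy_set_header Host $host;
        expires 1d;
        add_header Cache-Control "public, immutable";
        # add_header in a location replaces the server-level set, so the security headers must be repeated here
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
    }
```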