# Nginx and Network Configuration

Applies to all environments. Run after completing Server Infrastructure Initialization.
## Domain plan

| Service | Beta (currently uses the production domains) | Staging | Prod (not yet launched) |
|---|---|---|---|
| UserPortal | turingfocus.cn | user-staging.turingfocus.cn | turingfocus.cn |
| AdminPortal | admin.turingfocus.cn | admin-staging.turingfocus.cn | admin.turingfocus.cn |
| Infisical | secret.turingfocus.cn | secret-staging.turingfocus.cn | secret.turingfocus.cn |
| VictoriaMetrics | metrics.turingfocus.cn | metrics-staging.turingfocus.cn | metrics.turingfocus.cn |
| K8s cluster | enaic.turingfocus.cn | staging.turingfocus.cn | TBD |
| Grafana | grafana.enaic.turingfocus.cn | grafana.staging.turingfocus.cn | TBD |
| Jaeger | jaeger.enaic.turingfocus.cn | jaeger.staging.turingfocus.cn | TBD |

Note: once Prod goes live, the production domains move from Beta to Prod, and Beta switches to the `*-beta.turingfocus.cn` domains.
## Port mapping

All service ports bind to 127.0.0.1 and are exposed externally only through the Nginx reverse proxy.

| Port | Service | Description |
|---|---|---|
| 80 / 443 | Nginx | External entry point (0.0.0.0) |
| 3000 | UserPortal | Next.js frontend |
| 3001 | AdminPortal | Next.js frontend |
| 8080 | user-service | Go backend API |
| 8081 | admin-service | Go backend API (0.0.0.0 inside the container) |
| 5432 | PostgreSQL | Database |
| 6379 | Redis | Cache |
| 8428 | VictoriaMetrics | Time-series database |
| 8443 | Infisical | Secrets management |
## 1. Upload SSL certificates

Certificates live in the project repository under `certs/{env}/` (gitignored), organised in one subdirectory per domain.

```bash
# Package locally
tar czf /tmp/certs.tar.gz -C certs/{env} .
# Upload to the server via SSH MCP
# upload /tmp/certs.tar.gz → /tmp/certs.tar.gz
# Extract on the server
mkdir -p /etc/nginx/ssl
tar xzf /tmp/certs.tar.gz -C /etc/nginx/ssl/
rm -f /tmp/certs.tar.gz
```
Certificate directory layout (staging as the example):

```text
/etc/nginx/ssl/
├── user-staging.turingfocus.cn_other/
│   ├── user-staging.turingfocus.cn_bundle.crt
│   └── user-staging.turingfocus.cn.key
├── admin-staging.turingfocus.cn_other/
├── secret-staging.turingfocus.cn_other/
├── metrics-staging.turingfocus.cn_other/
├── grafana.staging.turingfocus.cn_other/
└── jaeger.staging.turingfocus.cn_other/
```
## 2. Nginx configuration

One standalone configuration file per domain, placed under `/etc/nginx/conf.d/`.

### 2.1 UserPortal

```nginx
# {domain} → UserPortal (Next.js :3000)
server {
    listen 80;
    server_name {domain};
    # Plain HTTP only redirects to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    http2 on;
    server_name {domain};

    ssl_certificate     /etc/nginx/ssl/{cert_dir}/{domain}_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/{cert_dir}/{domain}.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;

    # Streaming API: digital-employee deployment progress (long-lived connection, buffering disabled)
    location ~ ^/api/v1/digital-employees/\d+/deploy-progress$ {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        proxy_cache off;
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
    }

    # Everything else goes to Next.js; WebSocket upgrades are passed through
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}
```
### 2.2 AdminPortal

Same structure as UserPortal, with two additions:

- Secret distribution API: `/api/v1/secret/` is proxied directly to admin-service (:8081), bypassing the Next.js BFF
- Streaming API: cluster initialisation progress, `/api/v1/admin/clusters/\d+/init-progress`
### 2.3 Infisical

Plain reverse proxy to :8443, with WebSocket support.

### 2.4 VictoriaMetrics

Only the `/api/v1/write` endpoint (POST) is exposed, protected with `auth_basic`.

Dependency: the file `/run/secrets/vm-htpasswd` must exist, otherwise Nginx fails to start. While the backend service is not yet deployed, rename the config file to a `.disabled` suffix.
```bash
# Disable (backend not ready yet); a loop avoids the literal "*" a glob in the mv target would produce
for f in /etc/nginx/conf.d/metrics-*.conf; do mv "$f" "$f.disabled"; done
# Enable (after the backend is deployed)
for f in /etc/nginx/conf.d/metrics-*.conf.disabled; do mv "$f" "${f%.disabled}"; done
nginx -t && nginx -s reload
```
## 3. Verification

```bash
# Check configuration syntax
nginx -t
# Reload configuration
nginx -s reload
# Verify the HTTPS certificate
curl -sv https://{domain}/ 2>&1 | grep "SSL certificate verify"
# Verify each domain (a 502 while the service is not running is expected: it means the Nginx config is correct)
for domain in user-staging admin-staging secret-staging; do
    code=$(curl -sk -o /dev/null -w "%{http_code}" https://${domain}.turingfocus.cn/)
    echo "${domain}: ${code}"
done
```
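As an added check (not part of the original runbook) for the rule in the port-mapping section that every service port binds to 127.0.0.1, the script below audits `ss -ltnH` output against that table; the function name `audit_listeners` and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Audits `ss -ltnH` output against the port-mapping table: every service port
# must be bound to loopback; only Nginx (80/443) may listen on 0.0.0.0 / [::].
# Port lists come from the table; the function name is an assumption.
INTERNAL_PORTS="3000 3001 8080 8081 5432 6379 8428 8443"   # loopback-only
PUBLIC_PORTS="80 443"                                        # Nginx entry point

# Reads ss -ltn lines on stdin, prints one line per finding, returns 1 if any.
audit_listeners() {
    local rc=0 state local_addr host port
    # Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port ...
    while read -r state _ _ local_addr _; do
        [ "$state" = LISTEN ] || continue          # skip header and blank lines
        port=${local_addr##*:}                     # e.g. 127.0.0.1:3000 -> 3000
        host=${local_addr%:*}                      # e.g. [::]:443 -> [::]
        case " $PUBLIC_PORTS " in *" $port "*) continue ;; esac
        case "$host" in
            127.0.0.1|'[::1]') ;;                  # loopback, as the table requires
            *)
                case " $INTERNAL_PORTS " in
                    *" $port "*) echo "VIOLATION: port $port bound to $host (expected 127.0.0.1)" ;;
                    *)           echo "UNEXPECTED: port $port bound to $host is not in the port table" ;;
                esac
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample output (not captured from a real host) for a dry run.
SAMPLE_OK='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*'
SAMPLE_BAD='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 128 [::]:6379 [::]:*
LISTEN 0 128 0.0.0.0:9000 0.0.0.0:*'

# Dry run on the constructed sample; on a real host use: ss -ltnH | audit_listeners
printf '%s\n' "$SAMPLE_BAD" | audit_listeners || echo "audit failed: fix the bindings listed above"
```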
When done, proceed to the next step: Infrastructure Deployment.