fish/asset_helper
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

提交代码

Browse Source
This commit is contained in:
fish
2026-04-25 21:36:56 +08:00
parent 189df47fcc
commit ce36fff9ef
32 changed files with 2238 additions and 569 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
gateway/.dockerignore Normal file
View File

@@ -0,0 +1,5 @@
logs/
ssl/*.pem
ssl/*.key
*.log
.DS_Store

27
gateway/Dockerfile Normal file
View File

@@ -0,0 +1,27 @@
FROM nginx:1.25-alpine
# 安装必要工具
RUN apk add --no-cache curl ca-certificates
# 创建日志目录
RUN mkdir -p /var/log/nginx /var/www/certbot
# 复制配置
COPY nginx/nginx.conf /etc/nginx/nginx.conf
COPY nginx/conf.d/ /etc/nginx/conf.d/
# 创建自签名证书(仅用于开发,生产环境应挂载真实证书)
RUN apk add --no-cache openssl && \
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/nginx/ssl/key.pem \
-out /etc/nginx/ssl/cert.pem \
-subj "/CN=api.example.com" && \
apk del openssl
# 健康检查
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD curl -f http://localhost/health || exit 1
EXPOSE 80 443
CMD ["nginx", "-g", "daemon off;"]

84
gateway/nginx/conf.d/default.conf Normal file
View File

@@ -0,0 +1,84 @@
# 默认服务器 - 拒绝直接IP访问
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 444;
}
# HTTP 重定向到 HTTPS
server {
listen 80;
listen [::]:80;
server_name api.example.com;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$server_name$request_uri;
}
}
# API 网关主配置
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name api.example.com;
# SSL 证书配置
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers off;
# 客户端请求大小限制
client_max_body_size 50M;
client_body_buffer_size 16k;
# 超时配置
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# 安全响应头
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# 根路径 - 健康检查
location / {
return 200 '{"status":"ok","service":"api-gateway","timestamp":"$time_iso8601"}\n';
add_header Content-Type application/json;
}
# 健康检查端点
location /health {
access_log off;
return 200 '{"status":"healthy","timestamp":"$time_iso8601"}\n';
add_header Content-Type application/json;
}
# 包含各服务路由配置
include /etc/nginx/conf.d/services/*.conf;
# 错误处理
error_page 404 /404.json;
location = /404.json {
return 404 '{"error":"Not Found","message":"The requested resource was not found","code":404}\n';
add_header Content-Type application/json;
}
error_page 500 502 503 504 /50x.json;
location = /50x.json {
return 500 '{"error":"Internal Server Error","message":"Something went wrong","code":500}\n';
add_header Content-Type application/json;
}
}

29
gateway/nginx/conf.d/services/order-service.conf Normal file
View File

@@ -0,0 +1,29 @@
# 订单服务路由
location /api/v1/orders {
limit_req zone=general burst=30 nodelay;
limit_conn addr 10;
proxy_pass http://order_service;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-ID $request_id;
}
# 购物车接口
location /api/v1/cart {
limit_req zone=general burst=20 nodelay;
limit_conn addr 10;
proxy_pass http://order_service;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-ID $request_id;
}

37
gateway/nginx/conf.d/services/payment-service.conf Normal file
View File

@@ -0,0 +1,37 @@
# 支付服务路由(更严格的限流)
location /api/v1/payments {
limit_req zone=api_strict burst=10 nodelay;
limit_conn addr 5;
proxy_pass http://payment_service;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-ID $request_id;
# 支付接口需要更长的超时时间
proxy_read_timeout 120s;
proxy_connect_timeout 120s;
proxy_send_timeout 120s;
}
# 支付回调接口(通常由第三方调用)
location /api/v1/webhooks/payment {
# 放宽限流,允许第三方服务调用
limit_req zone=general burst=50 nodelay;
proxy_pass http://payment_service;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-ID $request_id;
# 记录详细的访问日志以便审计
access_log /var/log/nginx/payment-webhook.log main;
}

39
gateway/nginx/conf.d/services/user-service.conf Normal file
View File

@@ -0,0 +1,39 @@
# 用户服务路由
location /api/v1/users {
# 限流
limit_req zone=general burst=20 nodelay;
limit_conn addr 10;
# 代理设置
proxy_pass http://user_service;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-ID $request_id;
# WebSocket 支持(如果需要)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# 缓存控制
proxy_cache_bypass $http_upgrade;
proxy_no_cache 1;
}
# 认证相关接口(严格限流)
location /api/v1/auth {
limit_req zone=api_strict burst=5 nodelay;
limit_conn addr 3;
proxy_pass http://user_service;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-ID $request_id;
}

68
gateway/nginx/nginx.conf Normal file
View File

@@ -0,0 +1,68 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 4096;
use epoll;
multi_accept on;
}
http {
# 基础配置
include /etc/nginx/mime.types;
default_type application/octet-stream;
# 日志格式
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'rt=$request_time uct="$upstream_connect_time" '
'uht="$upstream_header_time" urt="$upstream_response_time"';
access_log /var/log/nginx/access.log main;
# 性能优化
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# 压缩
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
# 限流配置
limit_req_zone $binary_remote_addr zone=general:10m rate=100r/s;
limit_req_zone $binary_remote_addr zone=api_strict:10m rate=10r/s;
# 连接限制
limit_conn_zone $binary_remote_addr zone=addr:10m;
# 上游服务
upstream user_service {
least_conn;
server user-service:8080 max_fails=3 fail_timeout=30s;
keepalive 32;
}
upstream order_service {
least_conn;
server order-service:8080 max_fails=3 fail_timeout=30s;
keepalive 32;
}
upstream payment_service {
least_conn;
server payment-service:8080 max_fails=3 fail_timeout=30s;
keepalive 32;
}
# 包含子配置
include /etc/nginx/conf.d/*.conf;
}