添加 backend 微服务架构：Nginx 网关 + user-service 登录注册

2026-04-11 22:42:05 +08:00
parent ae09f32421
commit ebb066b3b0
19 changed files with 1173 additions and 0 deletions
--- a/backend/gateway/nginx/conf.d/default.conf
+++ b/backend/gateway/nginx/conf.d/default.conf
@@ -0,0 +1,84 @@
+# 默认服务器 - 拒绝直接IP访问
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+    
+    return 444;
+}
+
+# HTTP 重定向到 HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name api.example.com;
+    
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+    
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+# API 网关主配置
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name api.example.com;
+
+    # SSL 证书配置
+    ssl_certificate /etc/nginx/ssl/cert.pem;
+    ssl_certificate_key /etc/nginx/ssl/key.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers off;
+
+    # 客户端请求大小限制
+    client_max_body_size 50M;
+    client_body_buffer_size 16k;
+
+    # 超时配置
+    proxy_connect_timeout 60s;
+    proxy_send_timeout 60s;
+    proxy_read_timeout 60s;
+
+    # 安全响应头
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    # 根路径 - 健康检查
+    location / {
+        return 200 '{"status":"ok","service":"api-gateway","timestamp":"$time_iso8601"}\n';
+        add_header Content-Type application/json;
+    }
+
+    # 健康检查端点
+    location /health {
+        access_log off;
+        return 200 '{"status":"healthy","timestamp":"$time_iso8601"}\n';
+        add_header Content-Type application/json;
+    }
+
+    # 包含各服务路由配置
+    include /etc/nginx/conf.d/services/*.conf;
+
+    # 错误处理
+    error_page 404 /404.json;
+    location = /404.json {
+        return 404 '{"error":"Not Found","message":"The requested resource was not found","code":404}\n';
+        add_header Content-Type application/json;
+    }
+
+    error_page 500 502 503 504 /50x.json;
+    location = /50x.json {
+        return 500 '{"error":"Internal Server Error","message":"Something went wrong","code":500}\n';
+        add_header Content-Type application/json;
+    }
+}
--- a/backend/gateway/nginx/conf.d/services/order-service.conf
+++ b/backend/gateway/nginx/conf.d/services/order-service.conf
@@ -0,0 +1,29 @@
+# 订单服务路由
+location /api/v1/orders {
+    limit_req zone=general burst=30 nodelay;
+    limit_conn addr 10;
+    
+    proxy_pass http://order_service;
+    proxy_http_version 1.1;
+    
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Request-ID $request_id;
+}
+
+# 购物车接口
+location /api/v1/cart {
+    limit_req zone=general burst=20 nodelay;
+    limit_conn addr 10;
+    
+    proxy_pass http://order_service;
+    proxy_http_version 1.1;
+    
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Request-ID $request_id;
+}
--- a/backend/gateway/nginx/conf.d/services/payment-service.conf
+++ b/backend/gateway/nginx/conf.d/services/payment-service.conf
@@ -0,0 +1,37 @@
+# 支付服务路由（更严格的限流）
+location /api/v1/payments {
+    limit_req zone=api_strict burst=10 nodelay;
+    limit_conn addr 5;
+    
+    proxy_pass http://payment_service;
+    proxy_http_version 1.1;
+    
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Request-ID $request_id;
+    
+    # 支付接口需要更长的超时时间
+    proxy_read_timeout 120s;
+    proxy_connect_timeout 120s;
+    proxy_send_timeout 120s;
+}
+
+# 支付回调接口（通常由第三方调用）
+location /api/v1/webhooks/payment {
+    # 放宽限流，允许第三方服务调用
+    limit_req zone=general burst=50 nodelay;
+    
+    proxy_pass http://payment_service;
+    proxy_http_version 1.1;
+    
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Request-ID $request_id;
+    
+    # 记录详细的访问日志以便审计
+    access_log /var/log/nginx/payment-webhook.log main;
+}
--- a/backend/gateway/nginx/conf.d/services/user-service.conf
+++ b/backend/gateway/nginx/conf.d/services/user-service.conf
@@ -0,0 +1,39 @@
+# 用户服务路由
+location /api/v1/users {
+    # 限流
+    limit_req zone=general burst=20 nodelay;
+    limit_conn addr 10;
+
+    # 代理设置
+    proxy_pass http://user_service;
+    proxy_http_version 1.1;
+    
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Request-ID $request_id;
+    
+    # WebSocket 支持（如果需要）
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    
+    # 缓存控制
+    proxy_cache_bypass $http_upgrade;
+    proxy_no_cache 1;
+}
+
+# 认证相关接口（严格限流）
+location /api/v1/auth {
+    limit_req zone=api_strict burst=5 nodelay;
+    limit_conn addr 3;
+    
+    proxy_pass http://user_service;
+    proxy_http_version 1.1;
+    
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Request-ID $request_id;
+}