增加docke部署

2026-04-10 16:44:13 +08:00
parent e2f8054794
commit cd4ddb606d
5076 changed files with 701092 additions and 0 deletions
--- a/codes/agent/game-docker/docker/nginx/default.conf.template
+++ b/codes/agent/game-docker/docker/nginx/default.conf.template
@@ -0,0 +1,130 @@
+upstream api_service {
+    server api:80;
+}
+
+upstream dlweb_service {
+    server dlweb:80;
+}
+
+upstream wxserver_service {
+    server wxserver:3000;
+}
+
+# =============================================
+# 域名路由模式 + SSL（Let's Encrypt 自动证书）
+#
+# 域名由 .env 文件中的 API_DOMAIN / DLWEB_DOMAIN / WX_DOMAIN 自动注入
+# 修改域名只需编辑 .env 然后 docker compose restart nginx
+#
+# ================== 微信域名配置指南 ==================
+#
+# .env 中配置的 3 个域名对应:
+#   ${API_DOMAIN}    → 网站1: game-docker/api
+#   ${DLWEB_DOMAIN}  → 网站2: game-docker/dlweb/api
+#   ${WX_DOMAIN}     → 网站3: game-docker/wxserver_daoqi
+#
+# 【微信小程序后台】(mp.weixin.qq.com → 开发管理 → 开发设置)
+#   - request 合法域名:    https://${WX_DOMAIN}
+#   - 业务域名:            ${WX_DOMAIN}
+#     (验证文件放到 wxserver_daoqi/public/MP_verify_xxx.txt)
+#
+# 【微信公众号后台】(mp.weixin.qq.com → 设置与开发 → 公众号设置)
+#   - 业务域名:            ${API_DOMAIN}
+#     (验证文件在 api/ 根目录)
+#   - JS接口安全域名:       ${API_DOMAIN}
+#   - 网页授权域名:         ${WX_DOMAIN}
+#
+# 【微信支付后台】(pay.weixin.qq.com)
+#   - 支付授权目录:  https://${DLWEB_DOMAIN}/
+#   - 支付回调通知:  由代码中 notify_url 指定
+#
+# =============================================
+
+# =============================================
+# SSL 通用配置（被各 server 块 include）
+# =============================================
+# 注意: ssl-params.conf 由 init-ssl.sh 生成到
+# /etc/nginx/snippets/ssl-params.conf
+
+# ===== HTTP → HTTPS 统一重定向 + ACME 验证 =====
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    # Let's Encrypt 域名验证 (必须保留)
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # 健康检查（供内部/负载均衡器使用，不重定向）
+    location /health {
+        return 200 'OK';
+        add_header Content-Type text/plain;
+    }
+
+    # 其余全部 301 重定向到 HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# ===== 网站1: 游戏核心 API (公众号后台) =====
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name ${API_DOMAIN};
+
+    ssl_certificate     /etc/letsencrypt/live/${API_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${API_DOMAIN}/privkey.pem;
+    include /etc/nginx/snippets/ssl-params.conf;
+
+    location / {
+        proxy_pass http://api_service;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+# ===== 网站2: 代理管理后台 (微信支付) =====
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name ${DLWEB_DOMAIN};
+
+    ssl_certificate     /etc/letsencrypt/live/${DLWEB_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${DLWEB_DOMAIN}/privkey.pem;
+    include /etc/nginx/snippets/ssl-params.conf;
+
+    location / {
+        proxy_pass http://dlweb_service;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+# ===== 网站3: 微信小程序后端 =====
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name ${WX_DOMAIN};
+
+    ssl_certificate     /etc/letsencrypt/live/${WX_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${WX_DOMAIN}/privkey.pem;
+    include /etc/nginx/snippets/ssl-params.conf;
+
+    location / {
+        proxy_pass http://wxserver_service;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
--- a/codes/agent/game-docker/docker/nginx/ssl-params.conf
+++ b/codes/agent/game-docker/docker/nginx/ssl-params.conf
@@ -0,0 +1,23 @@
+# SSL 安全参数 (适用于 Let's Encrypt 证书)
+# 此文件被 init-ssl.sh 复制到容器内 /etc/nginx/snippets/ssl-params.conf
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# HSTS (取消注释以启用，请确认所有子域都支持 HTTPS 后再启用)
+# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+
+# OCSP Stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+
+# SSL session 优化
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 1d;
+ssl_session_tickets off;
+
+# DH 参数 (如果生成了 dhparam.pem)
+# ssl_dhparam /etc/nginx/ssl/dhparam.pem;