refactor(scripts): simplify modes and harden cert automation
- New modes: lan-http, lan-tls (self-signed), public, full
- Add flags: --no-sni443, --enable-web-https (lan-tls), --test-renewal
- generate-config: lan-tls HTTPS on 8443 only when explicitly enabled; HSTS only in full; SNI 443 default in full
- detect-environment: remove interactive prompt; adjust public description to 'HTTP + TURN'
- deploy.sh: pass new flags, add certbot scheduler (systemd timer or cron fallback), add dry-run renewal test
- Docs (EN/zh-CN): update quick start, modes overview, LAN TLS guidance, LE auto-issue/renew section
@@ -6,10 +6,13 @@ This guide provides a one-click Docker deployment for PrivyDrop. It supports bot

```bash
# Private LAN (no domain/public IP)
bash ./deploy.sh --mode private
bash ./deploy.sh --mode lan-http

# Private LAN + TURN (for complex NAT/LAN)
bash ./deploy.sh --mode private --with-turn
bash ./deploy.sh --mode lan-http --with-turn

# LAN HTTPS (self-signed; dev/managed env; explicitly enable 8443)
bash ./deploy.sh --mode lan-tls --enable-web-https --with-nginx

# Public IP without domain (with TURN)
bash ./deploy.sh --mode public --with-turn
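Review bot: the `# Public IP without domain (with TURN)` example in this hunk serves the app over plain HTTP, and the comment does not say so; since the Modes Overview describes public as "no HTTPS/turns:443", put that in the comment (e.g. `# Public IP without domain (with TURN; plain HTTP, no TLS)`) so someone copying the quick start knows the UI and signalling are unencrypted on a public address.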
@@ -23,10 +26,10 @@ bash ./deploy.sh --mode full --domain your-domain.com --with-nginx --with-turn -

## Modes Overview

- basic: Intranet HTTP; auto-detect network environment
- private: Intranet HTTP; skip network detection (faster; good for known LAN/CI)
- public: Public HTTP; TURN enabled; works without a domain
- full: Domain + HTTPS; TURN enabled; optional SNI 443 split
- lan-http: Intranet HTTP; fastest to start; no TLS
- lan-tls: Intranet HTTPS (self-signed; dev/managed env); 8443 disabled by default; enable via `--enable-web-https`; HSTS disabled; turns:443 not guaranteed
- public: Public HTTP + TURN; works without a domain (no HTTPS/turns:443)
- full: Domain + HTTPS (Let’s Encrypt auto-issue/renew) + TURN; SNI 443 split enabled by default (use `--no-sni443` to disable)

## 🎯 Deployment Advantages

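Review bot: the `public` entry says "TURN enabled" / "Public HTTP + TURN", yet the quick start still invokes it as `--mode public --with-turn`; state whether the flag is implied by the mode or still required, otherwise readers cannot tell if omitting it silently disables TURN. Also, the commit message lists only lan-http/lan-tls/public/full as modes, so if the `basic` and `private` entries are being dropped here, add a one-line migration note (e.g. "private has been renamed to lan-http") for existing scripts that pass `--mode private`.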
@@ -424,32 +427,15 @@ bash deploy.sh --mode full --with-nginx

## 🔒 Security Configuration

### Domain + Self-signed Certificates (full + self-signed)
### LAN HTTPS (lan-tls, self-signed, dev/managed env)

Use when you only need encrypted transport or have your own PKI.

Steps:

1) Generate configuration (self-signed + domain)
- 8443 is disabled by default; explicitly enable with:

```bash
SSL_MODE=self-signed \
bash docker/scripts/generate-config.sh \
--mode full --domain your-domain.com --with-nginx --with-turn
bash ./deploy.sh --mode lan-tls --enable-web-https --with-nginx
```

2) Start services manually (to avoid auto-provisioning Let’s Encrypt)

```bash
docker compose build
docker compose --profile nginx up -d
```

3) Import the CA certificate `docker/ssl/ca-cert.pem` into your browser, or accept the risk on first visit

Optional: To use `turns:443`, enable SNI 443 split (see “Common Flags” and the generator help).

Note: For production, prefer Let’s Encrypt to avoid trust/HSTS issues.
- For development or managed devices only (internal CA trusted fleet-wide); HSTS disabled; `turns:443` not guaranteed. For restricted networks (443-only), use full (domain + trusted cert + SNI 443).

### Public Domain Deployment (HTTPS + Nginx) — Quick Test

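Review bot: steps 1 and 2 no longer match the lan-tls flow they now sit under: the step 1 heading still reads "Generate configuration (self-signed + domain)" although lan-tls takes no `--domain`, and step 2 "Start services manually (to avoid auto-provisioning Let’s Encrypt)" with `docker compose build` / `docker compose --profile nginx up -d` is redundant if `bash ./deploy.sh --mode lan-tls --enable-web-https --with-nginx` already starts the stack; either drop step 2 or say the deploy script is config-only in this mode. In step 3, "or accept the risk on first visit" contradicts the "internal CA trusted fleet-wide" bullet below it; for managed devices recommend importing `docker/ssl/ca-cert.pem` through the fleet's CA distribution and reserve click-through for throwaway dev boxes, since training users to accept warnings defeats the point of enabling TLS.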
@@ -465,17 +451,13 @@ Note: For production, prefer Let’s Encrypt to avoid trust/HSTS issues.

4) Verify: visit `https://<your-domain>`, `/api/health` returns 200; open `chrome://webrtc-internals` and check for `relay` candidates (TURN)

### SSL/TLS Configuration
### SSL/TLS Automation (Let’s Encrypt)

1. **Self-signed Certificates** (default):
In full mode, certificates are auto-issued and auto-renewed:

- Automatically generated and configured
- Suitable for private networks and testing
- Certificate location: `docker/ssl/`

2. **Let's Encrypt Certificates** (planned):
- Automatic application and renewal
- Suitable for production with domain names
- Initial issuance: webroot (no downtime); system certs live under `/etc/letsencrypt/live/<domain>/`; copied to `docker/ssl/` and 443 is enabled.
- Renewal: `certbot.timer` or `/etc/cron.d/certbot` runs daily; the deploy-hook copies new certs to `docker/ssl/` and hot-reloads Nginx/Coturn.
- Lineage suffixes (-0001/-0002) are handled automatically.

### Network Security


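Review bot: the heading "**Let's Encrypt Certificates** (planned)" should drop "planned" if it survives this hunk, since the bullets now describe working webroot issuance and certbot.timer/cron renewal. The copy from `/etc/letsencrypt/live/<domain>/` to `docker/ssl/` moves the private key out of certbot's root-only directory, so say what ownership and mode the copied key gets and that `docker/ssl/` must not be committed or served. The `--test-renewal` flag added in this commit (a dry-run renewal) is not mentioned here; document it as the way to exercise the deploy-hook and the scheduler before the first real renewal, and say how the hook picks among lineage suffixes (-0001/-0002) so the newest lineage, not a stale one, is the one copied.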
@@ -6,10 +6,13 @@

```bash
# 内网(无域名/无公网IP)
bash ./deploy.sh --mode private
bash ./deploy.sh --mode lan-http

# 内网 + TURN(推荐用于复杂内网/NAT)
bash ./deploy.sh --mode private --with-turn
bash ./deploy.sh --mode lan-http --with-turn

# 内网 HTTPS(自签,开发/受管环境,需显式开启 8443)
bash ./deploy.sh --mode lan-tls --enable-web-https --with-nginx

# 公网IP(无域名),含 TURN
bash ./deploy.sh --mode public --with-turn
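Review bot: same point as for the English quick start: the `# 公网IP(无域名),含 TURN` example runs over plain HTTP with no TLS, which the comment should state (the zh-CN modes list already says 不提供 HTTPS/turns:443), so the two READMEs stay aligned and the unencrypted exposure on a public IP is visible where the command is copied from.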
@@ -23,10 +26,10 @@ bash ./deploy.sh --mode full --domain your-domain.com --with-nginx --with-turn -

## 模式一览

- basic:内网 HTTP;自动进行网络环境检测
- private:内网 HTTP;跳过网络环境检测(更快,适合已知内网/CI 环境)
- public:公网 HTTP;开启 TURN;无域名也可使用
- full:域名 + HTTPS;开启 TURN;可选启用 SNI 443 分流
- lan-http:内网 HTTP;最快上手,默认不启用 TLS
- lan-tls:内网 HTTPS(自签,仅开发/受管环境);默认不启 8443,需 `--enable-web-https` 显式开启;禁用 HSTS;不保证 turns:443
- public:公网 HTTP;开启 TURN;无域名也可使用(不提供 HTTPS/turns:443)
- full:域名 + HTTPS(Let’s Encrypt 自动签发/续期)+ TURN;默认启用 SNI 443 分流(可 `--no-sni443` 关闭)

## 🎯 部署优势

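Review bot: the `lan-http` entry reads "默认不启用 TLS" (TLS not enabled by default), which implies TLS can be switched on within lan-http, while the English entry says "no TLS"; align the wording, since lan-tls is the TLS mode. As in the English overview, the `public` entry says "开启 TURN" but the quick start still passes `--with-turn` explicitly; clarify whether the flag is implied by the mode.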
@@ -418,32 +421,15 @@ bash deploy.sh --mode full --with-nginx

## 🔒 HTTPS 与安全

### 域名 + 自签证书(full + self-signed)
### 内网 HTTPS(lan-tls,自签,开发/受管环境)

适用于仅需加密链路或内网 PKI 的场景。

步骤:

1) 生成配置(自签证书 + 域名)
- 默认不启 8443;需 `--enable-web-https` 显式开启:

```bash
SSL_MODE=self-signed \
bash docker/scripts/generate-config.sh \
--mode full --domain your-domain.com --with-nginx --with-turn
bash ./deploy.sh --mode lan-tls --enable-web-https --with-nginx
```

2) 启动服务(手动启动,避免自动申请 Let’s Encrypt)

```bash
docker compose build
docker compose --profile nginx up -d
```

3) 在浏览器导入 CA 证书 `docker/ssl/ca-cert.pem`,或在首次访问时接受风险提示

可选:如需 `turns:443`,请启用 SNI 443 分流(参考“常用开关”与生成器帮助)。

注意:生产环境建议使用 Let’s Encrypt,避免浏览器信任问题与 HSTS 限制。
- 仅用于开发或受管终端(全员导入内部 CA);禁用 HSTS;不保证 `turns:443`;受限网络(仅 443 出口)应使用 full(域名 + 受信证书 + SNI 443)。

### 公网域名部署(HTTPS + Nginx)快速测试

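Review bot: as in the English section, the step 1 heading "生成配置(自签证书 + 域名)" still mentions a domain that lan-tls does not take, and step 2 "手动启动,避免自动申请 Let’s Encrypt" duplicates what `bash ./deploy.sh --mode lan-tls --enable-web-https --with-nginx` presumably already does; also "或在首次访问时接受风险提示" in step 3 sits uneasily beside the "全员导入内部 CA" bullet, so prefer CA import for managed devices and keep the click-through option for disposable dev machines only.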
@@ -463,8 +449,8 @@ docker compose --profile nginx up -d

full 模式自动申请并续期证书:

- 首次签发:webroot 模式(无停机),系统证书保存在 `/etc/letsencrypt/live/<domain>/`,脚本复制到 `docker/ssl/` 并启用 443;
- 续期:certbot deploy-hook 自动复制至 `docker/ssl/`,并热重载 Nginx 与重载(或重启)coturn;
- 首次签发:webroot 模式(无停机),系统证书在 `/etc/letsencrypt/live/<domain>/`,脚本复制到 `docker/ssl/` 并启用 443;
- 续期:`certbot.timer` 或 `/etc/cron.d/certbot` 每日尝试 `certbot renew`;deploy-hook 自动复制新证书并热重载 Nginx/Coturn;
- 证书谱系(-0001/-0002)已自动适配,无需手动处理。

### 网络安全

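Review bot: the new 续期 bullet says Nginx/Coturn are hot-reloaded, while the bullet it replaces said coturn is reloaded "或重启" (or restarted); state which actually happens after a renewal, because a coturn restart drops relay sessions in progress and operators will want to know whether the daily `certbot renew` can interrupt transfers. The English section ("hot-reloads Nginx/Coturn") should describe the same behaviour.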