From 94c9ba7ad327a123a8e5156de0c4007e70bfb782 Mon Sep 17 00:00:00 2001
From: david_bai
Date: Wed, 20 Aug 2025 23:47:32 +0800
Subject: [PATCH] fix:Fix the issue of nginx address occupation during the process of obtaining ssl certificates using certbot

---
 backend/docker/Dockerfile | 13 ++-----------
 backend/docker/Nginx/default | 25 +++++-------------------
 backend/docker/env_install.sh | 32 +-------------------------------
 docs/DEPLOYMENT.md | 6 ++++--
 docs/DEPLOYMENT.zh-CN.md | 7 ++++---
 5 files changed, 16 insertions(+), 67 deletions(-)

diff --git a/backend/docker/Dockerfile b/backend/docker/Dockerfile
index 8a20dd0..facba10 100644
--- a/backend/docker/Dockerfile
+++ b/backend/docker/Dockerfile
@@ -42,17 +42,8 @@ RUN npm install -g pnpm pm2
 #echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | tee /etc/apt/sources.list.d/yarn.list
 #apt update && apt-get install yarn -y
 
-## Install Nginx with HTTP/3 support
-RUN apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring && \
- curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
- | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
- gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg && \
- echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
- http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
- | tee /etc/apt/sources.list.d/nginx.list && \
- echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
- | sudo tee /etc/apt/preferences.d/99nginx && \
- apt update && apt install nginx
+## Install Nginx
+RUN apt install nginx
 
 #clean up
 RUN apt-get clean autoclean
diff --git a/backend/docker/Nginx/default b/backend/docker/Nginx/default
index d88305a..b45f3a2 100644
--- a/backend/docker/Nginx/default
+++ b/backend/docker/Nginx/default
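Review bot: `RUN apt install nginx` on the new side has no `-y`, so under `docker build`, where there is no terminal to answer the "Do you want to continue?" prompt, apt reads EOF and aborts and the layer fails; the `env_install.sh` hunk in this same commit does pass `-y`. Suggest `RUN apt-get install -y --no-install-recommends nginx`, which also sidesteps apt's warning about its unstable CLI in scripted use. The removed block was also the only `apt update` adjacent to this install; if the RUN that refreshes the package lists sits in an earlier, separately cached layer, running the update in the same RUN avoids installing from a stale index.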
@@ -6,26 +6,11 @@ return 301 https://$server_name$request_uri;
 server {
-# No longer listening on public 443/TCP, change to listening on internal port
-
-listen 127.0.0.1:4443 ssl http2; # Listen on TCP port 443, supporting HTTP/2 and SSL
-
-# QUIC/HTTP3 continues to listen on public UDP 443
-
-listen 443 quic reuseport; # Listen on UDP port 443 for QUIC and HTTP/3 # 'reuseport' allows multiple worker processes to share the same port, recommended for QUIC
-
- # Ensure that the SSL protocol includes at least TLSv1.3, as HTTP/3 requires TLSv1.3
- ssl_protocols TLSv1.3 TLSv1.2; # Make sure TLSv1.3 is at the front
-
- # Add HTTP/3 specific headers to inform the browser that HTTP/3 is available
- # Alt-Svc (Alternative Service) header
- # h3=":443" indicates that HTTP/3 is available on the current domain and port 443
- # ma=86400 means this information is cached for 24 hours (86400 seconds)
- add_header Alt-Svc 'h3=":443"; ma=86400';
-
- # (Optional, but recommended) Enable 0-RTT data to further reduce latency
- # Requires support from both client and server
- ssl_early_data on;
+ # No longer listening on public 443/TCP, change to listening on internal port
+ listen 127.0.0.1:4443 ssl;
+ http2 on;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
 server_name YourDomain www.YourDomain;
diff --git a/backend/docker/env_install.sh b/backend/docker/env_install.sh
index 37a8e62..13d2919 100644
--- a/backend/docker/env_install.sh
+++ b/backend/docker/env_install.sh
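Review bot: The new `http2 on;` directive only exists in nginx 1.25.1 and later, while the Dockerfile and `env_install.sh` hunks in this same commit replace the nginx.org repository with the distribution package, and the nginx shipped by current Ubuntu LTS releases predates 1.25, so `nginx -t` would reject the directive as unknown and the server would fail to start. The older form `listen 127.0.0.1:4443 ssl http2;` is accepted by both old and new releases (newer ones only log a deprecation warning), so keep that single line, or document the minimum nginx version this config now requires. Removing `ssl_early_data on;` together with the QUIC listener is sound, since 0-RTT data is replayable; a one-line comment such as `# HTTP/3 and 0-RTT removed: public 443 is left to certbot; early data is replayable` would record the intent for the next reader. The server block continues outside the hunk.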
@@ -16,37 +16,7 @@ sudo apt-get update
 sudo apt install -y nodejs
 sudo npm install -g pnpm pm2
 
-# Install Nginx (with HTTP/3 support, Ubuntu example)
-# Reference: https://nginx.org/en/linux_packages.html#Ubuntu
-
-# 1. **Install prerequisites:**
-
-sudo apt install -y curl gnupg2 ca-certificates lsb-release ubuntu-keyring
-
-# 2. **Import Nginx signing key:**
-
-curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
- | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
-
-# 3. **Verify the key:**
-
-gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
-# Expected fingerprint: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
-
-# 4. **Set up the apt repository for stable Nginx packages:**
-
-echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
-http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
- | sudo tee /etc/apt/sources.list.d/nginx.list
-
-# 5. **Set up repository pinning:**
-
-echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
- | sudo tee /etc/apt/preferences.d/99nginx
-
-# 6. **Install Nginx:**
-
-sudo apt update
+# Install Nginx
 sudo apt install -y nginx
 
 sudo apt-get clean autoclean
diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md
index e058b62..d47a7bb 100644
--- a/docs/DEPLOYMENT.md
+++ b/docs/DEPLOYMENT.md
@@ -117,14 +117,16 @@ In production, Nginx will act as the entry point for all traffic, handling SSL t
 ```
 Then, edit `frontend/.env.production` to set `NEXT_PUBLIC_API_URL` to your backend service domain (e.g., `https://privydrop.app`).
-2. **Install Nginx:** It's recommended to install a newer version that supports HTTP/3.
+2. **Install Nginx:**
+ ```bash
+ sudo apt install -y nginx
+ ```
 3. **Firewall:** Open 'Nginx Full' default ports and 443/udp:
 ```bash
 sudo ufw allow 'Nginx Full'
- sudo ufw allow 443/udp
 sudo ufw reload # or ufw enable
 ```
diff --git a/docs/DEPLOYMENT.zh-CN.md b/docs/DEPLOYMENT.zh-CN.md
index 23810eb..6d690b8 100644
--- a/docs/DEPLOYMENT.zh-CN.md
+++ b/docs/DEPLOYMENT.zh-CN.md
@@ -117,14 +117,15 @@ cd backend && npm run build && cd ..
 ```
 然后编辑 `frontend/.env.production`,配置 `NEXT_PUBLIC_API_URL` 为您的后端服务域名 (例如 `https://privydrop.app`)。
-2. **安装 Nginx:** 推荐安装支持 HTTP/3 的较新版本。
-
+2. **安装 Nginx:**
+ ```bash
+ sudo apt install -y nginx
+ ```
 3. **防火墙:** 打开'Nginx Full'默认端口以及 443/udp
 ```bash
 sudo ufw allow 'Nginx Full'
- sudo ufw allow 443/udp
 sudo ufw reload # 或 ufw enable
 ```