feat: point account service to dedicated domain (#598)

2025-10-28 17:07:02 +08:00 · 2025-10-28 17:07:02 +08:00 · c31fc1c985
commit c31fc1c985
parent afe6383124
14 changed files with 100 additions and 20 deletions
--- a/README.md
+++ b/README.md
@ -60,11 +60,11 @@ make init-db   # initialize database (optional)
 The Next.js dashboard now resolves service endpoints through `dashboard/config/runtime-service-config.yaml`. The runtime
 configuration selects values based on `NEXT_PUBLIC_RUNTIME_ENV` (falling back to `NODE_ENV` and the file's
 `defaultEnvironment`). Use `NEXT_PUBLIC_ACCOUNT_SERVICE_URL` for ad-hoc overrides, otherwise adjust the YAML file to specify
-environment-specific URLs such as `http://localhost:8080` for development/test and `https://account.svc.plus` for production.
+environment-specific URLs such as `http://localhost:8080` for development/test and `https://accounts.svc.plus` for production.

 ## Account service configuration

-`account/config/account.yaml` now accepts a `server.publicUrl` value such as `https://account.svc.plus:8443`. The account service
+`account/config/account.yaml` now accepts a `server.publicUrl` value such as `https://accounts.svc.plus:8443`. The account service
 uses this URL to derive a default CORS origin and to document the externally reachable host. Set `server.allowedOrigins` when you
 need to expose additional browser clients; omit it to fall back to the public URL or the local development origins
 (`http://localhost:3001` and `http://127.0.0.1:3001`).
--- a/account/config/account-agent.yaml
+++ b/account/config/account-agent.yaml
@ -5,7 +5,7 @@ log:

 agent:
  id: "edge-node-1"
-  controllerUrl: "https://account.svc.plus"
+  controllerUrl: "https://accounts.svc.plus"
  apiToken: "replace-with-agent-token"
  httpTimeout: 15s
  statusInterval: 1m
--- a/account/config/account-server.yaml
+++ b/account/config/account-server.yaml
@ -7,13 +7,13 @@ server:
  addr: ":8080"
  readTimeout: 15s
  writeTimeout: 15s
-  publicUrl: "http://localhost:8080"
+  publicUrl: "https://accounts.svc.plus"
  allowedOrigins:
    - "https://dev.svc.plus"
    - "https://dev-homepage.svc.plus"
    - "https://www.svc.plus"
    - "https://global-homepage.svc.plus"
-    - "https://account.svc.plus"
+    - "https://accounts.svc.plus"
    - "https://localhost:8443"
    - "http://localhost:8080"
    - "http://127.0.0.1:8080"
--- a/account/config/account.yaml
+++ b/account/config/account.yaml
@ -7,13 +7,13 @@ server:
  addr: ":8080"
  readTimeout: 15s
  writeTimeout: 15s
-  publicUrl: "http://localhost:8080"
+  publicUrl: "https://accounts.svc.plus"
  allowedOrigins:
    - "https://dev.svc.plus"
    - "https://dev-homepage.svc.plus"
    - "https://www.svc.plus"
    - "https://global-homepage.svc.plus"
-    - "https://account.svc.plus"
+    - "https://accounts.svc.plus"
    - "https://localhost:8443"
    - "http://localhost:8080"
    - "http://127.0.0.1:8080"
--- a/dashboard/config/runtime-service-config.yaml
+++ b/dashboard/config/runtime-service-config.yaml
@ -1,7 +1,7 @@
 defaultEnvironment: production
 defaults:
  accountService:
-    baseUrl: https://www.svc.plus
+    baseUrl: https://accounts.svc.plus
  serverService:
    baseUrl: https://www.svc.plus
 environments:
@ -17,11 +17,11 @@ environments:
      baseUrl: http://localhost:8090
  production:
    accountService:
-      baseUrl: https://www.svc.plus
+      baseUrl: https://accounts.svc.plus
    serverService:
      baseUrl: https://www.svc.plus
  production_tls:
    accountService:
-      baseUrl: https://www.svc.plus
+      baseUrl: https://accounts.svc.plus
    serverService:
      baseUrl: https://www.svc.plus
--- a/dashboard/lib/serviceConfig.ts
+++ b/dashboard/lib/serviceConfig.ts
@ -67,7 +67,7 @@ const runtimeEnvironments: Record<string, EnvironmentRuntimeConfig> =

 type ServiceKey = keyof EnvironmentRuntimeConfig

-const FALLBACK_ACCOUNT_SERVICE_URL = 'http://localhost:8080'
+const FALLBACK_ACCOUNT_SERVICE_URL = 'https://accounts.svc.plus'
 const FALLBACK_SERVER_SERVICE_URL = 'http://localhost:8090'
 const FALLBACK_SERVER_SERVICE_INTERNAL_URL = 'http://127.0.0.1:8090'

--- a/deploy/nginx/servers/xcontrol-idp.conf
+++ b/deploy/nginx/servers/xcontrol-idp.conf
@ -1,6 +1,6 @@
 server {
    listen 443 ssl;
-    server_name account.svc.plus;
+    server_name accounts.svc.plus;

    ssl_certificate /etc/ssl/svc.plus.pem;
    ssl_certificate_key /etc/ssl/svc.plus.rsa.key;
--- a/deploy/openresty/accounts.svc.plus.conf
+++ b/deploy/openresty/accounts.svc.plus.conf
@ -1,12 +1,12 @@
 server {
  listen 80;
-  server_name account.svc.plus;
+  server_name accounts.svc.plus;
  return 301 https://$host$request_uri;
 }

 server {
  listen 443 ssl;
-  server_name account.svc.plus;
+  server_name accounts.svc.plus;

  ssl_certificate     /etc/ssl/svc.plus.pem;
  ssl_certificate_key /etc/ssl/svc.plus.rsa.key;
--- a/docs/account-svc-plus.md
+++ b/docs/account-svc-plus.md
@ -1,6 +1,6 @@
-# account.svc.plus 设计文档
+# accounts.svc.plus 设计文档

-本文档基于现有项目结构，描述一个轻量级的账号服务 **account.svc.plus** 的设计方案。
+本文档基于现有项目结构，描述一个轻量级的账号服务 **accounts.svc.plus** 的设计方案。

 ## 1. 功能概述

@ -14,7 +14,7 @@

 ```
 +---------------+         +------------------+
-| LDAP / OIDC / |  Auth   |   account.svc    |
+| LDAP / OIDC / |  Auth   |  accounts.svc    |
 |    SAML IdP   +-------->+------------------+-----> PostgreSQL
 +---------------+         |   REST / gRPC    |
                           |   gin + goroutine|
--- a/docs/account-xstream-desktop-integration.md
+++ b/docs/account-xstream-desktop-integration.md
@ -1,6 +1,6 @@
 # XStream Desktop 同步集成方案（跨项目执行手册）

-本手册将 `account` 服务与 XStream Desktop App 的改造步骤拆分为两条执行线，并给出跨项目协作时所需的接口契约、目录定位和数据格式。目标是在托管域名 `account.svc.plus` 以及自建部署中，以最小增量实现安全的 xray-core 配置同步，且在 URL 层不泄露任何敏感字段。
+本手册将 `account` 服务与 XStream Desktop App 的改造步骤拆分为两条执行线，并给出跨项目协作时所需的接口契约、目录定位和数据格式。目标是在托管域名 `accounts.svc.plus` 以及自建部署中，以最小增量实现安全的 xray-core 配置同步，且在 URL 层不泄露任何敏感字段。

 ## 1. 账户服务改造（xcontrol/account）

--- a/example/prod/nginx/accounts.svc.plus.conf
+++ b/example/prod/nginx/accounts.svc.plus.conf
@ -0,0 +1,46 @@
+# ==========================================
+# Account Service — Production Reverse Proxy
+# ==========================================
+
+server {
+  listen 80;
+  server_name accounts.svc.plus;
+  return 301 https://$host$request_uri;
+}
+
+server {
+  listen 443 ssl http2;
+  server_name accounts.svc.plus;
+
+  ssl_certificate     /etc/ssl/svc.plus.pem;
+  ssl_certificate_key /etc/ssl/svc.plus.rsa.key;
+  ssl_protocols       TLSv1.2 TLSv1.3;
+  ssl_ciphers         HIGH:!aNULL:!MD5;
+  ssl_prefer_server_ciphers on;
+
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  add_header X-Frame-Options "SAMEORIGIN";
+  add_header X-Content-Type-Options "nosniff";
+  add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+  location / {
+    proxy_pass http://127.0.0.1:8080;
+    proxy_http_version 1.1;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    add_header Access-Control-Allow-Origin $http_origin always;
+    add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
+    add_header Access-Control-Allow-Headers "Authorization, Content-Type, Cookie" always;
+    add_header Access-Control-Allow-Credentials "true" always;
+
+    if ($request_method = OPTIONS) {
+      return 204;
+    }
+
+    proxy_cookie_path / "/; Secure; HttpOnly; SameSite=None";
+  }
+}
--- a/example/sit/nginx/accounts-dev.svc.plus.conf
+++ b/example/sit/nginx/accounts-dev.svc.plus.conf
@ -0,0 +1,34 @@
+server {
+  listen 80;
+  server_name accounts-dev.svc.plus;
+  return 301 https://$host$request_uri;
+}
+
+server {
+  listen 443 ssl http2;
+  server_name accounts-dev.svc.plus;
+
+  ssl_certificate     /etc/ssl/svc.plus.pem;
+  ssl_certificate_key /etc/ssl/svc.plus.rsa.key;
+  ssl_protocols       TLSv1.2 TLSv1.3;
+  ssl_ciphers         HIGH:!aNULL:!MD5;
+
+  location / {
+    proxy_pass http://127.0.0.1:8080;
+    proxy_http_version 1.1;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    add_header Access-Control-Allow-Origin $http_origin always;
+    add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
+    add_header Access-Control-Allow-Headers "Authorization, Content-Type, Cookie" always;
+    add_header Access-Control-Allow-Credentials "true" always;
+
+    if ($request_method = OPTIONS) {
+      return 204;
+    }
+  }
+}
--- a/rag-server/config/config_test.go
+++ b/rag-server/config/config_test.go
@ -44,7 +44,7 @@ func TestLoad(t *testing.T) {
 	wantOrigins := []string{
 		"https://www.svc.plus",
 		"https://global-homepage.svc.plus",
-		"https://account.svc.plus",
+                "https://accounts.svc.plus",
 		"http://localhost:3000",
 		"http://127.0.0.1:3000",
 		"http://localhost:3001",
--- a/rag-server/config/server.yaml
+++ b/rag-server/config/server.yaml
@ -6,7 +6,7 @@ server:
  allowedOrigins:
    - "https://www.svc.plus"
    - "https://global-homepage.svc.plus"
-    - "https://account.svc.plus"
+    - "https://accounts.svc.plus"
    - "http://localhost:3000"
    - "http://127.0.0.1:3000"
    - "http://localhost:3001"