From c31fc1c985c60512d7b6e74ddb4fbd9d9aaca632 Mon Sep 17 00:00:00 2001
From: shenlan
Date: Tue, 28 Oct 2025 17:07:02 +0800
Subject: [PATCH] feat: point account service to dedicated domain (#598)
---
 README.md | 4 +-
 account/config/account-agent.yaml | 2 +-
 account/config/account-server.yaml | 4 +-
 account/config/account.yaml | 4 +-
 dashboard/config/runtime-service-config.yaml | 6 +--
 dashboard/lib/serviceConfig.ts | 2 +-
 deploy/nginx/servers/xcontrol-idp.conf | 2 +-
 ...t.svc.plus.conf => accounts.svc.plus.conf} | 4 +-
 docs/account-svc-plus.md | 6 +--
 docs/account-xstream-desktop-integration.md | 2 +-
 example/prod/nginx/accounts.svc.plus.conf | 46 +++++++++++++++++++
 example/sit/nginx/accounts-dev.svc.plus.conf | 34 ++++++++++++++
 rag-server/config/config_test.go | 2 +-
 rag-server/config/server.yaml | 2 +-
 14 files changed, 100 insertions(+), 20 deletions(-)
 rename deploy/openresty/{account.svc.plus.conf => accounts.svc.plus.conf} (94%)
 create mode 100644 example/prod/nginx/accounts.svc.plus.conf
 create mode 100644 example/sit/nginx/accounts-dev.svc.plus.conf
diff --git a/README.md b/README.md
index 110ad93..db7c4e7 100644
--- a/README.md
+++ b/README.md
@@ -60,11 +60,11 @@ make init-db # initialize database (optional) The Next.js dashboard now resolves service endpoints through `dashboard/config/runtime-service-config.yaml`. The runtime configuration selects values based on `NEXT_PUBLIC_RUNTIME_ENV` (falling back to `NODE_ENV` and the file's `defaultEnvironment`). Use `NEXT_PUBLIC_ACCOUNT_SERVICE_URL` for ad-hoc overrides, otherwise adjust the YAML file to specify
-environment-specific URLs such as `http://localhost:8080` for development/test and `https://account.svc.plus` for production.
+environment-specific URLs such as `http://localhost:8080` for development/test and `https://accounts.svc.plus` for production.
 ## Account service configuration
-`account/config/account.yaml` now accepts a `server.publicUrl` value such as `https://account.svc.plus:8443`. The account service
+`account/config/account.yaml` now accepts a `server.publicUrl` value such as `https://accounts.svc.plus:8443`. The account service
 uses this URL to derive a default CORS origin and to document the externally reachable host. Set `server.allowedOrigins` when you need to expose additional browser clients; omit it to fall back to the public URL or the local development origins (`http://localhost:3001` and `http://127.0.0.1:3001`).
diff --git a/account/config/account-agent.yaml b/account/config/account-agent.yaml
index ad58b64..9890b62 100644
--- a/account/config/account-agent.yaml
+++ b/account/config/account-agent.yaml
@@ -5,7 +5,7 @@ log:
 agent:
 id: "edge-node-1"
- controllerUrl: "https://account.svc.plus"
+ controllerUrl: "https://accounts.svc.plus"
 apiToken: "replace-with-agent-token"
 httpTimeout: 15s
 statusInterval: 1m
diff --git a/account/config/account-server.yaml b/account/config/account-server.yaml
index f0a8ea5..4f0647d 100644
--- a/account/config/account-server.yaml
+++ b/account/config/account-server.yaml
@@ -7,13 +7,13 @@ server:
 addr: ":8080"
 readTimeout: 15s
 writeTimeout: 15s
- publicUrl: "http://localhost:8080"
+ publicUrl: "https://accounts.svc.plus"
 allowedOrigins:
 - "https://dev.svc.plus"
 - "https://dev-homepage.svc.plus"
 - "https://www.svc.plus"
 - "https://global-homepage.svc.plus"
- - "https://account.svc.plus"
+ - "https://accounts.svc.plus"
 - "https://localhost:8443"
 - "http://localhost:8080"
 - "http://127.0.0.1:8080"
diff --git a/account/config/account.yaml b/account/config/account.yaml
index f0a8ea5..4f0647d 100644
--- a/account/config/account.yaml
+++ b/account/config/account.yaml
@@ -7,13 +7,13 @@ server:
 addr: ":8080"
 readTimeout: 15s
 writeTimeout: 15s
- publicUrl: "http://localhost:8080"
+ publicUrl: "https://accounts.svc.plus"
 allowedOrigins:
 - "https://dev.svc.plus"
 - "https://dev-homepage.svc.plus"
 - "https://www.svc.plus"
 - "https://global-homepage.svc.plus"
- - "https://account.svc.plus"
+ - "https://accounts.svc.plus"
 - "https://localhost:8443"
 - "http://localhost:8080"
 - "http://127.0.0.1:8080"
diff --git a/dashboard/config/runtime-service-config.yaml b/dashboard/config/runtime-service-config.yaml
index fcba047..b5f5cea 100644
--- a/dashboard/config/runtime-service-config.yaml
+++ b/dashboard/config/runtime-service-config.yaml
@@ -1,7 +1,7 @@
 defaultEnvironment: production
 defaults:
 accountService:
- baseUrl: https://www.svc.plus
+ baseUrl: https://accounts.svc.plus
 serverService:
 baseUrl: https://www.svc.plus
 environments:
@@ -17,11 +17,11 @@ environments:
 baseUrl: http://localhost:8090
 production:
 accountService:
- baseUrl: https://www.svc.plus
+ baseUrl: https://accounts.svc.plus
 serverService:
 baseUrl: https://www.svc.plus
 production_tls:
 accountService:
- baseUrl: https://www.svc.plus
+ baseUrl: https://accounts.svc.plus
 serverService:
 baseUrl: https://www.svc.plus
diff --git a/dashboard/lib/serviceConfig.ts b/dashboard/lib/serviceConfig.ts
index 86ec892..10f1eb7 100644
--- a/dashboard/lib/serviceConfig.ts
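Review bot: `publicUrl` now defaults to the production origin `https://accounts.svc.plus`, but `allowedOrigins` in the same block still lists `https://localhost:8443`, `http://localhost:8080` and `http://127.0.0.1:8080`, so a deployment that ships this file as-is treats any page served from the operator's loopback interface as a trusted browser origin for the account API. The loopback entries belong in a development override rather than in the default that now carries the production URL; keep this list to the `*.svc.plus` origins and let the README's documented fallback (`http://localhost:3001` / `http://127.0.0.1:3001`) cover local work. The identical hunk in `account/config/account.yaml` (same blob ids `f0a8ea5..4f0647d`) has the same issue, and since the two files are byte-identical one should be generated from or symlinked to the other so they cannot drift. The `server:` mapping continues outside the hunk.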
+++ b/dashboard/lib/serviceConfig.ts
@@ -67,7 +67,7 @@ const runtimeEnvironments: Record =
 type ServiceKey = keyof EnvironmentRuntimeConfig
-const FALLBACK_ACCOUNT_SERVICE_URL = 'http://localhost:8080'
+const FALLBACK_ACCOUNT_SERVICE_URL = 'https://accounts.svc.plus'
 const FALLBACK_SERVER_SERVICE_URL = 'http://localhost:8090'
 const FALLBACK_SERVER_SERVICE_INTERNAL_URL = 'http://127.0.0.1:8090'
diff --git a/deploy/nginx/servers/xcontrol-idp.conf b/deploy/nginx/servers/xcontrol-idp.conf
index 037b4c8..f3b8efd 100644
--- a/deploy/nginx/servers/xcontrol-idp.conf
+++ b/deploy/nginx/servers/xcontrol-idp.conf
@@ -1,6 +1,6 @@
 server {
 listen 443 ssl;
- server_name account.svc.plus;
+ server_name accounts.svc.plus;
 ssl_certificate /etc/ssl/svc.plus.pem;
 ssl_certificate_key /etc/ssl/svc.plus.rsa.key;
diff --git a/deploy/openresty/account.svc.plus.conf b/deploy/openresty/accounts.svc.plus.conf
similarity index 94%
rename from deploy/openresty/account.svc.plus.conf
rename to deploy/openresty/accounts.svc.plus.conf
index 93c70d2..aab4d0d 100644
--- a/deploy/openresty/account.svc.plus.conf
+++ b/deploy/openresty/accounts.svc.plus.conf
@@ -1,12 +1,12 @@
 server {
 listen 80;
- server_name account.svc.plus;
+ server_name accounts.svc.plus;
 return 301 https://$host$request_uri;
 }
 server {
 listen 443 ssl;
- server_name account.svc.plus;
+ server_name accounts.svc.plus;
 ssl_certificate /etc/ssl/svc.plus.pem;
 ssl_certificate_key /etc/ssl/svc.plus.rsa.key;
diff --git a/docs/account-svc-plus.md b/docs/account-svc-plus.md
index b056537..72cf50b 100644
--- a/docs/account-svc-plus.md
+++ b/docs/account-svc-plus.md
@@ -1,6 +1,6 @@
-# account.svc.plus 设计文档
+# accounts.svc.plus 设计文档
-本文档基于现有项目结构,描述一个轻量级的账号服务 **account.svc.plus** 的设计方案。
+本文档基于现有项目结构,描述一个轻量级的账号服务 **accounts.svc.plus** 的设计方案。
 ## 1. 功能概述
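Review bot: `FALLBACK_ACCOUNT_SERVICE_URL` now points at the live account service while `FALLBACK_SERVER_SERVICE_URL` and `FALLBACK_SERVER_SERVICE_INTERNAL_URL` stay on localhost, so a build whose `runtime-service-config.yaml` is missing or malformed will presumably send sign-in traffic to production silently instead of failing against a local endpoint like the other two services do. Since `defaults.accountService.baseUrl` in the YAML already carries the production URL in this same commit, the code-level last resort can stay local: `const FALLBACK_ACCOUNT_SERVICE_URL = 'http://localhost:8080'`; if production really is the intended last resort, add `// last-resort value when no runtime config resolves; deliberately production, unlike the server fallbacks` so the asymmetry is recognisable as a decision. These are module-level constants and the rest of the module is outside the hunk.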
@@ -14,7 +14,7 @@ ``` +---------------+ +------------------+
-| LDAP / OIDC / | Auth | account.svc |
+| LDAP / OIDC / | Auth | accounts.svc |
 | SAML IdP +-------->+------------------+-----> PostgreSQL +---------------+ | REST / gRPC | | gin + goroutine|
diff --git a/docs/account-xstream-desktop-integration.md b/docs/account-xstream-desktop-integration.md
index 99ab726..1525e85 100644
--- a/docs/account-xstream-desktop-integration.md
+++ b/docs/account-xstream-desktop-integration.md
@@ -1,6 +1,6 @@
 # XStream Desktop 同步集成方案(跨项目执行手册)
-本手册将 `account` 服务与 XStream Desktop App 的改造步骤拆分为两条执行线,并给出跨项目协作时所需的接口契约、目录定位和数据格式。目标是在托管域名 `account.svc.plus` 以及自建部署中,以最小增量实现安全的 xray-core 配置同步,且在 URL 层不泄露任何敏感字段。
+本手册将 `account` 服务与 XStream Desktop App 的改造步骤拆分为两条执行线,并给出跨项目协作时所需的接口契约、目录定位和数据格式。目标是在托管域名 `accounts.svc.plus` 以及自建部署中,以最小增量实现安全的 xray-core 配置同步,且在 URL 层不泄露任何敏感字段。
 ## 1. 账户服务改造(xcontrol/account)
diff --git a/example/prod/nginx/accounts.svc.plus.conf b/example/prod/nginx/accounts.svc.plus.conf
new file mode 100644
index 0000000..d525bee
--- /dev/null
+++ b/example/prod/nginx/accounts.svc.plus.conf
@@ -0,0 +1,46 @@
+# ==========================================
+# Account Service — Production Reverse Proxy
+# ==========================================
+
+server {
+ listen 80;
+ server_name accounts.svc.plus;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name accounts.svc.plus;
+
+ ssl_certificate /etc/ssl/svc.plus.pem;
+ ssl_certificate_key /etc/ssl/svc.plus.rsa.key;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options "nosniff";
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+ location / {
+ proxy_pass http://127.0.0.1:8080;
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ add_header Access-Control-Allow-Origin $http_origin always;
+ add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
+ add_header Access-Control-Allow-Headers "Authorization, Content-Type, Cookie" always;
+ add_header Access-Control-Allow-Credentials "true" always;
+
+ if ($request_method = OPTIONS) {
+ return 204;
+ }
+
+ proxy_cookie_path / "/; Secure; HttpOnly; SameSite=None";
+ }
+}
diff --git a/example/sit/nginx/accounts-dev.svc.plus.conf b/example/sit/nginx/accounts-dev.svc.plus.conf
new file mode 100644
index 0000000..f8d7fad
--- /dev/null
+++ b/example/sit/nginx/accounts-dev.svc.plus.conf
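Review bot: `location /` declares its own `add_header` directives (the four `Access-Control-*` lines), and nginx inherits `add_header` from the enclosing level only when the current level defines none, so the `Strict-Transport-Security`, `X-Frame-Options`, `X-Content-Type-Options` and `Referrer-Policy` headers set in the `server` block are never sent on any response from this vhost. Separately, `Access-Control-Allow-Origin $http_origin` combined with `Access-Control-Allow-Credentials "true"` echoes whatever Origin the browser supplies, which makes the `allowedOrigins` allowlist the account service keeps in its own config a no-op at the proxy; `example/sit/nginx/accounts-dev.svc.plus.conf` repeats the same reflection. Restrict the echoed value with a `map` on `$http_origin` mirroring `server.allowedOrigins` (this assumes the file is included at `http` level, where `map` must live) and restate the security headers inside the location, as sketched below. `proxy_cookie_path` also stamps `SameSite=None` onto every upstream cookie, which is only warranted if cross-site embedding of the account service is intended; worth confirming before it ships as the production example.

```nginx
# Only echo origins the account service itself trusts (keep in step with
# server.allowedOrigins); anything else gets an empty header.
map $http_origin $cors_origin {
    default                             "";
    "https://www.svc.plus"              $http_origin;
    "https://global-homepage.svc.plus"  $http_origin;
    "https://accounts.svc.plus"         $http_origin;
}

# … unchanged: port-80 redirect server, listen/ssl_* settings …

    location / {
        # … unchanged: proxy_pass, proxy_http_version, proxy_set_header lines …

        # add_header is not inherited once a location sets its own, so the
        # server-level security headers have to be repeated here.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;

        add_header Access-Control-Allow-Origin $cors_origin always;
        add_header Vary Origin always;
        # … unchanged: Allow-Methods / Allow-Headers / Allow-Credentials, OPTIONS handling, proxy_cookie_path …
    }
```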
@@ -0,0 +1,34 @@
+server {
+ listen 80;
+ server_name accounts-dev.svc.plus;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name accounts-dev.svc.plus;
+
+ ssl_certificate /etc/ssl/svc.plus.pem;
+ ssl_certificate_key /etc/ssl/svc.plus.rsa.key;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ location / {
+ proxy_pass http://127.0.0.1:8080;
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ add_header Access-Control-Allow-Origin $http_origin always;
+ add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
+ add_header Access-Control-Allow-Headers "Authorization, Content-Type, Cookie" always;
+ add_header Access-Control-Allow-Credentials "true" always;
+
+ if ($request_method = OPTIONS) {
+ return 204;
+ }
+ }
+}
diff --git a/rag-server/config/config_test.go b/rag-server/config/config_test.go
index 5c277bf..07fb144 100644
--- a/rag-server/config/config_test.go
+++ b/rag-server/config/config_test.go
@@ -44,7 +44,7 @@ func TestLoad(t *testing.T) {
 wantOrigins := []string{
 "https://www.svc.plus",
 "https://global-homepage.svc.plus",
- "https://account.svc.plus",
+ "https://accounts.svc.plus",
 "http://localhost:3000",
 "http://127.0.0.1:3000",
 "http://localhost:3001",
diff --git a/rag-server/config/server.yaml b/rag-server/config/server.yaml
index 93e367c..8ba2c1b 100644
--- a/rag-server/config/server.yaml
+++ b/rag-server/config/server.yaml
@@ -6,7 +6,7 @@ server:
 allowedOrigins:
 - "https://www.svc.plus"
 - "https://global-homepage.svc.plus"
- - "https://account.svc.plus"
+ - "https://accounts.svc.plus"
 - "http://localhost:3000"
 - "http://127.0.0.1:3000"
 - "http://localhost:3001"