docs: project docs, scripts, deployment configs, and evidence

fix_ssl.sh

@@ -0,0 +1,145 @@
+#!/bin/bash
+# SSL 证书修复和 Nginx 配置脚本
+# 修复 SSL 证书路径问题并配置新的子域名
+
+echo "========================================"
+echo "修复 SSL 证书和 Nginx 配置"
+echo "========================================"
+
+# 1. 检查 SSL 证书状态
+echo "[1/5] 检查 SSL 证书状态..."
+ls -la /etc/letsencrypt/live/ 2>/dev/null || echo "证书目录不存在"
+
+# 2. 重新获取证书
+echo "[2/5] 重新获取 SSL 证书..."
+certbot certonly --webroot -w /var/www/html -d tksea.top -d www.tksea.top -d api.tksea.top -d gitea.tksea.top -d sub.tksea.top --non-interactive --agree-tos --email admin@tksea.top || certbot --nginx -d tksea.top -d www.tksea.top -d api.tksea.top -d gitea.tksea.top -d sub.tksea.top --non-interactive --agree-tos --email admin@tksea.top
+
+# 3. 验证证书
+echo "[3/5] 验证证书..."
+certbot certificates
+
+# 4. 配置 Nginx
+echo "[4/5] 配置 Nginx..."
+cat > /etc/nginx/sites-available/tksea << 'EOF'
+# HTTP 重定向到 HTTPS
+server {
+    listen 80;
+    server_name tksea.top www.tksea.top api.tksea.top gitea.tksea.top sub.tksea.top;
+    location /.well-known/acme-challenge/ { root /var/www/html; }
+    location / { return 301 https://$host$request_uri; }
+}
+
+# HTTPS - 主域名 (Gitea)
+server {
+    listen 443 ssl http2;
+    server_name tksea.top www.tksea.top;
+    ssl_certificate /etc/letsencrypt/live/tksea.top/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/tksea.top/privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
+
+# HTTPS - api 子域名 (Sub2API)
+server {
+    listen 443 ssl http2;
+    server_name api.tksea.top;
+    ssl_certificate /etc/letsencrypt/live/tksea.top/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/tksea.top/privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    underscores_in_headers on;
+    
+    location / {
+        proxy_pass http://127.0.0.1:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+# HTTPS - gitea 子域名 (Gitea)
+server {
+    listen 443 ssl http2;
+    server_name gitea.tksea.top;
+    ssl_certificate /etc/letsencrypt/live/tksea.top/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/tksea.top/privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
+
+# HTTPS - sub 子域名 (Sub2API)
+server {
+    listen 443 ssl http2;
+    server_name sub.tksea.top;
+    ssl_certificate /etc/letsencrypt/live/tksea.top/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/tksea.top/privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    underscores_in_headers on;
+    
+    location / {
+        proxy_pass http://127.0.0.1:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+EOF
+
+# 5. 测试并重载 Nginx
+echo "[5/5] 测试并重载 Nginx..."
+nginx -t && systemctl reload nginx
+
+echo ""
+echo "========================================"
+echo "修复完成!"
+echo "========================================"
+echo ""
+echo "现在可以访问:"
+echo "  - https://tksea.top (Gitea)"
+echo "  - https://gitea.tksea.top (Gitea)"
+echo "  - https://api.tksea.top (Sub2API)"
+echo "  - https://sub.tksea.top (Sub2API)"
+echo ""
+echo "检查服务状态:"
+echo "  docker ps"
+echo "  systemctl status nginx"
+echo "========================================"