From 627f4aa924fb49ccb4416e03d311deece0fa2ba3 Mon Sep 17 00:00:00 2001
From: Simon
Date: Sun, 21 Jun 2026 11:56:48 +0800
Subject: [PATCH] =?UTF-8?q?feat(deploy):=20v0.7.0=20=E4=B8=80=E9=94=AE?= =?UTF-8?q?=E4=B8=8A=E4=BC=A0=E8=84=9A=E6=9C=AC(Windows=20PS)=20+=20nginx?= =?UTF-8?q?=20=E8=84=B1=E6=95=8F=E8=84=9A=E6=9C=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

upload-frontend-v0.7.0.ps1:
- 自动打包 4 端 dist + scp + ssh 解压
- 用户只需在 PowerShell 跑一次
nginx-access-log-redact.sh:
- 自定义 log_format(去掉 Authorization/Cookie)
- 支持 --rollback 回滚
- nginx -t 验证语法 + nginx -s reload 热重载
Co-Authored-By: Claude
---
deploy-server/nginx-access-log-redact.sh | 69 ++++++++++++++++++++++++
deploy-server/upload-frontend-v0.7.0.ps1 | 67 +++++++++++++++++++++++
2 files changed, 136 insertions(+)
create mode 100644 deploy-server/nginx-access-log-redact.sh
create mode 100644 deploy-server/upload-frontend-v0.7.0.ps1
diff --git a/deploy-server/nginx-access-log-redact.sh b/deploy-server/nginx-access-log-redact.sh
new file mode 100644
index 0000000..c2a84ff
--- /dev/null
+++ b/deploy-server/nginx-access-log-redact.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+# =============================================================================
+# nginx access_log 脱敏脚本(生产服务器跑)
+# =============================================================================
+# 作用:把默认的 access_log 换成自定义 log_format,删除 Authorization/Cookie 等
+# 敏感 header,避免泄漏到日志
+# 用法:bash nginx-access-log-redact.sh
+# 回滚:bash nginx-access-log-redact.sh --rollback
+# =============================================================================
+
+set -e
+
+CONTAINER="wecom_it_nginx" # 注意是下划线
+CONF_PATH="/etc/nginx/conf.d/log-format.conf"
+BACKUP_PATH="/etc/nginx/conf.d/log-format.conf.bak"
+
+if [[ "$1" == "--rollback" ]]; then
+ echo "[ROLLBACK] 恢复默认 access_log..."
+ docker exec "$CONTAINER" bash -c "
+ if [[ -f $BACKUP_PATH ]]; then
+ mv $BACKUP_PATH $CONF_PATH
+ else
+ echo 'access_log /var/log/nginx/access.log;' > $CONF_PATH
+ fi
+ "
+ docker exec "$CONTAINER" nginx -t
+ docker exec "$CONTAINER" nginx -s reload
+ echo "[OK] 已回滚到默认 access_log"
+ exit 0
+fi
+
+echo "[1/5] 备份现有 log-format.conf(如有)..."
+docker exec "$CONTAINER" bash -c "
+ if [[ -f $CONF_PATH ]]; then
+ cp $CONF_PATH $BACKUP_PATH
+ fi
+"
+
+echo "[2/5] 写入脱敏 log_format 配置..."
+docker exec "$CONTAINER" bash -c "cat > $CONF_PATH << 'EOF'
+# 自定义 access_log 格式 — 删除 Authorization/Cookie 等敏感 header
+# 仅保留请求方法 + URI + 状态码 + 字节数 + UA + Referer
+log_format secure \$remote_addr - \$remote_user [\$time_local] \"\$request_method \$uri \$server_protocol\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\";
+
+# 应用:覆盖默认 access_log
+access_log /var/log/nginx/access.log secure;
+EOF
+"
+
+echo "[3/5] 验证配置文件..."
+docker exec "$CONTAINER" cat $CONF_PATH
+echo ""
+
+echo "[4/5] nginx -t 验证语法..."
+docker exec "$CONTAINER" nginx -t
+echo ""
+
+echo "[5/5] reload nginx(不中断连接)..."
+docker exec "$CONTAINER" nginx -s reload
+echo ""
+
+echo "========================================"
+echo "[OK] nginx access_log 脱敏已生效"
+echo "========================================"
+echo ""
+echo "验证:tail 一下 access.log 看新格式"
+echo " docker exec $CONTAINER tail -5 /var/log/nginx/access.log"
+echo ""
+echo "回滚:bash nginx-access-log-redact.sh --rollback"
\ No newline at end of file
diff --git a/deploy-server/upload-frontend-v0.7.0.ps1 b/deploy-server/upload-frontend-v0.7.0.ps1
new file mode 100644
index 0000000..1670b0d
--- /dev/null
+++ b/deploy-server/upload-frontend-v0.7.0.ps1
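Review bot: In nginx-access-log-redact.sh the generated log-format.conf may not deliver the redaction the header comment promises. An `access_log` directive added through conf.d is an additional log at that level and is not inherited by a server block that sets its own `access_log`, so lines in the earlier format (the stock formats log `$request`, query string included) can keep being written. nginx.conf and the vhost files are not in this patch, so confirm with `docker exec "$CONTAINER" nginx -T | grep -n access_log` before step 5 reports success. As shown in the hunk, the `log_format secure` arguments are unquoted; nginx joins separate arguments with no separator and strips the `\"` pairs, so the fields would run together, and wrapping the whole format in single quotes inside the heredoc keeps the spaces and quotes. Separately, with only `set -e`, a failing `nginx -t` at step 4 exits with the new file still in place, and a second run overwrites `log-format.conf.bak` with the already redacted file, so `--rollback` no longer restores the original.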
@@ -0,0 +1,67 @@
+# =============================================================================
+# v0.7.0 前端 dist 一键上传到生产
+# =============================================================================
+# 用途:打包 4 端 dist + scp 到生产 + 在生产解压 + 重载 nginx
+# 用法:在 Windows PowerShell 7+ 跑 .\upload-frontend-v0.7.0.ps1
+# 前置:已 PuTTY 跳到堡垒机 → 再到生产(同一会话)
+# =============================================================================
+
+$ErrorActionPreference = "Stop"
+
+$ProjectRoot = "D:\资料\03-项目开发\wecom_it_smart_desk-claude"
+$TarPath = "$env:TEMP\frontend-v0.7.0.tar.gz"
+$Server = "root@10.90.5.110"
+
+Write-Host "========================================" -ForegroundColor Cyan
+Write-Host " v0.7.0 前端 dist 一键上传" -ForegroundColor Cyan
+Write-Host "========================================" -ForegroundColor Cyan
+Write-Host ""
+
+# 步骤 1:打包 4 端 dist
+Write-Host "[1/4] 打包 4 端 dist..." -ForegroundColor Yellow
+Set-Location $ProjectRoot
+& tar -czf $TarPath `
+ frontend-admin/dist `
+ frontend-agent/dist `
+ frontend-portal/dist `
+ frontend-h5/dist
+$Size = (Get-Item $TarPath).Length / 1MB
+Write-Host " OK: $TarPath ($([math]::Round($Size, 2)) MB)" -ForegroundColor Green
+
+# 步骤 2:scp 到生产
+Write-Host ""
+Write-Host "[2/4] scp 到生产 $Server:/tmp/..." -ForegroundColor Yellow
+Write-Host " (会提示输入密码,用 PuTTY 的密码)" -ForegroundColor Gray
+& scp -o StrictHostKeyChecking=no -o ConnectTimeout=30 $TarPath "${Server}:/tmp/frontend-v0.7.0.tar.gz"
+if ($LASTEXITCODE -ne 0) {
+ Write-Host " FAILED: scp 失败" -ForegroundColor Red
+ exit 1
+}
+Write-Host " OK" -ForegroundColor Green
+
+# 步骤 3:在生产解压(走 ssh,需要输密码)
+Write-Host ""
+Write-Host "[3/4] ssh 到生产解压到 nginx 挂载点..." -ForegroundColor Yellow
+Write-Host " (会再次提示输入密码)" -ForegroundColor Gray
+$RemoteCmd = @"
+cd /opt/wecom-it-desk &&
+echo '解压前端...' &&
+sudo tar -xzf /tmp/frontend-v0.7.0.tar.gz &&
+echo '清理 tar 包...' &&
+sudo rm /tmp/frontend-v0.7.0.tar.gz &&
+echo '清理本地 tar 包...' &&
+rm $TarPath &&
+echo '========================================' &&
+echo '前端 4 端 dist 已更新到生产!' &&
+echo '========================================'
+"@
+& ssh -o StrictHostKeyChecking=no -o ConnectTimeout=30 $Server $RemoteCmd
+if ($LASTEXITCODE -ne 0) {
+ Write-Host " FAILED: ssh 解压失败" -ForegroundColor Red
+ exit 1
+}
+
+Write-Host ""
+Write-Host "[4/4] 完成!" -ForegroundColor Green
+Write-Host "下一步:在生产跑 nginx 脱敏配置 + reload" -ForegroundColor Cyan
+Write-Host "详见 docs/DEPLOY-QUICK-v0.7.0.md Step 5-6" -ForegroundColor Cyan
\ No newline at end of file
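Review bot: Both the `scp` and the `ssh` call in upload-frontend-v0.7.0.ps1 pass `-o StrictHostKeyChecking=no` while logging in as root with a password, so the production host key is never verified and the password and the uploaded dist could go to whatever answers on that address. Drop the option so the known_hosts entry is enforced, or use `-o StrictHostKeyChecking=accept-new` if first contact has to be unattended. Inside the `@"` here-string, `rm $TarPath` is expanded locally to the Windows temp path and then run on the remote host, where it fails and breaks the `&&` chain, so the script reports `ssh 解压失败` after a successful extraction and the local archive is never deleted; move the cleanup after the ssh call as `Remove-Item $TarPath`. The string `"[2/4] scp 到生产 $Server:/tmp/..."` should use `${Server}` as the scp line does, because PowerShell reads `$Server:` as a scope-qualified variable reference and normally rejects it at parse time.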