diff --git a/Dockerfile b/Dockerfile index 2de6833d9d7bd55cf2387ce5f3ba637cca1d8d98..556ab0e587bb0b68c6c16b4fa63ca7cc7ade5b45 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,22 +1,33 @@ -FROM node:18.18.2-alpine as Builder +FROM node:22.14.0-alpine +WORKDIR /opt -RUN mkdir -p /opt/eulerCopilot-web -WORKDIR /opt/eulerCopilot-web COPY . . - +# ENV HTTPS_PROXY= +ENV ELECTRON_MIRROR="https://npmmirror.com/mirrors/electron/" RUN npm install pnpm -g --registry=https://registry.npmmirror.com && \ - pnpm install --registry=https://registry.npmmirror.com && \ - pnpm run build + pnpm install --registry=https://registry.npmmirror.com && \ + pnpm run build + + +FROM hub.oepkgs.net/openeuler/openeuler:24.03-lts-sp2 -FROM nginx:1.21.5 +ENV TZ Asia/Shanghai +RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && \ + echo $TZ > /etc/timezone -COPY --from=Builder /opt/eulerCopilot-web/dist /usr/share/nginx/html -RUN chmod -R 755 /usr/share/nginx/html -COPY --from=Builder /opt/eulerCopilot-web/deploy/dev/euler_copilot.conf /etc/nginx/conf.d/ +RUN sed -i 's|repo.openeuler.org|repo.huaweicloud.com/openeuler|g' /etc/yum.repos.d/openEuler.repo && \ + sed -i '/metalink/d' /etc/yum.repos.d/openEuler.repo && \ + sed -i '/metadata_expire/d' /etc/yum.repos.d/openEuler.repo && \ + yum update -y && \ + yum install -y nginx shadow-utils passwd gettext && \ + yum clean all -ENV RUN_USER nginx -ENV RUN_GROUP nginx +COPY --from=0 /opt/dist /usr/share/nginx/html +COPY --from=0 /opt/public /usr/share/nginx/html +COPY --from=0 /opt/deploy/nginx.conf.tmpl /opt/nginx.conf.tmpl +COPY --from=0 /opt/deploy/start.sh /opt/start.sh EXPOSE 8080 +WORKDIR /opt -ENTRYPOINT [ "nginx", "-g", "daemon off;" ] \ No newline at end of file +ENTRYPOINT [ "bash", "./start.sh" ] diff --git a/deploy/.env.example b/deploy/.env.example new file mode 100644 index 0000000000000000000000000000000000000000..77ee97d6c39589b448a1685dd17108739e70e745 --- /dev/null +++ b/deploy/.env.example 
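Review bot: The final stage has no `USER` instruction, so nginx and the `bash ./start.sh` wrapper run as root; the deleted deploy/prod/Dockerfile created `eulercopilot` (uid/gid 1001), locked its password and ended with `USER eulercopilot`, and none of that hardening survives the move to the top-level Dockerfile. start.sh also renders into `/config/nginx.conf`, but no instruction creates `/config` (the removed k8s manifest mounted an emptyDir there), so the shell redirection and the following `nginx -c /config/nginx.conf` fail unless the operator mounts that directory; the same applies to the `.env` file read from `/opt`, which the final stage never copies. Suggest, before `EXPOSE 8080`: `RUN groupadd -g 1001 eulercopilot && useradd -u 1001 -g eulercopilot -s /sbin/nologin eulercopilot && mkdir -p /config && chown -R eulercopilot:eulercopilot /config /var/lib/nginx /var/log/nginx` followed by `USER eulercopilot` after the final `WORKDIR /opt` (the template already logs to /dev/stdout and /dev/stderr and keeps its pid under /var/lib/nginx/tmp, so those are the only paths that need ownership). Smaller points: `COPY --from=0` depends on stage position where the old file named the stage (`AS builder` would restore that), `ENV TZ Asia/Shanghai` is the deprecated space-separated form (`ENV TZ=Asia/Shanghai`), and `yum update -y` makes the image non-reproducible compared with bumping the base tag.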
@@ -0,0 +1,2 @@ +RAG_WEB_URL= +FRAMEWORK_URL= \ No newline at end of file diff --git a/deploy/dev/euler_copilot.conf b/deploy/dev/euler_copilot.conf deleted file mode 100644 index 60e428ad965e9cbd6a1579085ee12245c67fbf37..0000000000000000000000000000000000000000 --- a/deploy/dev/euler_copilot.conf +++ /dev/null 
@@ -1,77 +0,0 @@ -server { - listen 8080; - server_name localhost; - charset utf-8; - - add_header X-XSS-Protection "1; mode=block"; - add_header Referrer-Policy "no-referrer"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: base64;"; - add_header Cache-Control "no-cache,no-store,must-revalidate"; - add_header Pragma no-cache; - add_header Expires 0; - # limit_conn limitperip 10; - - if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE)$) { - return 444; - } - - location ~ /\. { - deny all; - return 404; - } - - location ~ ^(?:(?!/static)).*\.(js|css|ico|png|jpg|eot|svg|ttf|woff|html|txt|pdf)$ { - root /usr/share/nginx/html; - expires 30d; - } - - location / { - proxy_set_header X-Real-IP $remote_addr; - root /usr/share/nginx/html; - try_files $uri $uri/ /index.html; - if (!-e $request_filename){ - rewrite ^(.*)$ /index.html last; - } - } - - location /api/health_check { - deny all; - return 404; - } - - location /api/ { - proxy_set_header X-Real-IP $remote_addr; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: base64;"; - add_header Cache-Control "no-cache,no-store,must-revalidate"; - add_header Pragma no-cache; - add_header Expires 0; - proxy_buffering off; - error_page 404 = @not_found; - - proxy_pass https://rag.test.osinfra.cn/; - } - - location @not_found { - root /usr/share/nginx/html; - rewrite ^ /404.html break; - } - - - error_page 401 402 403 405 406 407 413 414 /error.html; - error_page 404 /404.html; - error_page 500 501 502 503 504 505 /error.html; - - location = /404.html { - root /usr/share/nginx/html; - } - - location = 
/error.html { - root /usr/share/nginx/html; - } - - } diff --git a/deploy/k8s/web-config.yaml b/deploy/k8s/web-config.yaml deleted file mode 100644 index bef88739a3e53730af007c38277df6fd6f7d45e1..0000000000000000000000000000000000000000 --- a/deploy/k8s/web-config.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: web-config - namespace: euler-copilot -data: - .env: | - #配置文件,参考deploy/prod/.env.example -# dhparam.pem: | #SSL秘钥协商配置文件 -# -----BEGIN DH PARAMETERS----- -# MIICCAKCAgEA29KHqU1FaHYwJkQiPjpKV7bCV3cV6dvMtRpr1g3I6Q7AcDUGEDk0 -# 1XV01HWJShymeN2WuKkLR28Es6N9kvu/3t3Po+PagHNXJg7RTlPgyeOM/dckUiWe -# 86+CpRM8iHKkgoh2JARswTVRHmiwBcVK/GDL2cPTT6Q3YihZZg4GIcIxqQ2Pn8EF -# ZH3XkLiaOqQpfUF/j20qhi4n8/Zktb3EIJxxBHk06cWVaGvClv6uN6trxIp65Kk5 -# SMMeG//AulZ08Wj4tCqWnktn1ZqfgBXBPB0nSankMHVz2iX8dSJerST8BUPo56VB -# 9eimEKR19Em7hCJOZrl8rBwkZy2w8LFz0UDNaDRLqL+X16KszwRYKmNtEQKwJOjT -# qWJV0UAUAjPkTbvbtzK0JANT+EWvaESjsmh05+Y5Ezoi69422FNfKhxi4veUN8A+ -# Gfvqve+lqUTwiWESh6zmNpFn4ifvJQZc+QeNUYUSAoYz4n5rKP7CL9rBql2PMSqV -# QSc9gG/mhSXrgFPM7kN8lG5QUzj78Ove0+DwKD7agMIKS5RI3e8ecmq8XNtLecLW -# iU/UMbwLsmNzhV6tL0YoMHmkqHfPHyBAbzK9Pk5TG3MPcCE4Sb8TkO1TR3blWbcC -# xU09fcDYBfNsH6B8MngEAxtXTLTORwJZVpt1k0rl607WnoXIGXBpQqsCAQI= -# -----END DH PARAMETERS----- - server.crt: | - #SSL证书 - server.key: | - #SSL私钥 - pass.txt: | - #SSL私钥密码 \ No newline at end of file diff --git a/deploy/k8s/web-deployment.yaml b/deploy/k8s/web-deployment.yaml deleted file mode 100644 index ae5b566c429b3e5541d460bfa7d0295a7b499241..0000000000000000000000000000000000000000 --- a/deploy/k8s/web-deployment.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: web-deploy - namespace: euler-copilot - labels: - app: web -spec: - replicas: 1 - selector: - matchLabels: - app: web - template: - metadata: - labels: - app: web - spec: - automountServiceAccountToken: false - securityContext: - fsGroup: 1001 - containers: - - name: web - image: #Web镜像地址 - imagePullPolicy: Always - ports: - - containerPort: 8080 - protocol: TCP - livenessProbe: - httpGet: - path: / - port: 8080 - scheme: HTTP #依据实际可改为HTTPS协议 - failureThreshold: 5 - initialDelaySeconds: 60 - periodSeconds: 90 - env: - - name: TZ - value: Asia/Shanghai - volumeMounts: - - mountPath: /config - name: web-config-volume - - mountPath: /var/lib/nginx/tmp - name: web-tmp - - mountPath: /home/eulercopilot/.env - name: web-env-volume - subPath: .env - # 使用SSL证书的时候,需要挂载证书文件 -# - mountPath: /config/pass.txt -# name: web-env-volume -# subPath: pass.txt -# - mountPath: /config/server.key -# name: web-env-volume -# subPath: server.key -# - mountPath: /config/server.crt -# name: web-env-volume -# subPath: server.crt -# - mountPath: /config/dhparam.pem -# name: web-env-volume -# subPath: dhparam.pem - securityContext: - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - allowPrivilegeEscalation: false -# resources: -# limits: -# memory: 1024Mi -# cpu: 500m - restartPolicy: Always - volumes: - - name: web-config-volume - emptyDir: - medium: Memory - - name: web-env-volume - configMap: - name: web-config - - name: web-tmp - emptyDir: - medium: Memory diff --git a/deploy/k8s/web-ingress.yaml b/deploy/k8s/web-ingress.yaml deleted file mode 100644 index e04c813966669f008ef6689ccb50a79ee8263740..0000000000000000000000000000000000000000 --- a/deploy/k8s/web-ingress.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: web-ingress - namespace: euler-copilot -spec: - entryPoints: - - websecure - routes: - - match: PathPrefix(`/`) - kind: Rule - services: - - name: web-service - port: 8080 \ No newline at end of file diff --git a/deploy/k8s/web-service.yaml b/deploy/k8s/web-service.yaml deleted file mode 100644 index 29689dc7d7706bfcc90334068d9b56c9df01d69d..0000000000000000000000000000000000000000 --- a/deploy/k8s/web-service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: web-service - namespace: euler-copilot -spec: - type: ClusterIP #暴露端口,可使用NodePort,也可使用Ingress - selector: - app: web - ports: - - port: 8080 - targetPort: 8080 - #nodePort: 30000 diff --git a/deploy/prod/nginx.conf.tmpl b/deploy/nginx.conf.tmpl similarity index 87% rename from deploy/prod/nginx.conf.tmpl rename to deploy/nginx.conf.tmpl index 138aacdeb405561d0e11434c8e9c6f015f664da0..c2ef1a64218811aeb6ac1dd4357072b3fc2af2a3 100644 --- a/deploy/prod/nginx.conf.tmpl +++ b/deploy/nginx.conf.tmpl @@ -1,7 +1,7 @@ worker_processes auto; worker_rlimit_nofile 4096; -error_log ${ERROR_FILE} info; -pid ${PID_FILE}; +error_log /dev/stderr info; +pid /var/lib/nginx/tmp/nginx.pid; include /usr/share/nginx/modules/*.conf; @@ -15,7 +15,7 @@ http { '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; - access_log ${LOG_FILE} main; + access_log /dev/stdout main; autoindex off; server_tokens off; @@ -59,8 +59,8 @@ http { include /etc/nginx/conf.d/*.conf; server { - listen 8080 ${SSL_ENABLE} default_server; - server_name ${SERVER_NAME}; + listen 8080 default_server; + server_name localhost; charset utf-8; add_header X-XSS-Protection "1; mode=block"; 
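Review bot: With `listen 8080 default_server;` and `server_name localhost;` hard-coded and the `${SSL_ENABLE}`/`${SERVER_NAME}` hooks removed, TLS termination and Host-header filtering become the responsibility of whatever sits in front of this container, but nothing in the template records that assumption for the next maintainer. Suggest a comment above the `listen` line: `# Plain HTTP only: TLS termination and Host filtering are expected at the ingress/reverse proxy in front of this container.` The `server` block continues past the end of this hunk.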
@@ -71,14 +71,9 @@ http { add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: base64;"; limit_conn limitperip 50; - - ${SSL_SETTINGS} - resolver 8.8.8.8 8.8.4.4 valid=60s; resolver_timeout 5s; - ${DOMAIN_LIMIT} - if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE)$) { return 444; } @@ -87,7 +82,6 @@ http { deny all; return 404; } - location / { limit_req zone=ratelimit burst=50 nodelay; @@ -97,13 +91,6 @@ http { return 404; } } - - location /copilot { - limit_req zone=ratelimit burst=50 nodelay; - alias /usr/share/nginx/html; - index index.html; - try_files $uri $uri/ /index.html; - } location /login { limit_req zone=ratelimit burst=50 nodelay; @@ -130,6 +117,19 @@ http { proxy_pass ${FRAMEWORK_URL}/api/; } + + location /witchaind/ { + proxy_set_header X-Forwarded-For $http_x_real_ip; + add_header X-Accel-Buffering no; + proxy_buffering off; + proxy_intercept_errors on; + + error_page 404 /404.html; + proxy_read_timeout 500s; + proxy_connect_timeout 500s; + + proxy_pass ${RAG_WEB_URL}/witchaind/; + } error_page 401 402 403 405 406 407 413 414 /error.html; error_page 404 /404.html; diff --git a/deploy/prod/.env.example b/deploy/prod/.env.example deleted file mode 100644 index 5caa64d19da806ba7c7cf5a514d95bded7d3fb27..0000000000000000000000000000000000000000 --- a/deploy/prod/.env.example +++ /dev/null @@ -1,5 +0,0 @@ -PROD= -SSL_ENABLE_FLAG= -DOMAIN_LIMIT_ENABLE_FLAG= -SERVER_NAME= -FRAMEWORK_URL= \ No newline at end of file diff --git a/deploy/prod/Dockerfile b/deploy/prod/Dockerfile deleted file mode 100644 index 43f3cbf54277892caf6dc335d5f14640ae57c3e1..0000000000000000000000000000000000000000 --- a/deploy/prod/Dockerfile +++ /dev/null 
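Review bot: The new `location /witchaind/` block ends in `proxy_pass ${RAG_WEB_URL}/witchaind/;`, but the rewritten deploy/start.sh only substitutes `${FRAMEWORK_URL}`, so `${RAG_WEB_URL}` survives into /config/nginx.conf literally and nginx will then read it as a reference to an nginx variable it does not know — most likely a refusal to start rather than a working proxy. The fix belongs in deploy/start.sh: `envsubst '${FRAMEWORK_URL} ${RAG_WEB_URL}' < nginx.conf.tmpl > /config/nginx.conf` (the template hunk itself is fine once the variable is rendered). Separately, `proxy_set_header X-Forwarded-For $http_x_real_ip;` forwards whatever `X-Real-IP` value the requester sent, so unless a trusted proxy in front of this container always overwrites that header, the upstream's view of the client address is chosen by the client; `$proxy_add_x_forwarded_for` (or `$remote_addr` when no trusted proxy exists) is the conventional value, and the existing `/api/` block above this hunk should be checked for the same pattern. The 500s read/connect timeouts are generous enough to hold worker connections for a long time under slow upstreams; worth a comment saying why the RAG backend needs them.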
@@ -1,54 +0,0 @@ -FROM node:22.14.0-alpine -WORKDIR /opt/eulerCopilot-web - -COPY . . -ENV ELECTRON_MIRROR="https://npmmirror.com/mirrors/electron/" -RUN npm install pnpm -g --registry=https://registry.npmmirror.com && \ - pnpm install --registry=https://registry.npmmirror.com && \ - pnpm run build - - -FROM hub.oepkgs.net/openeuler/openeuler:22.03-lts-sp4 - -ENV TZ Asia/Shanghai -RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && \ - echo $TZ > /etc/timezone - -RUN sed -i 's|repo.openeuler.org|mirrors.nju.edu.cn/openeuler|g' /etc/yum.repos.d/openEuler.repo && \ - sed -i '/metalink/d' /etc/yum.repos.d/openEuler.repo && \ - sed -i '/metadata_expire/d' /etc/yum.repos.d/openEuler.repo && \ - yum update -y && \ - yum install -y nginx shadow-utils passwd gettext && \ - yum clean all && \ - groupadd -g 1001 eulercopilot && \ - useradd -m -u 1001 -g eulercopilot -s /sbin/nologin eulercopilot && \ - passwd -l eulercopilot - -COPY --from=0 /opt/eulerCopilot-web/dist /usr/share/nginx/html -COPY --from=0 /opt/eulerCopilot-web/public /usr/share/nginx/html -COPY --from=0 /opt/eulerCopilot-web/deploy/prod/nginx.conf.tmpl /home/eulercopilot/nginx.conf.tmpl -COPY --from=0 /opt/eulerCopilot-web/deploy/prod/start.sh /home/eulercopilot/start.sh - -RUN sed -i 's/umask 002/umask 027/g' /etc/bashrc && \ - sed -i 's/umask 022/umask 027/g' /etc/bashrc && \ - chown -R eulercopilot:eulercopilot /usr/share/nginx && \ - chown -R eulercopilot:eulercopilot /var/log/nginx && \ - chown -R eulercopilot:eulercopilot /var/lib/nginx && \ - chown -R eulercopilot:eulercopilot /etc/nginx && \ - chmod -R 750 /var/log/nginx && \ - find /var/log/nginx -type f -exec chmod 640 {} + && \ - chmod -R 500 /var/lib/nginx && \ - chmod -R 500 /usr/share/nginx && \ - chmod -R 500 /etc/nginx && \ - find /var/log/nginx -type f -exec chmod 400 {} + - -RUN yum remove -y gdb-gdbserver && \ - sh -c "find /usr /etc \( -name *yum* -o -name *dnf* -o -name *sqlite* -o -name *python* \) -exec rm -rf {} + || true" && \ - sh 
-c "find /usr /etc \( -name ps -o -name top \) -exec rm -rf {} + || true" - -EXPOSE 8080 - -USER eulercopilot -WORKDIR /home/eulercopilot - -ENTRYPOINT [ "bash", "./start.sh" ] diff --git a/deploy/prod/start.sh b/deploy/prod/start.sh deleted file mode 100644 index f49d1b8c39b468b05ac8f83560a5c1c36f16f33c..0000000000000000000000000000000000000000 --- a/deploy/prod/start.sh +++ /dev/null @@ -1,53 +0,0 @@ -#!/bin/bash - -export $(cat .env | xargs) - -domain_limit=" - if (\$http_Host !~ ${SERVER_NAME} $) { - return 403; - } -" - -ssl_settings=" - ssl_session_tickets off; - ssl_session_timeout 5m; - ssl_session_cache shared:SSL:10m; - - ssl_certificate /config/server.crt; - ssl_certificate_key /config/server.key; - ssl_password_file /config/pass.txt; - ssl_dhparam /config/dhparam.pem; - ssl_ecdh_curve auto; - ssl_protocols TLSv1.2; - ssl_ciphers \"ECDHE-RSA-AES256-GCM-SHA384\"; - ssl_prefer_server_ciphers on; - ssl_stapling on; - ssl_stapling_verify on; -" - -if [[ -v SSL_ENABLE_FLAG ]]; then - export SSL_ENABLE=ssl - export SSL_SETTINGS=$ssl_settings -else - export SSL_ENABLE="" -fi - -if [[ -v PROD ]]; then - export ERROR_FILE="/dev/stderr" - export LOG_FILE="/dev/stdout" - export PID_FILE="/var/lib/nginx/tmp/nginx.pid" -else - export ERROR_FILE="/var/log/nginx/error.log" - export LOG_FILE="/var/log/nginx/access.log" - export PID_FILE="/var/log/nginx/nginx.pid" -fi - -if [[ -v DOMAIN_LIMIT_ENABLE_FLAG ]]; then - export DOMAIN_LIMIT=$domain_limit -else - export DOMAIN_LIMIT="" -fi - -bash -c "envsubst '\${SERVER_NAME} \${SSL_ENABLE} \${SSL_SETTINGS} \${ERROR_FILE} \${LOG_FILE} \${PID_FILE} \${DOMAIN_LIMIT} \${FRAMEWORK_URL}' < nginx.conf.tmpl > /config/nginx.conf" - -nginx -c /config/nginx.conf -g "daemon off;" \ No newline at end of file diff --git a/deploy/start.sh b/deploy/start.sh new file mode 100644 index 0000000000000000000000000000000000000000..85bc5a80a9a16cf17a33b6a2608bd258e66e488b --- /dev/null +++ b/deploy/start.sh 
@@ -0,0 +1,5 @@ +#!/bin/bash + +export $(cat .env | xargs) +bash -c "envsubst '\${FRAMEWORK_URL}' < nginx.conf.tmpl > /config/nginx.conf" +nginx -c /config/nginx.conf -g "daemon off;" \ No newline at end of file
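Review bot: The last line starts nginx as a child of the bash process that the Dockerfile makes PID 1 (`ENTRYPOINT [ "bash", "./start.sh" ]`), so `docker stop` delivers SIGTERM to bash, which does not forward it, and nginx is only killed when the runtime's grace period expires; the line should be `exec nginx -c /config/nginx.conf -g "daemon off;"`. The script also has no error handling: if `.env` is missing, `cat` fails silently inside the pipeline and the `export` becomes a no-op, and an `envsubst` failure still reaches the `nginx` line, so add `set -euo pipefail` after the shebang. The `bash -c "..."` wrapper around envsubst adds nothing the script's own shell cannot do, and the variable list needs `${RAG_WEB_URL}` for the `/witchaind/` location the template now contains: `envsubst '${FRAMEWORK_URL} ${RAG_WEB_URL}' < nginx.conf.tmpl > /config/nginx.conf`. Note that `export $(cat .env | xargs)` word-splits values, so any URL containing spaces or shell metacharacters will be mangled; a one-line comment documenting that constraint on `.env` would help operators.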