feat: add nginx reverse proxy + Let's Encrypt SSL + free nip.io domain

kane · kane · commit 418baba0fc8a · 2026-03-02T13:24:53.000+08:00
Automatic domain generation using {VM_IP}.nip.io (no DNS purchase needed). Each service gets its own subdomain with full HTTPS: https://n8n.{VM_IP}.nip.io → n8n workflow editor https://mine.{VM_IP}.nip.io → Lead Mining admin panel (/admin) https://outreach.{VM_IP}.nip.io → Sales Outreach API Changes: - nginx/nginx.conf: base nginx config - nginx/conf.d/default.conf: HTTP-only placeholder (overwritten by setup-ssl.sh) - scripts/setup-ssl.sh: auto-detects VM IP, issues multi-domain cert via certbot HTTP-01 challenge, writes HTTPS nginx vhosts, restarts services - docker-compose.prod.yml: add nginx (80/443) + certbot (auto-renew) services - deploy.yml: new 'Setup domain & SSL' step runs setup-ssl.sh after deploy; supports custom domain via workflow_dispatch input - .env.example: add DOMAIN, N8N_PROTOCOL, update comments
diff --git a/.env.example b/.env.example
@@ -37,16 +37,24 @@ CHROMA_COLLECTION=all_leads
 GEMINI_MODEL=gemini-2.0-flash
 GEMINI_MAX_CONCURRENT=10
 
+# ── 域名 & Nginx SSL ──────────────────────────────────
+# 留空 → 部署时自动生成 {VM_IP}.nip.io 免费域名（无需购买）
+# 有自己的域名则填入（需先将 A 记录指向 VM 公网 IP）
+DOMAIN=
+
 # ── n8n 2.x ──────────────────────────────────────────
 # 首次启动自动创建 Owner 账户，无需手动完成 Setup Wizard
 N8N_JWT_SECRET=n8n-super-secret-jwt-key-change-this
 N8N_OWNER_EMAIL=admin@leadminer.local
 N8N_OWNER_FIRST_NAME=Admin
 N8N_OWNER_LAST_NAME=User
 N8N_OWNER_PASSWORD=LeadMiner2024!
+# 以下两项由 scripts/setup-ssl.sh 自动更新为 https://n8n.{DOMAIN}
 WEBHOOK_URL=http://localhost:5678
 N8N_EDITOR_BASE_URL=http://localhost:5678
-# HTTP 访问时必须设 false；上了 HTTPS 后可删除此行
+# HTTPS 反代后 n8n 需感知协议，由 setup-ssl.sh 自动改为 https
+N8N_PROTOCOL=http
+# HTTP 访问时必须设 false；获取 SSL 证书后 setup-ssl.sh 会自动更新
 N8N_SECURE_COOKIE=false
 
 # ── SMTP（邮件发送，sales-outreach-engine 需要）──────────────────────
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -4,6 +4,11 @@ on:
   push:
     branches: [ main ]
   workflow_dispatch:
+    inputs:
+      domain:
+        description: '自定义域名（留空则自动生成 nip.io 域名）'
+        required: false
+        default: ''
 
 env:
   REGISTRY: ghcr.io
@@ -96,9 +101,29 @@ jobs:
             sleep 10
             docker compose -f docker-compose.prod.yml up -d sales-outreach n8n
 
+            # 启动 nginx（HTTP 模式，等待 SSL 脚本处理）
+            docker compose -f docker-compose.prod.yml up -d nginx certbot
+
             # 清理旧镜像
             docker image prune -f
 
+      - name: Setup domain & SSL
+        uses: appleboy/ssh-action@v1.0.3
+        with:
+          host:     ${{ secrets.VM_HOST }}
+          username: ${{ secrets.VM_USER }}
+          key:      ${{ secrets.VM_SSH_KEY }}
+          script: |
+            cd /opt/lead-mining-system
+
+            # 若 workflow_dispatch 传入了自定义域名则使用，否则自动生成 nip.io
+            CUSTOM_DOMAIN="${{ github.event.inputs.domain }}"
+            if [ -n "$CUSTOM_DOMAIN" ]; then
+              bash scripts/setup-ssl.sh "$CUSTOM_DOMAIN"
+            else
+              bash scripts/setup-ssl.sh
+            fi
+
       - name: Import n8n workflows
         uses: appleboy/ssh-action@v1.0.3
         with:
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
@@ -89,7 +89,9 @@ services:
       DB_POSTGRESDB_SCHEMA:           n8n
       LEAD_MINER_URL:                 http://lead-miner:8000
       GEMINI_API_KEY:                 ${GEMINI_API_KEY}
-      # Cookie 安全（HTTP 访问时必须设为 false；如果配了 HTTPS 可删除此行）
+      # 通过 nginx HTTPS 代理时，设置协议为 https 以修复 cookie
+      N8N_PROTOCOL:                   ${N8N_PROTOCOL:-http}
+      # Cookie 安全（HTTP 访问时必须设 false；如果配了 HTTPS 可删除此行）
       N8N_SECURE_COOKIE:              "false"
       N8N_LOG_LEVEL:                  info
     depends_on:
@@ -101,10 +103,37 @@ services:
     ports:
       - "5678:5678"
 
+  # ── Nginx 反代理 + SSL 入口 ──────────────────────────────────
+  nginx:
+    image: nginx:1.25-alpine
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./nginx/conf.d:/etc/nginx/conf.d
+      - certbot_www:/var/www/certbot:ro
+      - certbot_certs:/etc/letsencrypt:ro
+    depends_on:
+      - n8n
+      - lead-miner
+      - sales-outreach
+
+  # ── Certbot 自动 SSL 证书 ──────────────────────────────────────
+  certbot:
+    image: certbot/certbot:latest
+    volumes:
+      - certbot_www:/var/www/certbot
+      - certbot_certs:/etc/letsencrypt
+    entrypoint: ["/bin/sh", "-c", "trap exit TERM; while :; do certbot renew --quiet; sleep 12h & wait $${!}; done"]
+
 volumes:
   postgres_data:
   chroma_data:
   n8n_data:
+  certbot_www:
+  certbot_certs:
 
 networks:
   default:
diff --git a/nginx/conf.d/default.conf b/nginx/conf.d/default.conf
@@ -0,0 +1,25 @@
+# 临时 HTTP 配置 — 仅用于 Certbot ACME 验证，SSL 初始化前使用
+# 生产完整配置由 setup-ssl.sh 生成并覆盖此文件
+
+server {
+    listen 80;
+    server_name _;
+
+    # Certbot ACME 验证目录
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # 其余请求临时反代到 n8n（HTTP）
+    location / {
+        proxy_pass http://n8n:5678;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 86400;
+    }
+}
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -0,0 +1,28 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent"';
+    access_log /var/log/nginx/access.log main;
+
+    sendfile        on;
+    keepalive_timeout 65;
+    client_max_body_size 50m;
+
+    # Gzip
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript;
+
+    include /etc/nginx/conf.d/*.conf;
+}
diff --git a/scripts/setup-ssl.sh b/scripts/setup-ssl.sh
@@ -0,0 +1,217 @@
+#!/bin/bash
+# setup-ssl.sh — 在 VM 上初始化/更新 Nginx + Let's Encrypt SSL
+# 用法: bash scripts/setup-ssl.sh [DOMAIN]
+# 若不传参数, 自动使用 .env 中的 DOMAIN, 或从公网 IP 生成 nip.io 域名
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
+cd "$PROJECT_DIR"
+
+# ── 1. 确定域名 ───────────────────────────────────────────────────────────────
+if [ -n "${1:-}" ]; then
+  DOMAIN="$1"
+elif grep -q "^DOMAIN=" .env 2>/dev/null; then
+  DOMAIN="$(grep '^DOMAIN=' .env | cut -d= -f2 | tr -d ' \r')"
+fi
+
+if [ -z "${DOMAIN:-}" ]; then
+  # 自动获取 VM 公网 IP, 生成 nip.io 域名（无需购买域名，DNS 自动生效）
+  PUB_IP="$(curl -s --max-time 5 https://api.ipify.org || curl -s --max-time 5 https://ifconfig.me)"
+  if [ -z "$PUB_IP" ]; then
+    echo "❌ 无法获取公网 IP，请手动设置 DOMAIN 变量" >&2
+    exit 1
+  fi
+  DOMAIN="${PUB_IP}.nip.io"
+  echo "📡 自动检测到公网 IP: $PUB_IP"
+fi
+
+echo "🌐 使用域名: $DOMAIN"
+echo "   - n8n:      https://n8n.${DOMAIN}"
+echo "   - 采集面板: https://mine.${DOMAIN}"
+echo "   - 外展 API: https://outreach.${DOMAIN}"
+
+# ── 2. 更新 .env 中的域名和 n8n URL ──────────────────────────────────────────
+if ! grep -q "^DOMAIN=" .env 2>/dev/null; then
+  echo "DOMAIN=${DOMAIN}" >> .env
+else
+  sed -i "s|^DOMAIN=.*|DOMAIN=${DOMAIN}|" .env
+fi
+
+# 更新 n8n webhook/editor URL
+sed -i "s|^WEBHOOK_URL=.*|WEBHOOK_URL=https://n8n.${DOMAIN}|"           .env
+sed -i "s|^N8N_EDITOR_BASE_URL=.*|N8N_EDITOR_BASE_URL=https://n8n.${DOMAIN}|" .env
+
+# ── 3. 确保 certbot 挂载目录存在 ─────────────────────────────────────────────
+mkdir -p nginx/certbot/www nginx/certbot/conf
+
+# ── 4. 申请/续期 SSL 证书 ────────────────────────────────────────────────────
+echo "🔐 申请 Let's Encrypt SSL 证书..."
+
+# 先确保 nginx 在 HTTP 模式下运行（用于 ACME challenge）
+docker compose -f docker-compose.prod.yml up -d nginx
+sleep 3
+
+# 申请包含三个子域名的单张证书
+docker compose -f docker-compose.prod.yml run --rm certbot certonly \
+  --webroot \
+  --webroot-path /var/www/certbot \
+  --email "admin@${DOMAIN}" \
+  --agree-tos \
+  --no-eff-email \
+  --non-interactive \
+  -d "n8n.${DOMAIN}" \
+  -d "mine.${DOMAIN}" \
+  -d "outreach.${DOMAIN}" \
+  --cert-name "lead-mining" \
+  || {
+    echo "⚠️  SSL 申请失败（可能是首次或 nip.io 限速），切换到仅 HTTP 模式"
+    SSL_FAILED=1
+  }
+
+# ── 5. 生成完整 nginx 配置 ────────────────────────────────────────────────────
+echo "📝 生成 nginx 配置..."
+
+if [ "${SSL_FAILED:-0}" = "1" ]; then
+  # ── HTTP only fallback ────────────────────────────────────────────────────
+  cat > nginx/conf.d/default.conf <<NGINXEOF
+# HTTP 模式（SSL 证书获取失败或待申请）
+server {
+    listen 80;
+    server_name n8n.${DOMAIN};
+    location /.well-known/acme-challenge/ { root /var/www/certbot; }
+    location / {
+        proxy_pass http://n8n:5678;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_read_timeout 86400;
+    }
+}
+server {
+    listen 80;
+    server_name mine.${DOMAIN};
+    location /.well-known/acme-challenge/ { root /var/www/certbot; }
+    location / {
+        proxy_pass http://lead-miner:8000;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+        proxy_set_header X-Real-IP \$remote_addr;
+    }
+}
+server {
+    listen 80;
+    server_name outreach.${DOMAIN};
+    location /.well-known/acme-challenge/ { root /var/www/certbot; }
+    location / {
+        proxy_pass http://sales-outreach:8080;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+        proxy_set_header X-Real-IP \$remote_addr;
+    }
+}
+NGINXEOF
+  echo "⚠️  已生成 HTTP 模式配置，之后运行 'bash scripts/setup-ssl.sh' 可补充 SSL"
+else
+  # ── HTTP → HTTPS redirect + HTTPS virtual hosts ───────────────────────────
+  cat > nginx/conf.d/default.conf <<NGINXEOF
+# ── HTTP → HTTPS 强制跳转 + ACME challenge ───────────────────────────────────
+server {
+    listen 80;
+    server_name n8n.${DOMAIN} mine.${DOMAIN} outreach.${DOMAIN};
+    location /.well-known/acme-challenge/ { root /var/www/certbot; }
+    location / { return 301 https://\$host\$request_uri; }
+}
+
+# SSL 通用参数
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+
+# ── n8n ───────────────────────────────────────────────────────────────────────
+server {
+    listen 443 ssl;
+    server_name n8n.${DOMAIN};
+    ssl_certificate     /etc/letsencrypt/live/lead-mining/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/lead-mining/privkey.pem;
+
+    # WebSocket 支持（n8n 编辑器必须）
+    location / {
+        proxy_pass http://n8n:5678;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 86400;
+    }
+}
+
+# ── Lead Mining 控制台 ───────────────────────────────────────────────────────
+server {
+    listen 443 ssl;
+    server_name mine.${DOMAIN};
+    ssl_certificate     /etc/letsencrypt/live/lead-mining/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/lead-mining/privkey.pem;
+
+    location / {
+        proxy_pass http://lead-miner:8000;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 120;
+    }
+}
+
+# ── Sales Outreach API ────────────────────────────────────────────────────────
+server {
+    listen 443 ssl;
+    server_name outreach.${DOMAIN};
+    ssl_certificate     /etc/letsencrypt/live/lead-mining/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/lead-mining/privkey.pem;
+
+    location / {
+        proxy_pass http://sales-outreach:8080;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 120;
+    }
+}
+NGINXEOF
+  echo "✅ 已生成 HTTPS 配置"
+
+  # SSL 成功后更新 n8n 环境变量，启用安全 cookie
+  sed -i "s|^N8N_PROTOCOL=.*|N8N_PROTOCOL=https|"         .env
+  sed -i "s|^N8N_SECURE_COOKIE=.*|N8N_SECURE_COOKIE=true|" .env
+  # 重启 n8n 以应用新的 WEBHOOK_URL 和 PROTOCOL
+  docker compose -f docker-compose.prod.yml up -d --no-deps n8n
+fi
+
+# ── 6. 重载 nginx ─────────────────────────────────────────────────────────────
+docker compose -f docker-compose.prod.yml exec nginx nginx -s reload 2>/dev/null \
+  || docker compose -f docker-compose.prod.yml restart nginx
+
+# ── 7. 打印访问地址 ───────────────────────────────────────────────────────────
+echo ""
+echo "╔══════════════════════════════════════════════════════════╗"
+echo "║            ✅  Lead Mining System — 访问地址             ║"
+echo "╠══════════════════════════════════════════════════════════╣"
+if [ "${SSL_FAILED:-0}" = "1" ]; then
+echo "║  🔄 n8n 工作流     http://n8n.${DOMAIN}"
+echo "║  🎛️  采集控制台   http://mine.${DOMAIN}/admin"
+echo "║  📤 外展 API      http://outreach.${DOMAIN}"
+else
+echo "║  🔄 n8n 工作流     https://n8n.${DOMAIN}"
+echo "║  🎛️  采集控制台   https://mine.${DOMAIN}/admin"
+echo "║  📤 外展 API      https://outreach.${DOMAIN}"
+fi
+echo "╚══════════════════════════════════════════════════════════╝"
