From ba1f52996fdb559e048e2a35d1d0c2400ffba252 Mon Sep 17 00:00:00 2001 
From: abearxiong
Date: Wed, 26 Nov 2025 17:02:14 +0800
Subject: [PATCH] update
---
k8s/xiongxiao.me/clean.sh | 82 ++++++
k8s/xiongxiao.me/deploy-apps.sh | 91 ------
k8s/xiongxiao.me/docs/08-nginx-proxy-modes.md | 270 ++++++++++++++++++
.../ingress/apps-ingressroute.yaml | 18 --
k8s/xiongxiao.me/ingress/rancher-ingress.yaml | 3 +-
.../ingress/verdaccio-ingress.yaml | 10 +-
k8s/xiongxiao.me/nginx/nginx-80.conf | 0
.../nginx/nginx-stream-proxy.conf | 44 +++
k8s/xiongxiao.me/restart.sh | 4 +
.../services/external-services.yaml | 26 --
k8s/xiongxiao.me/test-services.sh | 88 ------
k8s/xiongxiao.me/todos/nginx/blinko.conf | 35 ---
k8s/xiongxiao.me/todos/nginx/chat.conf | 50 ----
k8s/xiongxiao.me/todos/nginx/cloud.conf | 34 ---
k8s/xiongxiao.me/todos/nginx/docmost.conf | 45 ---
k8s/xiongxiao.me/todos/nginx/drawio.conf | 48 ----
k8s/xiongxiao.me/todos/nginx/esm.conf | 47 ---
k8s/xiongxiao.me/todos/nginx/gist.conf | 48 ----
k8s/xiongxiao.me/todos/nginx/git.xx.conf | 39 ---
k8s/xiongxiao.me/todos/nginx/home.mz.conf | 50 ----
k8s/xiongxiao.me/todos/nginx/immich.conf | 48 ----
k8s/xiongxiao.me/todos/nginx/kevisual.conf | 85 ------
k8s/xiongxiao.me/todos/nginx/look-good.conf | 42 ---
k8s/xiongxiao.me/todos/nginx/meilisearch.conf | 34 ---
k8s/xiongxiao.me/todos/nginx/memos.conf | 43 ---
k8s/xiongxiao.me/todos/nginx/minio.conf | 49 ----
k8s/xiongxiao.me/todos/nginx/npm.conf | 35 ---
k8s/xiongxiao.me/todos/nginx/pwd.conf | 44 ---
k8s/xiongxiao.me/todos/nginx/unami.conf | 47 ---
k8s/xiongxiao.me/todos/nginx/webdav.conf | 50 ----
.../todos/nginx/www.xiongxiao.me.conf | 42 ---
.../traefik/traefik-complete.yaml | 10 +-
k8s/xiongxiao.me/undeploy-apps.sh | 70 -----
33 files changed, 415 insertions(+), 1216 deletions(-)
create mode 100755 k8s/xiongxiao.me/clean.sh
delete mode 100755 k8s/xiongxiao.me/deploy-apps.sh
create mode 100644 k8s/xiongxiao.me/docs/08-nginx-proxy-modes.md
create mode 100644 k8s/xiongxiao.me/nginx/nginx-80.conf
create mode 100644 k8s/xiongxiao.me/nginx/nginx-stream-proxy.conf
create mode 100755 k8s/xiongxiao.me/restart.sh
delete mode 100755 k8s/xiongxiao.me/test-services.sh
delete mode 100644 k8s/xiongxiao.me/todos/nginx/blinko.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/chat.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/cloud.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/docmost.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/drawio.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/esm.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/gist.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/git.xx.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/home.mz.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/immich.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/kevisual.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/look-good.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/meilisearch.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/memos.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/minio.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/npm.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/pwd.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/unami.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/webdav.conf
delete mode 100644 k8s/xiongxiao.me/todos/nginx/www.xiongxiao.me.conf
delete mode 100755 k8s/xiongxiao.me/undeploy-apps.sh
diff --git a/k8s/xiongxiao.me/clean.sh b/k8s/xiongxiao.me/clean.sh
new file mode 100755
index 0000000..24aaa4b
--- /dev/null
+++ b/k8s/xiongxiao.me/clean.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+# 清理 Kubernetes 集群中失败和未就绪的 Pod
+# tags: kubernetes, k3s, cleanup, maintenance
+# description: 自动清理所有失败、未就绪或处于错误状态的 Pod
+# title: Kubernetes Pod 清理脚本
+# createdAt: 2025-11-26
+
+set -e
+
+# 颜色定义
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+NC='\033[0m' # No Color
+
+echo "======================================"
+echo "Kubernetes Pod 清理脚本"
+echo "======================================"
+echo ""
+
+# 获取所有失败或未就绪的 Pod
+echo -e "${YELLOW}正在扫描失败的 Pod...${NC}"
+echo ""
+
+# 查找所有问题 Pod
+FAILED_PODS=$(kubectl get pods -A -o json | jq -r '
+ .items[] |
+ select(
+ .status.phase != "Running" and
+ .status.phase != "Succeeded" or
+ (.status.containerStatuses // [] | any(.ready == false))
+ ) |
+ "\(.metadata.namespace) \(.metadata.name) \(.status.phase // "Unknown")"
+' 2>/dev/null || echo "")
+
+if [ -z "$FAILED_PODS" ]; then
+ echo -e "${GREEN}✓ 没有发现失败的 Pod${NC}"
+ echo ""
+ exit 0
+fi
+
+echo "发现以下问题 Pod:"
+echo "$FAILED_PODS" | while read namespace name status; do
+ echo -e "${RED} [$status] $namespace/$name${NC}"
+done
+echo ""
+
+# 确认删除
+read -p "是否删除这些 Pod?(y/N): " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+ echo -e "${YELLOW}取消清理${NC}"
+ exit 0
+fi
+
+# 删除问题 Pod
+echo ""
+echo -e "${YELLOW}开始清理...${NC}"
+DELETED=0
+FAILED=0
+
+echo "$FAILED_PODS" | while read namespace name status; do
+ if [ -n "$namespace" ] && [ -n "$name" ]; then
+ printf "删除 ${namespace}/${name} ... "
+ if kubectl delete pod "$name" -n "$namespace" --grace-period=0 --force 2>/dev/null; then
+ echo -e "${GREEN}✓${NC}"
+ ((DELETED++)) || true
+ else
+ echo -e "${RED}✗${NC}"
+ ((FAILED++)) || true
+ fi
+ fi
+done
+
+echo ""
+echo -e "${GREEN}======================================"
+echo "清理完成"
+echo "======================================${NC}"
+echo ""
+echo "提示:相关的 Deployment/StatefulSet 会自动重新创建 Pod"
+echo ""
diff --git a/k8s/xiongxiao.me/deploy-apps.sh b/k8s/xiongxiao.me/deploy-apps.sh
deleted file mode 100755
index 345978d..0000000
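Review bot: The force-delete line `if kubectl delete pod "$name" -n "$namespace" --grace-period=0 --force 2>/dev/null; then` acts on every namespace returned by `kubectl get pods -A`, so kube-system and Traefik pods that are merely Pending or briefly unready are killed too, and the jq `select` also matches Succeeded pods (a completed Job's containers report `ready == false`) because its `or` branch is not limited to Running pods. A narrower filter is `select((.status.phase != "Running" and .status.phase != "Succeeded") or (.status.phase == "Running" and (.status.containerStatuses // [] | any(.ready == false))))`, and `--grace-period=0 --force` should be dropped or made opt-in, since it removes the API object without waiting for the kubelet and may leave the container running on the node. The `2>/dev/null || echo ""` around the kubectl/jq pipeline turns an auth or connectivity failure into "no failed pods found" with exit 0; let that error surface instead. `DELETED`/`FAILED` are incremented inside a piped `while` subshell and never printed, so either feed the loop with `done <<<"$FAILED_PODS"` and report them or remove the counters, and both loops should use `while IFS= read -r` so backslashes in names are not mangled.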
--- a/k8s/xiongxiao.me/deploy-apps.sh
+++ /dev/null
@@ -1,91 +0,0 @@ -#!/bin/bash - -# Nginx 配置迁移到 K3s + Traefik 部署脚本 -# tags: kubernetes, k3s, traefik, deployment, automation -# description: 自动部署外部服务和 IngressRoute 配置的脚本 -# title: 自动部署脚本 -# createdAt: 2025-11-26 - -set -e - -echo "======================================" -echo "Nginx 配置迁移到 K3s + Traefik" -echo "======================================" -echo "" - -# 颜色定义 -GREEN='\033[0;32m' -YELLOW='\033[1;33m' -RED='\033[0;31m' -NC='\033[0m' # No Color - -# 检查 kubectl -if ! command -v kubectl &> /dev/null; then - echo -e "${RED}错误: kubectl 未安装${NC}" - exit 1 -fi - -# 检查 Traefik -echo -e "${YELLOW}步骤 1/4: 检查 Traefik 部署状态...${NC}" -if ! kubectl get namespace traefik &> /dev/null; then - echo -e "${YELLOW}Traefik namespace 不存在,正在创建...${NC}" - kubectl create namespace traefik -fi - -if ! kubectl get deployment traefik -n traefik &> /dev/null; then - echo -e "${YELLOW}Traefik 未部署,正在部署...${NC}" - kubectl apply -f traefik/traefik-complete.yaml - echo -e "${GREEN}等待 Traefik Pod 就绪...${NC}" - kubectl wait --for=condition=ready pod -l app=traefik -n traefik --timeout=120s -else - echo -e "${GREEN}✓ Traefik 已部署${NC}" -fi - -# 部署外部服务 -echo "" -echo -e "${YELLOW}步骤 2/4: 部署外部服务配置...${NC}" -kubectl apply -f services/external-services.yaml -echo -e "${GREEN}✓ 外部服务配置已应用${NC}" - -# 验证服务 -echo "" -echo -e "${YELLOW}步骤 3/4: 验证服务创建...${NC}" -sleep 2 -SERVICE_COUNT=$(kubectl get svc -n default | grep -c "external" || true) -ENDPOINT_COUNT=$(kubectl get endpoints -n default | grep -c "external" || true) -echo -e "${GREEN}✓ 创建了 ${SERVICE_COUNT} 个服务${NC}" -echo -e "${GREEN}✓ 创建了 ${ENDPOINT_COUNT} 个 Endpoints${NC}" - -# 部署 IngressRoute -echo "" -echo -e "${YELLOW}步骤 4/4: 部署 IngressRoute 配置...${NC}" -kubectl apply -f ingress/apps-ingressroute.yaml -sleep 2 -ROUTE_COUNT=$(kubectl get ingressroute -n default 2>/dev/null | grep -c "https" || true) -echo -e "${GREEN}✓ 创建了 ${ROUTE_COUNT} 个 IngressRoute${NC}" - -# 显示结果 -echo "" -echo -e "${GREEN}======================================" -echo "部署完成!" 
-echo "======================================${NC}" -echo "" -echo "已部署的服务:" -kubectl get svc -n default | grep external || echo "无" -echo "" -echo "已部署的 IngressRoute:" -kubectl get ingressroute -n default || echo "无" -echo "" -echo -e "${YELLOW}提示:${NC}" -echo "1. 查看 Traefik Dashboard:" -echo " kubectl port-forward svc/traefik 8080:8080 -n traefik" -echo " 然后访问 http://localhost:8080/dashboard/" -echo "" -echo "2. 查看 Traefik 日志:" -echo " kubectl logs -n traefik -l app=traefik -f" -echo "" -echo "3. 测试服务访问:" -echo " curl -k https://blinko.xiongxiao.me" -echo "" -echo "4. 确保 DNS 已配置正确,将域名指向 Traefik 的 NodePort (30443)" -echo "" diff --git a/k8s/xiongxiao.me/docs/08-nginx-proxy-modes.md b/k8s/xiongxiao.me/docs/08-nginx-proxy-modes.md new file mode 100644 index 0000000..037a9e6 --- /dev/null +++ b/k8s/xiongxiao.me/docs/08-nginx-proxy-modes.md 
@@ -0,0 +1,270 @@ +--- +title: Nginx 代理模式选择指南 +description: 详细说明 Nginx Stream 模式和 HTTP 反向代理模式的区别、适用场景及常见问题解决方案 +tags: + - nginx + - proxy + - traefik + - stream + - reverse-proxy + - mime-type +createdAt: 2025-11-26 +--- + +# Nginx 代理模式选择指南 + +## 问题现象 + +当使用 Stream 模式转发时,浏览器会报错: + +``` +Refused to execute script from 'https://npm.xiongxiao.me/-/static/Home.854787d3346e44ccc262.js' +because its MIME type ('') is not executable, and strict MIME type checking is enabled. +``` + +## 原因分析 + +Nginx Stream 模式工作在 **TCP/UDP 层**(OSI 第 4 层),只做字节流转发,**不解析 HTTP 协议**,因此: +- ❌ 不会处理 HTTP 头信息(包括 Content-Type) +- ❌ 不会设置 X-Forwarded-* 头 +- ❌ 不支持 WebSocket 协议升级 +- ❌ MIME 类型信息丢失 +- ✅ 转发效率更高(无需解析 HTTP) + +## 两种模式对比 + +### 1. Stream 模式 (nginx-stream-proxy.conf) + +**工作层级**: OSI 第 4 层 (TCP/UDP) + +**特点**: +- ✅ 性能最优,CPU 占用低 +- ✅ 适合纯 TCP/UDP 转发 +- ❌ 不处理 HTTP 头 +- ❌ 不支持基于 HTTP 的负载均衡 +- ❌ 无法查看 HTTP 请求细节 + +**适用场景**: +- MySQL/PostgreSQL 数据库转发 +- Redis/MongoDB 等数据库代理 +- SSH/SFTP 端口转发 +- 纯 TCP 协议转发 +- 不需要 HTTP 头信息的场景 + +**配置示例**: +```nginx +# /etc/nginx/nginx.conf 的 stream {} 块中 +stream { + upstream traefik_http { + server 127.0.0.1:30080; + } + + server { + listen 80; + proxy_pass traefik_http; + } +} +``` + +### 2. 
HTTP 反向代理模式 (nginx-traefik-proxy.conf) ⭐ 推荐 + +**工作层级**: OSI 第 7 层 (HTTP/HTTPS) + +**特点**: +- ✅ 完整的 HTTP 协议支持 +- ✅ 保留所有 HTTP 头信息(包括 Content-Type) +- ✅ 支持 WebSocket +- ✅ 可以设置自定义头 +- ✅ 支持 SSL/TLS 终止 +- ✅ 可以记录详细访问日志 +- ⚠️ 性能略低于 Stream 模式(差异很小) + +**适用场景**: +- Web 应用反向代理 ⭐ +- API 网关 +- 静态资源服务 +- WebSocket 应用 +- 需要处理 HTTP 头的场景 + +**配置示例**: +```nginx +# /etc/nginx/conf.d/traefik-proxy.conf +server { + listen 80; + server_name _; + + # 关键:保留 HTTP 头信息 + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + location / { + proxy_pass http://127.0.0.1:30080; + } +} +``` + +## 解决方案 + +### 当前问题:MIME Type 错误 + +**原因**: 使用了 Stream 模式,导致 Content-Type 头丢失 + +**解决方法**: 切换到 HTTP 反向代理模式 + +#### 步骤 1: 停止当前 Nginx 配置 + +```bash +# 如果使用了 stream 模式配置 +sudo rm /etc/nginx/nginx.conf.d/stream/traefik.conf +# 或删除 nginx.conf 中的 stream {} 块 +``` + +#### 步骤 2: 应用 HTTP 反向代理配置 + +```bash +# 复制配置文件 +sudo cp nginx-traefik-proxy.conf /etc/nginx/conf.d/traefik-proxy.conf + +# 创建 SSL 证书目录和占位证书(如果需要) +sudo mkdir -p /etc/nginx/ssl +sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ + -keyout /etc/nginx/ssl/placeholder.key \ + -out /etc/nginx/ssl/placeholder.crt \ + -subj "/CN=placeholder" + +# 测试配置 +sudo nginx -t + +# 重载 Nginx +sudo nginx -s reload +``` + +#### 步骤 3: 验证 + +```bash +# 检查 HTTP 响应头 +curl -I http://npm.xiongxiao.me + +# 应该能看到正确的 Content-Type +# Content-Type: application/javascript; charset=utf-8 +``` + +## 性能对比 + +### Stream 模式 +- **延迟**: ~0.1ms +- **吞吐量**: 接近网卡上限 +- **CPU 占用**: 极低 +- **内存占用**: 极低 + +### HTTP 反向代理模式 +- **延迟**: ~0.5-1ms +- **吞吐量**: 95%+ 网卡性能 +- **CPU 占用**: 低 +- **内存占用**: 低 + +**结论**: 对于 Web 应用,性能差异可以忽略不计,HTTP 反向代理模式是更好的选择。 + +## 常见问题 + +### Q1: 为什么 Traefik 后端应用会收到错误的 IP? 
+ +**原因**: 没有设置 `X-Real-IP` 和 `X-Forwarded-For` 头 + +**解决**: +```nginx +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +``` + +### Q2: WebSocket 连接失败 + +**原因**: 没有配置协议升级 + +**解决**: +```nginx +proxy_http_version 1.1; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection "upgrade"; +``` + +### Q3: HTTPS 证书错误 + +**原因**: +- HTTP 反向代理模式需要占位证书 +- 或者 Traefik 后端使用自签名证书 + +**解决**: +```nginx +# 创建占位证书 +sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ + -keyout /etc/nginx/ssl/placeholder.key \ + -out /etc/nginx/ssl/placeholder.crt \ + -subj "/CN=placeholder" + +# 信任后端自签名证书 +proxy_ssl_verify off; +``` + +### Q4: 什么时候用 Stream 模式? + +**答**: 仅在以下场景使用 Stream 模式: +- 转发非 HTTP 协议(MySQL、Redis、SSH 等) +- 需要最极致的性能(每毫秒都很重要的场景) +- 纯 TCP/UDP 负载均衡 + +**对于所有 Web 应用,请使用 HTTP 反向代理模式。** + +## 推荐配置 + +### 生产环境标准配置 + +```nginx +# /etc/nginx/conf.d/traefik-proxy.conf +server { + listen 80; + listen [::]:80; + server_name _; + + # 保留客户端信息 + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + + # WebSocket 支持 + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # 缓冲设置(根据实际调整) + proxy_buffering on; + proxy_buffer_size 4k; + proxy_buffers 8 4k; + proxy_busy_buffers_size 8k; + + # 超时设置 + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + location / { + proxy_pass http://127.0.0.1:30080; + proxy_redirect off; + } + + # 日志 + access_log /var/log/nginx/traefik-proxy.access.log; + error_log /var/log/nginx/traefik-proxy.error.log warn; +} +``` + +## 参考资源 + +- [Nginx Stream Module 文档](http://nginx.org/en/docs/stream/ngx_stream_core_module.html) +- [Nginx HTTP Proxy Module 
文档](http://nginx.org/en/docs/http/ngx_http_proxy_module.html) +- [Traefik 官方文档](https://doc.traefik.io/traefik/) diff --git a/k8s/xiongxiao.me/ingress/apps-ingressroute.yaml b/k8s/xiongxiao.me/ingress/apps-ingressroute.yaml index 814ad41..1657b3b 100644 --- a/k8s/xiongxiao.me/ingress/apps-ingressroute.yaml +++ b/k8s/xiongxiao.me/ingress/apps-ingressroute.yaml @@ -167,24 +167,6 @@ spec: tls: certResolver: letsencrypt --- -# NPM - npm.xiongxiao.me -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: npm-https - namespace: default -spec: - entryPoints: - - websecure - routes: - - match: Host(`npm.xiongxiao.me`) - kind: Rule - services: - - name: npm-external - port: 30001 - tls: - certResolver: letsencrypt ---- # Gist - gist.xiongxiao.me (支持 WebSocket) apiVersion: traefik.io/v1alpha1 kind: IngressRoute diff --git a/k8s/xiongxiao.me/ingress/rancher-ingress.yaml b/k8s/xiongxiao.me/ingress/rancher-ingress.yaml index 00e40a2..681ee14 100644 --- a/k8s/xiongxiao.me/ingress/rancher-ingress.yaml +++ b/k8s/xiongxiao.me/ingress/rancher-ingress.yaml @@ -7,6 +7,7 @@ metadata: annotations: traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.tls: "true" + traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt # 使用 Let's Encrypt spec: ingressClassName: traefik rules: @@ -23,4 +24,4 @@ spec: tls: - hosts: - rancher.xiongxiao.me - secretName: tls-rancher-ingress + # secretName: tls-rancher-ingress # 使用自动证书,不需要手动指定 secret diff --git a/k8s/xiongxiao.me/ingress/verdaccio-ingress.yaml b/k8s/xiongxiao.me/ingress/verdaccio-ingress.yaml index be56cef..f2b490f 100644 --- a/k8s/xiongxiao.me/ingress/verdaccio-ingress.yaml +++ b/k8s/xiongxiao.me/ingress/verdaccio-ingress.yaml 
@@ -1,8 +1,12 @@ +# NPM - npm.xiongxiao.me apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: verdaccio-ingress namespace: default + annotations: + traefik.ingress.kubernetes.io/router.tls: "true" + traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt spec: ingressClassName: traefik rules: @@ -16,5 +20,7 @@ spec: name: verdaccio-service port: number: 4873 - # curl http://verdaccio-service:4873 - # wget http://verdaccio-service:4873 \ No newline at end of file + tls: + - hosts: + - npm.xiongxiao.me + secretName: npm-xiongxiao-me-tls \ No newline at end of file diff --git a/k8s/xiongxiao.me/nginx/nginx-80.conf b/k8s/xiongxiao.me/nginx/nginx-80.conf new file mode 100644 index 0000000..e69de29 diff --git a/k8s/xiongxiao.me/nginx/nginx-stream-proxy.conf b/k8s/xiongxiao.me/nginx/nginx-stream-proxy.conf new file mode 100644 index 0000000..861a677 --- /dev/null +++ b/k8s/xiongxiao.me/nginx/nginx-stream-proxy.conf @@ -0,0 +1,44 @@ +# HTTP 转发 (80 -> 30080) - Let's Encrypt HTTP Challenge 需要 +upstream traefik_http { + server 127.0.0.1:30080; +} + +server { + listen 80; + listen [::]:80; + + proxy_pass traefik_http; + + # 优化的超时设置 + proxy_timeout 1h; + proxy_connect_timeout 5s; + + # Stream 模块支持的选项 + proxy_responses 1; + proxy_buffer_size 16k; +} + +# HTTPS 转发 (443 -> 30443) +upstream traefik_https { + server 127.0.0.1:30443; +} + +server { + listen 443; + listen [::]:443; + + # SNI 预读 - 让 Traefik 处理 SSL 证书选择 + ssl_preread on; + + proxy_pass traefik_https; + + # 优化的超时设置 + proxy_timeout 1h; + proxy_connect_timeout 5s; + + # Stream 模块支持的选项 + proxy_responses 1; + proxy_buffer_size 16k; +} + + \ No newline at end of file diff --git a/k8s/xiongxiao.me/restart.sh b/k8s/xiongxiao.me/restart.sh new file mode 100755 index 0000000..48c51cd --- /dev/null +++ b/k8s/xiongxiao.me/restart.sh @@ -0,0 +1,4 @@ +kubectl rollout restart deployment/traefik -n traefik + + +kubectl logs -n traefik -l app=traefik -f 
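Review bot: The new `tls:` entry pins `secretName: npm-xiongxiao-me-tls` while the first hunk of this file adds the `traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt` annotation, and rancher-ingress.yaml in this same commit removes its `secretName` for exactly that reason (`使用自动证书,不需要手动指定 secret`). If that secret does not already exist, Traefik will presumably log an error for this Ingress and serve its default certificate rather than the ACME one; if it does exist, it is not obvious which certificate wins, and the static one will not be renewed by Traefik. I would drop the `secretName: npm-xiongxiao-me-tls` line and keep only `hosts: - npm.xiongxiao.me`, so both Ingress files follow the same resolver-driven model.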
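Review bot: Both `server` blocks forward raw L4 streams without `proxy_protocol on;`, so Traefik and every application behind it sees 127.0.0.1 as the client address; X-Forwarded-For, access logs, rate limits and any IP allow-lists evaluated at Traefik become meaningless. Add `proxy_protocol on;` to both blocks and enable PROXY protocol on Traefik's `web`/`websecure` entry points with 127.0.0.1 as the only entry in `proxyProtocol.trustedIPs` — the traefik-complete.yaml change in this commit is not in view, so I cannot tell whether that side is already done. `proxy_responses 1;` only applies to UDP datagrams and is a no-op for these TCP listeners, so the comment `# Stream 模块支持的选项` is misleading; drop the directive. The header comment says port 80 is kept for the Let's Encrypt HTTP challenge, yet the docs file added in this commit attributes a MIME-type failure to this very stream setup — the two should agree on which mode is the intended one.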
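Review bot: `kubectl logs -n traefik -l app=traefik -f` starts immediately after `kubectl rollout restart deployment/traefik -n traefik`, before the replacement pod exists, so it tails the terminating pod (or fails if it is already gone) instead of the new one; insert `kubectl rollout status deployment/traefik -n traefik --timeout=120s` between the two commands. The file is created with mode 100755 but has no shebang and no `set -e`, so the restart's exit status is never checked and a failure still proceeds to the log tail; add `#!/usr/bin/env bash` and `set -euo pipefail` at the top.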
diff --git a/k8s/xiongxiao.me/services/external-services.yaml b/k8s/xiongxiao.me/services/external-services.yaml index b919c17..9b8d630 100644 --- a/k8s/xiongxiao.me/services/external-services.yaml +++ b/k8s/xiongxiao.me/services/external-services.yaml @@ -239,32 +239,6 @@ subsets: - port: 9000 name: http --- -# NPM (Verdaccio) 服务 (端口 30001, IP: 10.0.32.6) -apiVersion: v1 -kind: Service -metadata: - name: npm-external - namespace: default -spec: - type: ClusterIP - ports: - - port: 30001 - targetPort: 30001 - protocol: TCP - name: http ---- -apiVersion: v1 -kind: Endpoints -metadata: - name: npm-external - namespace: default -subsets: -- addresses: - - ip: 10.0.32.6 - ports: - - port: 30001 - name: http ---- # Gist 服务 (端口 6157, 本地) apiVersion: v1 kind: Service diff --git a/k8s/xiongxiao.me/test-services.sh b/k8s/xiongxiao.me/test-services.sh deleted file mode 100755 index bd2ffe7..0000000 --- a/k8s/xiongxiao.me/test-services.sh +++ /dev/null 
@@ -1,88 +0,0 @@ -#!/bin/bash - -# 服务连通性测试脚本 -# tags: kubernetes, k3s, traefik, testing, health-check -# description: 测试所有已部署服务的连通性和健康状态 -# title: 服务测试脚本 -# createdAt: 2025-11-26 - -# 颜色定义 -GREEN='\033[0;32m' -YELLOW='\033[1;33m' -RED='\033[0;31m' -NC='\033[0m' # No Color - -echo "======================================" -echo "服务连通性测试" -echo "======================================" -echo "" - -# 定义所有服务 -declare -a SERVICES=( - "blinko.xiongxiao.me" - "chat.xiongxiao.me" - "kevisual.xiongxiao.me" - "www.xiongxiao.me" - "immich.xiongxiao.me" - "cloud.xiongxiao.me" - "docmost.xiongxiao.me" - "drawio.xiongxiao.me" - "minio.xiongxiao.me" - "npm.xiongxiao.me" - "gist.xiongxiao.me" - "webdav.xiongxiao.me" - "esm.xiongxiao.me" - "umami.xiongxiao.me" - "pwd.xiongxiao.me" - "meilisearch.xiongxiao.me" - "memos.xiongxiao.me" - "git.xiongxiao.me" -) - -# 统计 -TOTAL=${#SERVICES[@]} -SUCCESS=0 -FAILED=0 - -echo "测试 ${TOTAL} 个服务..." -echo "" - -# 测试每个服务 -for service in "${SERVICES[@]}"; do - printf "%-35s ... " "$service" - - # 使用 curl 测试,允许不安全的 SSL (因为是自签名) - # 设置 5 秒超时 - if curl -k -s -o /dev/null -w "%{http_code}" --max-time 5 "https://${service}" | grep -qE "^(200|301|302|401|403)$"; then - echo -e "${GREEN}✓ OK${NC}" - ((SUCCESS++)) - else - echo -e "${RED}✗ FAILED${NC}" - ((FAILED++)) - fi -done - -# 显示结果 -echo "" -echo "======================================" -echo "测试结果" -echo "======================================" -echo -e "总计: ${TOTAL}" -echo -e "${GREEN}成功: ${SUCCESS}${NC}" -echo -e "${RED}失败: ${FAILED}${NC}" -echo "" - -if [ $FAILED -eq 0 ]; then - echo -e "${GREEN}所有服务测试通过!${NC}" - exit 0 -else - echo -e "${YELLOW}部分服务测试失败,请检查:${NC}" - echo "1. Service 和 Endpoints 配置是否正确" - echo "2. 后端服务是否正常运行" - echo "3. 网络连接是否正常" - echo "4. DNS 解析是否正确" - echo "" - echo "查看详细日志:" - echo " kubectl logs -n traefik -l app=traefik" - exit 1 -fi diff --git a/k8s/xiongxiao.me/todos/nginx/blinko.conf b/k8s/xiongxiao.me/todos/nginx/blinko.conf deleted file mode 100644 index 74bb5de..0000000 
--- a/k8s/xiongxiao.me/todos/nginx/blinko.conf +++ /dev/null @@ -1,35 +0,0 @@ -server { - server_name blinko.xiongxiao.me; - - client_max_body_size 1024m; - - location / { - proxy_set_header HOST $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - #proxy_pass http://localhost:3111/; - proxy_pass http://10.0.32.6:3111/; - } - - listen [::]:443 ssl; # managed by Certbot - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/blinko.xiongxiao.me/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/blinko.xiongxiao.me/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -} -server { - if ($host = blinko.xiongxiao.me) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - listen [::]:80; - server_name blinko.xiongxiao.me; - return 404; # managed by Certbot - - -} diff --git a/k8s/xiongxiao.me/todos/nginx/chat.conf b/k8s/xiongxiao.me/todos/nginx/chat.conf deleted file mode 100644 index 82f4faa..0000000 --- a/k8s/xiongxiao.me/todos/nginx/chat.conf +++ /dev/null 
@@ -1,50 +0,0 @@ - - -map $http_upgrade $connection_upgrade { - default keep-alive; #默认为keep-alive 可以支持 一般http请求 - 'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。 -} - -server { - server_name chat.xiongxiao.me; - client_max_body_size 200m; - - location / { - proxy_set_header HOST $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_http_version 1.1; - proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接 - - proxy_pass http://localhost:3000/; - } - - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/chat.xiongxiao.me/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/chat.xiongxiao.me/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -} - - - -server { - if ($host = chat.xiongxiao.me) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - listen [::]:80; - server_name chat.xiongxiao.me; - return 404; # managed by Certbot - - -} \ No newline at end of file diff --git a/k8s/xiongxiao.me/todos/nginx/cloud.conf b/k8s/xiongxiao.me/todos/nginx/cloud.conf deleted file mode 100644 index 29b1964..0000000 --- a/k8s/xiongxiao.me/todos/nginx/cloud.conf +++ /dev/null 
@@ -1,34 +0,0 @@ -server { - server_name cloud.xiongxiao.me; - - client_max_body_size 1024m; - - location / { - proxy_set_header HOST $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://localhost:5212/; - } - - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/cloud.xiongxiao.me/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/cloud.xiongxiao.me/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -} -server { - if ($host = cloud.xiongxiao.me) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - listen [::]:80; - server_name cloud.xiongxiao.me; - return 404; # managed by Certbot - - -} \ No newline at end of file diff --git a/k8s/xiongxiao.me/todos/nginx/docmost.conf b/k8s/xiongxiao.me/todos/nginx/docmost.conf deleted file mode 100644 index 5e440eb..0000000 --- a/k8s/xiongxiao.me/todos/nginx/docmost.conf +++ /dev/null 
@@ -1,45 +0,0 @@ - -map $http_upgrade $connection_upgrade { - default keep-alive; #默认为keep-alive 可以支持 一般http请求 - 'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。 -} - -server { - server_name docmost.xiongxiao.me; - - client_max_body_size 1024m; - - location / { - proxy_set_header HOST $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_http_version 1.1; - proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接 - proxy_pass http://localhost:3011/; - } - - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/docmost.xiongxiao.me/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/docmost.xiongxiao.me/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -}server { - if ($host = docmost.xiongxiao.me) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - listen [::]:80; - server_name docmost.xiongxiao.me; - return 404; # managed by Certbot - - -} \ No newline at end of file diff --git a/k8s/xiongxiao.me/todos/nginx/drawio.conf b/k8s/xiongxiao.me/todos/nginx/drawio.conf deleted file mode 100644 index 31c54d8..0000000 --- a/k8s/xiongxiao.me/todos/nginx/drawio.conf +++ /dev/null 
@@ -1,48 +0,0 @@ -map $http_upgrade $connection_upgrade { - default keep-alive; #默认为keep-alive 可以支持 一般http请求 - 'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。 -} - -server { - server_name drawio.xiongxiao.me; - - client_max_body_size 1024m; - - location / { - proxy_set_header HOST $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_http_version 1.1; - proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接 - - proxy_pass http://localhost:13000/; - } - - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/drawio.xiongxiao.me/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/drawio.xiongxiao.me/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -} - - -server { - if ($host = drawio.xiongxiao.me) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - listen [::]:80; - server_name drawio.xiongxiao.me; - return 404; # managed by Certbot - - -} \ No newline at end of file diff --git a/k8s/xiongxiao.me/todos/nginx/esm.conf b/k8s/xiongxiao.me/todos/nginx/esm.conf deleted file mode 100644 index 2b372ec..0000000 --- a/k8s/xiongxiao.me/todos/nginx/esm.conf +++ /dev/null 
@@ -1,47 +0,0 @@ -map $http_upgrade $connection_upgrade { - default keep-alive; #默认为keep-alive 可以支持 一般http请求 - 'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。 -} - -server { - listen 80; - listen [::]:80; - server_name esm.xiongxiao.me; - - client_max_body_size 1200m; - - location / { - proxy_set_header HOST $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_http_version 1.1; - proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接 - - proxy_pass http://localhost:12000; - } -} - -server { - server_name esm.xiongxiao.me; - location / { - # root /root/web; - proxy_set_header HOST $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://localhost:12000; - } - client_max_body_size 2048M; - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/esm.xiongxiao.me/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/esm.xiongxiao.me/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot -} - diff --git a/k8s/xiongxiao.me/todos/nginx/gist.conf b/k8s/xiongxiao.me/todos/nginx/gist.conf deleted file mode 100644 index 9cb7a7a..0000000 --- a/k8s/xiongxiao.me/todos/nginx/gist.conf +++ /dev/null 
@@ -1,48 +0,0 @@ -map $http_upgrade $connection_upgrade { - default keep-alive; #默认为keep-alive 可以支持 一般http请求 - 'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。 -} - -server { - server_name gist.xiongxiao.me; - - client_max_body_size 1024m; - - location / { - proxy_set_header HOST $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_http_version 1.1; - proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接 - - proxy_pass http://localhost:6157/; - } - - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/gist.xiongxiao.me/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/gist.xiongxiao.me/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -} - - -server { - if ($host = gist.xiongxiao.me) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - listen [::]:80; - server_name gist.xiongxiao.me; - return 404; # managed by Certbot - - -} \ No newline at end of file diff --git a/k8s/xiongxiao.me/todos/nginx/git.xx.conf b/k8s/xiongxiao.me/todos/nginx/git.xx.conf deleted file mode 100644 index cafe604..0000000 --- a/k8s/xiongxiao.me/todos/nginx/git.xx.conf +++ /dev/null 
@@ -1,39 +0,0 @@ -server { - #填写绑定证书的域名 - server_name git.xiongxiao.me; - #把http的域名请求转成https - #rewrite ^(.*)$ https://${server_name}$1 permanent; - # return 301 https://$host$request_uri; - location / { - # root /root/web; - proxy_set_header HOST $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - #proxy_pass http://10.0.0.10:3000/; - proxy_pass http://10.0.32.6:3000/; - } - client_max_body_size 2048M; - - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/git.xiongxiao.me/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/git.xiongxiao.me/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - - -} - - -server { - if ($host = git.xiongxiao.me) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - server_name git.xiongxiao.me; - return 404; # managed by Certbot - - -} diff --git a/k8s/xiongxiao.me/todos/nginx/home.mz.conf b/k8s/xiongxiao.me/todos/nginx/home.mz.conf deleted file mode 100644 index bb0feab..0000000 --- a/k8s/xiongxiao.me/todos/nginx/home.mz.conf +++ /dev/null 
@@ -1,50 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - http2 on; # ✅ 启用 HTTP/2 - - server_name home.mz.xiongxiao.me; - client_max_body_size 240m; - - # SSL 配置 - ssl_certificate /etc/letsencrypt/live/home.mz.xiongxiao.me/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/home.mz.xiongxiao.me/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - # 提升 WebSocket 支持 - proxy_http_version 1.1; - - location ~* \.(gif|png|jpg|css|js|woff|woff2)$ { - proxy_pass http://xionmi.mz.zxj.im:8123; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - expires 12h; - add_header Cache-Control "public"; - } - - location / { - proxy_pass http://xionmi.mz.zxj.im:8123/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - add_header X-Cache $upstream_cache_status; - add_header Cache-Control no-cache; - } -} - -server { - listen 80; - listen [::]:80; - server_name home.mz.xiongxiao.me; - return 301 https://$host$request_uri; -} diff --git a/k8s/xiongxiao.me/todos/nginx/immich.conf b/k8s/xiongxiao.me/todos/nginx/immich.conf deleted file mode 100644 index f380e54..0000000 --- a/k8s/xiongxiao.me/todos/nginx/immich.conf +++ /dev/null 
@@ -1,48 +0,0 @@
-map $http_upgrade $connection_upgrade {
- default keep-alive; #默认为keep-alive 可以支持 一般http请求
- 'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
-}
-
-server {
- server_name immich.xiongxiao.me;
-
- client_max_body_size 1024m;
-
- location / {
- proxy_set_header HOST $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- proxy_http_version 1.1;
- proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
-
- proxy_pass http://localhost:2283/;
- }
-
- listen 443 ssl; # managed by Certbot
- listen [::]:443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/immich.xiongxiao.me/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/immich.xiongxiao.me/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-}
-
-
-server {
- if ($host = immich.xiongxiao.me) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- listen [::]:80;
- server_name immich.xiongxiao.me;
- return 404; # managed by Certbot
-
-
-}
\ No newline at end of file
diff --git a/k8s/xiongxiao.me/todos/nginx/kevisual.conf b/k8s/xiongxiao.me/todos/nginx/kevisual.conf
deleted file mode 100644
index 456b5df..0000000
--- a/k8s/xiongxiao.me/todos/nginx/kevisual.conf
+++ /dev/null
@@ -1,85 +0,0 @@
-
-map $http_upgrade $connection_upgrade {
- default keep-alive; #默认为keep-alive 可以支持 一般http请求
- 'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
-}
-
-server {
- server_name kevisual.xiongxiao.me;
- #add_header Access-Control-Allow-Origin *;
- #add_header Access-Control-Allow-Credentials true;
- #add_header Access-Control-Allow-Methods GET,POST;
-
- client_max_body_size 200m;
-
- location / {
- proxy_set_header HOST $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- proxy_http_version 1.1;
- proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
-
- proxy_pass http://localhost:3005/;
- }
- location /api/proxy {
- proxy_set_header HOST $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_buffering off;
-
- proxy_http_version 1.1;
- proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
-
- proxy_pass http://localhost:3005/api/proxy;
- }
- location /api {
- proxy_set_header HOST $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_buffering off;
-
- proxy_http_version 1.1;
- proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
-
- proxy_pass http://localhost:4005/api;
- }
-
-
- listen [::]:443 ssl; # managed by Certbot
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/kevisual.xiongxiao.me/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/kevisual.xiongxiao.me/privkey.pem; # managed by 
Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-
-}
-
-
-
-server {
- if ($host = kevisual.xiongxiao.me) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- listen [::]:80;
- server_name kevisual.xiongxiao.me;
- return 404; # managed by Certbot
-
-
-}
diff --git a/k8s/xiongxiao.me/todos/nginx/look-good.conf b/k8s/xiongxiao.me/todos/nginx/look-good.conf
deleted file mode 100644
index 56e85c0..0000000
--- a/k8s/xiongxiao.me/todos/nginx/look-good.conf
+++ /dev/null
@@ -1,42 +0,0 @@
-server {
- server_name look-good.xiongxiao.me;
-
- client_max_body_size 1024m;
-
- root /var/www/book/look-good;
- index index.html index.htm;
- # 更安全的访问控制
- location / {
- try_files $uri $uri.html $uri/ =404;
- }
-
- # 隐藏 .git 等敏感文件
- location ~ /\.(git|svn|hg) {
- deny all;
- }
-
- # 日志路径可自定义
- access_log /var/log/nginx/look-good.access.log;
- error_log /var/log/nginx/look-good.error.log;
-
- listen [::]:443 ssl; # managed by Certbot
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/look-good.xiongxiao.me/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/look-good.xiongxiao.me/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-}
-server {
- if ($host = look-good.xiongxiao.me) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- listen [::]:80;
- server_name look-good.xiongxiao.me;
- return 404; # managed by Certbot
-
-
-}
diff --git a/k8s/xiongxiao.me/todos/nginx/meilisearch.conf b/k8s/xiongxiao.me/todos/nginx/meilisearch.conf
deleted file mode 100644
index 975cbdf..0000000
--- a/k8s/xiongxiao.me/todos/nginx/meilisearch.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-server {
- server_name meilisearch.xiongxiao.me;
-
- client_max_body_size 1024m;
-
- location / {
- proxy_set_header HOST $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass http://localhost:7700/;
- }
-
- listen 443 ssl; # managed by Certbot
- listen [::]:443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/meilisearch.xiongxiao.me/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/meilisearch.xiongxiao.me/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-}
-server {
- if ($host = meilisearch.xiongxiao.me) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- listen [::]:80;
- server_name meilisearch.xiongxiao.me;
- return 404; # managed by Certbot
-
-
-}
\ No newline at end of file
diff --git a/k8s/xiongxiao.me/todos/nginx/memos.conf b/k8s/xiongxiao.me/todos/nginx/memos.conf
deleted file mode 100644
index f1a6b77..0000000
--- a/k8s/xiongxiao.me/todos/nginx/memos.conf
+++ /dev/null
@@ -1,43 +0,0 @@
-server {
- if ($host = memos.xiongxiao.me) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- #填写绑定证书的域名
- server_name memos.xiongxiao.me memos.zxj.im;
- #把http的域名请求转成https
- rewrite ^(.*)$ https://${server_name}$1 permanent;
- # return 301 https://$host$request_uri;
-
-
-}
-server {
- listen 443 ssl;
- #填写绑定证书的域名
- server_name memos.xiongxiao.me;
- #网站主页路径。此路径仅供参考,具体请您按照实际目录操作。
- # root /root/web;
- index index.html index.htm;
- #证书文件名称
- #ssl_certificate /etc/nginx/conf/short.xiongxiao.me_bundle.crt;
- #私钥文件名称
- #ssl_certificate_key /etc/nginx/conf/short.xiongxiao.me.key;
- ssl_session_timeout 5m;
- ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_prefer_server_ciphers on;
-
- location / {
- # root /root/web;
- proxy_set_header HOST $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass http://10.0.32.6:8181/;
- }
- ssl_certificate /etc/letsencrypt/live/memos.xiongxiao.me/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/memos.xiongxiao.me/privkey.pem; # managed by Certbot
-
-}
diff --git a/k8s/xiongxiao.me/todos/nginx/minio.conf b/k8s/xiongxiao.me/todos/nginx/minio.conf
deleted file mode 100644
index 25a2894..0000000
--- a/k8s/xiongxiao.me/todos/nginx/minio.conf
+++ /dev/null
@@ -1,49 +0,0 @@
-map $http_upgrade $connection_upgrade {
- default keep-alive; #默认为keep-alive 可以支持 一般http请求
- 'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
-}
-
-server {
- server_name minio.xiongxiao.me;
-
- client_max_body_size 200m;
-
- location / {
- proxy_pass http://127.0.0.1:9000/;
-
- proxy_set_header HOST $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- proxy_http_version 1.1;
- proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
- }
-
- listen [::]:443 ssl; # managed by Certbot
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/minio.xiongxiao.me/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/minio.xiongxiao.me/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-
-}
-
-
-server {
- if ($host = minio.xiongxiao.me) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- listen [::]:80;
- server_name minio.xiongxiao.me;
- return 404; # managed by Certbot
-
-
-}
diff --git a/k8s/xiongxiao.me/todos/nginx/npm.conf b/k8s/xiongxiao.me/todos/nginx/npm.conf
deleted file mode 100644
index ab4487e..0000000
--- a/k8s/xiongxiao.me/todos/nginx/npm.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-server {
- server_name npm.xiongxiao.me;
-
- client_max_body_size 24m;
-
- location / {
- proxy_set_header HOST $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- #proxy_pass http://10.0.0.10:4873/;
- proxy_pass http://10.0.32.6:30001/;
- }
-
- listen [::]:443 ssl ipv6only=on; # managed by Certbot
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/npm.xiongxiao.me/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/npm.xiongxiao.me/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-}
-server {
- if ($host = npm.xiongxiao.me) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- listen [::]:80;
- server_name npm.xiongxiao.me;
- return 404; # managed by Certbot
-
-
-}
diff --git a/k8s/xiongxiao.me/todos/nginx/pwd.conf b/k8s/xiongxiao.me/todos/nginx/pwd.conf
deleted file mode 100644
index 057b13a..0000000
--- a/k8s/xiongxiao.me/todos/nginx/pwd.conf
+++ /dev/null
@@ -1,44 +0,0 @@
-server {
- if ($host = pwd.xiongxiao.me) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- #填写绑定证书的域名
- server_name pwd.xiongxiao.me;
- #把http的域名请求转成https
- rewrite ^(.*)$ https://${server_name}$1 permanent;
- # return 301 https://$host$request_uri;
-
-
-}
-server {
- listen 443 ssl;
- #填写绑定证书的域名
- server_name pwd.xiongxiao.me;
- #网站主页路径。此路径仅供参考,具体请您按照实际目录操作。
- # root /root/web;
- index index.html index.htm;
- #证书文件名称
- #ssl_certificate /etc/nginx/conf/short.xiongxiao.me_bundle.crt;
- #私钥文件名称
- #ssl_certificate_key /etc/nginx/conf/short.xiongxiao.me.key;
- ssl_session_timeout 5m;
- ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_prefer_server_ciphers on;
-
- location / {
- # root /root/web;
- proxy_set_header HOST $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass http://127.0.0.1:8180/;
- }
-
- ssl_certificate /etc/letsencrypt/live/pwd.xiongxiao.me/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/pwd.xiongxiao.me/privkey.pem; # managed by Certbot
-}
-
diff --git a/k8s/xiongxiao.me/todos/nginx/unami.conf b/k8s/xiongxiao.me/todos/nginx/unami.conf
deleted file mode 100644
index 6560313..0000000
--- a/k8s/xiongxiao.me/todos/nginx/unami.conf
+++ /dev/null
@@ -1,47 +0,0 @@
-
-map $http_upgrade $connection_upgrade {
- default keep-alive; #默认为keep-alive 可以支持 一般http请求
- 'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
-}
-
-server {
- server_name umami.xiongxiao.me;
- index index.html;
- client_max_body_size 1024m;
- location / {
- proxy_set_header HOST $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- proxy_http_version 1.1;
- proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
-
- proxy_pass http://localhost:4004;
- }
-
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/umami.xiongxiao.me/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/umami.xiongxiao.me/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-}
-
-
-
-server {
- if ($host = umami.xiongxiao.me) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- server_name umami.xiongxiao.me;
- return 404; # managed by Certbot
-
-
-}
diff --git a/k8s/xiongxiao.me/todos/nginx/webdav.conf b/k8s/xiongxiao.me/todos/nginx/webdav.conf
deleted file mode 100644
index b34ee59..0000000
--- a/k8s/xiongxiao.me/todos/nginx/webdav.conf
+++ /dev/null
@@ -1,50 +0,0 @@
-
-map $http_upgrade $connection_upgrade {
- default keep-alive; #默认为keep-alive 可以支持 一般http请求
- 'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
-}
-
-server {
- server_name webdav.xiongxiao.me;
-
- client_max_body_size 2024m;
-
- location / {
- proxy_set_header HOST $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- proxy_http_version 1.1;
- proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
-
- proxy_pass http://localhost:6060;
- }
-
- listen [::]:443 ssl; # managed by Certbot
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/webdav.xiongxiao.me/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/webdav.xiongxiao.me/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-}
-
-
-
-server {
- if ($host = webdav.xiongxiao.me) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- listen [::]:80;
- server_name webdav.xiongxiao.me;
- return 404; # managed by Certbot
-
-
-}
\ No newline at end of file
diff --git a/k8s/xiongxiao.me/todos/nginx/www.xiongxiao.me.conf b/k8s/xiongxiao.me/todos/nginx/www.xiongxiao.me.conf
deleted file mode 100644
index bab803a..0000000
--- a/k8s/xiongxiao.me/todos/nginx/www.xiongxiao.me.conf
+++ /dev/null
@@ -1,42 +0,0 @@
-server {
- server_name www.xiongxiao.me;
-
- index index.html index.htm index.nginx-debian.html;
-
- client_max_body_size 24m;
-
- location / {
- proxy_set_header HOST $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- proxy_http_version 1.1;
- proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
-
- proxy_pass http://localhost:3005/;
- }
-
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/www.xiongxiao.me/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/www.xiongxiao.me/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-}
-
-server {
- if ($host = www.xiongxiao.me) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- server_name www.xiongxiao.me;
- return 404; # managed by Certbot
-
-
-}
diff --git a/k8s/xiongxiao.me/traefik/traefik-complete.yaml b/k8s/xiongxiao.me/traefik/traefik-complete.yaml
index 31bf74c..113a585 100644
--- a/k8s/xiongxiao.me/traefik/traefik-complete.yaml
+++ b/k8s/xiongxiao.me/traefik/traefik-complete.yaml
@@ -130,7 +130,6 @@ spec: labels: app: traefik spec: - hostNetwork: true serviceAccountName: traefik containers: - name: traefik
@@ -141,12 +140,10 @@ spec: - --providers.kubernetescrd - --entrypoints.web.address=:80 - --entrypoints.websecure.address=:443 - # HTTP 自动重定向到 HTTPS - - --entrypoints.web.http.redirections.entrypoint.to=websecure - - --entrypoints.web.http.redirections.entrypoint.scheme=https # Let's Encrypt 配置 - --certificatesresolvers.letsencrypt.acme.email=root@xiongxiao.me - --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json + - --certificatesresolvers.letsencrypt.acme.httpchallenge=true - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web # 使用 Let's Encrypt 生产环境(如果测试,使用 caserver) # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
@@ -172,19 +169,22 @@ metadata: name: traefik namespace: traefik spec: - type: ClusterIP + type: NodePort selector: app: traefik ports: - name: web port: 80 targetPort: 80 + nodePort: 30080 # 外部通过 30080 访问 HTTP - name: websecure port: 443 targetPort: 443 + nodePort: 30443 # 外部通过 30443 访问 HTTPS - name: admin port: 8080 targetPort: 8080 + nodePort: 30808 # Dashboard --- apiVersion: networking.k8s.io/v1 kind: IngressClass
diff --git a/k8s/xiongxiao.me/undeploy-apps.sh b/k8s/xiongxiao.me/undeploy-apps.sh
deleted file mode 100755
index 720d3a2..0000000
--- a/k8s/xiongxiao.me/undeploy-apps.sh
+++ /dev/null
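Review bot: Removing the two `--entrypoints.web.http.redirections.entrypoint.*` flags means every router bound to the `web` entrypoint now serves plaintext HTTP instead of answering with a 301 to `websecure`, and nothing in this hunk takes over that job. If the motivation was the HTTP-01 challenge, the `acme.httpchallenge.entrypoint=web` line was already present and Traefik's documentation states the challenge is compatible with entrypoint redirections, so the removal appears unnecessary for that purpose (worth confirming against the Traefik version actually deployed). If HTTPS enforcement is now intended to happen upstream of Traefik, say so next to the removed lines, e.g. `# HTTP->HTTPS redirect intentionally disabled here; enforced by the proxy in front of Traefik`, otherwise restore the two flags so the downgrade is not silent. The `args:` list this hunk edits begins above the hunk.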
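Review bot: `nodePort: 30808` on the `admin` port publishes Traefik's 8080 listener on every node address, and that is the dashboard/API endpoint whenever `--api.insecure` is enabled in the static args above (not visible in this hunk); an unauthenticated control-plane view of routers, services and middleware should not be reachable from outside the cluster. Drop the `nodePort: 30808` line (and the `# Dashboard` comment) so only `web` and `websecure` are exposed, and reach the dashboard through `kubectl port-forward` or an IngressRoute fronted by an auth middleware if it is needed. Separately, with `hostNetwork: true` removed in the first hunk and traffic now entering through a NodePort, kube-proxy SNATs the source address, so Traefik's access logs and any IP-based middleware will record node IPs unless this Service sets `externalTrafficPolicy: Local` or the proxy in front of it forwards the client address (PROXY protocol or trusted forwarded headers).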
@@ -1,70 +0,0 @@
-#!/bin/bash
-
-# Nginx 配置迁移卸载脚本
-# tags: kubernetes, k3s, traefik, cleanup, uninstall
-# description: 卸载所有已部署的外部服务和 IngressRoute 配置
-# title: 卸载脚本
-# createdAt: 2025-11-26
-
-set -e
-
-echo "======================================"
-echo "卸载 K3s 外部服务配置"
-echo "======================================"
-echo ""
-
-# 颜色定义
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-RED='\033[0;31m'
-NC='\033[0m' # No Color
-
-# 确认卸载
-read -p "确认要卸载所有外部服务和 IngressRoute 配置吗?(y/N): " -n 1 -r
-echo
-if [[ ! $REPLY =~ ^[Yy]$ ]]; then
- echo -e "${YELLOW}取消卸载${NC}"
- exit 0
-fi
-
-# 删除 IngressRoute
-echo ""
-echo -e "${YELLOW}步骤 1/2: 删除 IngressRoute...${NC}"
-if kubectl get ingressroute -n default &> /dev/null; then
- kubectl delete -f k8s/xiongxiao.me/ingress/apps-ingressroute.yaml || true
- echo -e "${GREEN}✓ IngressRoute 已删除${NC}"
-else
- echo -e "${YELLOW}无 IngressRoute 需要删除${NC}"
-fi
-
-# 删除外部服务
-echo ""
-echo -e "${YELLOW}步骤 2/2: 删除外部服务和 Endpoints...${NC}"
-if kubectl get svc -n default | grep -q external; then
- kubectl delete -f k8s/xiongxiao.me/services/external-services.yaml || true
- echo -e "${GREEN}✓ 外部服务已删除${NC}"
-else
- echo -e "${YELLOW}无外部服务需要删除${NC}"
-fi
-
-# 验证清理
-echo ""
-echo -e "${YELLOW}验证清理结果...${NC}"
-REMAINING_SVC=$(kubectl get svc -n default | grep -c "external" || true)
-REMAINING_ROUTES=$(kubectl get ingressroute -n default 2>/dev/null | grep -c "https" || true)
-
-if [ "$REMAINING_SVC" -eq 0 ] && [ "$REMAINING_ROUTES" -eq 0 ]; then
- echo -e "${GREEN}✓ 所有配置已清理完成${NC}"
-else
- echo -e "${RED}警告: 仍有 ${REMAINING_SVC} 个服务和 ${REMAINING_ROUTES} 个路由${NC}"
-fi
-
-echo ""
-echo -e "${GREEN}======================================"
-echo "卸载完成!"
-echo "======================================${NC}"
-echo ""
-echo -e "${YELLOW}注意: Traefik 本身未被删除${NC}"
-echo "如需删除 Traefik,请运行:"
-echo " kubectl delete -f k8s/xiongxiao.me/traefik/traefik-complete.yaml"
-echo ""