docs: 添加详细的生产部署文档(Gunicorn + Systemd + Nginx)
- WSGI 生产服务器配置说明 - 完整的 Systemd service 配置 - Nginx 反向代理 + SSL 配置示例 - 生产环境检查清单 - 优雅关闭特性说明
This commit is contained in:
@@ -177,38 +177,135 @@ SOCKS5 协议(RFC 1929)本身采用明文传输密码。本项目服务端
|
|||||||
|
|
||||||
所有 API 需要登录认证(Session Cookie),未登录返回 401。
|
所有 API 需要登录认证(Session Cookie),未登录返回 401。
|
||||||
|
|
||||||
## 生产建议
|
## 生产部署
|
||||||
|
|
||||||
|
### 1. WSGI 生产服务器(Gunicorn)
|
||||||
|
|
||||||
|
Flask 内置开发服务器不适合生产环境。使用 **Gunicorn**(生产级 WSGI 服务器):
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# 1. 安装生产依赖
|
# 安装 gunicorn
|
||||||
pip install -r requirements.txt --break-system-packages
|
pip install gunicorn --break-system-packages
|
||||||
|
|
||||||
# 2. 设置强密钥
|
# 启动(4 worker 进程,适合 4 核服务器)
|
||||||
export SM_SECRET_KEY=$(openssl rand -hex 32)
|
gunicorn -w 4 -b 0.0.0.0:5000 --timeout 120 run:app
|
||||||
export SM_ADMIN_PASSWORD=你的强密码
|
|
||||||
|
|
||||||
# 3. 使用 gunicorn 部署
|
# 推荐参数(更长超时 + 优雅关闭)
|
||||||
gunicorn -w 4 -b 0.0.0.0:5000 run:app
|
gunicorn -w 2 -b 0.0.0.0:5000 \
|
||||||
|
--timeout 300 \
|
||||||
# 4. 前置 Nginx 反向代理 + Let's Encrypt SSL
|
--graceful-timeout 30 \
|
||||||
# nginx.conf 示例:
|
--max-requests 10000 \
|
||||||
# location / {
|
--max-requests-jitter 1000 \
|
||||||
# proxy_pass http://127.0.0.1:5000;
|
run:app
|
||||||
# proxy_set_header Host $host;
|
|
||||||
# proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
# proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
# }
|
|
||||||
|
|
||||||
# 5. HTTPS 时开启 Secure Cookie
|
|
||||||
export SM_COOKIE_SECURE=true
|
|
||||||
|
|
||||||
# 6. 多服务器跨域访问时设置 SESSION_DOMAIN(必须与浏览器 URL 一致)
|
|
||||||
export SM_SESSION_DOMAIN=你的域名或IP
|
|
||||||
```
|
```
|
||||||
|
|
||||||
其他建议:
|
> **注意**:SOCKS5 代理实例运行在独立的 asyncio 线程中,不受 Gunicorn worker 数量影响。
|
||||||
- 确保 `.env` 文件在 `.gitignore` 中(已配置),**不要提交到 git 仓库**
|
|
||||||
- 设置 `SM_LOG_LEVEL=WARN` 减少日志量
|
---
|
||||||
- 配置 crontab 定期备份数据库
|
|
||||||
- 使用 Daemon 或 systemd 管理进程
|
### 2. Systemd 服务配置(推荐)
|
||||||
|
|
||||||
|
创建 `/etc/systemd/system/socks-manager.service`:
|
||||||
|
|
||||||
|
```ini
|
||||||
|
[Unit]
|
||||||
|
Description=SOCKS5 Proxy Manager
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=notify
|
||||||
|
User=root
|
||||||
|
WorkingDirectory=/opt/socks-manager
|
||||||
|
Environment="PATH=/usr/local/bin:/usr/bin:/bin"
|
||||||
|
|
||||||
|
# 生产环境变量(按需修改)
|
||||||
|
Environment="SM_ADMIN_PASSWORD=你的强密码"
|
||||||
|
Environment="SM_SECRET_KEY=生产环境用openssl rand -hex 32生成"
|
||||||
|
Environment="SM_LOG_LEVEL=WARN"
|
||||||
|
# Environment="SM_COOKIE_SECURE=true" # HTTPS 时开启
|
||||||
|
# Environment="SM_SESSION_DOMAIN=你的域名或IP" # 跨域时设置
|
||||||
|
|
||||||
|
ExecStart=/usr/local/bin/gunicorn -w 2 -b 0.0.0.0:5000 \
|
||||||
|
--timeout 300 \
|
||||||
|
--graceful-timeout 30 \
|
||||||
|
run:app
|
||||||
|
|
||||||
|
# 优雅关闭:先给 SOCKS5 实例时间关闭活跃连接
|
||||||
|
ExecStop=/bin/kill -s TERM $MAINPID
|
||||||
|
TimeoutStopSec=60
|
||||||
|
|
||||||
|
Restart=always
|
||||||
|
RestartSec=5
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
```
|
||||||
|
|
||||||
|
启动服务:
|
||||||
|
```bash
|
||||||
|
systemctl daemon-reload
|
||||||
|
systemctl enable --now socks-manager
|
||||||
|
systemctl status socks-manager
|
||||||
|
journalctl -u socks-manager -f # 查看实时日志
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
### 3. Nginx 反向代理 + SSL
|
||||||
|
|
||||||
|
```nginx
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name 你的域名;
|
||||||
|
return 301 https://$server_name$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
server_name 你的域名;
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/你的域名/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/你的域名/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:5000;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_buffering off;
|
||||||
|
proxy_request_buffering off;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
### 4. 生产环境检查清单
|
||||||
|
|
||||||
|
✅ **强制修改默认密码**
|
||||||
|
```bash
|
||||||
|
# 生成强密钥
|
||||||
|
export SM_SECRET_KEY=$(openssl rand -hex 32)
|
||||||
|
```
|
||||||
|
|
||||||
|
✅ **数据库备份**
|
||||||
|
- 配置 crontab 每日备份 `socks_manager.db`
|
||||||
|
- 定期测试恢复流程
|
||||||
|
|
||||||
|
✅ **日志级别**
|
||||||
|
- 生产环境设置 `SM_LOG_LEVEL=WARN` 减少日志量
|
||||||
|
|
||||||
|
✅ **HTTPS**
|
||||||
|
- 启用 Let's Encrypt SSL 证书
|
||||||
|
- 设置 `SM_COOKIE_SECURE=true`
|
||||||
|
|
||||||
|
✅ **防火墙**
|
||||||
|
- 只开放需要的端口:Web 面板(5000) + SOCKS5 代理端口
|
||||||
|
- SOCKS5 端口建议限制源 IP
|
||||||
|
|
||||||
|
✅ **优雅关闭**
|
||||||
|
- v1.1+ 版本已修复 SOCKS5 实例的优雅关闭逻辑
|
||||||
|
- 停止服务时最多等待 5 秒让活跃连接正常关闭
|
||||||
|
- 避免 `GeneratorExit` 和 `Task was destroyed` 警告
|
||||||
|
|||||||
Reference in New Issue
Block a user