feat(deploy): add domain-based deployment configuration with webproxy support

This commit is contained in:
pycook
2025-09-16 19:01:40 +08:00
parent 7a4b3528a7
commit 4eba1135c1
2 changed files with 641 additions and 0 deletions


@@ -0,0 +1,220 @@
# OneTerm Domain Deployment Configuration
#
# Quick Setup:
# 1. Modify ONETERM_DOMAIN in oneterm-ui environment section (line ~123)
# 2. For HTTPS: Uncomment SSL volume mount and HTTPS port (line 141 or 142)
# 3. Configure DNS to point your domain to this server
# 4. Run: docker-compose -f docker-compose.domain.yaml up -d
#
# Access:
# - OneTermUI: http://your-domain.com
# - WebProxy: http://webproxy.your-domain.com
services:
oneterm-api:
image: registry.cn-hangzhou.aliyuncs.com/veops/oneterm-api:v25.8.3
container_name: oneterm-api
environment:
ONETERM_RDP_DRIVE_PATH: /rdp
volumes:
- ./volume/replay:/replay
- ./volume/rdp:/rdp
- ./config.yaml:/oneterm/config.yaml
depends_on:
oneterm-guacd:
condition: service_healthy
acl-api:
condition: service_healthy
healthcheck:
test: ["CMD", "nc", "-z", "localhost", "8888"]
interval: 10s
timeout: 5s
retries: 5
command:
- "./server"
- "config.yaml"
restart: always
networks:
new:
aliases:
- oneterm-api
tty: true
ports:
- "2222:2222"
oneterm-guacd:
image: registry.cn-hangzhou.aliyuncs.com/veops/oneterm-guacd:1.5.4
container_name: oneterm-guacd
user: root
restart: always
volumes:
- ./volume/replay:/replay
- ./volume/rdp:/rdp
healthcheck:
test: ["CMD", "nc", "-z", "localhost", "4822"]
interval: 10s
timeout: 5s
retries: 5
ports:
- "14822:4822"
networks:
new:
aliases:
- oneterm-guacd
mysql:
image: registry.cn-hangzhou.aliyuncs.com/veops/mysql:8.2.0
container_name: oneterm-mysql
environment:
TZ: Asia/Shanghai
MYSQL_ROOT_PASSWORD: '123456'
MYSQL_DATABASE: 'oneterm'
volumes:
- ./volume/mysql:/var/lib/mysql
- ./mysqld.cnf:/etc/mysql/conf.d/mysqld.cnf
- ./acl.sql:/docker-entrypoint-initdb.d/2-acl.sql
- ./create-users.sql:/docker-entrypoint-initdb.d/1-create-users.sql
ports:
- "13306:3306"
healthcheck:
test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-P", "3306", "-u", "root", "-p123456"]
interval: 10s
timeout: 5s
retries: 5
command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
restart: always
networks:
new:
aliases:
- mysql
redis:
image: registry.cn-hangzhou.aliyuncs.com/veops/redis:7.2.3
container_name: oneterm-redis
restart: always
environment:
TZ: Asia/Shanghai
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 5s
timeout: 5s
retries: 5
ports:
- "16379:6379"
networks:
new:
aliases:
- redis
oneterm-ui:
image: registry.cn-hangzhou.aliyuncs.com/veops/oneterm-ui:v25.8.3
container_name: oneterm-ui
depends_on:
oneterm-api:
condition: service_healthy
environment:
TZ: Asia/Shanghai
# Backend service hosts (modify if using external services)
ONETERM_API_HOST: oneterm-api:8888 # Change if using external OneTermAPI
ACL_API_HOST: acl-api:5000 # Change if using external ACL API
# Domain configuration - REQUIRED: MODIFY THIS TO YOUR DOMAIN
ONETERM_DOMAIN: oneterm.example.com # Your OneTermUI domain
# WebProxy will be: webproxy.oneterm.example.com
# HTTP/HTTPS ports (modify if needed)
NGINX_PORT: 80 # HTTP port (modify if different)
NGINX_HTTPS_PORT: 443 # HTTPS port (modify if different)
# SSL certificate paths (for HTTPS deployment only)
# Modify these paths if your certificates are in different locations
ONETERM_SSL_CERT_PATH: /etc/nginx/ssl/oneterm.crt # OneTermUI SSL cert
ONETERM_SSL_KEY_PATH: /etc/nginx/ssl/oneterm.key # OneTermUI SSL key
WEBPROXY_SSL_CERT_PATH: /etc/nginx/ssl/webproxy.crt # WebProxy SSL cert
WEBPROXY_SSL_KEY_PATH: /etc/nginx/ssl/webproxy.key # WebProxy SSL key
volumes:
# Use the domain-aware nginx configuration
- ./nginx.webproxy.conf.example:/etc/nginx/conf.d/nginx.webproxy.conf.example
# For HTTPS: Uncomment and modify SSL certificates directory path
# - ./ssl:/etc/nginx/ssl:ro # Mount your SSL cert directory
# - /path/to/your/certs:/etc/nginx/ssl:ro # Or use custom path
restart: always
command:
- /bin/sh
- -c
- |
# Generate nginx configuration with environment variable substitution
envsubst '$$ONETERM_API_HOST $$ACL_API_HOST $$ONETERM_DOMAIN $$NGINX_PORT $$NGINX_HTTPS_PORT $$ONETERM_SSL_CERT_PATH $$ONETERM_SSL_KEY_PATH $$WEBPROXY_SSL_CERT_PATH $$WEBPROXY_SSL_KEY_PATH' < /etc/nginx/conf.d/nginx.webproxy.conf.example > /etc/nginx/conf.d/oneterm.conf
# Start nginx
nginx -g 'daemon off;' &
# Wait a moment and reload to pick up any configuration changes
sleep 2
nginx -s reload
# Keep container running
wait
networks:
- new
ports:
# HTTP port (modify if you need different external port)
- "80:80" # External:Internal
# - "8080:80" # Example: External port 8080
# HTTPS port (uncomment if using HTTPS, modify if needed)
# - "443:443" # External:Internal
# - "8443:443" # Example: External port 8443
acl-api:
image: registry.cn-hangzhou.aliyuncs.com/acl-api:2.2
container_name: oneterm-acl-api
depends_on:
mysql:
condition: service_healthy
redis:
condition: service_healthy
environment:
TZ: Asia/Shanghai
WAIT_HOSTS: mysql:3306, redis:6379
SYSTEM_DEFAULT_LANGUAGE: # en-US, zh-CN
volumes:
- ./.env:/data/apps/acl/.env
restart: always
command:
- /bin/sh
- -c
- |
if [ ! -f /var/run/.initialized ]; then
flask db-setup
flask common-check-new-columns
flask init-acl
flask init-department
touch /var/run/.initialized
fi
nohup bash -c 'flask db-setup && flask common-check-new-columns' >/dev/null 2>&1 &
gunicorn --workers=3 autoapp:app -b 0.0.0.0:5000 -D --access-logfile logs/access.log --error-logfile logs/error.log
celery -A celery_worker.celery worker -E -Q acl_async --logfile=one_acl_async.log --autoscale=2,1
healthcheck:
test: ["CMD", "nc", "-z", "127.0.0.1", "5000"]
interval: 5s
timeout: 5s
retries: 5
networks:
new:
aliases:
- acl-api
networks:
new:
driver: bridge
name: oneterm_network
ipam:
config:
- subnet: 172.30.0.0/24
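Review bot: The mysql, redis and guacd services publish `"13306:3306"`, `"16379:6379"` and `"14822:4822"` on every host interface while mysql ships with the literal root password `'123456'` (repeated in its healthcheck as `-p123456`) and redis has no authentication configured in this file, so a domain-facing deployment exposes both datastores and the guacd socket to anything that can reach the host. Since each service already reaches its peers by alias on `oneterm_network`, drop those `ports:` stanzas or bind them to loopback, e.g. `- "127.0.0.1:13306:3306"`, and take the root password from the environment, `MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:?set in .env}`, keeping the healthcheck in step with whatever value is used. Separately, `SYSTEM_DEFAULT_LANGUAGE:` under acl-api is a bare value, which YAML parses as null; write `SYSTEM_DEFAULT_LANGUAGE: "en-US"` (or `""`) explicitly so the intended default is unambiguous.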


@@ -0,0 +1,421 @@
# OneTerm WebProxy Nginx Configuration
# This configuration supports both OneTermUI and WebProxy domains
#
# DEPLOYMENT OPTIONS:
# 1. HTTP Only: Use as-is (default, HTTPS sections are commented out)
# 2. HTTPS Only: Uncomment HTTPS sections, comment out HTTP sections
# 3. HTTP + HTTPS: Uncomment HTTPS sections, keep HTTP sections
# 4. HTTP to HTTPS Redirect: Uncomment HTTPS sections and redirect rules at bottom
#
# Required Environment Variables:
# - ONETERM_DOMAIN: Domain for OneTermUI (e.g., oneterm.example.com)
# - ONETERM_API_HOST: OneTermAPI backend (e.g., oneterm-api:8888)
# - ACL_API_HOST: ACL API backend (e.g., acl-api:5000)
#
# WebProxy automatically uses: webproxy.${ONETERM_DOMAIN}
#
# For HTTPS deployment, also set these variables and uncomment HTTPS sections:
# - ONETERM_SSL_CERT_PATH: SSL certificate path for OneTermUI
# - ONETERM_SSL_KEY_PATH: SSL private key path for OneTermUI
# - WEBPROXY_SSL_CERT_PATH: SSL certificate path for WebProxy (for webproxy.${ONETERM_DOMAIN})
# - WEBPROXY_SSL_KEY_PATH: SSL private key path for WebProxy (for webproxy.${ONETERM_DOMAIN})
# ============================================================================
# HTTP Configuration (Active by default)
# ============================================================================
# HTTP Configuration for OneTermUI
server {
listen 80;
server_name ${ONETERM_DOMAIN};
access_log /var/log/nginx/access.oneterm.log;
error_log /var/log/nginx/error.oneterm.log;
# CORS Headers
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With';
# Gzip Compression
gzip on;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types
text/plain
text/css
text/js
text/xml
text/javascript
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
image/svg+xml;
# OneTermUI Frontend
root /etc/nginx/html;
location / {
root /etc/nginx/html;
index index.html;
try_files $uri $uri/ /index.html;
}
# WebSocket connections
location ^~ /api/oneterm/v1/connect {
proxy_pass http://${ONETERM_API_HOST};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 7200s;
proxy_connect_timeout 7200s;
proxy_send_timeout 7200s;
}
# File upload endpoints
location ~ ^/api/oneterm/v1/(rdp/sessions/.+/files/upload|file/(session/.+/upload|upload/.+/.+)) {
proxy_pass http://${ONETERM_API_HOST};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_http_version 1.1;
# File upload optimization
proxy_request_buffering off;
proxy_buffering off;
proxy_read_timeout 1800s;
proxy_send_timeout 1800s;
proxy_connect_timeout 60s;
# Large file upload settings
client_max_body_size 10240m;
client_body_buffer_size 32m;
client_body_timeout 1800s;
}
# OneTermAPI
location ^~ /api/oneterm {
proxy_pass http://${ONETERM_API_HOST};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# ACL API
location /api {
proxy_pass http://${ACL_API_HOST};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Static assets cache
location ~* \.(css|js)$ {
access_log off;
add_header Pragma public;
add_header Cache-Control "public, max-age=7776000";
add_header X-Asset "yes";
}
}
# HTTP Configuration for WebProxy
server {
listen 80;
server_name webproxy.${ONETERM_DOMAIN};
access_log /var/log/nginx/access.webproxy.log;
error_log /var/log/nginx/error.webproxy.log;
# Security headers for web proxy
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Disable caching for proxied content to ensure fresh data
add_header Cache-Control "no-cache, no-store, must-revalidate" always;
add_header Pragma "no-cache" always;
add_header Expires "0" always;
# Large request body support for web content
client_max_body_size 100m;
client_body_buffer_size 8m;
client_body_timeout 300s;
# Proxy buffer settings for web content
proxy_buffering on;
proxy_buffer_size 64k;
proxy_buffers 8 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
# Timeout settings for web requests
proxy_connect_timeout 30s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
# All requests go to webproxy handler (includes API, external, and proxy requests)
location / {
proxy_pass http://${ONETERM_API_HOST};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_http_version 1.1;
# Preserve original request headers for proper web proxy functionality
proxy_set_header Accept $http_accept;
proxy_set_header Accept-Encoding $http_accept_encoding;
proxy_set_header Accept-Language $http_accept_language;
proxy_set_header User-Agent $http_user_agent;
proxy_set_header Cookie $http_cookie;
proxy_set_header Referer $http_referer;
}
}
# ============================================================================
# HTTPS Configuration (Commented out by default - Uncomment if needed)
# ============================================================================
#
# To enable HTTPS support:
# 1. Set SSL certificate environment variables (see top of file)
# 2. Uncomment all lines below by removing the leading '#'
# 3. Optionally comment out HTTP sections above or enable HTTP redirect at bottom
#
# # HTTPS Configuration for OneTermUI
# server {
# listen 443 ssl http2;
# server_name ${ONETERM_DOMAIN};
# access_log /var/log/nginx/access.oneterm.ssl.log;
# error_log /var/log/nginx/error.oneterm.ssl.log;
#
# # SSL Configuration
# ssl_certificate ${ONETERM_SSL_CERT_PATH};
# ssl_certificate_key ${ONETERM_SSL_KEY_PATH};
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
# ssl_prefer_server_ciphers on;
#
# # HSTS (optional, uncomment if needed)
# # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
#
# # CORS Headers
# add_header 'Access-Control-Allow-Origin' "$http_origin";
# add_header 'Access-Control-Allow-Credentials' 'true';
# add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
# add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With';
#
# # Gzip Compression
# gzip on;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_min_length 256;
# gzip_types
# text/plain
# text/css
# text/js
# text/xml
# text/javascript
# application/javascript
# application/x-javascript
# application/json
# application/xml
# application/rss+xml
# image/svg+xml;
#
# # OneTermUI Frontend
# root /etc/nginx/html;
# location / {
# root /etc/nginx/html;
# index index.html;
# try_files $uri $uri/ /index.html;
# }
#
# # WebSocket connections
# location ^~ /api/oneterm/v1/connect {
# proxy_pass http://${ONETERM_API_HOST};
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Scheme $scheme;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_redirect off;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_read_timeout 7200s;
# proxy_connect_timeout 7200s;
# proxy_send_timeout 7200s;
# }
#
# # File upload endpoints
# location ~ ^/api/oneterm/v1/(rdp/sessions/.+/files/upload|file/(session/.+/upload|upload/.+/.+)) {
# proxy_pass http://${ONETERM_API_HOST};
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Scheme $scheme;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_redirect off;
# proxy_http_version 1.1;
#
# # File upload optimization
# proxy_request_buffering off;
# proxy_buffering off;
# proxy_read_timeout 1800s;
# proxy_send_timeout 1800s;
# proxy_connect_timeout 60s;
#
# # Large file upload settings
# client_max_body_size 10240m;
# client_body_buffer_size 32m;
# client_body_timeout 1800s;
# }
#
# # OneTermAPI
# location ^~ /api/oneterm {
# proxy_pass http://${ONETERM_API_HOST};
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Scheme $scheme;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_redirect off;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# }
#
# # ACL API
# location /api {
# proxy_pass http://${ACL_API_HOST};
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Scheme $scheme;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_redirect off;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# }
#
# # Static assets cache
# location ~* \.(css|js)$ {
# access_log off;
# add_header Pragma public;
# add_header Cache-Control "public, max-age=7776000";
# add_header X-Asset "yes";
# }
# }
#
# # HTTPS Configuration for WebProxy
# server {
# listen 443 ssl http2;
# server_name webproxy.${ONETERM_DOMAIN};
# access_log /var/log/nginx/access.webproxy.ssl.log;
# error_log /var/log/nginx/error.webproxy.ssl.log;
#
# # SSL Configuration
# ssl_certificate ${WEBPROXY_SSL_CERT_PATH};
# ssl_certificate_key ${WEBPROXY_SSL_KEY_PATH};
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
# ssl_prefer_server_ciphers on;
#
# # Security headers for web proxy
# add_header X-Frame-Options "SAMEORIGIN" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header Referrer-Policy "strict-origin-when-cross-origin" always;
#
# # Disable caching for proxied content to ensure fresh data
# add_header Cache-Control "no-cache, no-store, must-revalidate" always;
# add_header Pragma "no-cache" always;
# add_header Expires "0" always;
#
# # Large request body support for web content
# client_max_body_size 100m;
# client_body_buffer_size 8m;
# client_body_timeout 300s;
#
# # Proxy buffer settings for web content
# proxy_buffering on;
# proxy_buffer_size 64k;
# proxy_buffers 8 64k;
# proxy_busy_buffers_size 128k;
# proxy_temp_file_write_size 128k;
#
# # Timeout settings for web requests
# proxy_connect_timeout 30s;
# proxy_send_timeout 300s;
# proxy_read_timeout 300s;
#
# # All requests go to webproxy handler (includes API, external, and proxy requests)
# location / {
# proxy_pass http://${ONETERM_API_HOST};
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Scheme $scheme;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_redirect off;
# proxy_http_version 1.1;
#
# # Preserve original request headers for proper web proxy functionality
# proxy_set_header Accept $http_accept;
# proxy_set_header Accept-Encoding $http_accept_encoding;
# proxy_set_header Accept-Language $http_accept_language;
# proxy_set_header User-Agent $http_user_agent;
# proxy_set_header Cookie $http_cookie;
# proxy_set_header Referer $http_referer;
# }
# }
# ============================================================================
# HTTP to HTTPS Redirect (Optional - Uncomment if needed)
# ============================================================================
#
# Uncomment these sections to force HTTPS redirects:
#
# # Redirect OneTermUI HTTP to HTTPS
# server {
# listen 80;
# server_name ${ONETERM_DOMAIN};
# return 301 https://$server_name$request_uri;
# }
#
# # Redirect WebProxy HTTP to HTTPS
# server {
# listen 80;
# server_name webproxy.${ONETERM_DOMAIN};
# return 301 https://$server_name$request_uri;
# }
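Review bot: The OneTermUI server block reflects any request origin via `add_header 'Access-Control-Allow-Origin' "$http_origin";` and pairs it with `add_header 'Access-Control-Allow-Credentials' 'true';`, which allows any third-party page to make credentialed cross-origin calls to `/api/oneterm` and `/api` with the user's cookies; the commented HTTPS block repeats the same pair. Because the UI and both API prefixes are served from `${ONETERM_DOMAIN}` itself, these two headers can simply be removed, or, if the webproxy subdomain genuinely needs cross-origin access, compute the value with a `map $http_origin $cors_origin` that only echoes origins matching `^https?://(webproxy\.)?${ONETERM_DOMAIN}$` and emit `add_header 'Access-Control-Allow-Origin' $cors_origin;`. A second defect: per nginx's location rules a `^~` prefix suppresses regex matching once it is the longest prefix match, and `location ^~ /api/oneterm` is the longest prefix for every upload path, so `location ~ ^/api/oneterm/v1/(rdp/sessions/.+/files/upload|...)` is never selected and uploads fall into the generic API block with nginx's default 1m `client_max_body_size` and buffering; drop the `^~` on `/api/oneterm` (it can stay on `/api/oneterm/v1/connect`) or restate the upload rules as prefix locations, in the HTTPS copy as well. Once the HTTPS sections are enabled, the `Strict-Transport-Security` line should be active rather than left as an optional comment.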