diff --git a/.gitignore b/.gitignore
index 721bf0c..cdcb2fb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,6 +15,7 @@ __pycache__/
 .logs/
 .pids/
 deploy/.env.production
+deploy/.htpasswd
 
 # api
 api/.venv/
diff --git a/.memory/worklog.json b/.memory/worklog.json
index a3ee12e..238a420 100644
--- a/.memory/worklog.json
+++ b/.memory/worklog.json
@@ -1,12 +1,5 @@
 {
 "entries": [
- {
- "files_changed": 3,
- "hash": "f291788",
- "message": "auto-save 2026-05-13 23:34 (+1, ~1)",
- "ts": "2026-05-13T23:35:05+08:00",
- "type": "commit"
- },
 {
 "files_changed": 5,
 "hash": "b93693c",
@@ -3251,6 +3244,13 @@
 "type": "session-heartbeat",
 "message": "Codex 会话活跃 · 最近命令:codex · 1 项未提交变更 · 最近提交:auto-save 2026-05-15 14:53 (~6)",
 "files_changed": 1
+ },
+ {
+ "ts": "2026-05-15T14:59:07+08:00",
+ "type": "commit",
+ "message": "auto-save 2026-05-15 14:58 (~1)",
+ "hash": "02d96e5",
+ "files_changed": 1
 }
 ]
 }
diff --git a/.project.json b/.project.json
index f95bef8..7c9884f 100644
--- a/.project.json
+++ b/.project.json
@@ -19,6 +19,12 @@
 "name" : "VIDEO_API_KEY",
 "storage" : "api/.env / deploy/.env.production",
 "type" : "api_key"
+ },
+ {
+ "description" : "生产站点 Basic Auth 登录;用户名写 RULES.md,密码只放服务器 /root/skg-marketing-studio-login.txt,Nginx 使用 deploy/.htpasswd 哈希文件",
+ "name" : "WEB_BASIC_AUTH",
+ "storage" : "/root/skg-marketing-studio-login.txt / deploy/.htpasswd",
+ "type" : "web_login"
 }
 ],
 "description" : "SKG AI 素材生产管线第二条思路验证:TK 链接 → 拆轨 → 目标化关键帧 + ASR\/翻译 → 接 SKG 产品信息改写口播 → MiniMax 配音 → nano-banana-pro\/GPT Image 生图 → Seedance\/Kling\/Veo3 多模型生视频 → 合成带文案成品",
diff --git a/RULES.md b/RULES.md
index 45a7dff..8cd3e48 100644
--- a/RULES.md
+++ b/RULES.md
@@ -14,21 +14,22 @@
 ## 部署事实
 
 - 平台:VPS `76.13.31.179`(Ubuntu 24.04 / Docker Compose / Coolify Traefik)
-- 发布状态:已部署并验证(2026-05-15);`https://marketing.skg.com` 首页 200,`/api/health` 返回 `ok:true`
+- 发布状态:已部署并验证(2026-05-15);`https://marketing.skg.com` 已启用 Basic Auth,认证后首页 200,`/api/health` 返回 `ok:true`
 - 主站 / 前端:`https://marketing.skg.com`
 - API / 后端:`https://marketing.skg.com/api`
 - 文档 / 解析:`docs/source-analysis.html`(项目内独立文档,不公开挂主应用路由)
 - 管理后台:待定
 - 服务器目录:`/opt/skg-marketing-studio`
 - 生产启动:`docker compose -f docker-compose.prod.yml --env-file deploy/.env.production up -d --build`
-- 生产架构:`web` 容器用 Nginx 承载 Next 静态导出并反代 `/api/` 到 `skg-marketing-api:4291`,`api` 容器跑 FastAPI 4291;Traefik 通过 `coolify` 外部网络接入 80/443
+- 生产架构:`web` 容器用 Nginx 承载 Next 静态导出并做 Basic Auth,认证后反代 `/api/` 到 `skg-marketing-api:4291`,`api` 容器跑 FastAPI 4291;Traefik 通过 `coolify` 外部网络接入 80/443
 - 持久化目录:服务器 `./data/jobs` 挂载到后端 `/data/jobs`
+- 登录凭证:Nginx 使用服务器 `/opt/skg-marketing-studio/deploy/.htpasswd`;明文备份只放服务器 `/root/skg-marketing-studio-login.txt`
 
 ## 快捷登录
-- 登录地址:待补充
-- 用户名:待补充
-- 密码:待补充
-- 说明:这里只写项目专属网页登录;数据库密码、API Key、服务器 root 密码不要写这里
+- 登录地址:`https://marketing.skg.com`
+- 用户名:`skg`
+- 密码:见服务器 `/root/skg-marketing-studio-login.txt`(不入库)
+- 说明:当前是生产入口 Basic Auth;数据库密码、API Key、服务器 root 密码不要写这里
 
 ## 元数据回写清单
 - 新增或变更公网地址后,必须同步更新 `.project.json.urls`
diff --git a/deploy/nginx.conf b/deploy/nginx.conf
index 170e084..bda763b 100644
--- a/deploy/nginx.conf
+++ b/deploy/nginx.conf
@@ -4,6 +4,9 @@
 server {
 client_max_body_size 2g;
 
+ auth_basic "SKG Marketing Studio";
+ auth_basic_user_file /etc/nginx/auth/.htpasswd;
+
 
 gzip on;
 gzip_types text/plain text/css application/json application/javascript application/xml image/svg+xml;
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 791eb39..b635e7f 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
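Review bot: `auth_basic` at `server` scope gates every path, including `/api/health`, so any uptime probe or Traefik/Coolify health check that reaches this container over HTTP will now get 401 unless it carries credentials; RULES.md only records that the health endpoint answers "after auth", which reads like a manual check rather than a verified monitoring path. If an unauthenticated probe is needed, carve it out narrowly with `location = /api/health { auth_basic off; ... }` instead of loosening the site-wide rule; otherwise keep it as is and document the expectation. Basic Auth also resends the password on every request, which is only acceptable because TLS terminates at Traefik — between Traefik and this container it travels in cleartext on the shared `coolify` network — and nothing in this hunk slows down online guessing against the one shared account documented in RULES.md, so a `limit_req` zone or a fail2ban rule on 401s is worth considering. I'd add above the directive: `# Whole vhost (static site + the /api/ proxy below) requires Basic Auth; TLS terminates upstream at Traefik, so credentials are cleartext on the coolify network — never attach this vhost to another ingress.` The enclosing `server {}` block continues past the hunk.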
@@ -26,6 +26,8 @@ services:
 container_name: skg-marketing-web
 depends_on:
 - api
+ volumes:
+ - ./deploy/.htpasswd:/etc/nginx/auth/.htpasswd:ro
 restart: unless-stopped
 networks:
 - skg-marketing-internal
diff --git a/docs/deploy-vps.md b/docs/deploy-vps.md
index ae8e4f0..57c5dc9 100644
--- a/docs/deploy-vps.md
+++ b/docs/deploy-vps.md
@@ -32,6 +32,13 @@ cp deploy/.env.production.example deploy/.env.production Fill `deploy/.env.production` with the real production keys. Keep this file out of git. +Create the production login file. Replace the username and password as needed: + +```bash +printf 'skg:%s\n' "$(openssl passwd -apr1 'change-this-password')" > deploy/.htpasswd +chmod 600 deploy/.htpasswd +``` + Then start: + ```bash
@@ -57,7 +64,7 @@ docker compose -f docker-compose.prod.yml --env-file deploy/.env.production up -
 ## Runtime Notes
 
 - `web` is a static Next export served by Nginx.
-- `web` proxies `/api/` to `skg-marketing-api:4291`; avoid the generic hostname `api` because the web container also joins the shared Coolify network.
+- `web` requires Nginx Basic Auth for the whole site and then proxies `/api/` to `skg-marketing-api:4291`; avoid the generic hostname `api` because the web container also joins the shared Coolify network.
 - `api` is only on the internal project network and stores jobs under `/data/jobs`.
 - Server-side job files persist in `./data/jobs` on the VPS.
 - Large uploads are allowed up to `2g` at the Nginx proxy layer.
diff --git a/docs/source-analysis.html b/docs/source-analysis.html
index 64e596c..a88598c 100644
--- a/docs/source-analysis.html
+++ b/docs/source-analysis.html
@@ -536,7 +536,7 @@ 生产站点 https://marketing.skg.com - 公司域名已解析到 VPS 76.13.31.179。线上由既有 Coolify / Traefik 负责 HTTPS 入口,项目 web 容器用 Nginx 承载静态前端并把 /api/ 反代到 FastAPI。 + 公司域名已解析到 VPS 76.13.31.179。线上由既有 Coolify / Traefik 负责 HTTPS 入口,项目 web 容器用 Nginx 承载静态前端、执行 Basic Auth 登录,并把 /api/ 反代到 FastAPI。 生产部署
@@ -939,6 +939,18 @@ SubjectAsset {
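Review bot: Bind-mounting a single file means that if `./deploy/.htpasswd` does not exist on the host when `docker compose up` runs, Docker creates an empty directory at that path and mounts it, and nginx then fails to read `/etc/nginx/auth/.htpasswd` and answers every request with 500 — fail-closed, which is the right default, but confusing to diagnose. The `chmod 600` the deploy doc recommends has a related trap: nginx reads `auth_basic_user_file` from its unprivileged worker processes, so a root-owned 0600 host file is presumably unreadable inside the container unless this image runs workers as root — verify against the image rather than assume, and `0640` with the file group-readable by (or owned by) the container's nginx uid is the usual fix. I'd put on the mount: `# must exist and be readable by the container's nginx worker uid before 'up'; a missing host file becomes an empty directory and every request 500s`. The `web` service definition starts above the hunk.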

变更记录

这个记录不是 git log 的替代品。它记录“产品理解发生了什么变化、影响了哪些源码、你以后描述需求时该怎么说”。后续每次改功能都要补一条。

+
+
+

2026-05-15 · 生产站点增加登录保护

+ Runtime + Security +
+
+

问题:公司域名部署后任何人知道地址都能打开工作台并调用生成能力。

+

改动:在生产 web Nginx 容器增加 Basic Auth,整站和 /api/ 统一要求账号密码;哈希文件挂载自服务器 /opt/skg-marketing-studio/deploy/.htpasswd,明文密码只保存在服务器 root 说明文件,不入库。

+

影响:docker-compose.prod.ymldeploy/nginx.conf.gitignore.project.jsonRULES.mddocs/deploy-vps.mddocs/source-analysis.html

+
+

2026-05-15 · 公司域名生产部署配置