auto-save 2026-05-15 15:04 (~8)

2026-05-15 15:04:41 +08:00
parent 02d96e5a27
commit 59a0d10a8a
8 changed files with 47 additions and 15 deletions
--- a/docs/deploy-vps.md
+++ b/docs/deploy-vps.md
@@ -32,6 +32,13 @@ cp deploy/.env.production.example deploy/.env.production

 Fill `deploy/.env.production` with the real production keys. Keep this file out of git.

+Create the production login file. Replace the username and password as needed:
+
+```bash
+printf 'skg:%s\n' "$(openssl passwd -apr1 'change-this-password')" > deploy/.htpasswd
+chmod 600 deploy/.htpasswd
+```
+
 Then start:

 ```bash
@@ -57,7 +64,7 @@ docker compose -f docker-compose.prod.yml --env-file deploy/.env.production up -
 ## Runtime Notes

 - `web` is a static Next export served by Nginx.
- `web` proxies `/api/` to `skg-marketing-api:4291`; avoid the generic hostname `api` because the web container also joins the shared Coolify network.
+- `web` requires Nginx Basic Auth for the whole site and then proxies `/api/` to `skg-marketing-api:4291`; avoid the generic hostname `api` because the web container also joins the shared Coolify network.
 - `api` is only on the internal project network and stores jobs under `/data/jobs`.
 - Server-side job files persist in `./data/jobs` on the VPS.
 - Large uploads are allowed up to `2g` at the Nginx proxy layer.
--- a/docs/source-analysis.html
+++ b/docs/source-analysis.html
@@ -536,7 +536,7 @@
            <tr>
              <td>生产站点</td>
              <td><code>https://marketing.skg.com</code></td>
-              <td>公司域名已解析到 VPS <code>76.13.31.179</code>。线上由既有 Coolify / Traefik 负责 HTTPS 入口，项目 <code>web</code> 容器用 Nginx 承载静态前端并把 <code>/api/</code> 反代到 FastAPI。</td>
+              <td>公司域名已解析到 VPS <code>76.13.31.179</code>。线上由既有 Coolify / Traefik 负责 HTTPS 入口，项目 <code>web</code> 容器用 Nginx 承载静态前端、执行 Basic Auth 登录，并把 <code>/api/</code> 反代到 FastAPI。</td>
            </tr>
            <tr>
              <td>生产部署</td>
@@ -939,6 +939,18 @@ SubjectAsset {
        <h2>变更记录</h2>
        <p>这个记录不是 git log 的替代品。它记录“产品理解发生了什么变化、影响了哪些源码、你以后描述需求时该怎么说”。后续每次改功能都要补一条。</p>
        <div class="changelog">
+          <article class="change">
+            <header>
+              <h3>2026-05-15 · 生产站点增加登录保护</h3>
+              <span class="tag gray">Runtime</span>
+              <span class="tag blue">Security</span>
+            </header>
+            <div class="body">
+              <p><strong>问题：</strong>公司域名部署后任何人知道地址都能打开工作台并调用生成能力。</p>
+              <p><strong>改动：</strong>在生产 <code>web</code> Nginx 容器增加 Basic Auth，整站和 <code>/api/</code> 统一要求账号密码；哈希文件挂载自服务器 <code>/opt/skg-marketing-studio/deploy/.htpasswd</code>，明文密码只保存在服务器 root 说明文件，不入库。</p>
+              <p><strong>影响：</strong><code>docker-compose.prod.yml</code>、<code>deploy/nginx.conf</code>、<code>.gitignore</code>、<code>.project.json</code>、<code>RULES.md</code>、<code>docs/deploy-vps.md</code>、<code>docs/source-analysis.html</code>。</p>
+            </div>
+          </article>
          <article class="change">
            <header>
              <h3>2026-05-15 · 公司域名生产部署配置</h3>