001project_wildgrowth/backend/deploy/setup-ssl-api.sh

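#!/bin/bash
# ============================================
# SSL certificate setup script (Let's Encrypt)
# ============================================
# Purpose: configure HTTPS for api.muststudy.xin
# Usage:   run on the server, as root: bash deploy/setup-ssl-api.sh
#
# Steps: install certbot if it is missing, make sure a plain-HTTP nginx
# site for the domain exists (the certbot nginx plugin edits it), obtain
# the certificate (or dry-run a renewal if one already exists), then
# reload nginx and probe the HTTPS endpoint with certificate
# verification enabled.
# ============================================
set -euo pipefail

# Terminal colours for status output.
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
BLUE='\033[0;34m'
NC='\033[0m'

echo -e "${BLUE}🔒 开始配置 SSL 证书...${NC}"
echo ""

# Configuration.
DOMAIN="api.muststudy.xin"
NGINX_CONF="/etc/nginx/conf.d/wildgrowth-api.conf"
CERT_EMAIL="admin@muststudy.xin"

# Package installation, writing under /etc/nginx and running certbot all
# need root; fail early with a clear message instead of half-way through.
if [[ $EUID -ne 0 ]]; then
  echo -e "${RED}❌ 请以 root 用户运行此脚本${NC}"
  exit 1
fi

# ============================================
# Step 1: check for / install certbot
# ============================================
echo -e "${BLUE}📦 第一步:检查 Certbot...${NC}"
if ! command -v certbot >/dev/null 2>&1; then
  echo -e "${YELLOW}⚠️ Certbot 未安装,开始安装...${NC}"
  # Pick the package manager from the distro marker file.
  if [[ -f /etc/redhat-release ]]; then
    # CentOS/RHEL
    yum install -y epel-release
    yum install -y certbot python3-certbot-nginx
  elif [[ -f /etc/debian_version ]]; then
    # Debian/Ubuntu
    apt-get update
    apt-get install -y certbot python3-certbot-nginx
  else
    echo -e "${RED}❌ 无法检测系统类型,请手动安装 certbot${NC}"
    exit 1
  fi
  echo -e "${GREEN}✅ Certbot 安装完成${NC}"
else
  echo -e "${GREEN}✅ Certbot 已安装${NC}"
fi
echo ""

# ============================================
# Step 2: make sure an HTTP nginx site exists
# ============================================
echo -e "${BLUE}🌐 第二步:检查 Nginx 配置...${NC}"
if [[ ! -f "$NGINX_CONF" ]]; then
  echo -e "${YELLOW}⚠️ Nginx 配置文件不存在,创建基础配置...${NC}"
  # Quoted delimiter: the nginx $variables below must be written literally.
  cat > "$NGINX_CONF" <<'EOF'
server {
    listen 80;
    server_name api.muststudy.xin;

    # 日志
    access_log /var/log/nginx/wildgrowth-api-access.log;
    error_log /var/log/nginx/wildgrowth-api-error.log;

    # 上传文件大小限制
    client_max_body_size 10M;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;

        # 超时设置
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}
EOF
  # Validate before reloading so a bad file never takes the site down.
  if nginx -t; then
    systemctl reload nginx
    echo -e "${GREEN}✅ Nginx 配置已创建${NC}"
  else
    echo -e "${RED}❌ Nginx 配置有误${NC}"
    exit 1
  fi
else
  echo -e "${GREEN}✅ Nginx 配置文件已存在${NC}"
fi
echo ""

# ============================================
# Step 3: obtain the certificate
# ============================================
echo -e "${BLUE}🔐 第三步:申请 SSL 证书...${NC}"
echo -e "${YELLOW}⚠️ 这将为 ${DOMAIN} 申请 Let's Encrypt 证书${NC}"
echo ""

# A live/ directory for the domain means a certificate was issued before;
# in that case only a renewal dry run is offered (no real renewal here).
if [[ -d "/etc/letsencrypt/live/${DOMAIN}" ]]; then
  echo -e "${YELLOW}⚠️ 证书已存在,是否续期?${NC}"
  read -p "续期证书?(y/n): " -n 1 -r
  echo
  if [[ $REPLY =~ ^[Yy]$ ]]; then
    certbot renew --dry-run
    echo -e "${GREEN}✅ 证书续期测试完成${NC}"
  else
    echo -e "${YELLOW}⚠️ 跳过证书续期${NC}"
  fi
else
  # Request a new certificate. The command is the `if` condition so that a
  # failure reaches the hint messages below; with `set -e` a bare
  # `certbot ...; if [ $? -eq 0 ]` would exit before printing them.
  echo -e "${BLUE}正在申请 SSL 证书...${NC}"
  if certbot --nginx -d "$DOMAIN" --non-interactive --agree-tos --email "$CERT_EMAIL"; then
    echo -e "${GREEN}✅ SSL 证书申请成功${NC}"
  else
    echo -e "${RED}❌ SSL 证书申请失败${NC}"
    echo -e "${YELLOW}提示:请确保:${NC}"
    echo " 1. 域名 ${DOMAIN} 已正确解析到服务器 IP"
    echo " 2. 防火墙已开放 80 和 443 端口"
    echo " 3. Nginx 正在运行"
    exit 1
  fi
fi
echo ""

# ============================================
# Step 4: verify the resulting configuration
# ============================================
echo -e "${BLUE}✅ 第四步:验证 SSL 配置...${NC}"
# certbot --nginx rewrites the site file; re-validate before reloading.
if nginx -t; then
  systemctl reload nginx
  echo -e "${GREEN}✅ Nginx 配置验证通过${NC}"
else
  echo -e "${RED}❌ Nginx 配置验证失败${NC}"
  exit 1
fi

# Probe HTTPS with certificate verification ON: the point of this check is
# to confirm the just-installed chain validates, so `-k` would make the
# probe report success even with a broken or self-signed chain. The
# timeout keeps the script from hanging if 443 is filtered.
echo ""
echo -e "${BLUE}测试 HTTPS 连接...${NC}"
if curl -s --max-time 15 -o /dev/null "https://${DOMAIN}/health"; then
  echo -e "${GREEN}✅ HTTPS 连接正常${NC}"
else
  echo -e "${YELLOW}⚠️ HTTPS 连接测试失败,请检查配置${NC}"
fi

echo ""
echo "============================================"
echo -e "${GREEN}🎉 SSL 配置完成!${NC}"
echo "============================================"
echo ""
echo "📊 验证信息:"
echo " - 证书路径: /etc/letsencrypt/live/${DOMAIN}/"
echo " - HTTPS URL: https://${DOMAIN}"
echo ""
echo "📝 证书自动续期:"
echo " Let's Encrypt 证书有效期为 90 天"
echo " Certbot 会自动续期,或手动运行: certbot renew"
echo ""
echo "🌐 测试命令:"
echo " curl https://${DOMAIN}/health"
echo ""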