From f9bf2d544e7f6c38c4f6cd6127d62aa266f0e614 Mon Sep 17 00:00:00 2001
From: shaw
Date: Wed, 16 Jul 2025 18:33:28 +0800
Subject: [PATCH] update readme
---
 README.md | 118 +++++++++++++++++++++++----------------------
 README_EN.md | 116 +++++++++++++++++++++++---------------------------
 2 files changed, 107 insertions(+), 127 deletions(-)
diff --git a/README.md b/README.md
index 86c4e68d..915681eb 100644
--- a/README.md
+++ b/README.md
@@ -305,80 +305,69 @@ redis-cli ping ### 生产环境部署建议(重要!) -**强烈建议使用nginx反向代理 + SSL证书** +**强烈建议使用Caddy反向代理(自动HTTPS)** -建议使用nginx反向代理并配置SSL证书:(以下为Nginx示例,如不想折腾可以选择安装面板进行操作,比如宝塔、1panel等) +推荐使用Caddy作为反向代理,它会自动申请和更新SSL证书,配置更简单: -**1. 安装nginx和获取SSL证书** +**1. 安装Caddy** ```bash # Ubuntu/Debian -sudo apt install nginx +sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https +curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg +curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list +sudo apt update +sudo apt install caddy -# 安装 acme.sh -curl https://get.acme.sh | sh -source ~/.bashrc - -# 获取免费SSL证书(以Let's Encrypt为例) -acme.sh --issue -d your-domain.com --nginx -# 或者使用 standalone 模式 -# acme.sh --issue -d your-domain.com --standalone +# CentOS/RHEL/Fedora +sudo yum install yum-plugin-copr +sudo yum copr enable @caddy/caddy +sudo yum install caddy ``` -**2. nginx配置示例** +**2. 
Caddy配置(超简单!)** -创建 `/etc/nginx/sites-available/claude-relay` 配置文件: -```nginx -server { - listen 80; - server_name your-domain.com; - return 301 https://$server_name$request_uri; -} - -server { - listen 443 ssl http2; - server_name your-domain.com; - - # SSL配置 - ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:!aNULL:!MD5; - - # 安全头 - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - - # 反向代理配置 - location / { - proxy_pass http://127.0.0.1:3000; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_cache_bypass $http_upgrade; +编辑 `/etc/caddy/Caddyfile`: +``` +your-domain.com { + # 反向代理到本地服务 + reverse_proxy 127.0.0.1:3000 { + # 支持流式响应(SSE) + flush_interval -1 - # 超时设置 - proxy_connect_timeout 60s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + # 传递真实IP + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + header_up X-Forwarded-Proto {scheme} + + # 超时设置(适合长连接) + transport http { + read_timeout 300s + write_timeout 300s + dial_timeout 30s + } + } + + # 安全头部 + header { + Strict-Transport-Security "max-age=31536000; includeSubDomains" + X-Frame-Options "DENY" + X-Content-Type-Options "nosniff" + -Server } } ``` -**3. 启用配置** +**3. 
启动Caddy** ```bash -# 启用站点 -sudo ln -s /etc/nginx/sites-available/claude-relay /etc/nginx/sites-enabled/ - # 测试配置 -sudo nginx -t +sudo caddy validate --config /etc/caddy/Caddyfile -# 重启nginx -sudo systemctl restart nginx +# 启动服务 +sudo systemctl start caddy +sudo systemctl enable caddy + +# 查看状态 +sudo systemctl status caddy ``` **4. 更新服务配置** @@ -395,11 +384,12 @@ module.exports = { } ``` -**安全优势:** -- 🔒 **数据加密**: 所有API请求都通过HTTPS加密传输 -- 🛡️ **隐藏端口**: 不直接暴露服务端口,降低攻击面 -- 🚀 **更好性能**: nginx的静态文件服务和缓存能力 -- 📊 **访问日志**: nginx提供详细的访问日志和监控 +**Caddy优势:** +- 🔒 **自动HTTPS**: 自动申请和续期Let's Encrypt证书,零配置 +- 🛡️ **安全默认**: 默认启用现代安全协议和加密套件 +- 🚀 **流式支持**: 原生支持SSE/WebSocket等流式传输 +- 📊 **简单配置**: 配置文件极其简洁,易于维护 +- ⚡ **HTTP/2**: 默认启用HTTP/2,提升传输性能 --- @@ -411,7 +401,7 @@ module.exports = { - **合理分配**: 可以给不同的人分配不同的apikey,可以根据不同的apikey来分析用量 ### 安全建议 -- **使用HTTPS**: 强烈建议配置nginx反向代理和SSL证书,确保数据传输安全 +- **使用HTTPS**: 强烈建议使用Caddy反向代理(自动HTTPS),确保数据传输安全 - **定期备份**: 重要配置和数据要备份 - **监控日志**: 定期查看异常日志 - **更新密钥**: 定期更换JWT和加密密钥 diff --git a/README_EN.md b/README_EN.md index 43ed47b6..2d04d4e7 100644 --- a/README_EN.md +++ b/README_EN.md 
@@ -303,80 +303,69 @@ redis-cli ping ### Production Deployment Recommendations (Important!) -**Strongly recommend using nginx reverse proxy + SSL certificate** +**Strongly recommend using Caddy reverse proxy (Automatic HTTPS)** -It's recommended to use nginx reverse proxy and configure SSL certificate: (The following is an nginx example, if you don't want to fiddle with it, you can choose to install a panel for operation, such as Baota, 1panel, etc.) +Recommend using Caddy as reverse proxy, it will automatically apply and renew SSL certificates with simpler configuration: -**1. Install nginx and obtain SSL certificate** +**1. Install Caddy** ```bash # Ubuntu/Debian -sudo apt install nginx +sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https +curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg +curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list +sudo apt update +sudo apt install caddy -# Install acme.sh -curl https://get.acme.sh | sh -source ~/.bashrc - -# Get free SSL certificate (using Let's Encrypt as example) -acme.sh --issue -d your-domain.com --nginx -# Or use standalone mode -# acme.sh --issue -d your-domain.com --standalone +# CentOS/RHEL/Fedora +sudo yum install yum-plugin-copr +sudo yum copr enable @caddy/caddy +sudo yum install caddy ``` -**2. nginx configuration example** +**2. 
Caddy Configuration (Super Simple!)** -Create `/etc/nginx/sites-available/claude-relay` configuration file: -```nginx -server { - listen 80; - server_name your-domain.com; - return 301 https://$server_name$request_uri; -} - -server { - listen 443 ssl http2; - server_name your-domain.com; - - # SSL configuration - ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:!aNULL:!MD5; +Edit `/etc/caddy/Caddyfile`: +``` +your-domain.com { + # Reverse proxy to local service + reverse_proxy 127.0.0.1:3000 { + # Support streaming responses (SSE) + flush_interval -1 + + # Pass real IP + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + header_up X-Forwarded-Proto {scheme} + + # Timeout settings (suitable for long connections) + transport http { + read_timeout 300s + write_timeout 300s + dial_timeout 30s + } + } # Security headers - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - - # Reverse proxy configuration - location / { - proxy_pass http://127.0.0.1:3000; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_cache_bypass $http_upgrade; - - # Timeout settings - proxy_connect_timeout 60s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + header { + Strict-Transport-Security "max-age=31536000; includeSubDomains" + X-Frame-Options "DENY" + X-Content-Type-Options "nosniff" + -Server } } ``` -**3. Enable configuration** +**3. 
Start Caddy** ```bash -# Enable site -sudo ln -s /etc/nginx/sites-available/claude-relay /etc/nginx/sites-enabled/ - # Test configuration -sudo nginx -t +sudo caddy validate --config /etc/caddy/Caddyfile -# Restart nginx -sudo systemctl restart nginx +# Start service +sudo systemctl start caddy +sudo systemctl enable caddy + +# Check status +sudo systemctl status caddy ``` **4. Update service configuration** @@ -393,11 +382,12 @@ module.exports = { } ``` -**Security advantages:** -- 🔒 **Data Encryption**: All API requests transmitted through HTTPS encryption -- 🛡️ **Hide Ports**: Don't directly expose service ports, reduce attack surface -- 🚀 **Better Performance**: nginx's static file serving and caching capabilities -- 📊 **Access Logs**: nginx provides detailed access logs and monitoring +**Caddy Advantages:** +- 🔒 **Automatic HTTPS**: Automatically apply and renew Let's Encrypt certificates, zero configuration +- 🛡️ **Secure by Default**: Modern security protocols and cipher suites enabled by default +- 🚀 **Streaming Support**: Native support for SSE/WebSocket streaming +- 📊 **Simple Configuration**: Extremely concise configuration files, easy to maintain +- ⚡ **HTTP/2**: HTTP/2 enabled by default for improved performance --- @@ -408,7 +398,7 @@ module.exports = { - **Reasonable Allocation**: Can assign different API keys to different people, analyze usage based on different API keys ### Security Recommendations -- **Use HTTPS**: Strongly recommend configuring nginx reverse proxy and SSL certificate to ensure secure data transmission +- **Use HTTPS**: Strongly recommend using Caddy reverse proxy (automatic HTTPS) to ensure secure data transmission - **Regular Backups**: Back up important configurations and data - **Monitor Logs**: Regularly check exception logs - **Update Keys**: Regularly change JWT and encryption keys