mirror of
https://github.com/Wei-Shaw/claude-relay-service.git
synced 2026-01-22 16:43:35 +00:00
update readme
This commit is contained in:
shaw
118
README.md
118
README.md
@@ -305,80 +305,69 @@ redis-cli ping
|
||||
|
||||
### 生产环境部署建议(重要!)
|
||||
|
||||
**强烈建议使用nginx反向代理 + SSL证书**
|
||||
**强烈建议使用Caddy反向代理(自动HTTPS)**
|
||||
|
||||
建议使用nginx反向代理并配置SSL证书:(以下为Nginx示例,如不想折腾可以选择安装面板进行操作,比如宝塔、1panel等)
|
||||
推荐使用Caddy作为反向代理,它会自动申请和更新SSL证书,配置更简单:
|
||||
|
||||
**1. 安装nginx和获取SSL证书**
|
||||
**1. 安装Caddy**
|
||||
```bash
|
||||
# Ubuntu/Debian
|
||||
sudo apt install nginx
|
||||
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
|
||||
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
|
||||
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
|
||||
sudo apt update
|
||||
sudo apt install caddy
|
||||
|
||||
# 安装 acme.sh
|
||||
curl https://get.acme.sh | sh
|
||||
source ~/.bashrc
|
||||
|
||||
# 获取免费SSL证书(以Let's Encrypt为例)
|
||||
acme.sh --issue -d your-domain.com --nginx
|
||||
# 或者使用 standalone 模式
|
||||
# acme.sh --issue -d your-domain.com --standalone
|
||||
# CentOS/RHEL/Fedora
|
||||
sudo yum install yum-plugin-copr
|
||||
sudo yum copr enable @caddy/caddy
|
||||
sudo yum install caddy
|
||||
```
|
||||
|
||||
**2. nginx配置示例**
|
||||
**2. Caddy配置(超简单!)**
|
||||
|
||||
创建 `/etc/nginx/sites-available/claude-relay` 配置文件:
|
||||
```nginx
|
||||
server {
|
||||
listen 80;
|
||||
server_name your-domain.com;
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name your-domain.com;
|
||||
|
||||
# SSL配置
|
||||
ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||
|
||||
# 安全头
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
||||
# 反向代理配置
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:3000;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection 'upgrade';
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_cache_bypass $http_upgrade;
|
||||
编辑 `/etc/caddy/Caddyfile`:
|
||||
```
|
||||
your-domain.com {
|
||||
# 反向代理到本地服务
|
||||
reverse_proxy 127.0.0.1:3000 {
|
||||
# 支持流式响应(SSE)
|
||||
flush_interval -1
|
||||
|
||||
# 超时设置
|
||||
proxy_connect_timeout 60s;
|
||||
proxy_send_timeout 60s;
|
||||
proxy_read_timeout 60s;
|
||||
# 传递真实IP
|
||||
header_up X-Real-IP {remote_host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
header_up X-Forwarded-Proto {scheme}
|
||||
|
||||
# 超时设置(适合长连接)
|
||||
transport http {
|
||||
read_timeout 300s
|
||||
write_timeout 300s
|
||||
dial_timeout 30s
|
||||
}
|
||||
}
|
||||
|
||||
# 安全头部
|
||||
header {
|
||||
Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
||||
X-Frame-Options "DENY"
|
||||
X-Content-Type-Options "nosniff"
|
||||
-Server
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
**3. 启用配置**
|
||||
**3. 启动Caddy**
|
||||
```bash
|
||||
# 启用站点
|
||||
sudo ln -s /etc/nginx/sites-available/claude-relay /etc/nginx/sites-enabled/
|
||||
|
||||
# 测试配置
|
||||
sudo nginx -t
|
||||
sudo caddy validate --config /etc/caddy/Caddyfile
|
||||
|
||||
# 重启nginx
|
||||
sudo systemctl restart nginx
|
||||
# 启动服务
|
||||
sudo systemctl start caddy
|
||||
sudo systemctl enable caddy
|
||||
|
||||
# 查看状态
|
||||
sudo systemctl status caddy
|
||||
```
|
||||
|
||||
**4. 更新服务配置**
|
||||
@@ -395,11 +384,12 @@ module.exports = {
|
||||
}
|
||||
```
|
||||
|
||||
**安全优势:**
|
||||
- 🔒 **数据加密**: 所有API请求都通过HTTPS加密传输
|
||||
- 🛡️ **隐藏端口**: 不直接暴露服务端口,降低攻击面
|
||||
- 🚀 **更好性能**: nginx的静态文件服务和缓存能力
|
||||
- 📊 **访问日志**: nginx提供详细的访问日志和监控
|
||||
**Caddy优势:**
|
||||
- 🔒 **自动HTTPS**: 自动申请和续期Let's Encrypt证书,零配置
|
||||
- 🛡️ **安全默认**: 默认启用现代安全协议和加密套件
|
||||
- 🚀 **流式支持**: 原生支持SSE/WebSocket等流式传输
|
||||
- 📊 **简单配置**: 配置文件极其简洁,易于维护
|
||||
- ⚡ **HTTP/2**: 默认启用HTTP/2,提升传输性能
|
||||
|
||||
|
||||
---
|
||||
@@ -411,7 +401,7 @@ module.exports = {
|
||||
- **合理分配**: 可以给不同的人分配不同的apikey,可以根据不同的apikey来分析用量
|
||||
|
||||
### 安全建议
|
||||
- **使用HTTPS**: 强烈建议配置nginx反向代理和SSL证书,确保数据传输安全
|
||||
- **使用HTTPS**: 强烈建议使用Caddy反向代理(自动HTTPS),确保数据传输安全
|
||||
- **定期备份**: 重要配置和数据要备份
|
||||
- **监控日志**: 定期查看异常日志
|
||||
- **更新密钥**: 定期更换JWT和加密密钥
|
||||
|
||||
Reference in New Issue
Block a user