feat: enable HTTPS admin panel on port 443 for new deployments

Add Nginx SSL panel config, enable-panel-https.sh, secure Flask cookies, and update docs for https login.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
dekun
2026-06-28 00:46:08 +08:00
parent 5704ab1a0a
commit 78b85c0d83
13 changed files with 175 additions and 47 deletions
+60
View File
@@ -0,0 +1,60 @@
#!/usr/bin/env bash
# 为管理面板启用 Nginx HTTPS443);install.sh 与新装/升级后调用
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(dirname "$SCRIPT_DIR")"
ENV_FILE="${ROOT_DIR}/.env"
[[ -f "$ENV_FILE" ]] || { echo "缺少 $ENV_FILE"; exit 1; }
# shellcheck disable=SC1090
source "$ENV_FILE"
: "${DOMAIN:?}"
: "${VPS_IP:?}"
normalize_panel_path() {
local p="${1:-}"
p="${p#/}"
p="${p%/}"
echo "$p"
}
PANEL_PATH="$(normalize_panel_path "${PANEL_PATH:-}")"
if [[ -z "$PANEL_PATH" ]]; then
echo "缺少 PANEL_PATH,请先运行 install.sh 或写入 .env"
exit 1
fi
PANEL_LOCATION="/${PANEL_PATH}/"
PANEL_PREFIX="/${PANEL_PATH}"
PANEL_ALLOW_BLOCK=""
if [[ -n "${PANEL_ALLOW_IP:-}" ]]; then
PANEL_ALLOW_BLOCK=" allow ${PANEL_ALLOW_IP};
deny all;"
fi
if [[ ! -f /etc/sing-box/certs/fullchain.pem ]] || [[ ! -f /etc/sing-box/certs/privkey.pem ]]; then
echo "缺少 TLS 证书,请先完成 install.sh 或 acme.sh 申请证书"
exit 1
fi
if command -v ufw &>/dev/null; then
ufw allow 443/tcp comment 'Panel-HTTPS' 2>/dev/null || true
fi
sed -e "s|__DOMAIN__|${DOMAIN}|g" \
-e "s|__PANEL_LOCATION__|${PANEL_LOCATION}|g" \
-e "s|__PANEL_PREFIX__|${PANEL_PREFIX}|g" \
-e "s|__PANEL_ALLOW__|${PANEL_ALLOW_BLOCK}|g" \
"$ROOT_DIR/server/nginx/panel.conf.template" \
> /etc/nginx/sites-available/jiedian-panel
ln -sf /etc/nginx/sites-available/jiedian-panel /etc/nginx/sites-enabled/jiedian-panel
rm -f /etc/nginx/sites-enabled/acme
nginx -t
systemctl reload nginx
echo "面板 HTTPS 已启用: https://${DOMAIN}${PANEL_LOCATION}"
+9 -8
View File
@@ -115,7 +115,8 @@ ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp comment 'SSH'
ufw allow 80/tcp comment 'HTTP-ACME-Panel'
ufw allow 80/tcp comment 'HTTP-ACME'
ufw allow 443/tcp comment 'Panel-HTTPS'
ufw allow 8443:8499/udp comment 'Hysteria2-multi-node'
ufw --force enable
@@ -126,13 +127,10 @@ cp "$ROOT_DIR/server/nginx/fallback.conf" /etc/nginx/sites-available/fallback
ln -sf /etc/nginx/sites-available/fallback /etc/nginx/sites-enabled/fallback
rm -f /etc/nginx/sites-enabled/default
log "部署 Nginx ACME + 管理面板反向代理 (80) ..."
log "部署 Nginx ACME 验证站点 (80) ..."
mkdir -p /var/www/acme
sed -e "s|__DOMAIN__|${DOMAIN}|g" \
-e "s|__PANEL_LOCATION__|${PANEL_LOCATION}|g" \
-e "s|__PANEL_PREFIX__|${PANEL_PREFIX}|g" \
-e "s|__PANEL_ALLOW__|${PANEL_ALLOW_BLOCK}|g" \
"$ROOT_DIR/server/nginx/acme.conf.template" \
"$ROOT_DIR/server/nginx/acme-bootstrap.conf.template" \
> /etc/nginx/sites-available/acme
ln -sf /etc/nginx/sites-available/acme /etc/nginx/sites-enabled/acme
nginx -t && systemctl enable nginx && systemctl restart nginx
@@ -160,8 +158,10 @@ log "安装 TLS 证书到 sing-box ..."
--key-file /etc/sing-box/certs/privkey.pem \
--fullchain-file /etc/sing-box/certs/fullchain.pem
log "部署 Nginx HTTPS 管理面板 (443) ..."
bash "$ROOT_DIR/scripts/enable-panel-https.sh"
rm -f /etc/nginx/sites-enabled/panel /etc/nginx/sites-available/panel
nginx -t && systemctl reload nginx
log "安装 Python 面板依赖 ..."
python3 -m venv "$ROOT_DIR/panel/venv"
@@ -229,7 +229,8 @@ systemctl restart sing-box jiedian-panel
log "部署完成!"
echo ""
echo "=========================================="
echo " 管理面板: http://${DOMAIN}${PANEL_LOCATION}"
echo " 管理面板: https://${DOMAIN}${PANEL_LOCATION}"
echo " HTTP 会自动跳转到 HTTPS"
echo " 面板路径: ${PANEL_PATH} (见 .env 中 PANEL_PATH"
echo " 用户名: ${PANEL_USERNAME}"
echo " 密码: ${PANEL_PASSWORD}"
+10 -8
View File
@@ -1,5 +1,5 @@
#!/usr/bin/env bash
# 已有 VPS:停用 Xray/VLESS仅保留 Hysteria2
# 已有 VPS:停用 Xray/VLESS并启用 HTTPS 管理面板
set -euo pipefail
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
@@ -8,22 +8,24 @@ ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
export JIEDIAN_ROOT="$ROOT"
echo "[1/4] 停止并禁用 Xray ..."
echo "[1/5] 停止并禁用 Xray ..."
systemctl stop xray 2>/dev/null || true
systemctl disable xray 2>/dev/null || true
echo "[2/4] 更新代码并重载 sing-box 配置 ..."
echo "[2/5] 更新代码 ..."
if [[ -d "$ROOT/.git" ]]; then
git -C "$ROOT" pull --ff-only || echo "git pull 跳过,请手动同步)"
fi
echo "[3/5] 重载 sing-box 配置 ..."
python3 "$ROOT/scripts/render-server.py"
echo "[3/4] 重启服务 ..."
echo "[4/5] 启用 HTTPS 管理面板 ..."
bash "$ROOT/scripts/enable-panel-https.sh"
echo "[5/5] 重启服务 ..."
systemctl restart sing-box jiedian-panel
echo "[4/4] 可选:关闭防火墙 443(若不再需要) ..."
ufw delete allow 443/tcp 2>/dev/null || true
echo ""
echo "完成。VLESS 已停用,面板仅显示 Hysteria2 链接。"
echo "完成。VLESS 已停用,面板请用 HTTPS 访问。"
echo "客户端请删除旧 VLESS 节点,从面板复制 hy2:// 链接导入。"