ocdp v1

2025-11-13 02:54:06 +00:00
commit c5e51ed069
254 changed files with 54901 additions and 0 deletions
--- a/infra/nginx/certs/README.md
+++ b/infra/nginx/certs/README.md
@ -0,0 +1,6 @@
+# TLS Certificates
+
+The docker-compose stack mounts this directory into `/etc/nginx/certs` inside the `nginx` container.  
+By default, it contains a self-signed certificate (`tls.crt` / `tls.key`) generated for `localhost` so the HTTPS listener works out of the box.
+
+For production use, replace `tls.crt` and `tls.key` with certificates issued by a trusted CA (keep the filenames the same or update the Nginx config accordingly).
--- a/infra/nginx/certs/tls.crt
+++ b/infra/nginx/certs/tls.crt
@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFHzCCAwegAwIBAgIUecglKF+gywytDCR7GHMXY+MTJQowDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MTExMjA1MzgzMVoXDTM1MTEx
+MDA1MzgzMVowFDESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAsMMffb7mKqcPncOE5k3GL8AukwgZWSoARdESpQ8ykw51
+ZCDj6u5GmMVTZ77/G7IDjB4tardeG0LIQYIDhM6OfI9mgN7lRjmIHyHybq/5gFO9
+yNdbCdS03vbSHgPCLhayQcxw9vEzIMBbYUkMX9V3ntw/dx8/x4LAtBTYitdQz7yF
+h6nOL8oJdGkwtCJy+xd7s5qLNXrALVIYFDzl7X2k3w3/T437TrxRcM5Z2CR/mx2m
+02LEKl9UuAX74lLtdzeGmNGzLIQC5UDqXi7uSCKRaRNe/4b/ZTKqQqkJj7NU44qV
+oK76r8prUya+O87pXswoudXJu6u+nsaF/TTNBJTTDUDnSX7XKNBSXLL63jg1sYIh
+iQCVsoRwTrhqbgJwU4F1O5TwNPI0uHzEHHj7zTozqeJRVhns8gxmJKw1+V4gonZ5
+2UnpDbHRZ25Etkiun2vIsPzmXBKC/UCsXs0eXmBvERoK5XYdmPVU2AFhfGNrF8B6
+q3S5cGM3x7arQrPklbR8m2DTFcYf1NVLesiaKmSQPsC2uBT/CvuWGGed4dxz15nE
+tHSjin0KR2ljkRprfnLD2KCldgb9wvr6bPt2ko+pFoHvsFdtTlcjLdCuwAjjaoN2
+XNtz+5PND5y7+/drWln+c6IX3lS8OmR4Wc3iOzmt4QWK/BhImfExdMiNdEyuuTcC
+AwEAAaNpMGcwHQYDVR0OBBYEFDXDQL/kiLo+cQyP5Fn4xja4r7XwMB8GA1UdIwQY
+MBaAFDXDQL/kiLo+cQyP5Fn4xja4r7XwMA8GA1UdEwEB/wQFMAMBAf8wFAYDVR0R
+BA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4ICAQCG5lDdyGRPgcbASXmH
+9SPdsugoWiWMGl1cy/a0AcWO40WAwv4xKrYG5epHh8+k4Tc10XT5rT+IWKaNg9oX
+svY875mLc0Aiiz2//JbBUpFGpint/ITn/ofClm0YFGPOnhqt4WiDrEgRKx53VyUw
+ta3KBvaEtZSQ45Wxc+hLjFUjoG/XfzUOFFPO1FWYXAWki9dTwO0CICtMI7u1Gj1e
+c0jIIwBWhuqN002i4bRftN0mcFeMRrqDJYsMY52m6ZmUppDpe0vGRcq3+1QYIsL+
+4n1enpIImmhP+lyjue390sqEna99VeWlV2ZGLNuLCAXZiQ88Vv6q9+N79PpkaZ1Q
+W9EwdLEf9HmPbaVQkp1BEABGreDsmNcmIrwvFSmoT8dbbniiTTGC4bWO6gZYBoh+
+wdvf+wLPls27v9Dw2PPk4wSMIf0Xs/XofMqkviGvmGQ0rXlXk39F0PJ2Mnu09fi4
+SqCSuSL/rJEiZPJsUt5XQl3WaEceQ1kDgyD2QJT+aXoMCjQx2N9NesJlcNvCf+72
+z2Hqra13Tg6YMdT2kRzNGPgdJb3/lNYlRj650uEtokNDGGDW73OknTuIJm9E6ppH
+0a06/malTch4Sc/huOhu8eVf8zP7s/NYQ3M5NJQWn3BfIKRBxzVuXyAQ7bRknNVJ
+YPqB4ZcduChu+NyS7rrSbbPvTw==
+-----END CERTIFICATE-----
--- a/infra/nginx/certs/tls.key
+++ b/infra/nginx/certs/tls.key
@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCwwx99vuYqpw+d
+w4TmTcYvwC6TCBlZKgBF0RKlDzKTDnVkIOPq7kaYxVNnvv8bsgOMHi1qt14bQshB
+ggOEzo58j2aA3uVGOYgfIfJur/mAU73I11sJ1LTe9tIeA8IuFrJBzHD28TMgwFth
+SQxf1Xee3D93Hz/HgsC0FNiK11DPvIWHqc4vygl0aTC0InL7F3uzmos1esAtUhgU
+POXtfaTfDf9PjftOvFFwzlnYJH+bHabTYsQqX1S4BfviUu13N4aY0bMshALlQOpe
+Lu5IIpFpE17/hv9lMqpCqQmPs1TjipWgrvqvymtTJr47zulezCi51cm7q76exoX9
+NM0ElNMNQOdJftco0FJcsvreODWxgiGJAJWyhHBOuGpuAnBTgXU7lPA08jS4fMQc
+ePvNOjOp4lFWGezyDGYkrDX5XiCidnnZSekNsdFnbkS2SK6fa8iw/OZcEoL9QKxe
+zR5eYG8RGgrldh2Y9VTYAWF8Y2sXwHqrdLlwYzfHtqtCs+SVtHybYNMVxh/U1Ut6
+yJoqZJA+wLa4FP8K+5YYZ53h3HPXmcS0dKOKfQpHaWORGmt+csPYoKV2Bv3C+vps
+3aSj6kWge+wV21OVyMt0K7ACONqg3Zc23P7k80PnLv792taWf5zohfeVLw6ZHhZ
+zeI7Oa3hBYr8GEiZ8TF0yI10TK65NwIDAQABAoICAFardddsMOMdAvUyFwntfI2R
+R8TkJbmodHXHK8MvDnc4karEzbw1lPv3VQv7hI6J3F9ptI8s1cG8HwCvxRXrScYd
+cf8iS30BXJMXTA2lz0pyxQ2jOoo5d24Ty7bX1PBQRJsqqQEMByu55ZRwAtdCjeKg
+z6WS9uzWWbJyvjJlnMQfBcIdKnIYOEaSBUVt1r7zJr5LupJAW9Zc+F2D9qFaB+su
+q87QKTbT84LCSx9F1iOyiEgBl3nHQHzywiyYyMK5wQ9RUu8y01ChYclIbaGFAZNp
+4hycjsGJ9B23UG7bWXYwT2l4IobrU3B0ALbGn3rR0+46uy1/6nljkfMzXosuhcSZ
+j1Zup/RWgYQlH4BQc45V7kCdp1rfF1GP0aeL9b/w07XI1q8GlvCTT9UShHWWqqM2
+Fvd4LYaUlvSCyd+I2+PCB0mvTOxL6N66tvOAeZ7VQOAxdNQ9VupY7RhaBjcJBlwe
+Q3tk0+MiJZot2/5bykOgJzdW3dSX98x5ndfpfEPaDEDg0SH8iSqgP1NAX+QDGyKi
+ILLiD0L/tQRIJYxV1ZO1wzdJgAwR+z7mecEy2K/tfzDxL2YhVbz1DjGwDd88+XVH
+Bcxv9dxhj6Y3l+bCxaQYgSRBETfZtyPhl2XBzKWVhjqwjf0mju3UbwJ0oSWL3tBA
+7XVDREQaaUXZIyc69KrxAoIBAQDxm+tTYTj0d3+1CpCO+PTq6eVvqgsnDni/II50
+PBEms3FyrOr5/zfkqB+0xYAisyaJ86ghCdDUw0d8noRF8J7x193evKekKJk8cIQX
+5GQD9nJIcZT0hY63Jy38EdntUxvXZXB8bdAgEQKVsXi+7MJZpy9YnIG/UNGXWSRX
+/NY0LqqmjD0K082Gb9OyGZz/rwg59/vz9rTmQS7HWx5h8HJ7pRFUqeRzUjIfjR3f
+yDEeniBkBUOA/WNrGRlRDT0RNN5U24+bpE0gJnywnIn2uFtPwsxgOpvu36PGVsD0
+RcEx4UQsIuLnh/As/5TcIVURluavTRIjs5zIZxHyFwAWtAyLAoIBAQC7SmlzWTuy
+kq4osMQT3SF351za3fqUq0yKSaOqVPyoYv9k+MUjvS5L+hQKzN6qSyM2wuAW1XgJ
+bvHSUK3f9q5OvPGJCyIXXpE0kmv4H04rAZph4btjj7e8ZlFX62pfd+JLdeotlkqk
+Jxp2vm6ezOOqpbp86g/ATt/ulA3jq9wxzOOrdW3alKzPyl57emo4q/M65Fx5u2LS
+fdA8K1Z74lxoTTKxqJFK6FaJlN8Pig69xqyWKweLqKiDol5Wx/u4GFSIkysPaqUo
+KzwZ86oPVDEz0awXkM7iCiLfh+wmIhT5DHAUdLCRUwm9YmA/t90M89gRA5i4xa+f
+Yw6D++yR6j+FAoIBAQCVtZiW3Npu2REf/EDg5rDUU0Rg8cvhUp1NSP4cVhAGnBBD
+D5S2fgeDPw4OdIbWeY360ykt96gX/jzwokSyFcxXbPxFBT8XgDSbd9jR+SpkLjRY
+YVD8RznMkZFz7RfNb78DtA6Ee4MIK6IfYY3BOHGhHfA/hxL6mjiVAJ59iuSsBvKl
+Kqa0a9OhZu+VHzviTvHZAal0XT1wo5k53GMyKsy1gu3/ORqevqLiXA3T2XdeUnsd
+nwlaByiwdyfxyjM50zmk+Tu+JIvJzS9cPFNctpWWEc2UHxz6YkdYIe+ELSjuIHie
+pKtW7ivLpj72PA07Tfb5TtdbmfMfVoaPLONYLg7LAoIBACXyF5dVNvEhIsP/vFpB
+7Sv75iY53zEL28AQ12YFPgNnu1LbzCVHiP+/tRvTEjHyczn/FaPKsD1JCxmPWwsL
+UZmGUnFvngKaGFVMbS+iOBYihwLZ1zt+vL0hBc4IVk7tXR3oz/9Yedr0STpRrtvh
+qybB2RzB11shH+GYgY/lHAHC/0WXzyAAC1s2JxphXPAKdocyCUJoosb+0pe+OBF1
+dT90lJbGDlnc5NuPG/psADyW6hSqtyamjy3MUczHS8qqs0XQe2LuOnP+/nhLk+Lz
+LdzP2EwV/LRzVUlwonm/YfxrdrHOSo/HASwrqFCAkfqz1Mztq52T/9cNHL3E5tNR
+YHkCggEAC9GJAZnmBOWIZY/leGRxueh77v2aRTREKK7DcljB86hdl0dqxIvKxJ2d
+ps7EJYQun2vDYijprt00oxoJ8fCLfccPGrHbP/F1E6ZYH9QSwmeK1Y6/p1XLXn0l
+9rOiIg62dNeUqa6aKs9yMi9xY8j+usP4x5pkC9RTc/v1m5mI9i+U0vhNXXqyyXRJ
+p15pFJRorvG22Uktjog98B8fpshIli1OeMdvFXpshFbsWY3FdLeLA9+tYYRz0bPu
+RqLnFAN/H60EWEIxgqXzjcJ8+7CBaMv2ghcoJzr9HjBlTwGLje4XgGKmhIqBFkvX
+hIFo/yf8yxkOintdBia9CX83xxb16g==
+-----END PRIVATE KEY-----
--- a/infra/nginx/default.conf
+++ b/infra/nginx/default.conf
@ -0,0 +1,50 @@
+# default.conf - OCDP production gateway
+# - 对外监听 80/443（Docker 默认映射宿主 80/443）
+# - 路由策略: /api/* → backend 服务，其余路径 → SPA 静态资源
+# - TLS 证书通过 /etc/nginx/certs/tls.(crt|key) 挂载，可替换为正式证书
+
+server {
+    listen 80 default_server;
+    listen 443 ssl http2 default_server;
+    server_name _;
+
+    ssl_certificate     /etc/nginx/certs/tls.crt;
+    ssl_certificate_key /etc/nginx/certs/tls.key;
+    ssl_session_cache   shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
+    ssl_prefer_server_ciphers on;
+
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # 前端 SPA 路由 fallback
+    location / {
+        try_files $uri /index.html;
+    }
+
+    # API 请求代理到 backend 服务
+    location /api/ {
+        proxy_pass         http://backend:8080;
+        proxy_http_version 1.1;
+        proxy_set_header   Host $host;
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+    }
+
+    # Nginx 健康检查
+    location = /healthz {
+        access_log off;
+        add_header Content-Type text/plain;
+        return 200 'ok';
+    }
+
+    # 提供静态资源 (cache control)
+    location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico)$ {
+        expires 7d;
+        add_header Cache-Control "public, max-age=604800, immutable";
+        try_files $uri /index.html;
+    }
+}