1. Cloud Server Basic Configuration
1.1 Server Preparation and Initialization
Before building a Python full-stack service we need a cloud server. I recommend Ubuntu 22.04 LTS as the operating system; it is the current stable, long-term-support release. The detailed initialization steps follow:
First, right after logging in to the newly created server, apply these security measures:
- Change the root password (if password login is in use)
- Create a dedicated deployment user (avoid working as root directly)
- Set up SSH key login (disabling password login is safer)
```bash
# Create a dedicated deployment user
sudo adduser deployer
sudo usermod -aG sudo deployer
# Switch to the new user
su - deployer
# Update system packages (important security patches)
sudo apt update && sudo apt upgrade -y
# Install the basic tool set
sudo apt install -y curl wget git vim tmux htop
```
Tip: tmux keeps processes running after the SSH session drops, which is especially useful for long-running tasks. Once installed, just type tmux to start a new session.
1.2 Python Environment Configuration
Python is the core of full-stack development; we need to install a specific Python version and configure an isolated virtual environment. Detailed steps, with the reasoning behind them:
```bash
# Install Python 3.11 (Ubuntu 22.04 ships 3.10; we want the newer release)
sudo apt install -y software-properties-common
sudo add-apt-repository -y ppa:deadsnakes/ppa
sudo apt update
sudo apt install -y python3.11 python3.11-venv python3.11-dev
# Build dependencies (needed to compile Python packages with native extensions)
sudo apt install -y build-essential libssl-dev libffi-dev \
    libxml2-dev libxslt1-dev zlib1g-dev libpq-dev \
    libjpeg-dev libfreetype6-dev libcurl4-openssl-dev
# Set the python3 version priority. Optional: repointing /usr/bin/python3 can break apt
# and other Ubuntu tools that expect 3.10; the virtual environment created below makes
# this step unnecessary, so you can skip it and call python3.11 explicitly instead.
sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 1
sudo update-alternatives --config python3
# Install pip and upgrade it to the latest version (get-pip.py executes code fetched
# over the network; `python3.11 -m ensurepip --upgrade` is the offline alternative)
curl -sS https://bootstrap.pypa.io/get-pip.py | python3.11
python3.11 -m pip install --upgrade pip
```
Why Python 3.11+?
- Faster execution (10-60% better performance than 3.10)
- Better error messages
- New features such as exception groups and the except* syntax
- A longer support window
Virtual environment setup:
```bash
# Create the project directory
mkdir -p ~/projects/myapp && cd ~/projects/myapp
# Create a dedicated virtual environment (Python 3.11)
python3.11 -m venv venv
# The correct way to activate the virtual environment
source venv/bin/activate  # source it; do not execute the activate script directly
# Verify the Python version
python --version  # should print Python 3.11.x
```
2. Backend Service Setup (Django in Depth)
2.1 Django Project Initialization and Architecture
Django is a powerful web framework; here is the professional way to create a production-grade project:
```bash
# Inside the activated virtual environment, install Django and related packages
pip install django==4.2 djangorestframework==3.14
pip install psycopg2-binary python-decouple django-cors-headers
# whitenoise is referenced by the MIDDLEWARE list in section 2.2 and the redis
# client is required by Django's RedisCache backend configured there
pip install whitenoise redis
# Create the Django project (the trailing dot means "in the current directory")
django-admin startproject backend .
# Create the API app (keeping core business logic in its own app is recommended)
django-admin startapp api
# Generate requirements.txt (pinned versions)
pip freeze > requirements.txt
```
项目目录结构设计建议:
code复制myapp/
├── venv/ # 虚拟环境
├── backend/ # Django项目核心
│ ├── settings.py # 主配置
│ ├── urls.py # 路由
│ └── wsgi.py # WSGI入口
├── api/ # API应用
│ ├── models.py # 数据模型
│ ├── serializers.py # DRF序列化
│ └── views.py # 视图逻辑
├── .env # 环境变量
└── requirements.txt # 依赖清单
2.2 Key Production Settings
settings.py is Django's central configuration file; the key production settings are:
```python
# backend/settings.py
import os
from pathlib import Path
from decouple import config, Csv

BASE_DIR = Path(__file__).resolve().parent.parent

# Security settings
SECRET_KEY = config('SECRET_KEY')  # must come from the environment, never hard-coded
DEBUG = config('DEBUG', default=False, cast=bool)
ALLOWED_HOSTS = config('ALLOWED_HOSTS', cast=Csv())

# Database (PostgreSQL)
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': config('DB_NAME'),
        'USER': config('DB_USER'),
        'PASSWORD': config('DB_PASSWORD'),
        'HOST': config('DB_HOST', default='localhost'),
        'PORT': config('DB_PORT', default='5432'),
        'OPTIONS': {
            'connect_timeout': 5,  # connection timeout in seconds
            'sslmode': 'require' if config('DB_SSL', default=False, cast=bool) else 'disable',
        },
    }
}

# Static files
STATIC_URL = '/static/'
STATIC_ROOT = os.path.join(BASE_DIR, 'staticfiles')
STATICFILES_DIRS = [os.path.join(BASE_DIR, 'static')]

# Media files
MEDIA_URL = '/media/'
MEDIA_ROOT = os.path.join(BASE_DIR, 'media')

# Middleware (order matters: SecurityMiddleware first, WhiteNoise directly after it)
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'whitenoise.middleware.WhiteNoiseMiddleware',  # static file serving (pip install whitenoise)
    'django.contrib.sessions.middleware.SessionMiddleware',
    'corsheaders.middleware.CorsMiddleware',  # CORS support; must come before CommonMiddleware
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

# CORS / CSRF origins (restrict these strictly in production)
CORS_ALLOWED_ORIGINS = config('CORS_ALLOWED_ORIGINS', cast=Csv())
CSRF_TRUSTED_ORIGINS = config('CSRF_TRUSTED_ORIGINS', cast=Csv())

# Cache (Redis is recommended in production). Django's built-in RedisCache backend
# needs the `redis` package; the django_redis CLIENT_CLASS option belongs to the
# separate django-redis backend and is not accepted here, so it is omitted.
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.redis.RedisCache',
        'LOCATION': config('REDIS_URL', default='redis://localhost:6379/0'),
    }
}

# Logging. Create the logs/ directory before the first start: RotatingFileHandler
# raises FileNotFoundError if it is missing.
LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'handlers': {
        'file': {
            'level': 'DEBUG' if DEBUG else 'INFO',
            'class': 'logging.handlers.RotatingFileHandler',
            'filename': os.path.join(BASE_DIR, 'logs/django.log'),
            'maxBytes': 1024 * 1024 * 5,  # 5 MB
            'backupCount': 5,
        },
    },
    'loggers': {
        'django': {
            'handlers': ['file'],
            'level': 'DEBUG' if DEBUG else 'INFO',
            'propagate': True,
        },
    },
}
```
2.3 Environment Variable Management Best Practices
Production must manage sensitive configuration through environment variables. Example .env file:
```ini
# .env file (never commit this to version control!)
SECRET_KEY=your-50-char-random-secret-key
DEBUG=False
ALLOWED_HOSTS=.yourdomain.com,localhost,127.0.0.1
# Database settings
DB_NAME=myapp_prod
DB_USER=myapp_user
DB_PASSWORD=complex-password-here
DB_HOST=localhost
DB_PORT=5432
DB_SSL=True
# CORS settings
CORS_ALLOWED_ORIGINS=https://frontend.yourdomain.com
CSRF_TRUSTED_ORIGINS=https://yourdomain.com
# Redis settings
REDIS_URL=redis://:password@redis-host:6379/0
```
Security notes:
- Never commit the .env file to version control
- Use a separate .env file per environment (development, test, production)
- Sensitive values should live in a dedicated secrets manager (for example AWS Secrets Manager)
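As an added example (not part of the original article), the script below checks a .env file like the one above against the production rules this section and section 2.2 state: DEBUG off, a 50-character SECRET_KEY (the threshold Django's own security check uses), no wildcard ALLOWED_HOSTS, HTTPS-only origins, SSL for a remote database host and a password in REDIS_URL. The parser is a minimal stand-in for python-decouple and the sample file is constructed to trigger several findings.

```python
"""Audit a Django .env file against this section's production rules (added example)."""
from __future__ import annotations

# Constructed sample .env using the keys that backend/settings.py reads via decouple.
SAMPLE_ENV = """\
# .env file (never commit to version control)
SECRET_KEY=change-me
DEBUG=True
ALLOWED_HOSTS=*
DB_NAME=myapp_prod
DB_USER=myapp_user
DB_PASSWORD=complex-password-here
DB_HOST=localhost
DB_PORT=5432
DB_SSL=False
CORS_ALLOWED_ORIGINS=http://frontend.yourdomain.com
CSRF_TRUSTED_ORIGINS=https://yourdomain.com
REDIS_URL=redis://:password@redis-host:6379/0
"""

def parse_env(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser standing in for python-decouple (comments skipped, quotes stripped)."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def as_bool(value: str) -> bool:
    return value.strip().lower() in {"1", "true", "yes", "on"}  # approximates decouple's cast=bool

def csv(value: str) -> list[str]:
    return [v.strip() for v in value.split(",") if v.strip()]  # approximates decouple's Csv()

def audit_env(env: dict[str, str]) -> list[str]:
    """Return findings; an empty list means the file satisfies the production rules."""
    findings: list[str] = []
    secret = env.get("SECRET_KEY", "")
    if len(secret) < 50 or len(set(secret)) < 5:  # thresholds of Django's security.W009 check
        findings.append("SECRET_KEY: fewer than 50 characters or fewer than 5 distinct characters")
    if as_bool(env.get("DEBUG", "False")):
        findings.append("DEBUG: must be False in production (exposes settings and tracebacks)")
    hosts = csv(env.get("ALLOWED_HOSTS", ""))
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS: empty or wildcard; list the real domains")
    for key in ("CORS_ALLOWED_ORIGINS", "CSRF_TRUSTED_ORIGINS"):
        for origin in csv(env.get(key, "")):
            if not origin.startswith("https://"):
                findings.append(f"{key}: {origin} is not an https origin")
    remote_db = env.get("DB_HOST", "localhost") not in {"localhost", "127.0.0.1"}
    if remote_db and not as_bool(env.get("DB_SSL", "False")):
        findings.append("DB_SSL: disabled although DB_HOST is remote (sslmode=disable)")
    redis_url = env.get("REDIS_URL", "")
    if redis_url and "@" not in redis_url:
        findings.append("REDIS_URL: no password in the URL")
    return findings

if __name__ == "__main__":
    for finding in audit_env(parse_env(SAMPLE_ENV)):
        print(finding)
```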
3. Database Configuration and Optimization
3.1 PostgreSQL Installation and Performance Tuning
PostgreSQL is the production database Django recommends; install and configure it as follows:
```bash
# Install PostgreSQL 14 (the Ubuntu 22.04 default version)
sudo apt install -y postgresql-14 postgresql-contrib-14 libpq-dev
# Configure PostgreSQL (run psql as the postgres user)
sudo -u postgres psql
```
Run the following in the PostgreSQL shell:
```sql
CREATE DATABASE myapp_prod ENCODING 'UTF8' LC_COLLATE 'en_US.UTF-8' LC_CTYPE 'en_US.UTF-8' TEMPLATE template0;
CREATE USER myapp_user WITH PASSWORD 'strong-password-here';
ALTER ROLE myapp_user SET client_encoding TO 'utf8';
ALTER ROLE myapp_user SET default_transaction_isolation TO 'read committed';
ALTER ROLE myapp_user SET timezone TO 'UTC';
GRANT ALL PRIVILEGES ON DATABASE myapp_prod TO myapp_user;
\q
```
Production performance tuning (edit /etc/postgresql/14/main/postgresql.conf):
```ini
# Memory settings (adjust to the server's RAM)
shared_buffers = 4GB              # 25% of total RAM
effective_cache_size = 12GB       # 75% of total RAM
work_mem = 16MB                   # working memory per connection
maintenance_work_mem = 1GB        # memory for maintenance operations
# Parallel query settings
max_worker_processes = 8          # number of CPU cores
max_parallel_workers_per_gather = 4  # parallel workers per query
# Logging settings
log_statement = 'none'            # no statement logging in production
log_duration = off
log_lock_waits = on               # log lock waits
deadlock_timeout = 1s
# Connection limits
max_connections = 100             # adjust to the application's needs
```
3.2 Django Database Migration and Initialization
With the database configured, initialize the schema from Django:
```bash
# Create and apply database migrations
python manage.py makemigrations
python manage.py migrate
# Create a superuser (for the admin site)
python manage.py createsuperuser
# Collect static files
python manage.py collectstatic --noinput
# Test with the development server (for testing only; in production Gunicorn from
# section 6 serves the app and this server is never exposed to the internet)
python manage.py runserver 0.0.0.0:8000
```
Database optimization tips:
- Use select_related and prefetch_related to optimize queries
- Add database indexes on frequently queried fields
- Check for slow queries regularly via python manage.py dbshell
- Consider django-debug-toolbar for analyzing query performance
4. Frontend Service Integration (Professional React Setup)
4.1 Node.js Environment Setup
Modern frontend development depends on Node.js; a production-grade installation:
```bash
# Install Node.js 18 LTS via NodeSource (this runs a remote script as root, so review it
# first; Node 18 reached end-of-life in April 2025, use the current LTS line for new setups)
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs
# Install Yarn (apt-key is deprecated on Ubuntu 22.04, so use a signed-by keyring instead)
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/yarnkey.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
sudo apt update && sudo apt install -y yarn
# Verify the installation
node -v  # should print v18.x
yarn -v  # should print 1.22+
```
4.2 React Project Creation and Architecture
Initialize the project with Create React App:
```bash
# Create the frontend project (with Yarn)
cd ~/projects
yarn create react-app frontend
cd frontend
# Install common production dependencies
yarn add axios react-router-dom @reduxjs/toolkit react-redux
yarn add -D @types/react @types/react-dom typescript
# Initialize the TypeScript configuration
mv src/App.js src/App.tsx
mv src/index.js src/index.tsx
yarn tsc --init
```
Recommended project structure:
```
frontend/
├── public/            # static assets
├── src/
│   ├── assets/        # images and other resources
│   ├── components/    # shared components
│   ├── features/      # feature modules
│   ├── hooks/         # custom hooks
│   ├── services/      # API services
│   ├── store/         # Redux state
│   ├── types/         # TypeScript types
│   ├── App.tsx        # root component
│   └── index.tsx      # entry point
├── .env               # frontend environment variables
├── tsconfig.json      # TypeScript configuration
└── package.json       # dependency configuration
```
4.3 Production API Connection Configuration
A professional API service client:
```typescript
// src/services/api.ts
import axios, { AxiosInstance, AxiosRequestConfig } from 'axios';

const apiConfig: AxiosRequestConfig = {
  baseURL: process.env.REACT_APP_API_URL || 'http://localhost:8000/api',
  timeout: 10000,
  headers: {
    'Content-Type': 'application/json',
  },
  withCredentials: true, // send cookies on cross-origin requests (needs CORS_ALLOWED_ORIGINS on the backend)
};

const api: AxiosInstance = axios.create(apiConfig);

// Request interceptor
api.interceptors.request.use(
  (config) => {
    // A token kept in localStorage is readable by any script running on the page (XSS);
    // an HttpOnly session cookie, which withCredentials already sends, avoids that exposure.
    const token = localStorage.getItem('token');
    if (token) {
      config.headers.Authorization = `Bearer ${token}`;
    }
    return config;
  },
  (error) => Promise.reject(error)
);

// Response interceptor
api.interceptors.response.use(
  (response) => response.data,
  (error) => {
    if (error.response) {
      switch (error.response.status) {
        case 401:
          // handle unauthorized
          break;
        case 403:
          // handle forbidden
          break;
        case 500:
          // handle server error
          break;
        default:
          console.error('API Error:', error.response.data);
      }
    }
    return Promise.reject(error);
  }
);

export default api;
```
Frontend environment variables (.env file):
```ini
# Frontend environment variables (the REACT_APP_ prefix is required). They are baked
# into the public JavaScript bundle at build time, so never put secrets here.
REACT_APP_API_URL=https://api.yourdomain.com
REACT_APP_ENV=production
REACT_APP_SENTRY_DSN=https://your-sentry-dsn.ingest.sentry.io/xxxx
```
5. Production-Grade Nginx Configuration
5.1 Nginx Installation and Basic Setup
```bash
# Install the latest stable Nginx
sudo apt install -y nginx
# Check the version
nginx -v  # should print 1.18+
# Start the service
sudo systemctl start nginx
sudo systemctl enable nginx
```
5.2 Nginx Site Configuration
Create the production Nginx configuration. Note that the worker, events and http-level directives below belong in /etc/nginx/nginx.conf (the stock file already contains the events and http blocks); only the server block goes into /etc/nginx/sites-available/myapp, which nginx includes inside its http block:
```nginx
# Global performance tuning. These directives belong in /etc/nginx/nginx.conf: a file
# under sites-available is included inside the http block and may only hold server
# blocks (nginx -t rejects worker_processes or events there).
worker_processes auto;
worker_rlimit_nofile 100000;

events {
    worker_connections 4096;
    multi_accept on;
    use epoll;
}

http {
    # Basic settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;  # hide the nginx version in headers and error pages

    # MIME types
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Log format
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # Static file cache
    open_file_cache max=10000 inactive=30s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    # Upload size limit
    client_max_body_size 20M;

    # Main server block: this part goes into /etc/nginx/sites-available/myapp
    server {
        listen 80;
        server_name yourdomain.com www.yourdomain.com;

        # Security headers. A location that declares its own add_header (the
        # /health-check block below) does not inherit these, so repeat them there if
        # needed. 'unsafe-inline' weakens the CSP; drop it once the frontend build
        # no longer needs inline scripts and styles.
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' api.example.com; frame-src 'none'; object-src 'none'";

        # Frontend static files
        location / {
            root /home/deployer/projects/frontend/build;
            try_files $uri $uri/ /index.html;
            # 1y suits hashed build assets; index.html is covered too, so exclude it
            # from long caching if deployments must take effect immediately
            expires 1y;
            access_log off;
        }

        # Backend API proxy
        location /api {
            proxy_pass http://localhost:8000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # WebSocket support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            # Timeouts
            proxy_connect_timeout 60s;
            proxy_send_timeout 60s;
            proxy_read_timeout 60s;
        }

        # Django static files
        location /static/ {
            alias /home/deployer/projects/myapp/staticfiles/;
            expires 1y;
            access_log off;
            gzip_static on;
        }

        # Media files
        location /media/ {
            alias /home/deployer/projects/myapp/media/;
            expires 1y;
            access_log off;
        }

        # Deny access to hidden files (.env, .git, ...)
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }

        # Health check endpoint
        location /health-check {
            access_log off;
            return 200 'OK';
            add_header Content-Type text/plain;
        }
    }
}
```
Enable the configuration:
```bash
sudo ln -s /etc/nginx/sites-available/myapp /etc/nginx/sites-enabled/
sudo nginx -t  # test the configuration
sudo systemctl reload nginx
```
6. Gunicorn Production Deployment
6.1 Gunicorn Configuration
Create the production Gunicorn service file /etc/systemd/system/myapp.service:
```ini
[Unit]
Description=Gunicorn instance for myapp
After=network.target postgresql.service

[Service]
User=deployer
Group=www-data
WorkingDirectory=/home/deployer/projects/myapp
Environment="PATH=/home/deployer/projects/myapp/venv/bin"
EnvironmentFile=/home/deployer/projects/myapp/.env
# Worker count = CPU cores * 2 + 1. Nginx runs as www-data and must be able to reach
# the socket: Ubuntu 22.04 creates home directories with mode 0750, so either add
# www-data to the deployer group or place the socket under /run instead.
ExecStart=/home/deployer/projects/myapp/venv/bin/gunicorn \
    --workers 5 \
    --threads 3 \
    --timeout 60 \
    --bind unix:/home/deployer/projects/myapp/myapp.sock \
    --max-requests 1000 \
    --max-requests-jitter 50 \
    --access-logfile - \
    --error-logfile - \
    --capture-output \
    --log-level info \
    backend.wsgi:application
# Graceful reload (HUP restarts the workers); without ExecReload the
# "systemctl reload myapp" used by the logrotate hook in section 10.1 fails
ExecReload=/bin/kill -s HUP $MAINPID
# Security limits
Restart=always
RestartSec=3
LimitNOFILE=65535
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
```
Key parameters:
- workers: calculated as CPU cores × 2 + 1
- threads: threads per worker, suited to I/O-bound applications
- max-requests: guards against memory leaks by restarting a worker after it has handled this many requests
- unix socket: more efficient local communication than a TCP port
Start the service:
```bash
sudo systemctl daemon-reload
sudo systemctl start myapp
sudo systemctl enable myapp
sudo systemctl status myapp  # check the status
```
6.2 Nginx and Gunicorn Integration
Update the API proxy section of the Nginx configuration:
```nginx
location /api {
    proxy_pass http://unix:/home/deployer/projects/myapp/myapp.sock;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_connect_timeout 60s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;
    # Buffering
    proxy_buffering on;
    proxy_buffer_size 16k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
}
```
7. HTTPS Security Configuration
7.1 Obtaining a Let's Encrypt Certificate
```bash
# Install Certbot
sudo apt install -y certbot python3-certbot-nginx
# Obtain a certificate (the domain must already resolve to this server)
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
# Automatic renewal: the certbot package installs a systemd timer for this;
# verify that renewal works with a dry run
sudo certbot renew --dry-run
```
7.2 Hardened HTTPS Configuration
Add the following SSL settings to the Nginx configuration:
```nginx
# SSL settings (valid in the http context or inside the 443 server block).
# certbot --nginx already inserts ssl_certificate/ssl_certificate_key lines into
# the site file, so do not define them twice for the same server.
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

# Main HTTPS server
server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    # existing configuration (the location blocks from section 5.2)...
}
```
8. Firewall and System Security
8.1 UFW Firewall Configuration
```bash
# Install UFW
sudo apt install -y ufw
# Base rules
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh  # if SSH later moves to port 2222 (section 8.2), allow that port before restarting sshd
sudo ufw allow http
sudo ufw allow https
# Restrict SSH to a trusted network (optional; replace the subnet with your own and use
# this instead of the global "allow ssh" rule above, otherwise it adds nothing)
sudo ufw allow from 192.168.1.0/24 to any port 22
# Enable the firewall
sudo ufw enable
sudo ufw status verbose
```
8.2 System Hardening
```bash
# Disable root SSH login and password authentication via a drop-in file.
# Ubuntu 22.04's sshd_config includes /etc/ssh/sshd_config.d/*.conf before its own
# settings and the first value for an option wins, so a low-numbered drop-in overrides
# both the main file and a cloud-init drop-in (which commonly enables password login).
# Blind sed edits of sshd_config tend to match nothing (the stock line reads
# "#PermitRootLogin prohibit-password") and silently change nothing.
sudo tee /etc/ssh/sshd_config.d/00-hardening.conf >/dev/null <<'EOF'
PermitRootLogin no
PasswordAuthentication no
# Change the SSH port (optional): allow the new port in UFW first (sudo ufw allow 2222/tcp)
# and keep the current session open until a login on the new port has succeeded
Port 2222
EOF
# Validate the configuration before restarting; a bad config here locks you out
sudo sshd -t
# Restart the SSH service
sudo systemctl restart sshd
# Automatic security updates
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
```
9. Automated Deployment
9.1 Deployment Script
Create the deploy.sh automation script:
```bash
#!/bin/bash
# Deployment script for production use
set -e           # exit immediately if any command fails
set -o pipefail  # a failure inside a pipeline also fails the script

echo "=== 开始部署 ==="
date

# Switch to the project directory
cd /home/deployer/projects/myapp

# Pull the latest code
echo "拉取最新代码..."
git fetch origin
git reset --hard origin/main

# Update Python dependencies
echo "更新Python依赖..."
source venv/bin/activate
pip install -U pip
pip install -r requirements.txt

# Database migrations
echo "执行数据库迁移..."
python manage.py migrate --noinput

# Collect static files
echo "收集静态文件..."
python manage.py collectstatic --noinput --clear

# Restart the backend service (the deployer user needs a sudoers entry allowing
# exactly "systemctl restart myapp" and "systemctl reload nginx" without a password)
echo "重启Gunicorn..."
sudo systemctl restart myapp

# Frontend build
echo "构建前端..."
cd /home/deployer/projects/frontend
git fetch origin
git reset --hard origin/main
# No --production flag here: typescript and the @types packages are devDependencies
# (section 4.2) and the build step needs them
yarn install --frozen-lockfile
yarn build

# Reload Nginx
echo "重启Nginx..."
sudo systemctl reload nginx

# Clean up old Docker containers (if using Docker)
# docker system prune -f

echo "=== 部署成功 ==="
date
```
9.2 CI/CD Integration
For professional projects, configure GitHub Actions or GitLab CI to deploy automatically:
```yaml
# .github/workflows/deploy.yml example
name: Deploy to Production

on:
  push:
    branches: [ main ]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: SSH and deploy
        # Pin third-party actions to a release tag or commit SHA rather than a moving branch
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.PRODUCTION_HOST }}
          username: ${{ secrets.PRODUCTION_USER }}
          key: ${{ secrets.PRODUCTION_SSH_KEY }}
          script: |
            cd /home/deployer/projects/myapp
            ./deploy.sh
```
10. Monitoring and Maintenance
10.1 Log Management
```bash
# View the Gunicorn/Django service log (the unit logs to journald via --access-logfile -)
sudo journalctl -u myapp -n 100 -f  # follow, starting from the last 100 lines
# View the Nginx access log
sudo tail -f /var/log/nginx/access.log
# View the Nginx error log
sudo tail -f /var/log/nginx/error.log
```
Log rotation configuration (/etc/logrotate.d/myapp). The RotatingFileHandler in settings.py already rotates logs/django.log by size, so pick one mechanism: either this logrotate entry with a plain FileHandler in Django, or the size-based handler alone.
```
/home/deployer/projects/myapp/logs/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 640 deployer www-data
    sharedscripts
    postrotate
        # only has an effect if myapp.service defines ExecReload=
        systemctl reload myapp >/dev/null 2>&1 || true
    endscript
}
```
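As an added example (not from the original article), the Python script below parses constructed access-log lines in the `main` log_format defined in section 5.2 and flags two things worth alerting on: requests for dotfiles such as /.env or /.git/config, the paths the `location ~ /\.` rule denies (that block also sets access_log off, so such hits only reach the log if that directive is removed), and repeated authentication failures per client address on a login endpoint (/api/login/ is assumed; the page defines no such route). Nginx is the edge proxy in this layout, so attribution uses $remote_addr rather than the client-supplied X-Forwarded-For header.

```python
"""Flag suspicious clients in Nginx access-log lines written with the 'main' log_format (added example)."""
from __future__ import annotations

import re
from collections import Counter

# One named group per field of the log_format main defined in the http block
LOG_RE = re.compile(
    r'(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)
DOTFILE_RE = re.compile(r"/\.")  # same pattern as the `location ~ /\.` deny rule
AUTH_PATH = "/api/login/"        # assumed login endpoint; the page does not define one

# Constructed sample lines (documentation-range addresses, not real traffic)
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:03:12:01 +0000] "GET /.env HTTP/1.1" 403 153 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [10/May/2024:03:12:02 +0000] "GET /.git/config HTTP/1.1" 403 153 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [10/May/2024:03:12:03 +0000] "GET /api/items/ HTTP/1.1" 200 2 "-" "curl/7.81.0" "-"
198.51.100.7 - - [10/May/2024:03:15:10 +0000] "GET /static/css/main.css HTTP/1.1" 200 4021 "https://yourdomain.com/" "Mozilla/5.0" "-"
198.51.100.7 - - [10/May/2024:03:15:11 +0000] "POST /api/login/ HTTP/1.1" 401 47 "https://yourdomain.com/" "Mozilla/5.0" "-"
198.51.100.7 - - [10/May/2024:03:15:12 +0000] "POST /api/login/ HTTP/1.1" 401 47 "https://yourdomain.com/" "Mozilla/5.0" "-"
198.51.100.7 - - [10/May/2024:03:15:14 +0000] "POST /api/login/ HTTP/1.1" 401 47 "https://yourdomain.com/" "Mozilla/5.0" "-"
192.0.2.9 - - [10/May/2024:03:20:00 +0000] "POST /api/login/ HTTP/1.1" 401 47 "-" "Mozilla/5.0" "-"
this line is not in the expected format
"""

def parse_line(line: str) -> dict[str, str] | None:
    """Return the fields of one log line, or None when it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def scan(log_text: str, max_auth_failures: int = 3) -> dict:
    """Count dotfile probes and login failures per client and list the clients to flag."""
    dotfile_probes: Counter[str] = Counter()
    auth_failures: Counter[str] = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        # Nginx is the edge proxy here, so $remote_addr is the real peer; X-Forwarded-For
        # is client-supplied and must not be used for attribution in this layout.
        client = rec["ip"]
        if DOTFILE_RE.search(rec["path"]):
            dotfile_probes[client] += 1
        if rec["path"].startswith(AUTH_PATH) and rec["status"] in ("401", "403"):
            auth_failures[client] += 1
    brute_force = {ip for ip, n in auth_failures.items() if n >= max_auth_failures}
    return {
        "dotfile_probes": dict(dotfile_probes),
        "auth_failures": dict(auth_failures),
        "flagged": sorted(set(dotfile_probes) | brute_force),
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```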
10.2 Performance Monitoring Tools
```bash
# Install monitoring tools
sudo apt install -y htop glances sysstat
# Glances (all-in-one monitoring)
glances
# htop (process monitoring)
htop
# vmstat (system resources)
vmstat 1
# iftop (network traffic)
sudo apt install -y iftop
sudo iftop
```
For production, set up a dedicated monitoring stack:
- Prometheus + Grafana (metrics)
- Sentry (error tracking)
- ELK Stack (log analysis)
11. Dockerized Deployment (Advanced)
11.1 Docker Compose Configuration
Create a production docker-compose.prod.yml:
```yaml
version: '3.8'

services:
  db:
    image: postgres:14-alpine
    environment:
      POSTGRES_DB: ${DB_NAME}
      POSTGRES_USER: ${DB_USER}
      POSTGRES_PASSWORD: ${DB_PASSWORD}
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - backend
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: 2G
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${DB_USER} -d ${DB_NAME}"]
      interval: 5s
      timeout: 5s
      retries: 5

  redis:
    image: redis:6-alpine
    command: redis-server --requirepass ${REDIS_PASSWORD}
    volumes:
      - redis_data:/data
    networks:
      - backend
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 5s
      timeout: 3s
      retries: 5

  backend:
    build:
      context: .
      dockerfile: Dockerfile.prod
      args:
        PYTHON_VERSION: 3.11
    # Variables from the env file; an env file path is not a valid `environment` entry,
    # and keys listed under `environment` override the same keys from env_file
    env_file:
      - ${ENV_FILE:-.env}
    environment:
      - DB_HOST=db
      - REDIS_URL=redis://:${REDIS_PASSWORD}@redis:6379/0
    volumes:
      - static_volume:/app/staticfiles
      - media_volume:/app/media
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - backend
      - frontend
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 4G
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s

  frontend:
    build:
      context: ./frontend
      dockerfile: Dockerfile.prod
    environment:
      - REACT_APP_API_URL=/api
    volumes:
      # the frontend image (section 11.2) places its build under /usr/share/nginx/html,
      # so this mount path must match where the image keeps the build output
      - static_volume:/app/build
    networks:
      - frontend
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: 1G

  nginx:
    image: nginx:1.21-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.prod.conf:/etc/nginx/nginx.conf
      - static_volume:/usr/share/nginx/html
      - media_volume:/usr/share/nginx/media
      - /etc/letsencrypt:/etc/letsencrypt
    depends_on:
      - backend
      - frontend
    networks:
      - frontend
      - backend
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 512M

volumes:
  postgres_data:
  redis_data:
  static_volume:
  media_volume:

networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
```
11.2 Production Dockerfile Examples
Backend Dockerfile.prod:
```dockerfile
# Build stage
FROM python:3.11-slim AS builder
WORKDIR /app
ENV PYTHONFAULTHANDLER=1 \
    PYTHONUNBUFFERED=1 \
    PYTHONHASHSEED=random \
    PIP_NO_CACHE_DIR=off \
    PIP_DISABLE_PIP_VERSION_CHECK=on \
    PIP_DEFAULT_TIMEOUT=100
RUN apt-get update && apt-get install -y --no-install-recommends gcc python3-dev
COPY requirements.txt .
RUN pip wheel --no-cache-dir --no-deps --wheel-dir /app/wheels -r requirements.txt

# Runtime stage
FROM python:3.11-slim
WORKDIR /app
RUN apt-get update && apt-get install -y --no-install-recommends libpq5 && \
    apt-get clean && rm -rf /var/lib/apt/lists/*
COPY --from=builder /app/wheels /wheels
COPY --from=builder /app/requirements.txt .
RUN pip install --no-cache-dir /wheels/*
COPY . .
# collectstatic imports settings.py, which reads SECRET_KEY and the DB_* values via
# decouple: supply placeholder build-time values, or run this step at container start,
# because the real .env must not be baked into the image
RUN python manage.py collectstatic --noinput
# Run as an unprivileged user; /app stays writable for it (static and media directories)
RUN useradd --create-home --shell /usr/sbin/nologin app && chown -R app:app /app
USER app
CMD ["gunicorn", "--bind", ":8000", "--workers", "4", "--threads", "2", "backend.wsgi:application"]
```
Frontend Dockerfile.prod:
```dockerfile
# Build stage
FROM node:18-alpine AS builder
WORKDIR /app
ENV NODE_ENV=production
COPY package.json yarn.lock ./
# --production=false keeps devDependencies (typescript, @types) that the build needs
RUN yarn install --frozen-lockfile --production=false
COPY . .
RUN yarn build

# Runtime stage
FROM nginx:1.21-alpine
COPY --from=builder /app/build /usr/share/nginx/html
COPY nginx.conf /etc/nginx/conf.d/default.conf
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
```
12. Production Security Recommendations
12.1 Basic Security Measures
- Regular updates:
  - Enable automatic security updates: sudo apt install -y unattended-upgrades
  - Check for major version updates manually once a month
- Backup strategy (crontab entries; the % characters must be escaped in cron):
```crontab
# Daily database backup
0 3 * * * pg_dump -U myapp_user -h localhost -d myapp_prod -F c -f /backups/db/db_$(date +\%Y-\%m-\%d).dump
# Weekly media file backup
0 4 * * 0 tar -czvf
```