add ci.moicen.com reverse proxy to Gitea

Proxy ci.moicen.com → 127.0.0.1:3006 for self-hosted Gitea CI. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
disable prow hook/deck — return 200 without proxying
2026-05-03 08:14:37 +08:00 · 2026-05-01 08:09:06 +08:00 · 2026-04-28 10:14:28 +08:00 · 2026-04-28 09:52:25 +08:00 · 2026-04-28 08:25:09 +08:00 · 2026-04-26 22:38:36 +08:00
21 changed files with 541 additions and 218 deletions
@@ -1 +0,0 @@
-huiwing:$apr1$r50umplo$ltopNoFz2rhNuSgKN46e0/
@@ -1,69 +0,0 @@
-server {
-#     https://serverfault.com/questions/798734/use-variable-for-server-name-in-nginx#
-#     server_name $servername;
-    server_name "ai.alchemy-studio.cn";
-    listen 443 ssl;
-#    listen 80;
-    client_max_body_size 10M;
-
-    # disable in local test env
-     ssl_certificate /etc/letsencrypt/live/alchemy-studio.cn/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/alchemy-studio.cn/privkey.pem; # managed by Certbot
-
-    location / {
-        try_files $uri $uri/ /index.html;
-        proxy_set_header  Host "ai.alchemy-studio.cn";
-        proxy_set_header  X-Real-IP $remote_addr;
-        # disable in local test env
-        proxy_set_header  X-Forwarded-Proto https;
-        proxy_set_header  X-Forwarded-For $remote_addr;
-        proxy_set_header  X-Forwarded-Host $remote_addr;
-    }
-
-    location /api/v1/index {
-
-       return 200 "Ai api index";
-    }
-    add_header Access-Control-Allow-Origin $http_origin always;
-    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
-    add_header Access-Control-Allow-Headers 'Authorization,unionid,HtySudoerToken,HtyHost,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
-    add_header Access-Control-Allow-Credentials true always;
-    add_header Access-Control-Max-Age 86400 always;
-    if ($request_method = 'OPTIONS') {
-        return 200;
-    }
-
-    location /api/v1/ai/ {
-        proxy_set_header Host            $host;
-        add_header Access-Control-Allow-Origin $http_origin always;
-        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
-        add_header Access-Control-Allow-Headers 'Authorization,HtyAdminToken,HtySudoerToken,HtyHost,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
-        add_header Access-Control-Allow-Credentials true always;
-        add_header Access-Control-Max-Age 86400 always;
-        if ($request_method = 'OPTIONS') {
-            return 200;
-        }
-
-#         auth_basic "ai_api access auth";
-#         auth_basic_user_file /usr/local/openresty/nginx/conf.d/.htpasswd;
-
-        proxy_pass http://127.0.0.1:5000/;
-    }
-
-    location /api/v1/coze/ {
-        proxy_set_header Host            $host;
-        add_header Access-Control-Allow-Origin $http_origin always;
-        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
-        add_header Access-Control-Allow-Headers 'Authorization,HtyAdminToken,HtySudoerToken,HtyHost,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
-        add_header Access-Control-Allow-Credentials true always;
-        add_header Access-Control-Max-Age 86400 always;
-        if ($request_method = 'OPTIONS') {
-            return 200;
-        }
-
-#         auth_basic "coze_api access auth";
-#         auth_basic_user_file /usr/local/openresty/nginx/conf.d/.htpasswd;
-
-        proxy_pass http://127.0.0.1:6000/;
-    }
-}
@@ -10,7 +10,9 @@ server {
    ssl_certificate_key /etc/letsencrypt/live/huiwings.cn/privkey.pem; # managed by Certbot

    set $tmp_file_dir "/file_upload"; # 文件存储路径
-    set $task_server "http://127.0.0.1:8080"; # task server host
+    set $task_server "http://127.0.0.1:8080"; # Java task_server
+    set $huiwing_htyts_rust "127.0.0.1:3003";  # huiwing 仓库 htyts（Rust）
+    set $huiwing_htyproc_rust "127.0.0.1:3004"; # huiwing 仓库 htyproc（Rust）
    set $htyuc "http://127.0.0.1:3000"; #htyuc host
    set $resty_loc "/usr/local/openresty";
    set $convert "/usr/bin/convert";
@@ -109,6 +111,22 @@ server {
    location /api/v1/uc/ {
        proxy_pass http://127.0.0.1:3000/api/v1/uc/;
    }
+
+    # 同域独立测 Rust TS/proc（不经 ts./proc. 子域）；/api/v2 → 本机 htyts/htyproc
+    location /api/v2/ts/ {
+        proxy_pass http://$huiwing_htyts_rust/api/v1/ts/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /api/v2/proc/ {
+        proxy_pass http://$huiwing_htyproc_rust/api/v1/proc/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
 }

 server {
@@ -61,6 +61,9 @@ server {
            return 200;
        }

+#         auth_basic "coze_api access auth";
+#         auth_basic_user_file /usr/local/openresty/nginx/conf.d/.htpasswd;
+
        proxy_pass http://127.0.0.1:6000/;
    }
 }
@@ -8,6 +8,9 @@ server {
     ssl_certificate /etc/letsencrypt/live/huiwings.cn/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/huiwings.cn/privkey.pem; # managed by Certbot

+    # huiwing 仓库：`cargo run -p htyproc`，env 见 envs/*/htyproc.env（PROC_PORT=3004）
+    set $huiwing_htyproc_rust "127.0.0.1:3004";
+
    location /api/v1/proc/ {
        add_header Access-Control-Allow-Origin $http_origin always;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
@@ -19,4 +22,17 @@ server {
        }
        proxy_pass http://127.0.0.1:8880/api/v1/proc/;
    }
+
+    # Rust htyproc：对外 /api/v2/proc → 本进程；后端路由仍为 /api/v1/proc
+    location /api/v2/proc/ {
+        add_header Access-Control-Allow-Origin $http_origin always;
+        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
+        add_header Access-Control-Allow-Headers 'Authorization,HtyAdminToken,HtySudoerToken,HtyHost,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
+        add_header Access-Control-Allow-Credentials true always;
+        add_header Access-Control-Max-Age 86400 always;
+        if ($request_method = 'OPTIONS') {
+            return 200;
+        }
+        proxy_pass http://$huiwing_htyproc_rust/api/v1/proc/;
+    }
 }
@@ -10,7 +10,10 @@ server {
     ssl_certificate /etc/letsencrypt/live/huiwings.cn/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/huiwings.cn/privkey.pem; # managed by Certbot

-    set $task_server "http://127.0.0.1:8080"; # task server host
+    set $task_server "http://127.0.0.1:8080"; # Java task_server
+    # huiwing 仓库：`cargo run -p htyts`，env 见 envs/*/htyts.env（TS_PORT=3003）
+    set $huiwing_htyts_rust "127.0.0.1:3003";
+    set $task_server_rust "http://$huiwing_htyts_rust"; # 与 Java 并行，仅 /api/v2 走此
    set $htyuc "http://127.0.0.1:3000"; #htyuc host
    set $resty_loc "/usr/local/openresty";

@@ -26,6 +29,19 @@ server {
        }
        proxy_pass http://127.0.0.1:8080/api/v1/ts/;
    }
+
+    # Rust htyts：对外 /api/v2/ts → 本进程；后端路由仍为 /api/v1/ts（与 Java /api/v1/ts 并行）
+    location /api/v2/ts/ {
+        add_header Access-Control-Allow-Origin $http_origin always;
+        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
+        add_header Access-Control-Allow-Headers 'Authorization,HtyAdminToken,HtySudoerToken,HtyHost,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
+        add_header Access-Control-Allow-Credentials true always;
+        add_header Access-Control-Max-Age 86400 always;
+        if ($request_method = 'OPTIONS') {
+            return 200;
+        }
+        proxy_pass http://$huiwing_htyts_rust/api/v1/ts/;
+    }
 }

 # server {
@@ -6,7 +6,9 @@ server {
    client_max_body_size 10M;

    set $tmp_file_dir "/file_upload"; # 文件存储路径
-    set $task_server "http://127.0.0.1:8080"; # task server host
+    set $task_server "http://127.0.0.1:8080"; # Java task_server
+    set $huiwing_htyts_rust "127.0.0.1:3003";
+    set $huiwing_htyproc_rust "127.0.0.1:3004";
    set $htyuc "http://127.0.0.1:3000"; #htyuc host
    set $resty_loc "/usr/local/openresty";
    set $convert "/usr/local/bin/convert";
@@ -101,4 +103,19 @@ server {
    location /api/v1/uc/ {
        proxy_pass http://127.0.0.1:3000/api/v1/uc/;
    }
+
+    location /api/v2/ts/ {
+        proxy_pass http://$huiwing_htyts_rust/api/v1/ts/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /api/v2/proc/ {
+        proxy_pass http://$huiwing_htyproc_rust/api/v1/proc/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
 }
@@ -5,7 +5,9 @@ server {
    listen 8088;
    client_max_body_size 10M;

-    set $task_server "http://127.0.0.1:8080"; # task server host
+    set $task_server "http://127.0.0.1:8080"; # Java task_server
+    set $huiwing_htyts_rust "127.0.0.1:3003"; # huiwing 仓库 htyts（Rust）
+    set $task_server_rust "http://$huiwing_htyts_rust";
    set $htyuc "http://127.0.0.1:3000"; #htyuc host
    set $resty_loc "/usr/local/openresty";

@@ -20,5 +22,17 @@ server {
        }
        proxy_pass http://127.0.0.1:8080/api/v1/ts/;
    }
+
+    location /api/v2/ts/ {
+        add_header Access-Control-Allow-Origin $http_origin always;
+        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
+        add_header Access-Control-Allow-Headers 'Authorization,HtyAdminToken,HtySudoerToken,HtyHost,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
+        add_header Access-Control-Allow-Credentials true always;
+        add_header Access-Control-Max-Age 86400 always;
+        if ($request_method = 'OPTIONS') {
+            return 200;
+        }
+        proxy_pass http://$huiwing_htyts_rust/api/v1/ts/;
+    }
 }

@@ -6,7 +6,9 @@ server {
    client_max_body_size 10M;

    set $tmp_file_dir "/usr/local/file_upload"; # 文件存储路径
-    set $task_server "http://127.0.0.1:8080"; # task server host
+    set $task_server "http://127.0.0.1:8080"; # Java task_server
+    set $huiwing_htyts_rust "127.0.0.1:3003";
+    set $huiwing_htyproc_rust "127.0.0.1:3004";
 #     set $htyuc "http://127.0.0.1:3000"; #htyuc host
    set $htyuc "https://admin.moicen.com"; #Verify jwt token
    set $resty_loc "/usr/local/opt/openresty";
@@ -105,6 +107,21 @@ server {
        proxy_pass http://127.0.0.1:3000/api/v1/uc/;
    }

+    location /api/v2/ts/ {
+        proxy_pass http://$huiwing_htyts_rust/api/v1/ts/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /api/v2/proc/ {
+        proxy_pass http://$huiwing_htyproc_rust/api/v1/proc/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
    location /api/ngx/upyun_download {
         content_by_lua_file $resty_loc/nginx/scripts/upyun_download.lua;
    }
@@ -0,0 +1,31 @@
+server {
+    server_name "proc.localhost";
+    listen 8088;
+    client_max_body_size 10M;
+
+    set $huiwing_htyproc_rust "127.0.0.1:3004"; # huiwing 仓库 htyproc（Rust）
+
+    location /api/v1/proc/ {
+        add_header Access-Control-Allow-Origin $http_origin always;
+        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
+        add_header Access-Control-Allow-Headers 'Authorization,HtyAdminToken,HtySudoerToken,HtyHost,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
+        add_header Access-Control-Allow-Credentials true always;
+        add_header Access-Control-Max-Age 86400 always;
+        if ($request_method = 'OPTIONS') {
+            return 200;
+        }
+        proxy_pass http://127.0.0.1:8880/api/v1/proc/;
+    }
+
+    location /api/v2/proc/ {
+        add_header Access-Control-Allow-Origin $http_origin always;
+        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
+        add_header Access-Control-Allow-Headers 'Authorization,HtyAdminToken,HtySudoerToken,HtyHost,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
+        add_header Access-Control-Allow-Credentials true always;
+        add_header Access-Control-Max-Age 86400 always;
+        if ($request_method = 'OPTIONS') {
+            return 200;
+        }
+        proxy_pass http://$huiwing_htyproc_rust/api/v1/proc/;
+    }
+}
@@ -5,7 +5,9 @@ server {
    listen 8088;
    client_max_body_size 10M;

-    set $task_server "http://127.0.0.1:8080"; # task server host
+    set $task_server "http://127.0.0.1:8080"; # Java task_server
+    set $huiwing_htyts_rust "127.0.0.1:3003"; # huiwing 仓库 htyts（Rust）
+    set $task_server_rust "http://$huiwing_htyts_rust";
    set $htyuc "http://127.0.0.1:3000"; #htyuc host
    set $resty_loc "/usr/local/opt/openresty";

@@ -20,5 +22,17 @@ server {
        }
        proxy_pass http://127.0.0.1:8080/api/v1/ts/;
    }
+
+    location /api/v2/ts/ {
+        add_header Access-Control-Allow-Origin $http_origin always;
+        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
+        add_header Access-Control-Allow-Headers 'Authorization,HtyAdminToken,HtySudoerToken,HtyHost,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
+        add_header Access-Control-Allow-Credentials true always;
+        add_header Access-Control-Max-Age 86400 always;
+        if ($request_method = 'OPTIONS') {
+            return 200;
+        }
+        proxy_pass http://$huiwing_htyts_rust/api/v1/ts/;
+    }
 }

@@ -31,7 +31,9 @@ server {
    ssl_certificate_key /etc/letsencrypt/live/moicen.com/privkey.pem; # managed by Certbot

    set $tmp_file_dir "/file_upload"; # 文件存储路径
-    set $task_server "http://127.0.0.1:8080"; # task server host
+    set $task_server "http://127.0.0.1:8080"; # Java task_server
+    set $huiwing_htyts_rust "127.0.0.1:3003";
+    set $huiwing_htyproc_rust "127.0.0.1:3004";
    set $htyuc "http://127.0.0.1:3000"; #htyuc host
    set $resty_loc "/usr/local/openresty";
    set $convert "/usr/bin/convert";
@@ -133,6 +135,21 @@ server {
    location /api/v1/uc/ {
        proxy_pass http://127.0.0.1:3000/api/v1/uc/;
    }
+
+    location /api/v2/ts/ {
+        proxy_pass http://127.0.0.1:3003/api/v1/ts/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /api/v2/proc/ {
+        proxy_pass http://127.0.0.1:3004/api/v1/proc/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
 }

 server {
@@ -0,0 +1,17 @@
+server {
+    server_name "ci.moicen.com";
+    listen 443 ssl;
+    listen 80;
+    client_max_body_size 100M;
+
+    ssl_certificate /etc/letsencrypt/live/moicen.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/moicen.com/privkey.pem; # managed by Certbot
+
+    location / {
+        proxy_pass http://127.0.0.1:3006/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
@@ -1,49 +1,132 @@
 server {
-#     https://serverfault.com/questions/798734/use-variable-for-server-name-in-nginx#
-#     server_name $servername;
    server_name "music-room.moicen.com";
    listen 443 ssl;
    client_max_body_size 20M;

+    ssl_certificate /etc/letsencrypt/live/moicen.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/moicen.com/privkey.pem;
+
+    # 与 admin.moicen.com 保持一致：本域直接命中 /api/ngx/image/* Lua 时需 tmp、convert、又拍参数
+    set $tmp_file_dir "/file_upload";
+    set $task_server "http://127.0.0.1:8080";
+    set $huiwing_htyts_rust "127.0.0.1:3003";
+    set $huiwing_htyproc_rust "127.0.0.1:3004";
+    set $htyuc "http://127.0.0.1:3000";
    set $resty_loc "/usr/local/openresty";
+    set $convert "/usr/bin/convert";
+    set $upyun_operator "moicen";
+    set $upyun_password "NyJ51zRwFApY9Wo9EHJMrb8GI9YtvpVN";
+    set $upyun_bucket "moicen";
+    set $upyun_directory "music-room";
+    set $upyun_domain "https://upyun.moicen.com";
+    set $upyun_cdn "https://upyun.moicen.com/";
+    set $wx_domain "wx.moicen.com";
+    set $upt_huiwings_secret "C5E4B01EC86A4CE8A84871EA2C826DD1";
+    set $upt_moicen_secret "339666FBB93C46D7B00D9F6E790C6C18";
+    set $upt_alchemy_secret "0D32E581A445404FA4C306709724FA07";
+    set $upt_duration 3600;

-    # disable in local test env
-    ssl_certificate /etc/letsencrypt/live/moicen.com/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/moicen.com/privkey.pem; # managed by Certbot
-
-    location / {
-        try_files $uri $uri/ /index.html;
-        proxy_set_header  Host "music-room.moicen.com";
-        proxy_set_header  X-Real-IP $remote_addr;
-        # disable in local test env
-        proxy_set_header  X-Forwarded-Proto https;
-        proxy_set_header  X-Forwarded-For $remote_addr;
-        proxy_set_header  X-Forwarded-Host $remote_addr;
-    }
-
-    root $resty_loc/nginx/html/music-room;
+    root /usr/local/openresty/nginx/html/music-room;
    index index.html;

-    # 公众号校验 炼金工坊
-    location /MP_verify_Jo6pKmy43wx7S5Sh.txt {
+    location = /MP_verify_Jo6pKmy43wx7S5Sh.txt {
+        default_type text/plain;
        return 200 'Jo6pKmy43wx7S5Sh';
    }

-    # 公众号校验 慧添翼音乐教室
-    location /MP_verify_xDbyXEtPHigY8dCN.txt {
+    location = /MP_verify_xDbyXEtPHigY8dCN.txt {
+        default_type text/plain;
        return 200 'xDbyXEtPHigY8dCN';
    }

-    # 小程序业务域名校验
-    location /wy7of6ofMw.txt {
+    location = /wy7of6ofMw.txt {
+        default_type text/plain;
        return 200 'aa91a8d33359e82465dcc0aae9284b27';
    }
+
+    location /api/v1/kc/ {
+        proxy_set_header Host $host;
+        proxy_set_header HtyHost $host;
+        proxy_pass http://127.0.0.1:3002/api/v1/kc/;
+    }
+    location /api/v1/clazz/ {
+        proxy_set_header Host $host;
+        proxy_set_header HtyHost $host;
+        proxy_pass http://127.0.0.1:3002/api/v1/clazz/;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /api/v1/ws/ {
+        proxy_set_header Host $host;
+        proxy_set_header HtyHost $host;
+        proxy_pass http://127.0.0.1:3001/api/v1/ws/;
+    }
+    location /api/v1/uc/ {
+        proxy_set_header Host $host;
+        proxy_set_header HtyHost $host;
+        proxy_pass http://127.0.0.1:3000/api/v1/uc/;
+    }
+    location /api/v1/ts/ {
+        proxy_set_header Host $host;
+        proxy_set_header HtyHost $host;
+        proxy_pass http://127.0.0.1:3003/api/v1/ts/;
+    }
+
+    location /api/ngx/image/upload {
+        content_by_lua_file /usr/local/openresty/nginx/scripts/old_upload.lua;
+    }
+    location /api/ngx/image/wx_upload_single {
+        content_by_lua_file /usr/local/openresty/nginx/scripts/wx_upload_single.lua;
+    }
+    location /api/ngx/image/form_upload_to_combine {
+        content_by_lua_file /usr/local/openresty/nginx/scripts/form_upload_to_combine.lua;
+    }
+    location /api/ngx/image/wx_upload_to_combine {
+        content_by_lua_file /usr/local/openresty/nginx/scripts/wx_upload_to_combine.lua;
+    }
+    location /api/ngx/image/form_upload_to_compress {
+        content_by_lua_file /usr/local/openresty/nginx/scripts/form_upload_to_compress.lua;
+    }
+    location /api/ngx/image/combine {
+        content_by_lua_file /usr/local/openresty/nginx/scripts/combine.lua;
+    }
+    location /api/ngx/image/check {
+        content_by_lua_file /usr/local/openresty/nginx/scripts/check_file.lua;
+    }
+    location /api/ngx/image/upload_combined {
+        content_by_lua_file /usr/local/openresty/nginx/scripts/upload_combined_image.lua;
+    }
+    location /api/ngx/image/upyun_remove {
+        content_by_lua_file /usr/local/openresty/nginx/scripts/upyun_remove.lua;
+    }
+    location /api/ngx/audio/upload {
+        content_by_lua_file /usr/local/openresty/nginx/scripts/upload_audio.lua;
+    }
+    location /api/ngx/audio/convert {
+        content_by_lua_file /usr/local/openresty/nginx/scripts/convert_audio.lua;
+    }
+    location /api/ngx/upt {
+        content_by_lua_file /usr/local/openresty/nginx/scripts/upt.lua;
+    }
+    location /api/ngx/convert/test {
+        content_by_lua_file /usr/local/openresty/nginx/scripts/test.lua;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.html;
+        proxy_set_header Host "music-room.moicen.com";
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Host $remote_addr;
+    }
 }

 server {
-  listen 80;
-  server_name "music-room.moicen.com";
-  location / {
-    return 301 https://$host$request_uri;
-  }
+    listen 80;
+    server_name "music-room.moicen.com";
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
@@ -8,7 +8,7 @@ server {
     ssl_certificate /etc/letsencrypt/live/moicen.com/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/moicen.com/privkey.pem; # managed by Certbot

-    location /api/v1/proc/ {
+    location /api/v2/proc/ {
        add_header Access-Control-Allow-Origin $http_origin always;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
        add_header Access-Control-Allow-Headers 'Authorization,HtyAdminToken,HtySudoerToken,HtyHost,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
@@ -17,6 +17,6 @@ server {
        if ($request_method = 'OPTIONS') {
            return 200;
        }
-        proxy_pass http://127.0.0.1:8880/api/v1/proc/;
+        proxy_pass http://127.0.0.1:3004/api/v1/proc/;
    }
 }
@@ -2,23 +2,12 @@ server {
    server_name "hook.prow.moicen.com";
    listen 443 ssl;
    listen 80;
-    client_max_body_size 10M;
-    access_by_lua_file /usr/local/openresty/nginx/scripts/log_to_webhook.lua;

-    # disable in local test env
-     ssl_certificate /etc/letsencrypt/live/moicen.com/fullchain.pem; # managed by Certbot
-     ssl_certificate_key /etc/letsencrypt/live/moicen.com/privkey.pem; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/moicen.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/moicen.com/privkey.pem; # managed by Certbot

    location / {
-        add_header Access-Control-Allow-Origin $http_origin always;
-        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
-        add_header Access-Control-Allow-Headers 'Authorization,HtyAdminToken,HtySudoerToken,HtyHost,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
-        add_header Access-Control-Allow-Credentials true always;
-        add_header Access-Control-Max-Age 86400 always;
-        if ($request_method = 'OPTIONS') {
-            return 200;
-        }
-        proxy_pass http://127.0.0.1:30001/;
+        return 200 "disabled";
    }
 }

@@ -26,21 +15,11 @@ server {
    server_name "deck.prow.moicen.com";
    listen 443 ssl;
    listen 80;
-    client_max_body_size 10M;

-    # disable in local test env
-     ssl_certificate /etc/letsencrypt/live/moicen.com/fullchain.pem; # managed by Certbot
-     ssl_certificate_key /etc/letsencrypt/live/moicen.com/privkey.pem; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/moicen.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/moicen.com/privkey.pem; # managed by Certbot

    location / {
-        add_header Access-Control-Allow-Origin $http_origin always;
-        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
-        add_header Access-Control-Allow-Headers 'Authorization,HtyAdminToken,HtySudoerToken,HtyHost,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
-        add_header Access-Control-Allow-Credentials true always;
-        add_header Access-Control-Max-Age 86400 always;
-        if ($request_method = 'OPTIONS') {
-            return 200;
-        }
-        proxy_pass http://127.0.0.1:30002/;
+        return 200 "disabled";
    }
 }
@@ -10,12 +10,10 @@ server {
     ssl_certificate /etc/letsencrypt/live/moicen.com/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/moicen.com/privkey.pem; # managed by Certbot

-    set $task_server "http://127.0.0.1:8080"; # task server host
    set $htyuc "http://127.0.0.1:3000"; #htyuc host
    set $resty_loc "/usr/local/openresty";

-    location /api/v1/ts/ {
-
+    location /api/v2/ts/ {
        add_header Access-Control-Allow-Origin $http_origin always;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
        add_header Access-Control-Allow-Headers 'Authorization,HtyAdminToken,HtySudoerToken,HtyHost,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
@@ -24,7 +22,7 @@ server {
        if ($request_method = 'OPTIONS') {
            return 200;
        }
-        proxy_pass http://127.0.0.1:8080/api/v1/ts/;
+        proxy_pass http://127.0.0.1:3003/api/v1/ts/;
    }
 }

@@ -0,0 +1,46 @@
+server {
+    server_name "wx.moicen.com";
+    listen 443 ssl;
+    client_max_body_size 20M;
+
+    set $resty_loc "/usr/local/openresty";
+
+    ssl_certificate /etc/letsencrypt/live/moicen.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/moicen.com/privkey.pem;
+
+    root $resty_loc/nginx/html/music-room;
+    index index.html;
+
+    # 与 music-room.moicen.com 一致：微信校验该授权域名时必须 GET 到纯文本正文
+    location = /MP_verify_Jo6pKmy43wx7S5Sh.txt {
+        default_type text/plain;
+        return 200 'Jo6pKmy43wx7S5Sh';
+    }
+
+    location = /MP_verify_xDbyXEtPHigY8dCN.txt {
+        default_type text/plain;
+        return 200 'xDbyXEtPHigY8dCN';
+    }
+
+    location = /wy7of6ofMw.txt {
+        default_type text/plain;
+        return 200 'aa91a8d33359e82465dcc0aae9284b27';
+    }
+
+    location / {
+        try_files $uri $uri/ /index.html;
+        proxy_set_header Host "wx.moicen.com";
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Host $remote_addr;
+    }
+}
+
+server {
+    listen 80;
+    server_name "wx.moicen.com";
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
@@ -17,6 +17,34 @@ ngx.log(ngx.INFO, "sudoerToken ", sudoerToken)

 verify(httpc, authHeader, sudoerToken)

+--- @param disposition_val string raw Content-Disposition header value
+local function filename_from_disposition(disposition_val)
+    if not disposition_val then
+        return nil
+    end
+    local m = ngx.re.match(disposition_val, [[filename\*=UTF-8''([^;\s]+)]], "ijo")
+    if m and m[1] then
+        return ngx.unescape_uri(m[1])
+    end
+    m = ngx.re.match(disposition_val, [[filename="([^"]+)"]], "ijo")
+    if m and m[1] then
+        return m[1]
+    end
+    m = ngx.re.match(disposition_val, [[filename=([^;\s]+)]], "ijo")
+    if m and m[1] then
+        return m[1]
+    end
+    return nil
+end
+
+local function extension_from_filename(fn)
+    if not fn then
+        return nil
+    end
+    local em = ngx.re.match(fn, [[\.([A-Za-z0-9]+)$]], "ijo")
+    return em and em[1] or nil
+end
+
 local function read_form_file()
    local chunk_size = 4096
    local form, err = upload:new(chunk_size)
@@ -24,77 +52,107 @@ local function read_form_file()
        ngx.log(ngx.ERR, "failed to new upload: ", err)
        ngx.exit(500)
    end
-    --uuid.seed()

    local file_dir = ngx.var.tmp_file_dir
+    local convert = ngx.var.convert
+
+    if not file_dir or file_dir == "" then
+        ngx.status = 500
+        ngx.log(ngx.ERR, "tmp_file_dir is not set in nginx (set $tmp_file_dir).")
+        ngx.say("server misconfiguration: tmp_file_dir")
+        return
+    end
+
+    if not convert or convert == "" then
+        ngx.status = 500
+        ngx.log(ngx.ERR, "ImageMagick NOT FOUND (set $convert).")
+        ngx.say("server misconfiguration: convert")
+        return
+    end
+
+    -- 确保临时目录存在（避免 worker 无权限写根路径等导致 io.open 失败）
+    os.execute("mkdir -p " .. file_dir)
+
    local file
    local file_name
    local files = {}
    local output_file = {}
-
-    local convert = ngx.var.convert
-
-    if not convert then
-        ngx.status = 500
-        ngx.log(ngx.ERR, "ImageMagick NOT FOUND.")
-        return
-    end
+    --- 当前 multipart 部件里 Content-Disposition 里的文件名（用于扩展名回退）
+    local pending_disp_filename

    while true do
-        local type, res, err = form:read()
+        local typ, res, read_err = form:read()

-        if not type then
-            ngx.say("FAILED TO READ *UPLOAD IMAGE* -> ", err)
+        if not typ then
+            ngx.status = 500
+            ngx.log(ngx.ERR, "FAILED TO READ upload: ", read_err)
+            ngx.say("FAILED TO READ *UPLOAD IMAGE* -> ", read_err)
            return
        end

-        if type == "header" then
-            --"Content-Disposition","form-data; name=\"files[]\"; filename=\"Song-of-joy.png\""
-            --"Content-Type","image\/png"
+        if typ == "header" then
            local key = res[1]
            local val = res[2]
-            if key == "Content-Type" then
-                local ext = ngx.re.match(val, [[(\w+)\/(\w+)]], "jo")[2]
+            if key == "Content-Disposition" then
+                pending_disp_filename = filename_from_disposition(val)
+            elseif key == "Content-Type" then
+                local mt = ngx.re.match(val, [[(\w+)/([\w\-\+\.]+)]], "jo")
+                local ext = mt and mt[2] or nil
+                if ext then
+                    ext = string.lower(ext)
+                    if ext == "jpeg" then
+                        ext = "jpg"
+                    end
+                end
+                if not ext and pending_disp_filename then
+                    ext = extension_from_filename(pending_disp_filename)
+                    if ext then
+                        ext = string.lower(ext)
+                    end
+                end
+                if not ext then
+                    ngx.status = 400
+                    ngx.log(ngx.ERR, "cannot derive extension; Content-Type=", val)
+                    ngx.say("cannot derive image file extension")
+                    return
+                end
                file_name = uuid.uuid() .. "." .. ext
-            end

-            if file_name then
                file = io.open(file_dir .. "/" .. file_name, "w+")
                ngx.log(ngx.INFO, "FILENAME -> ", file_name)
                if not file then
+                    ngx.status = 500
+                    ngx.log(ngx.ERR, "failed to open temp file under ", file_dir, " name=", file_name)
                    ngx.say("failed to open file ", file_name)
                    return
                end
+                pending_disp_filename = nil
            end

-        elseif type == "body" then
+        elseif typ == "body" then
            if file then
                file:write(res)
-                -- sha1:update(res)
            end
-        elseif type == "part_end" then
+        elseif typ == "part_end" then
            if file then
                file:close()
                table.insert(files, file_name)
            end
-            -- 这里要重置一下file_name，否则后面的文件保存时会导致前面已保存的文件变成空文件
-            -- file:flush() 和 io.flush() 都没效果
            file_name = nil
            file = nil
-        elseif type == "eof" then
-            -- TODO : Compress image and upload to upyun
-
-            local len = table.getn(files)
+            pending_disp_filename = nil
+        elseif typ == "eof" then
+            local len = #files
            if len == 0 then
                ngx.status = 500
                ngx.log(ngx.ERR, "No images to compress!")
-                return ;
+                ngx.say("no image data received")
+                return
            end

            for i = 1, len do
                ngx.log(ngx.INFO, 'COMPRESS FILE -> ', files[i])

-                -- Compress image
                local incoming = file_dir .. "/" .. files[i]
                output_file[i] = file_dir .. "/" .. uuid.uuid() .. ".jpg"

@@ -108,22 +166,24 @@ local function read_form_file()
                ngx.log(ngx.INFO, 'CMD RESIZE -> RESULT ', pl.dump(result))
                handle:close()

-                -- Upload compressed file to upyun
                local upyun_upload = require("lib.upyun_upload")
+                local ts_compress_audit = require("lib.ts_compress_audit")

                ngx.log(ngx.INFO, 'UPLOAD COMPRESSED IMAGE -> fullpath -> ', output_file[i])
-                
-                upyun_upload.upload(output_file[i], nil)

+                local public_url = upyun_upload.upload_return_url(output_file[i], nil)
+                if not public_url then
+                    return
+                end
+                ts_compress_audit.create(httpc, authHeader, sudoerToken, public_url)
+                ngx.status = 200
+                ngx.say(public_url)
            end

            break
-        else
-            -- do nothing
        end
    end
 end


 read_form_file()
-
@@ -0,0 +1,38 @@
+-- 压缩直传成功后向 Rust TS（3003）登记 IMAGE_FORM_COMPRESS，便于管理端 Tasks 可追溯（非 UPLOAD_PICTURE：后者专指 combine 管线）。
+local cjson = require("cjson")
+
+local function create(httpc, auth_header, sudoer_token, public_url)
+    local ts_host = ngx.var.huiwing_htyts_rust or "127.0.0.1:3003"
+    local remote_url = "http://" .. ts_host .. "/api/v1/ts/create_task"
+    local hty_host = ngx.req.get_headers()["HtyHost"] or ""
+    local body_tbl = {
+        task_type = "IMAGE_FORM_COMPRESS",
+        payload = {
+            url = public_url,
+        },
+    }
+    local body = cjson.encode(body_tbl)
+    local res, err = httpc:request_uri(remote_url, {
+        ssl_verify = false,
+        method = "POST",
+        headers = {
+            ["Content-Type"] = "application/json",
+            ["Authorization"] = auth_header or "",
+            ["HtySudoerToken"] = sudoer_token or "",
+            ["HtyHost"] = hty_host,
+        },
+        body = body,
+    })
+    if not res then
+        ngx.log(ngx.ERR, "IMAGE_FORM_COMPRESS audit: request failed ", err)
+        return false
+    end
+    if res.status ~= 201 and res.status ~= 200 then
+        ngx.log(ngx.ERR, "IMAGE_FORM_COMPRESS audit: status=", res.status, " body=", res.body)
+        return false
+    end
+    ngx.log(ngx.INFO, "IMAGE_FORM_COMPRESS audit task created")
+    return true
+end
+
+return { create = create }
@@ -6,69 +6,78 @@ local upyun_upload = {}

 local json = require("cjson")

+
 local strip_path = require("lib.strip_path")
 local Upyun = require('lib.upyun')

-function upyun_upload.upload(filepath, filename, retry)
-
+--- @return string|nil public_url 成功返回又拍完整 URL；失败返回 nil（已打日志）
+function upyun_upload.upload_return_url(filepath, filename, retry)
    if retry == nil then
        retry = 1
    end

    if retry > 3 then
        ngx.log(ngx.ERR, "failed to upload file : reach max retries")
-    else
-        local upyun, err = Upyun:new({
-            user = ngx.var.upyun_operator,
-            passwd = ngx.var.upyun_password,
-            localFilePath = filepath
-        })
+        return nil
+    end

-        if not upyun then
-            ngx.status = 500
-            ngx.log(ngx.ERR, "failed to initialize upyun: " .. err)
-            return
-        end
+    local upyun, err = Upyun:new({
+        user = ngx.var.upyun_operator,
+        passwd = ngx.var.upyun_password,
+        localFilePath = filepath
+    })

-        local bucket = ngx.var.upyun_bucket
-        local directory = ngx.var.upyun_directory
-        if not filename then
-            filename = strip_path.strip_path(filepath)
-        end
+    if not upyun then
+        ngx.status = 500
+        ngx.log(ngx.ERR, "failed to initialize upyun: " .. err)
+        return nil
+    end

-        ngx.log(ngx.INFO, 'bucket -> ', bucket)
-        ngx.log(ngx.INFO, 'directory -> ', directory)
+    local bucket = ngx.var.upyun_bucket
+    local directory = ngx.var.upyun_directory
+    if not filename then
+        filename = strip_path.strip_path(filepath)
+    end

-        local savePath = bucket .. "/" .. directory .. "/" .. filename
-        ngx.log(ngx.INFO, " savePath " , savePath)
+    ngx.log(ngx.INFO, 'bucket -> ', bucket)
+    ngx.log(ngx.INFO, 'directory -> ', directory)

-        local options = {
-            md5 = true
-        }
+    local savePath = bucket .. "/" .. directory .. "/" .. filename
+    ngx.log(ngx.INFO, " savePath " , savePath)

-        local info, err = upyun:upload_file(savePath, nil, options)
-        if not info then
-            local error_table = json.decode(err)
-            ngx.log(ngx.INFO, "Upyun Upload File Error: " .. err)
-            ngx.log(ngx.ERR, '[' .. error_table["code"] .. ']')
+    local options = {
+        md5 = true
+    }

-            if (error_table["code"] == 40000006)
-            then
-                ngx.status = 400
-                ngx.log(ngx.ERR, "Retry upload file : " .. '[' .. err .. ']')
-                upyun_upload.upload(filepath, filename, retry+1)
-            else
-                ngx.status = 400
-                ngx.log(ngx.ERR, "failed to upload file : " .. '[' .. err .. ']')
-            end
+    local info, upl_err = upyun:upload_file(savePath, nil, options)
+    if not info then
+        local error_table = json.decode(upl_err)
+        ngx.log(ngx.INFO, "Upyun Upload File Error: " .. upl_err)
+        ngx.log(ngx.ERR, '[' .. error_table["code"] .. ']')
+
+        if (error_table["code"] == 40000006)
+        then
+            ngx.status = 400
+            ngx.log(ngx.ERR, "Retry upload file : " .. '[' .. upl_err .. ']')
+            return upyun_upload.upload_return_url(filepath, filename, retry + 1)
        else
-            ngx.status = 200
-            local fullpath = ngx.var.upyun_domain .. "/" .. directory .. "/" .. filename
-            ngx.log(ngx.INFO, "SUCCESS UPLOAD -> UPYUN URL -> ", fullpath)
-            ngx.say(fullpath)
+            ngx.status = 400
+            ngx.log(ngx.ERR, "failed to upload file : " .. '[' .. upl_err .. ']')
+            return nil
        end
    end

+    ngx.status = 200
+    local fullpath = ngx.var.upyun_domain .. "/" .. directory .. "/" .. filename
+    ngx.log(ngx.INFO, "SUCCESS UPLOAD -> UPYUN URL -> ", fullpath)
+    return fullpath
 end

-return upyun_upload
+function upyun_upload.upload(filepath, filename, retry)
+    local url = upyun_upload.upload_return_url(filepath, filename, retry)
+    if url then
+        ngx.say(url)
+    end
+end
+
+return upyun_upload
Author	SHA1	Message	Date
weli	792b800d6d	add ci.moicen.com reverse proxy to Gitea Proxy ci.moicen.com → 127.0.0.1:3006 for self-hosted Gitea CI. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-03 08:14:37 +08:00
weli	96c308efe6	disable prow hook/deck — return 200 without proxying Prow hook/deck services are not running, causing connection refused errors in OpenResty logs from GitHub webhook retries. Replace proxy_pass with direct return 200 to stop the noise. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-01 08:09:06 +08:00
weli	93f47042d5	feat(lua): TS task IMAGE_FORM_COMPRESS for compress upload audit Made-with: Cursor	2026-04-28 10:14:28 +08:00
weli	bb95a39dfa	feat(ngx): NOOP IMAGE_FORM_COMPRESS audit after form_upload_to_compress Made-with: Cursor	2026-04-28 09:52:25 +08:00
weli	e053cab89e	fix(ngx): form_upload_to_compress errors; moicen music-room nginx vars for Lua uploads Made-with: Cursor	2026-04-28 08:25:09 +08:00
weli	e8898efc0c	fix: hardcode upstream address in admin.conf proxy_pass (same variable URI rewrite issue)	2026-04-26 22:38:36 +08:00
weli	8c583acfcc	fix: hardcode upstream address in proxy_pass to avoid nginx variable URI rewrite issue	2026-04-26 22:30:18 +08:00
weli	b10bc5b0fb	remove v1 location, keep only /api/v2/ts/ and /api/v2/proc/	2026-04-26 22:19:20 +08:00
weli	ec34b450e1	fix: route /api/v1/ts/ and /api/v1/proc/ to Rust, remove Java upstream	2026-04-26 22:16:49 +08:00
weli	9c111492f1	fix(moicen): add wx.moicen.com with WeChat MP_verify endpoints Made-with: Cursor	2026-04-26 22:01:12 +08:00
weli	3fbe5e900a	feat: /api/v2 ts/proc to Rust htyts:3003 htyproc:3004, admin routes - ts.conf/proc.conf: v2 locations and huiwing_htyts_rust/htyproc_rust vars - admin.conf: /api/v2/ts and /api/v2/proc on admin for same-origin tests - local_macos proc.conf; remove duplicate conf/alchemy - huiwings ai.conf: coze auth comment lines merged from removed alchemy copy Made-with: Cursor	2026-04-04 22:12:18 +08:00
				`@@ -1 +0,0 @@`
				`huiwing:$apr1$r50umplo$ltopNoFz2rhNuSgKN46e0/`