diff --git a/.github/workflows/deploy-cn-llm-relay.yml b/.github/workflows/deploy-cn-llm-relay.yml index 5ee9915c..3033662f 100644 --- a/.github/workflows/deploy-cn-llm-relay.yml +++ b/.github/workflows/deploy-cn-llm-relay.yml @@ -45,20 +45,68 @@ jobs: SSH_KEY: ${{ secrets.ZY_CN_LLM_KEY }} run: | mkdir -p ~/.ssh - echo "$SSH_KEY" > ~/.ssh/cn_key + chmod 700 ~/.ssh + + # 写入私钥 · 确保末尾有换行符 + printf '%s\n' "$SSH_KEY" > ~/.ssh/cn_key chmod 600 ~/.ssh/cn_key + + # 格式校验 if head -1 ~/.ssh/cn_key | grep -q "BEGIN" && tail -1 ~/.ssh/cn_key | grep -q "END"; then echo "✅ SSH私钥格式正确" else echo "❌ SSH私钥格式异常 — 请检查 ZY_CN_LLM_KEY" + echo "首行: $(head -1 ~/.ssh/cn_key)" + echo "末行: $(tail -1 ~/.ssh/cn_key)" exit 1 fi - ssh-keyscan -H ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>/dev/null + + # 显示密钥指纹用于调试(不泄露私钥内容) + ssh-keygen -l -f ~/.ssh/cn_key && echo "✅ 密钥指纹读取成功" || echo "⚠️ 无法读取密钥指纹" + + # 写入 SSH config · 统一连接参数 + cat > ~/.ssh/config << 'SSHCONF' + Host cn-relay + StrictHostKeyChecking accept-new + UserKnownHostsFile ~/.ssh/known_hosts + IdentityFile ~/.ssh/cn_key + IdentitiesOnly yes + ServerAliveInterval 15 + ServerAliveCountMax 3 + ConnectTimeout 30 + SSHCONF + # 注入实际 Host/User(避免 heredoc 内插值泄露) + sed -i "1a\\ HostName ${{ secrets.ZY_CN_LLM_HOST }}" ~/.ssh/config + sed -i "2a\\ User ${{ secrets.ZY_CN_LLM_USER }}" ~/.ssh/config + chmod 600 ~/.ssh/config + + # 扫描主机公钥(不静默·便于排查) + echo "═══ 扫描目标主机公钥 ═══" + ssh-keyscan -T 10 ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>&1 || echo "⚠️ ssh-keyscan 未返回主机密钥(可能被安全组拦截)" + echo "known_hosts 条目数: $(wc -l < ~/.ssh/known_hosts)" + + - name: 🔗 SSH连接测试 + run: | + echo "═══ SSH连接测试(verbose模式) ═══" + ssh -vvv -o BatchMode=yes -o ConnectTimeout=15 \ + -i ~/.ssh/cn_key \ + ${{ secrets.ZY_CN_LLM_USER }}@${{ secrets.ZY_CN_LLM_HOST }} \ + "echo '✅ SSH连接成功 · $(hostname) · $(date)'" \ + 2>&1 || { + echo "" + echo "═══ SSH连接失败 · 排查方向 ═══" + echo "1. 检查广州服务器 ~/.ssh/authorized_keys 是否包含对应公钥" + echo "2. 检查权限: chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys" + echo "3. 检查 /etc/ssh/sshd_config: PubkeyAuthentication yes" + echo "4. 检查腾讯云安全组是否放行 GitHub Actions IP 的 22 端口" + echo "5. 查看服务器 SSH 日志: journalctl -u sshd -n 50" + exit 1 + } - name: 📦 同步代码到广州 run: | rsync -avz --delete \ - -e "ssh -i ~/.ssh/cn_key" \ + -e "ssh -i ~/.ssh/cn_key -o StrictHostKeyChecking=accept-new -o ConnectTimeout=30" \ --exclude='node_modules' \ --exclude='.env.relay' \ --exclude='logs' \ @@ -130,14 +178,14 @@ jobs: env: SSH_KEY: ${{ secrets.ZY_CN_LLM_KEY }} run: | - mkdir -p ~/.ssh - echo "$SSH_KEY" > ~/.ssh/cn_key + mkdir -p ~/.ssh && chmod 700 ~/.ssh + printf '%s\n' "$SSH_KEY" > ~/.ssh/cn_key chmod 600 ~/.ssh/cn_key - ssh-keyscan -H ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>/dev/null + ssh-keyscan -T 10 ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>&1 || true - name: 🩺 检查服务状态 run: | - ssh -i ~/.ssh/cn_key \ + ssh -i ~/.ssh/cn_key -o StrictHostKeyChecking=accept-new -o ConnectTimeout=15 \ ${{ secrets.ZY_CN_LLM_USER }}@${{ secrets.ZY_CN_LLM_HOST }} << 'CMD' echo "═══ PM2 状态 ═══" pm2 list @@ -158,14 +206,14 @@ jobs: env: SSH_KEY: ${{ secrets.ZY_CN_LLM_KEY }} run: | - mkdir -p ~/.ssh - echo "$SSH_KEY" > ~/.ssh/cn_key + mkdir -p ~/.ssh && chmod 700 ~/.ssh + printf '%s\n' "$SSH_KEY" > ~/.ssh/cn_key chmod 600 ~/.ssh/cn_key - ssh-keyscan -H ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>/dev/null + ssh-keyscan -T 10 ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>&1 || true - name: 🔄 重启 run: | - ssh -i ~/.ssh/cn_key \ + ssh -i ~/.ssh/cn_key -o StrictHostKeyChecking=accept-new -o ConnectTimeout=15 \ ${{ secrets.ZY_CN_LLM_USER }}@${{ secrets.ZY_CN_LLM_HOST }} << 'CMD' cd /opt/cn-llm-relay pm2 restart cn-llm-relay diff --git a/.github/workflows/deploy-to-zhuyuan-server.yml b/.github/workflows/deploy-to-zhuyuan-server.yml index 51c40f5a..5ac28f5d 100644 --- a/.github/workflows/deploy-to-zhuyuan-server.yml +++ b/.github/workflows/deploy-to-zhuyuan-server.yml @@ -415,7 +415,7 @@ jobs: curl -sf http://localhost:3100/health || echo "⚠️ MCP Server健康检查失败,等待更长时间..." sleep 5 curl -sf http://localhost:3800/api/health && echo "✅ 主应用已上线 (3800)" || echo "❌ 主应用启动失败 (3800)" - curl -sf http://localhost:3801/api/health && echo "✅ 预览进程已上线 (3801)" || echo "❌ 预览进程启动失败 (3801) · guanghulab.online 可能502" + curl -sf http://localhost:3801/api/health && echo "✅ 预览进程已上线 (3801)" || echo "❌ 预览进程启动失败 (3801) · 若 ZY_DOMAIN_PREVIEW 域名指向此端口则该域名可能502" curl -sf http://localhost:3100/health && echo "✅ MCP Server已上线 (3100)" || echo "❌ MCP Server启动失败 (3100)" # 记录部署操作 diff --git a/server/nginx/zhuyuan-sovereign.conf b/server/nginx/zhuyuan-sovereign.conf index 781ecadd..6807c5b3 100644 --- a/server/nginx/zhuyuan-sovereign.conf +++ b/server/nginx/zhuyuan-sovereign.conf @@ -19,6 +19,8 @@ # ─── §1 主域名 · 正式对外网站 ─── # 部署时由 deploy workflow 自动将 ZY_DOMAIN_MAIN_PLACEHOLDER 替换为实际域名 # 替换源: GitHub Secrets → ZY_DOMAIN_MAIN +# ⚠️ 重要: guanghulab.online 必须配置为 ZY_DOMAIN_MAIN(不是 ZY_DOMAIN_PREVIEW) +# 否则 /api/* 请求会被路由到 §2 预览站的 3801 端口而非 3800 → 导致 502 server { listen 80 default_server; server_name ZY_DOMAIN_MAIN_PLACEHOLDER 43.134.16.246 localhost 127.0.0.1;