Ensure pinned comments stay at top of post timeline

修复手机网页iframe的视频标签超出容器的问题

.env.example

@@ -93,7 +93,7 @@ NUXT_PUBLIC_WEBSITE_BASE_URL=http://localhost:3000
 # 线上 & 本地均可使用
 NUXT_PUBLIC_GOOGLE_CLIENT_ID=777830451304-nt8afkkap18gui4f9entcha99unal744.apps.googleusercontent.com
 # 线上
-NUXT_PUBLIC_GITHUB_CLIENT_ID=Ov23liOlrZnPKRF7s7NN
+NUXT_PUBLIC_GITHUB_CLIENT_ID=Ov23liVkO1NPAX5JyWxJ
 # 本地
 # NUXT_PUBLIC_GITHUB_CLIENT_ID=Ov23liOlrZnPKRF7s7NN
 # 线上 & 本地均可使用

.github/workflows/deploy-staging.yml

@@ -23,7 +23,7 @@ jobs:
           host: ${{ secrets.SSH_HOST }}
           username: root
           key: ${{ secrets.SSH_KEY }}
-          script: bash /opt/openisle/deploy-staging.sh
+          script: bash /opt/openisle/OpenIsle/deploy/deploy_staging.sh
 
   deploy-docs:
     needs: build-and-deploy

.github/workflows/deploy.yml

@@ -2,8 +2,8 @@ name: CI & CD
 
 on:
   workflow_dispatch:
-  schedule:
-    - cron: "0 19 * * *" # 每天 UTC 19:00，相当于北京时间凌晨3点
+  # schedule:
+  #   - cron: "0 19 * * *" # 每天 UTC 19:00，相当于北京时间凌晨3点
 
 jobs:
   build-and-deploy:
@@ -19,4 +19,4 @@ jobs:
           host: ${{ secrets.SSH_HOST }}
           username: root
           key: ${{ secrets.SSH_KEY }}
-          script: bash /opt/openisle/deploy.sh
+          script: bash /opt/openisle/OpenIsle/deploy/deploy.sh

CONTRIBUTING.md

@@ -1,25 +1,19 @@
 - [前置工作](#前置工作)
+- [前端极速调试（Docker 全量环境）](#前端极速调试docker-全量环境)
 - [启动后端服务](#启动后端服务)
   - [本地 IDEA](#本地-idea)
     - [配置环境变量](#配置环境变量)
     - [配置 IDEA 参数](#配置-idea-参数)
-    - [配置 MySQL](#配置-mysql)
-    - [配置 Redis](#配置-redis)
-    - [配置 RabbitMQ](#配置-rabbitmq)
-  - [Docker 环境](#docker-环境)
-    - [配置环境变量](#配置环境变量-1)
-    - [构建并启动镜像](#构建并启动镜像)
 - [启动前端服务](#启动前端服务)
-  - [配置环境变量](#配置环境变量-2)
-  - [安装依赖和运行](#安装依赖和运行)
+  - [连接预发或正式环境](#连接预发或正式环境)
 - [其他配置](#其他配置)
-  - [配置第三方登录以GitHub为例](#配置第三方登录以GitHub为例)
-  - [配置Resend邮箱服务](#配置Resend邮箱服务)
+  - [配置第三方登录以GitHub为例](#配置第三方登录以github为例)
+  - [配置Resend邮箱服务](#配置resend邮箱服务)
 - [API文档](#api文档)
   - [OpenAPI文档](#openapi文档)
   - [部署时间线以及文档时效性](#部署时间线以及文档时效性)
-  - [OpenAPI文档使用](#OpenAPI文档使用)
-  - [OpenAPI文档应用场景](#OpenAPI文档应用场景)
+  - [OpenAPI文档使用](#openapi文档使用)
+  - [OpenAPI文档应用场景](#openapi文档应用场景)
 
 ## 前置工作
 
@@ -35,6 +29,52 @@ cd OpenIsle
 - 前端开发环境
   - Node.JS 20+
 
+## 前端极速调试（Docker 全量环境）
+
+想要最快速地同时体验前端和后端，可直接使用仓库提供的 Docker Compose。该方案会一次性拉起数据库、消息队列、搜索、后端、WebSocket 以及前端 Dev Server，适合需要全链路联调的场景。
+
+1. 准备环境变量文件：
+   ```shell
+   cp .env.example .env
+   ```
+   `.env.example` 是模板，可在 `.env` 中按需覆盖如端口、密钥等配置。确保 `NUXT_PUBLIC_API_BASE_URL`、`NUXT_PUBLIC_WEBSOCKET_URL` 等仍指向 `localhost`，方便前端直接访问容器映射端口。
+2. 启动 Dev Profile：
+   ```shell
+   docker compose \
+     -f docker/docker-compose.yaml \
+     --env-file .env \
+     --profile dev build
+   ```
+
+   ```shell
+   docker compose \
+     -f docker/docker-compose.yaml \
+     --env-file .env \
+     --profile dev up -d
+   ```
+   该命令会创建名为 `frontend_dev` 的容器并运行 `npm run dev`，浏览器访问 http://127.0.0.1:3000 即可查看页面。
+
+   修改代码后，可以强制重新创建所有容器，执行：
+
+   ```shell
+   docker compose \
+     -f docker/docker-compose.yaml \
+     --env-file .env \
+     --profile dev up -d --force-recreate
+   ```
+
+3. 查看服务状态：
+   ```shell
+   docker compose -f docker/docker-compose.yaml --env-file .env ps
+   docker compose -f docker/docker-compose.yaml --env-file .env logs -f frontend_dev
+   ```
+4. 停止所有容器：
+   ```shell
+   docker compose -f docker/docker-compose.yaml --env-file .env --profile dev down
+   ```
+
+如需自定义 Node 依赖缓存、数据库持久化等，可参考 `docker/docker-compose.yaml` 中各卷的定义进行调整。
+
 ## 启动后端服务
 
 启动后端服务有多种方式，选择一种即可。
@@ -52,37 +92,26 @@ IDEA 打开 `backend/` 文件夹。
 
 #### 配置环境变量
 
-1. 生成环境变量文件
-
+1. 生成环境变量文件：
    ```shell
    cp open-isle.env.example open-isle.env
    ```
+   `open-isle.env` 才是实际被读取的文件。可在其中补充数据库、第三方服务等配置，`open-isle.env` 已被 Git 忽略，放心修改。
+2. 在 IDEA 中配置「Environment file」：将 `Run/Debug Configuration` 的 `Environment variables` 指向刚刚复制的 `open-isle.env`，即可让 IDE 读取该文件。
+3. 需要调整端口或功能开关时，优先修改 `open-isle.env`，例如：
+   ```ini
+   SERVER_PORT=8081
+   LOG_LEVEL=DEBUG
+   ```
 
-   `open-isle.env.example` 是环境变量模板，`open-isle.env` 才是真正读取的内容
-
-2. 修改环境变量，留下需要的，比如你要开发 Google 登录业务，就需要谷歌相关的变量，数据库是一定要的
-
-   ![环境变量](assets/contributing/backend_img_7.png)
-
-3. 应用环境文件，选择刚刚的 `open-isle.env`
-
-可以在 `open-isle.env` 按需填写个性化的配置，该文件不会被 Git 追踪。比如你想把服务跑在 `8082`（默认为 `8080`），那么直接改 `open-isle.env` 即可：
-
-```ini
-SERVER_PORT=8082
-```
-
-另一种方式是修改 `.properities` 文件（但不建议），位于 `src/main/application.properties`，该配置同样来源于 `open-isle.env`，但修改 `.properties` 文件会被 Git 追踪。
+也可以修改 `src/main/resources/application.properties`，但该文件会被 Git 追踪，通常不推荐。
 
 ![配置数据库](assets/contributing/backend_img_5.png)
 
 #### 配置 IDEA 参数
 
-- 设置 JDK 版本为 java 17
-
-- 设置 VM Option，最好运行在其他端口，非 `8080`，这里设置 `8081`
-  若上面在环境变量中设置了端口，那这里就不需要再额外设置
-
+- 设置 JDK 版本为 Java 17。
+- 设置 VM Option，最好运行在其他端口（例如 `8081`）。若已经在 `open-isle.env` 中调整端口，可省略此步骤。
   ```shell
   -Dserver.port=8081
   ```
@@ -91,191 +120,22 @@ SERVER_PORT=8082
 
 ![配置2](assets/contributing/backend_img_2.png)
 
-#### 配置 MySQL
-
-> [!TIP]
-> 如果不知道怎么配置数据库可以参考 [Docker 环境](#docker-环境) 章节
-
-1. 本机配置 MySQL 服务（网上很多教程，忽略）
-   - 可以用 Laragon，自带 MySQL 包括 Nodejs，版本建议 `6.x`，`7` 以后需要 Lisence
-   - [下载地址](https://github.com/leokhoa/laragon/releases)
-
-2. 填写环境变量
-
-   ![环境变量](assets/contributing/backend_img_6.png)
-
-   ```ini
-   MYSQL_URL=jdbc:mysql://<数据库地址>:<端口>/<数据库名>?useUnicode=yes&characterEncoding=UTF-8&useInformationSchema=true&useSSL=false&serverTimezone=UTC
-   MYSQL_USER=<数据库用户名>
-   MYSQL_PASSWORD=<数据库密码>
-   ```
-
-3. 执行 [`db/init/init_script.sql`](backend/src/main/resources/db/init/init_script.sql) 脚本，导入基本的数据
-   管理员：**admin/123456**
-   普通用户1：**user1/123456**
-   普通用户2：**user2/123456**
-
-   ![初始化脚本](assets/contributing/resources_img.png)
-
-#### 配置 Redis
-
-后端的登录态缓存、访问频控等都依赖 Redis，请确保本地有可用的 Redis 实例。
-
-1. **启动 Redis 服务**（已有服务可跳过）
-
-   ```bash
-   docker run --name openisle-redis -p 6379:6379 -d redis:7-alpine
-   ```
-
-   该命令会在本机暴露 `6379` 端口。若你已有其他端口的 Redis，可以根据实际情况调整映射关系。
-
-2. **在 `backend/open-isle.env` 中填写连接信息**
-
-   ```ini
-   REDIS_HOST=127.0.0.1
-   REDIS_PORT=6379
-   # 可选：若需要切换逻辑库，可新增此变量，默认使用 0 号库
-   REDIS_DATABASE=0
-   ```
-
-   `application.properties` 中的默认值为 `localhost:6379`、数据库 `0`，如果你的环境恰好一致，也可以不额外填写；显式声明可以避免 IDE/运行时读取到意外配置。
-
-3. **验证连接**
-
-   ```bash
-   redis-cli -h 127.0.0.1 -p 6379 ping
-   ```
-
-   启动后端后，日志中会出现 `Redis connection established ...`（来自 `RedisConnectionLogger`），说明已成功连通。
-
-#### 配置 RabbitMQ
-
-消息通知和 WebSocket 推送链路依赖 RabbitMQ。后端会自动声明交换机与队列，确保本地 RabbitMQ 可用即可。
-
-1. **启动 RabbitMQ 服务**（推荐包含管理界面）
-
-   ```bash
-   docker run --name openisle-rabbitmq \
-     -e RABBITMQ_DEFAULT_USER=openisle \
-     -e RABBITMQ_DEFAULT_PASS=openisle \
-     -p 5672:5672 -p 15672:15672 \
-     -d rabbitmq:3.13-management
-   ```
-
-   管理界面位于 http://127.0.0.1:15672 ，可用于查看队列、交换机等资源。
-
-2. **同步填写后端与 WebSocket 服务的环境变量**
-
-   ```ini
-   # backend/open-isle.env
-   RABBITMQ_HOST=127.0.0.1
-   RABBITMQ_PORT=5672
-   RABBITMQ_USERNAME=openisle
-   RABBITMQ_PASSWORD=openisle
-
-   # 如果需要启动 websocket_service，也需要在 websocket_service.env 中保持一致
-   ```
-
-   如果沿用 RabbitMQ 默认的 `guest/guest`，可以不显式设置，Spring Boot 会回退到 `application.properties` 中的默认值 (`localhost:5672`、`guest/guest`、虚拟主机 `/`)。
-
-3. **确认自动声明的资源**
-
-   - 交换机：`openisle-exchange`
-   - 旧版兼容队列：`notifications-queue`
-   - 分片队列：`notifications-queue-0` ~ `notifications-queue-f`（共 16 个，对应路由键 `notifications.shard.0` ~ `notifications.shard.f`）
-   - 队列持久化默认开启，来自 `rabbitmq.queue.durable=true`，如需仅在本地短暂测试，可在 `application.properties` 中调整该配置。
-
-   启动后端时可在日志中看到 `=== 开始主动声明 RabbitMQ 组件 ===` 与后续的声明结果，也可以在管理界面中查看是否创建成功。
-
-完成 Redis 与 RabbitMQ 配置后，即可继续启动后端服务。
+完成环境变量和运行参数设置后，即可启动 Spring Boot 应用。
 
 ![运行画面](assets/contributing/backend_img_4.png)
 
-### Docker 环境
+## 前端连接预发或正式环境
 
-#### 配置环境变量
+前端默认读取 `.env` 中的接口地址，可通过修改以下变量快速切换到预发或正式环境：
 
-```shell
-cd docker/
-```
+1. 按需覆盖关键变量：
 
-主要配置两个 `.env` 文件
+   ```ini
+   NUXT_PUBLIC_API_BASE_URL=https://www.staging.open-isle.com
+   NUXT_PUBLIC_WEBSOCKET_URL=https://www.staging.open-isle.com
+   ```
+   将 `staging` 替换为 `www` 即可连接正式环境。其他变量（如 OAuth Client ID、站点地址等）可根据需求调整。
 
-- `backend/open-isle.env`：后端环境变量，配置同上，见 [配置环境变量](#配置环境变量)。
-- `docker/.env`：Docker Compose 环境变量，主要配置 MySQL 相关
-  ```shell
-  cp .env.example .env
-  ```
-
-> [!TIP]
-> 使用单独的 `.env` 文件是为了兼容线上环境或已启用 MySQL 服务的情况，如果只是想快速体验或者启动统一的环境，则推荐使用本方式。
-
-在指定 `docker/.env` 后，`backend/open-isle.env` 中以下配置会被覆盖，这样就确保使用了同一份配置。
-
-```ini
-MYSQL_URL=
-MYSQL_USER=
-MYSQL_PASSWORD=
-```
-
-#### 构建并启动镜像
-
-```shell
-docker compose up -d
-```
-
-如果想了解启动过程发生了什么可以查看日志
-
-```shell
-docker compose logs
-```
-
-## 启动前端服务
-
-> [!IMPORTANT]
-> **⚠️ 环境要求：Node.js 版本最低 20.0.0（因为 Nuxt 框架要求）**
-
-```shell
-cd frontend_nuxt/
-```
-
-### 配置环境变量
-
-前端可以依赖本机部署的后端，也可以直接调用线上的后端接口。
-
-- 利用预发环境：**（⚠️ 强烈推荐只开发前端的朋友使用该环境）**
-
-  ```shell
-  cp .env.staging.example .env
-  ```
-
-- 利用生产环境
-
-  ```shell
-  cp .env.production.example .env
-  ```
-
-- 利用本地环境
-
-  ```shell
-  cp .env.dev.example .env
-  ```
-
-若依赖本机部署的后端，需要修改 `.env` 中的 `NUXT_PUBLIC_API_BASE_URL` 值与后端服务端口一致
-
-### 安装依赖和运行
-
-前端安装依赖并启动服务。
-
-```shell
-# 安装依赖
-npm install --verbose
-
-# 运行前端服务
-npm run dev
-```
-
-如此一来，浏览器访问 http://127.0.0.1:3000 即可访问前端页面。
 
 ## 其他配置
 
@@ -334,7 +194,7 @@ https://docs.open-isle.com
 
 ### OpenAPI文档使用
 
-- 预发环境/正式环境切换，可以通过如下位置切换API环境
+- 预发环境/正式环境切换，以通过如下位置切换API环境
 
 ![CleanShot 2025-09-10 at 12 .08.00@2x.png](https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/f9fb7a0f020d4a0e94159d7820783224.png)
 

backend/src/main/java/com/openisle/config/SecurityConfig.java

@@ -234,6 +234,7 @@ public class SecurityConfig {
             uri.startsWith("/api/channels") ||
             uri.startsWith("/api/sitemap.xml") ||
             uri.startsWith("/api/medals") ||
+            uri.startsWith("/actuator") ||
             uri.startsWith("/api/rss"));
 
         if (authHeader != null && authHeader.startsWith("Bearer ")) {

backend/src/main/java/com/openisle/controller/CommentController.java

@@ -15,6 +15,7 @@ import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import java.time.LocalDateTime;
 import java.util.ArrayList;
 import java.util.Comparator;
 import java.util.List;
@@ -131,6 +132,7 @@ public class CommentController {
             c.getId(),
             "comment",
             c.getCreatedAt(),
+            c.getPinnedAt(),
             c // payload 是 CommentDto
           )
         )
@@ -145,17 +147,39 @@ public class CommentController {
             l.getId(),
             "log",
             l.getTime(), // 注意字段名不一样
+            null,
             l // payload 是 PostChangeLogDto
           )
         )
         .toList()
     );
     // 排序
-    Comparator<TimelineItemDto<?>> comparator = Comparator.comparing(TimelineItemDto::getCreatedAt);
+    Comparator<TimelineItemDto<?>> pinnedOrderComparator = (a, b) -> {
+      LocalDateTime aPinned = a.getPinnedAt();
+      LocalDateTime bPinned = b.getPinnedAt();
+      if (aPinned == null && bPinned == null) {
+        return 0;
+      }
+      if (aPinned == null) {
+        return 1;
+      }
+      if (bPinned == null) {
+        return -1;
+      }
+      return bPinned.compareTo(aPinned);
+    };
+
+    Comparator<TimelineItemDto<?>> comparator = Comparator.<TimelineItemDto<?>, Boolean>comparing(
+      item -> item.getPinnedAt() == null
+    ).thenComparing(pinnedOrderComparator);
+
+    Comparator<TimelineItemDto<?>> createdAtComparator = Comparator.comparing(
+      TimelineItemDto::getCreatedAt
+    );
     if (CommentSort.NEWEST.equals(sort)) {
-      comparator = comparator.reversed();
+      createdAtComparator = createdAtComparator.reversed();
     }
-    itemDtoList.sort(comparator);
+    itemDtoList.sort(comparator.thenComparing(createdAtComparator));
     log.debug("listComments returning {} comments", itemDtoList.size());
     return itemDtoList;
   }

backend/src/main/java/com/openisle/dto/TimelineItemDto.java

@@ -15,5 +15,6 @@ public class TimelineItemDto<T> {
   private Long id;
   private String kind; // "comment" | "log"
   private LocalDateTime createdAt;
+  private LocalDateTime pinnedAt;
   private T payload; // 泛型，具体类型由外部决定
 }

backend/src/main/resources/application.properties

@@ -4,7 +4,7 @@ server.port=${SERVER_PORT:8080}
 # for mysql
 logging.level.root=${LOG_LEVEL:INFO}
 logging.level.com.openisle.service.CosImageUploader=DEBUG
-spring.datasource.url=jdbc:mysql://${MYSQL_HOST}:3306/${MYSQL_DATABASE}
+spring.datasource.url=jdbc:mysql://${MYSQL_HOST}:${MYSQL_PORT}/${MYSQL_DATABASE}?useUnicode=yes&characterEncoding=UTF-8&useInformationSchema=true&useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true
 spring.datasource.username=${MYSQL_USER:root}
 spring.datasource.password=${MYSQL_PASSWORD:password}
 spring.jpa.hibernate.ddl-auto=update

backend/src/main/resources/db/init/02_seed_data.sql

@@ -6,15 +6,17 @@ DELETE FROM `tags`;
 DELETE FROM `categories`;
 DELETE FROM `users`;
 
-INSERT INTO `users` (`id`,`approved`,`avatar`,`created_at`,`display_medal`,`email`,`experience`,`introduction`,`password`,`password_reset_code`,`point`,`register_reason`,`role`,`username`,`verification_code`,`verified`) VALUES
-(1,b'1','', '2025-09-01 16:08:17.426430','PIONEER','adminmail@openisle.com',70,NULL,'$2a$10$dux.NXwW09cCsdZ05BgcnOtxVqqjcmnbj3.8xcxGl/iiIlv06y7Oe',NULL,110,'测试测试测试……','ADMIN','admin',NULL,b'1'),
-(2,b'1','', '2025-09-03 16:08:17.426430','PIONEER','usermail2@openisle.com',70,NULL,'$2a$10$dux.NXwW09cCsdZ05BgcnOtxVqqjcmnbj3.8xcxGl/iiIlv06y7Oe',NULL,110,'测试测试测试……','USER','user1',NULL,b'1'),
-(3,b'1','', '2025-09-02 17:21:21.617666','PIONEER','usermail1@openisle.com',40,NULL,'$2a$10$dux.NXwW09cCsdZ05BgcnOtxVqqjcmnbj3.8xcxGl/iiIlv06y7Oe',NULL,40,'测试测试测试……','USER','user2',NULL,b'1');
+-- 插入用户，两个普通用户，一个管理员
+-- username:admin/user1/user2 password:123456
+INSERT INTO `users` (`id`, `approved`, `avatar`, `created_at`, `display_medal`, `email`, `experience`, `introduction`, `password`, `password_reset_code`, `point`, `register_reason`, `role`, `username`, `verification_code`, `verified`) VALUES
+(1, b'1', 'https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/image.png', '2025-09-01 16:08:17.426430', 'PIONEER', 'adminmail@openisle.com', 70, NULL, '$2a$10$x7HXjUyJTmrvqjnBlBQZH.vmfsC56NzTSWqQ6WqZqRjUO859EhviS', NULL, 110, '测试测试测试……', 'ADMIN', 'admin', NULL, b'1'),
+(2, b'1', 'https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/image.png', '2025-09-03 16:08:17.426430', 'PIONEER', 'usermail2@openisle.com', 70, NULL, '$2a$10$x7HXjUyJTmrvqjnBlBQZH.vmfsC56NzTSWqQ6WqZqRjUO859EhviS', NULL, 110, '测试测试测试……', 'USER', 'user1', NULL, b'1'),
+(3, b'1', 'https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/image.png', '2025-09-02 17:21:21.617666', 'PIONEER', 'usermail1@openisle.com', 40, NULL, '$2a$10$x7HXjUyJTmrvqjnBlBQZH.vmfsC56NzTSWqQ6WqZqRjUO859EhviS', NULL, 40, '测试测试测试……', 'USER', 'user2', NULL, b'1');
 
 INSERT INTO `categories` (`id`,`description`,`icon`,`name`,`small_icon`) VALUES
-(1,'测试用分类1','1','测试用分类1',NULL),
-(2,'测试用分类2','2','测试用分类2',NULL),
-(3,'测试用分类3','3','测试用分类3',NULL);
+(1,'测试用分类1','star','测试用分类1',NULL),
+(2,'测试用分类2','star','测试用分类2',NULL),
+(3,'测试用分类3','star','测试用分类3',NULL);
 
 INSERT INTO `tags` (`id`,`approved`,`created_at`,`description`,`icon`,`name`,`small_icon`,`creator_id`) VALUES
 (1,b'1','2025-09-02 10:51:56.000000','测试用标签1',NULL,'测试用标签1',NULL,NULL),

deploy/deploy.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# 可用法：
+#   ./deploy.sh
+#   ./deploy.sh feature/docker
+deploy_branch="${1:-main}"
+
+repo_dir="/opt/openisle/OpenIsle"
+compose_file="${repo_dir}/docker/docker-compose.yaml"
+env_file="${repo_dir}/.env"
+project="openisle"
+
+echo "👉 Enter repo..."
+cd "$repo_dir"
+
+echo "👉 Syncing code & switching to branch: $deploy_branch"
+git fetch --all --prune
+git checkout -B "$deploy_branch" "origin/$deploy_branch"
+git reset --hard "origin/$deploy_branch"
+
+echo "👉 Ensuring env file: $env_file"
+if [ ! -f "$env_file" ]; then
+  echo "❌ ${env_file} not found. Create it based on .env.example (with domains)."
+  exit 1
+fi
+
+export COMPOSE_PROJECT_NAME="$project"
+# 供 compose 内各 service 的 env_file 使用
+export ENV_FILE="$env_file"
+
+echo "👉 Validate compose..."
+docker compose -f "$compose_file" --env-file "$env_file" config >/dev/null
+
+echo "👉 Pull base images (for image-based services)..."
+docker compose -f "$compose_file" --env-file "$env_file" pull --ignore-pull-failures
+
+echo "👉 Build images ..."
+# 前端 + OpenSearch 都是自建镜像；--pull 更新其基础镜像
+docker compose -f "$compose_file" --env-file "$env_file" \
+  build --pull \
+  --build-arg NUXT_ENV=production \
+  frontend_service
+
+echo "👉 Recreate & start all target services (no dev profile)..."
+docker compose -f "$compose_file" --env-file "$env_file" \
+  up -d --force-recreate --remove-orphans --no-deps \
+  mysql redis rabbitmq websocket-service springboot frontend_service
+
+echo "👉 Current status:"
+docker compose -f "$compose_file" --env-file "$env_file" ps
+
+echo "👉 Pruning dangling images..."
+docker image prune -f
+
+echo "✅ Stack deployed at $(date)"

deploy/deploy_staging.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# 可用法：
+#   ./deploy-staging.sh
+#   ./deploy-staging.sh feature/docker
+deploy_branch="${1:-main}"
+
+repo_dir="/opt/openisle/OpenIsle-staging"
+compose_file="${repo_dir}/docker/docker-compose.yaml"
+env_file="${repo_dir}/.env"
+project="openisle_staging"
+
+echo "👉 Enter repo..."
+cd "$repo_dir"
+
+echo "👉 Syncing code & switching to branch: $deploy_branch"
+git fetch --all --prune
+git checkout -B "$deploy_branch" "origin/$deploy_branch"
+git reset --hard "origin/$deploy_branch"
+
+echo "👉 Ensuring env file: $env_file"
+if [ ! -f "$env_file" ]; then
+  echo "❌ ${env_file} not found. Create it based on .env.example (with staging domains)."
+  exit 1
+fi
+
+export COMPOSE_PROJECT_NAME="$project"
+# 供 compose 内各 service 的 env_file 使用
+export ENV_FILE="$env_file"
+
+echo "👉 Validate compose..."
+docker compose -f "$compose_file" --env-file "$env_file" config >/dev/null
+
+echo "👉 Pull base images (for image-based services)..."
+docker compose -f "$compose_file" --env-file "$env_file" pull --ignore-pull-failures
+
+echo "👉 Build images (staging)..."
+# 前端 + OpenSearch 都是自建镜像；--pull 更新其基础镜像
+docker compose -f "$compose_file" --env-file "$env_file" \
+  build --pull \
+  --build-arg NUXT_ENV=staging \
+  frontend_service
+
+echo "👉 Recreate & start all target services (no dev profile)..."
+docker compose -f "$compose_file" --env-file "$env_file" \
+  up -d --force-recreate --remove-orphans --no-deps \
+  mysql redis rabbitmq websocket-service springboot frontend_service
+
+echo "👉 Current status:"
+docker compose -f "$compose_file" --env-file "$env_file" ps
+
+echo "👉 Pruning dangling images..."
+docker image prune -f
+
+echo "✅ Staging stack deployed at $(date)"

docker/docker-compose.yaml

@@ -2,10 +2,10 @@ services:
   # MySQL service
   mysql:
     image: mysql:8.0
-    container_name: openisle-mysql
+    container_name: ${COMPOSE_PROJECT_NAME}-openisle-mysql
     restart: always
     env_file:
-      - ../.env
+      - ${ENV_FILE:-../.env}
     command: >
       --character-set-server=utf8mb4
       --collation-server=utf8mb4_0900_ai_ci
@@ -26,13 +26,13 @@ services:
       retries: 30
       start_period: 20s
 
-
   # OpenSearch Service
   opensearch:
+    user: "1000:1000"
     build:
       context: .
       dockerfile: opensearch.Dockerfile
-    container_name: opensearch
+    container_name: ${COMPOSE_PROJECT_NAME}-opensearch
     environment:
       - cluster.name=os-single
       - node.name=os-node-1
@@ -45,18 +45,16 @@ services:
       memlock: { soft: -1, hard: -1 }
       nofile: { soft: 65536, hard: 65536 }
     volumes:
-      - ./data:/usr/share/opensearch/data
-      - ./snapshots:/snapshots
+      - opensearch-data:/usr/share/opensearch/data
+      - opensearch-snapshots:/snapshots
     ports:
       - "${OPENSEARCH_PORT:-9200}:9200"
       - "${OPENSEARCH_METRICS_PORT:-9600}:9600"
     restart: unless-stopped
     healthcheck:
       test:
-        [
-          "CMD-SHELL",
-          "curl -fsS http://127.0.0.1:9200/_cluster/health >/dev/null",
-        ]
+        - CMD-SHELL
+        - curl -fsS http://127.0.0.1:9200/_cluster/health >/dev/null
       interval: 10s
       timeout: 5s
       retries: 30
@@ -66,10 +64,10 @@ services:
 
   dashboards:
     image: opensearchproject/opensearch-dashboards:3.0.0
-    container_name: os-dashboards
+    container_name: ${COMPOSE_PROJECT_NAME}-os-dashboards
     environment:
-      - OPENSEARCH_HOSTS=["http://opensearch:9200"]
-      - DISABLE_SECURITY_DASHBOARDS_PLUGIN=true
+      OPENSEARCH_HOSTS: '["http://opensearch:9200"]'
+      DISABLE_SECURITY_DASHBOARDS_PLUGIN: "true"
     ports:
       - "${OPENSEARCH_DASHBOARDS_PORT:-5601}:5601"
     depends_on:
@@ -80,10 +78,10 @@ services:
 
   rabbitmq:
     image: rabbitmq:3.13-management
-    container_name: openisle-rabbitmq
+    container_name: ${COMPOSE_PROJECT_NAME}-openisle-rabbitmq
     restart: unless-stopped
     environment:
-      RABBITMQ_DEFAULT_VHOST: ${RABBITMQ_VHOST:-/}
+      RABBITMQ_DEFAULT_VHOST: "${RABBITMQ_VHOST:-/}"
     ports:
       - "${RABBITMQ_PORT:-5672}:5672"
       - "${RABBITMQ_MANAGEMENT_PORT:-15672}:15672"
@@ -103,10 +101,10 @@ services:
 
   redis:
     image: redis:7
-    container_name: openisle-redis
+    container_name: ${COMPOSE_PROJECT_NAME}-openisle-redis
     restart: unless-stopped
     env_file:
-      - ../.env
+      - ${ENV_FILE:-../.env}
     ports:
       - "${REDIS_PORT:-6379}:6379"
     volumes:
@@ -114,16 +112,22 @@ services:
     networks:
       - openisle-network
 
-  # Java spring boot service
+  # Java spring boot service (开发便捷镜像，后续可换成打包镜像)
   springboot:
     image: maven:3.9-eclipse-temurin-17
-    container_name: openisle-springboot
+    container_name: ${COMPOSE_PROJECT_NAME}-openisle-springboot
     working_dir: /app
     env_file:
-      - ../.env
+      - ${ENV_FILE:-../.env}
     environment:
+      TZ: "Asia/Shanghai"  
       SPRING_HEALTH_PATH: ${SPRING_HEALTH_PATH:-/actuator/health}
       SERVER_PORT: ${SERVER_PORT:-8080}
+      RABBITMQ_PORT: 5672
+      OPENSEARCH_PORT: 9200
+      MYSQL_PORT: 3306
+      REDIS_PORT: 6379
+      JAVA_OPTS: "-Duser.timezone=Asia/Shanghai"
     ports:
       - "${SERVER_PORT:-8080}:${SERVER_PORT:-8080}"
     volumes:
@@ -144,11 +148,7 @@ services:
       sh -c "apt-get update && apt-get install -y --no-install-recommends curl &&
              mvn clean spring-boot:run -Dmaven.test.skip=true"
     healthcheck:
-      test:
-        [
-          "CMD-SHELL",
-          "curl -fsS http://127.0.0.1:${SERVER_PORT:-8080}${SPRING_HEALTH_PATH:-/actuator/health} || exit 1",
-        ]
+      test: ["CMD-SHELL", "curl -fsS http://127.0.0.1:${SERVER_PORT:-8080}${SPRING_HEALTH_PATH:-/actuator/health} || exit 1"]
       interval: 10s
       timeout: 5s
       retries: 30
@@ -158,14 +158,15 @@ services:
 
   websocket-service:
     image: maven:3.9-eclipse-temurin-17
-    container_name: openisle-websocket
+    container_name: ${COMPOSE_PROJECT_NAME}-openisle-websocket
     working_dir: /app
     env_file:
-      - ../.env
+      - ${ENV_FILE:-../.env}
     environment:
       WS_HEALTH_PATH: ${WS_HEALTH_PATH:-/actuator/health}
       WEBSOCKET_PORT: ${WEBSOCKET_PORT:-8082}
       SERVER_PORT: ${WEBSOCKET_PORT:-8082}
+      RABBITMQ_PORT: 5672
     ports:
       - "${WEBSOCKET_PORT:-8082}:${WEBSOCKET_PORT:-8082}"
     volumes:
@@ -178,11 +179,7 @@ services:
       sh -c "apt-get update && apt-get install -y --no-install-recommends curl &&
              mvn clean spring-boot:run -Dmaven.test.skip=true"
     healthcheck:
-      test:
-        [
-          "CMD-SHELL",
-          "curl -fsS http://127.0.0.1:${WEBSOCKET_PORT:-8082}${WS_HEALTH_PATH:-/actuator/health} || exit 1",
-        ]
+      test: ["CMD-SHELL", "curl -fsS http://127.0.0.1:${WEBSOCKET_PORT:-8082}${WS_HEALTH_PATH:-/actuator/health} || exit 1"]
       interval: 10s
       timeout: 5s
       retries: 30
@@ -192,10 +189,10 @@ services:
 
   frontend_dev:
     image: node:20
-    container_name: openisle-frontend-dev
+    container_name: ${COMPOSE_PROJECT_NAME}-openisle-frontend-dev
     working_dir: /app
     env_file:
-      - ../.env
+      - ${ENV_FILE:-../.env}
     command: sh -c "npm install && npm run dev"
     volumes:
       - ../frontend_nuxt:/app
@@ -215,39 +212,31 @@ services:
   frontend_service:
     build:
       context: ..
-      dockerfile: frontend-service.Dockerfile
-    container_name: openisle-frontend-service
-    working_dir: /app
+      dockerfile: docker/frontend-service.Dockerfile
+      args:
+        NUXT_ENV: ${NUXT_ENV:-staging}
+    container_name: ${COMPOSE_PROJECT_NAME}-openisle-frontend
     env_file:
-      - ../.env
-    volumes:
-      - ../frontend_nuxt:/app
-      - frontend-service-node-modules:/app/node_modules
-      - frontend-static:/var/www/openisle
+      - ${ENV_FILE:-../.env}
     ports:
-      - "${FRONTEND_SERVICE_PORT:-3001}:3000"
+      - "${FRONTEND_PORT:-3000}:3000"
     depends_on:
       springboot:
         condition: service_healthy
       websocket-service:
         condition: service_healthy
-    networks:
-      - openisle-network
-    profiles:
-      - service
+    restart: unless-stopped
 
   loopback_8080:
     image: alpine/socat
-    container_name: loopback-8080
+    container_name: ${COMPOSE_PROJECT_NAME}-loopback-8080
     # 监听“frontend_dev 容器自身的” 127.0.0.1:8080 → 转发到 springboot:8080
     command:
-      [
-        "-d",
-        "-d",
-        "-ly",
-        "TCP4-LISTEN:8080,bind=127.0.0.1,reuseaddr,fork",
-        "TCP4:springboot:8080",
-      ]
+      - -d
+      - -d
+      - -ly
+      - TCP4-LISTEN:8080,bind=127.0.0.1,reuseaddr,fork
+      - TCP4:springboot:8080
     depends_on:
       springboot:
         condition: service_healthy
@@ -262,16 +251,14 @@ services:
 
   loopback_8082:
     image: alpine/socat
-    container_name: loopback-8082
+    container_name: ${COMPOSE_PROJECT_NAME}-loopback-8082
     # 监听 127.0.0.1:8082 → 转发到 websocket-service:8082（WS 纯 TCP 可直接过）
     command:
-      [
-        "-d",
-        "-d",
-        "-ly",
-        "TCP4-LISTEN:8082,bind=127.0.0.1,reuseaddr,fork",
-        "TCP4:websocket-service:8082",
-      ]
+      - -d
+      - -d
+      - -ly
+      - TCP4-LISTEN:8082,bind=127.0.0.1,reuseaddr,fork
+      - TCP4:websocket-service:8082
     depends_on:
       websocket-service:
         condition: service_healthy
@@ -286,14 +273,27 @@ services:
 
 networks:
   openisle-network:
+    name: "${COMPOSE_PROJECT_NAME}_net"
     driver: bridge
 
 volumes:
   mysql-data:
+    name: "${COMPOSE_PROJECT_NAME}_mysql-data"
   maven-repo:
+    name: "${COMPOSE_PROJECT_NAME}_maven-repo"
   redis-data:
+    name: "${COMPOSE_PROJECT_NAME}_redis-data"
   rabbitmq-data:
+    name: "${COMPOSE_PROJECT_NAME}_rabbitmq-data"
   websocket-maven-repo:
+    name: "${COMPOSE_PROJECT_NAME}_websocket-maven-repo"
   frontend-node-modules:
+    name: "${COMPOSE_PROJECT_NAME}_frontend-node-modules"
   frontend-service-node-modules:
+    name: "${COMPOSE_PROJECT_NAME}_frontend-service-node-modules"
   frontend-static:
+    name: "${COMPOSE_PROJECT_NAME}_frontend-static"
+  opensearch-data:
+    name: "${COMPOSE_PROJECT_NAME}_opensearch-data"
+  opensearch-snapshots:
+    name: "${COMPOSE_PROJECT_NAME}_opensearch-snapshots"

docker/frontend-service-entrypoint.sh

@@ -1,62 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-cd /app
-
-echo "👉 Building frontend (Nuxt SSR)..."
-
-if [ -f .env.production.example ] && [ ! -f .env ]; then
-  echo "📄 Copying .env.production.example to .env"
-  cp .env.production.example .env
-fi
-
-npm ci
-npm run build
-
-echo "🧪 Smoke-testing: nuxt generate (artifacts will NOT be used)..."
-
-SSR_OUTPUT_DIR=".output"
-SSR_OUTPUT_BAK=".output-ssr-backup-$$"
-GEN_FAIL_MSG="❌ Generate smoke test failed"
-
-if [ ! -d "${SSR_OUTPUT_DIR}" ]; then
-  echo "❌ 未发现 ${SSR_OUTPUT_DIR}，请先确保 npm run build 成功执行"
-  exit 1
-fi
-
-mv "${SSR_OUTPUT_DIR}" "${SSR_OUTPUT_BAK}"
-
-restore_on_fail() {
-  if [ -d ".output" ]; then
-    mv .output ".output-generate-failed-$(date +%s)" || true
-  fi
-  mv "${SSR_OUTPUT_BAK}" "${SSR_OUTPUT_DIR}"
-}
-
-trap 'restore_on_fail; echo "${GEN_FAIL_MSG}: unexpected error"; exit 1' ERR
-
-NUXT_TELEMETRY_DISABLED=1 \
-NITRO_PRERENDER_FAIL_ON_ERROR=1 \
-npx nuxi generate --preset static
-
-if [ ! -d ".output/public" ]; then
-  restore_on_fail
-  echo "${GEN_FAIL_MSG}: .output/public not found"
-  exit 1
-fi
-
-rm -rf ".output"
-mv "${SSR_OUTPUT_BAK}" "${SSR_OUTPUT_DIR}"
-trap - ERR
-echo "✅ Generate smoke test passed."
-
-if [ -d ".output/public" ]; then
-  mkdir -p /var/www/openisle
-  rsync -a --delete .output/public/ /var/www/openisle/
-else
-  echo "❌ 未发现 .output/public；检查 nuxt.config.ts/nitro preset"
-  exit 1
-fi
-
-echo "🚀 Starting Nuxt SSR server..."
-exec node .output/server/index.mjs

docker/frontend-service.Dockerfile

@@ -1,12 +1,39 @@
-FROM node:20
-
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends rsync \
-    && rm -rf /var/lib/apt/lists/*
-
+# ==== builder ====
+FROM node:20-bullseye AS builder
 WORKDIR /app
 
-COPY docker/frontend-service-entrypoint.sh /usr/local/bin/frontend-service-entrypoint.sh
-RUN chmod +x /usr/local/bin/frontend-service-entrypoint.sh
+# 通过构建参数选择环境：staging / production（默认 staging）
+ARG NUXT_ENV=staging
+ENV NODE_ENV=production \
+    NUXT_TELEMETRY_DISABLED=1
 
-CMD ["frontend-service-entrypoint.sh"]
+# 复制源代码（假设仓库根目录包含 frontend_nuxt）
+# 构建上下文由 docker-compose 指向仓库根目录
+COPY ./frontend_nuxt/package*.json /app/
+RUN npm ci
+
+# 拷贝剩余代码
+COPY ./frontend_nuxt/ /app/
+
+# 若存在环境样例文件，则在构建期复制为 .env（你也可以用 --build-arg 覆盖）
+RUN if [ -f ".env.${NUXT_ENV}.example" ]; then cp ".env.${NUXT_ENV}.example" .env; fi
+
+# 构建 SSR：产物在 .output
+RUN npm run build
+
+# ==== runner ====
+FROM node:20-alpine AS runner
+WORKDIR /app
+ENV NODE_ENV=production \
+    NUXT_TELEMETRY_DISABLED=1 \
+    PORT=3000 \
+    HOST=0.0.0.0
+
+# 复制构建产物
+COPY --from=builder /app/.output /app/.output
+
+# 健康检查（简洁起见，探测首页）
+HEALTHCHECK --interval=10s --timeout=5s --retries=30 CMD wget -qO- http://127.0.0.1:${PORT}/ >/dev/null 2>&1 || exit 1
+
+EXPOSE 3000
+CMD ["node", ".output/server/index.mjs"]

frontend_nuxt/assets/global.css

@@ -341,6 +341,16 @@ body {
   .info-content-text pre {
     line-height: 1.5;
   }
+  
+  /*处理iframe视频标签*/
+  .info-content-text iframe {
+    width: 100%;
+    max-width: 100%;
+    height: auto;
+    aspect-ratio: 16 / 9; /* 保持 16:9 比例 */
+    border: none;
+    display: block;
+  }
 
   .d2h-file-name {
     font-size: 14px !important;

frontend_nuxt/components/AvatarCropper.vue

@@ -119,7 +119,7 @@ export default {
 
 .cropper-btn {
   padding: 6px 12px;
-  border-radius: 4px;
+  border-radius: 10px;
   color: var(--primary-color);
   border: none;
   background: transparent;
@@ -128,7 +128,7 @@ export default {
 
 .cropper-btn.primary {
   background: var(--primary-color);
-  color: var(--text-color);
+  color: #ffff;
   border-color: var(--primary-color);
 }
 

frontend_nuxt/pages/posts/[id]/index.vue

@@ -366,7 +366,11 @@ const changeLogIcon = (l) => {
       return 'unlock'
     }
   } else if (l.type === 'PINNED') {
-    return 'pin-icon'
+    if(l.newPinnedAt){
+      return 'pin'
+    }else{
+      return 'clear-icon'
+    }
   } else if (l.type === 'FEATURED') {
     if (l.newFeatured) {
       return 'star'

frontend_nuxt/utils/markdown.js

@@ -157,6 +157,7 @@ const SANITIZE_CFG = {
     'th',
     'video',
     'source',
+    'iframe',
   ],
   // 允许的属性
   allowedAttributes: {
@@ -180,6 +181,16 @@ const SANITIZE_CFG = {
       'crossorigin',
     ],
     source: ['src', 'type'],
+    iframe: [
+      'src',
+      'title',
+      'width',
+      'height',
+      'allow',
+      'allowfullscreen',
+      'frameborder',
+      'referrerpolicy',
+    ],
   },
   // 允许的类名（保留你的样式钩子）
   allowedClasses: {

nginx/openisle

@@ -0,0 +1,174 @@
+server {
+    listen 443 ssl;
+    server_name open-isle.com www.open-isle.com;
+
+    ssl_certificate     /etc/letsencrypt/live/open-isle.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/open-isle.com/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        add_header Cache-Control "no-store" always;
+        add_header X-Upstream $upstream_addr always;
+    }
+
+    location ^~ /api/ws {
+        proxy_pass         http://127.0.0.1:8080;
+        proxy_http_version 1.1;
+
+        # 升级所需
+        proxy_set_header   Upgrade              $http_upgrade;
+        proxy_set_header   Connection           $connection_upgrade;
+
+        # 统一透传这些头（你在 /api/ 有，/api/ws 也要有）
+        proxy_set_header   Host                 $host;
+        proxy_set_header   X-Real-IP            $remote_addr;
+        proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto    $scheme;
+        proxy_set_header   X-Forwarded-Host     $host;
+
+        proxy_read_timeout 300s;
+        proxy_send_timeout 300s;
+        proxy_buffering    off;
+        proxy_cache        off;
+    }
+
+    # 2) SockJS（包含 /info、/iframe.html、/.../websocket 等）
+    location ^~ /api/sockjs {
+        proxy_pass         http://127.0.0.1:8080;
+        proxy_http_version 1.1;
+
+        proxy_set_header   Upgrade              $http_upgrade;
+        proxy_set_header   Connection           $connection_upgrade;
+
+        proxy_set_header   Host                 $host;
+        proxy_set_header   X-Real-IP            $remote_addr;
+        proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto    $scheme;
+        proxy_set_header   X-Forwarded-Host     $host;
+
+        proxy_read_timeout 300s;
+        proxy_send_timeout 300s;
+        proxy_buffering    off;
+        proxy_cache        off;
+
+        # 如要同源 iframe 回退，下面两行二选一（或者交给 Spring Security 的 sameOrigin）
+        # proxy_hide_header  X-Frame-Options;
+        # add_header         X-Frame-Options "SAMEORIGIN" always;
+    }
+
+    location /api/ {
+        proxy_pass http://127.0.0.1:8080/api/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
+        proxy_no_cache 1;
+        proxy_cache_bypass 1;
+    }
+
+    # 通过 https://open-isle.com/rabbitmq/ 访问管理界面
+    location ^~ /rabbitmq/ {
+        # 关键点：proxy_pass 以 "/" 结尾，保留后缀子路径映射
+        proxy_pass         http://127.0.0.1:15672/;
+        proxy_http_version 1.1;
+    
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+    
+        proxy_read_timeout 300s;
+        proxy_send_timeout 300s;
+    
+        # 把上游返回的绝对重定向 /... 改写为 /rabbitmq/...
+        proxy_redirect ~^(/.*)$ /rabbitmq$1;
+    
+        # 为了做 HTML/CSS/JS 内绝对路径替换，需要关闭压缩
+        proxy_set_header   Accept-Encoding "";
+    
+        # 将页面中以 "/" 开头的 src/href 替换为 "/rabbitmq/..."
+        sub_filter_types text/html text/css application/javascript;
+        sub_filter 'href="/' 'href="/rabbitmq/';
+        sub_filter 'src="/'  'src="/rabbitmq/';
+        sub_filter_once off;
+    
+        # 建议对管理台再加一道保护（可选）
+        # auth_basic "RabbitMQ Console";
+        # auth_basic_user_file /etc/nginx/.htpasswd;
+    }
+
+    # 通过 https://open-isle.com/docker/ 访问 Portainer（上游是自签名 HTTPS）
+    location ^~ /docker/ {
+        proxy_pass         https://127.0.0.1:19000/;  # 末尾 / 保留子路径
+        proxy_http_version 1.1;
+
+        # 上游是自签证书，关闭校验（仅内网/自签场景）
+        proxy_ssl_verify   off;
+
+        # 透传头
+        proxy_set_header   Host                 $host;
+        proxy_set_header   X-Real-IP            $remote_addr;
+        proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto    $scheme;
+        proxy_set_header   X-Forwarded-Host     $host;
+
+        # WebSocket/事件流（Portainer 某些功能会用到）
+        proxy_set_header   Upgrade              $http_upgrade;
+        proxy_set_header   Connection           $connection_upgrade;
+
+        proxy_read_timeout 300s;
+        proxy_send_timeout 300s;
+        proxy_buffering    off;
+        proxy_cache        off;
+
+        # 把上游返回的绝对重定向 /... 改写为 /docker/...
+        proxy_redirect     ~^(/.*)$ /docker$1;
+
+        # 为了替换 HTML/CSS/JS 中的绝对路径，需要关闭压缩
+        proxy_set_header   Accept-Encoding "";
+
+        # 将页面中以 "/" 开头的 src/href 替换为 "/docker/..."
+        sub_filter_types   text/html text/css application/javascript;
+        sub_filter         'href="/' 'href="/docker/';
+        sub_filter         'src="/'  'src="/docker/';
+        sub_filter_once    off;
+
+        # 可选：再加一道基本认证
+        # auth_basic "Portainer";
+        # auth_basic_user_file /etc/nginx/.htpasswd;
+    }
+
+
+    # ---------- WEBSOCKET GATEWAY TO :8082 ----------
+    location ^~ /websocket/ {
+        proxy_pass         http://127.0.0.1:8082/; 
+        proxy_http_version 1.1;
+
+        proxy_set_header   Upgrade              $http_upgrade;
+        proxy_set_header   Connection           $connection_upgrade;
+
+        proxy_set_header   Host                 $host;
+        proxy_set_header   X-Real-IP            $remote_addr;
+        proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto    $scheme;
+        proxy_set_header   X-Forwarded-Host     $host;
+
+        proxy_read_timeout 300s;
+        proxy_send_timeout 300s;
+        proxy_buffering    off;
+        proxy_cache        off;
+        add_header         Cache-Control "no-store" always;
+    }
+}
+server {
+    listen 80;
+    server_name open-isle.com www.open-isle.com;
+    return 301 https://$host$request_uri;
+}

nginx/openisle-staging

@@ -0,0 +1,133 @@
+# 放在 http { } 里一次定义
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+server {
+    listen 443 ssl;
+    server_name staging.open-isle.com www.staging.open-isle.com;
+
+
+    ssl_certificate     /etc/letsencrypt/live/staging.open-isle.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/staging.open-isle.com/privkey.pem;
+    # ssl_certificate     /etc/letsencrypt/live/open-isle.com/fullchain.pem;
+    # ssl_certificate_key /etc/letsencrypt/live/open-isle.com/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    # ---------- SSR ----------
+    location / {
+        proxy_pass http://127.0.0.1:3001;
+        proxy_http_version 1.1;
+
+        # 正确的升级头（仅在有 Upgrade 时）
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+
+        # 透传真实主机/协议/源 IP
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host  $host;
+
+        # 合理超时，避免 SSR 首屏慢查询导致 502/504
+        proxy_read_timeout 120s;
+        proxy_send_timeout 120s;
+
+        add_header Cache-Control "no-store" always;
+        add_header X-Upstream $upstream_addr always;
+    }
+
+    # 1) 原生 WebSocket
+    location ^~ /api/ws {
+        proxy_pass         http://127.0.0.1:8081;  # 不要尾随 /，保留原样 URI
+        proxy_http_version 1.1;
+
+        # 升级所需
+        proxy_set_header   Upgrade              $http_upgrade;
+        proxy_set_header   Connection           $connection_upgrade;
+
+        # 统一透传这些头（你在 /api/ 有，/api/ws 也要有）
+        proxy_set_header   Host                 $host;
+        proxy_set_header   X-Real-IP            $remote_addr;
+        proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto    $scheme;
+        proxy_set_header   X-Forwarded-Host     $host;
+
+        proxy_read_timeout 300s;
+        proxy_send_timeout 300s;
+        proxy_buffering    off;
+        proxy_cache        off;
+    }
+
+    # 2) SockJS（包含 /info、/iframe.html、/.../websocket 等）
+    location ^~ /api/sockjs {
+        proxy_pass         http://127.0.0.1:8081;
+        proxy_http_version 1.1;
+
+        proxy_set_header   Upgrade              $http_upgrade;
+        proxy_set_header   Connection           $connection_upgrade;
+
+        proxy_set_header   Host                 $host;
+        proxy_set_header   X-Real-IP            $remote_addr;
+        proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto    $scheme;
+        proxy_set_header   X-Forwarded-Host     $host;
+
+        proxy_read_timeout 300s;
+        proxy_send_timeout 300s;
+        proxy_buffering    off;
+        proxy_cache        off;
+
+        # 如要同源 iframe 回退，下面两行二选一（或者交给 Spring Security 的 sameOrigin）
+        # proxy_hide_header  X-Frame-Options;
+        # add_header         X-Frame-Options "SAMEORIGIN" always;
+    }    
+
+    # ---------- API ----------
+    location /api/ {
+        proxy_pass http://127.0.0.1:8081/api/;
+        proxy_http_version 1.1;
+
+    	proxy_set_header Upgrade $http_upgrade;
+    	proxy_set_header Connection $connection_upgrade;
+
+
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host  $host;
+
+        proxy_read_timeout 120s;
+        proxy_send_timeout 120s;
+
+        add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
+        proxy_no_cache 1;
+        proxy_cache_bypass 1;
+    }
+
+    # ---------- WEBSOCKET GATEWAY TO :8083 ----------
+    location ^~ /websocket/ {
+        proxy_pass         http://127.0.0.1:8083/;
+        proxy_http_version 1.1;
+
+        proxy_set_header   Upgrade              $http_upgrade;
+        proxy_set_header   Connection           $connection_upgrade;
+
+        proxy_set_header   Host                 $host;
+        proxy_set_header   X-Real-IP            $remote_addr;
+        proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto    $scheme;
+        proxy_set_header   X-Forwarded-Host     $host;
+
+        proxy_read_timeout 300s;
+        proxy_send_timeout 300s;
+        proxy_buffering    off;
+        proxy_cache        off;
+        add_header         Cache-Control "no-store" always;
+    }
+
+}