From 87e904b97ec79e7549d1c1a5f929850209474a52 Mon Sep 17 00:00:00 2001
From: WangDL
Date: Mon, 18 May 2026 14:46:16 +0800
Subject: [PATCH] fix: add backend health check + HTTPS nginx config with SSL support
Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/deploy.yml | 42 +++++++++++++++++++++++--
 nginx/longde.cloud-ssl.conf | 61 +++++++++++++++++++++++++++++++++++++
 2 files changed, 100 insertions(+), 3 deletions(-)
 create mode 100644 nginx/longde.cloud-ssl.conf
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 3c2e314..f853e74 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -23,11 +23,10 @@ jobs:
 -w /app \
 node:22-alpine sh -c "npm install && npm run build"
- - name: Install Nginx config
+ - name: Install Nginx config (HTTP)
 run: |
 mkdir -p /etc/nginx/conf.d 2>/dev/null
 cp /tmp/web-projects/nginx/longde.cloud.conf /etc/nginx/conf.d/longde.cloud.conf
- # fallback for sites-enabled style
 mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled 2>/dev/null
 cp /tmp/web-projects/nginx/longde.cloud.conf /etc/nginx/sites-available/longde.cloud.conf 2>/dev/null
 ln -sf /etc/nginx/sites-available/longde.cloud.conf /etc/nginx/sites-enabled/longde.cloud.conf 2>/dev/null
@@ -37,5 +36,42 @@ jobs:
 rm -rf /var/www/longde.cloud/*
 cp -r /tmp/web-projects/dist/* /var/www/longde.cloud/
+ - name: Ensure API backend is running
+ run: |
+ # Start MySQL + Redis via docker compose (try common locations)
+ for dir in /opt/zhixi /root/zhixi /home/*/zhixi; do
+ if [ -f "$dir/docker-compose.yml" ]; then
+ cd "$dir" && docker compose up -d mysql redis 2>/dev/null || true
+ break
+ fi
+ done
+
+ # Create shared network if missing
+ docker network inspect zhixi-net >/dev/null 2>&1 || docker network create zhixi-net
+
+ # Restart API container if not running
+ if ! docker ps --format '{{.Names}}' | grep -q '^zhixi-api$'; then
+ echo "[deploy] zhixi-api is down, attempting restart..."
+ docker start zhixi-api 2>/dev/null || true
+ sleep 5
+ fi
+
+ # Health check
+ if curl -sf http://localhost:3001/health; then
+ echo "[deploy] Backend health OK"
+ else
+ echo "[deploy] WARNING: Backend health check failed"
+ docker ps --format 'table {{.Names}}\t{{.Status}}' 2>/dev/null | grep -i zhixi || true
+ fi
+
+ - name: Install Nginx config (HTTPS)
+ run: |
+ if [ -f /etc/letsencrypt/live/longde.cloud/fullchain.pem ]; then
+ cp /tmp/web-projects/nginx/longde.cloud-ssl.conf /etc/nginx/conf.d/longde.cloud-ssl.conf
+ else
+ echo "[deploy] No SSL cert found, skipping HTTPS config"
+ rm -f /etc/nginx/conf.d/longde.cloud-ssl.conf
+ fi
+
+ - name: Reload Nginx
- run: nginx -s reload
+ run: nginx -s reload || nginx -t 2>&1
diff --git a/nginx/longde.cloud-ssl.conf b/nginx/longde.cloud-ssl.conf
new file mode 100644
index 0000000..548217f
--- /dev/null
+++ b/nginx/longde.cloud-ssl.conf
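Review bot: In `.gitea/workflows/deploy.yml`, the compose lookup in the `Ensure API backend is running` step walks `/opt/zhixi /root/zhixi /home/*/zhixi` and runs `docker compose up -d` from the first directory that holds a `docker-compose.yml`, so when the first two are absent the runner starts whatever compose file sits in a user's home directory. The same job copies files into /etc/nginx, so it presumably runs with root privileges; pin a single deployment path instead, e.g. `docker compose -f /opt/zhixi/docker-compose.yml up -d mysql redis`, and drop the `2>/dev/null || true` so a failed start is visible in the job log. The health-check `else` branch only echoes a warning, so a dead backend still produces a green deploy; add `exit 1` there if the step is meant to gate the release. In the reload step, `nginx -s reload || nginx -t 2>&1` tests the configuration only after the reload has already failed; `nginx -t && nginx -s reload` validates the newly copied files first.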
@@ -0,0 +1,61 @@
+server {
+ listen 443 ssl http2;
+ server_name longde.cloud www.longde.cloud;
+
+ ssl_certificate /etc/letsencrypt/live/longde.cloud/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/longde.cloud/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/longde.cloud/chain.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+
+ root /var/www/longde.cloud;
+ index index.html;
+
+ # Gzip
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 5;
+ gzip_min_length 256;
+ gzip_types application/json text/plain text/css application/javascript image/svg+xml;
+
+ # API proxy to NestJS backend (Docker container on port 3001)
+ location /api/ {
+ proxy_pass http://localhost:3001/api/;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 90s;
+ proxy_connect_timeout 10s;
+ client_max_body_size 10m;
+ }
+
+ # Swagger docs
+ location /api-docs {
+ proxy_pass http://localhost:3001/api-docs;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /api-docs-json {
+ proxy_pass http://localhost:3001/api-docs-json;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ # Frontend — SPA fallback
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+}
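Review bot: The `location /api-docs` and `location /api-docs-json` blocks publish the backend's Swagger UI and OpenAPI document to anyone who can reach port 443, with no `allow`/`deny` or `auth_basic` in front of them. If the docs are not meant to be public, restrict both blocks, e.g. `allow <ADMIN_CIDR>; deny all;` (placeholder value), or leave them out of the production vhost. The server block also sends no `Strict-Transport-Security` header; assuming the HTTP vhost redirects to HTTPS, `add_header Strict-Transport-Security "max-age=31536000" always;` at server level would keep browsers from falling back to plain HTTP. The workflow step that installs this file tests only for `fullchain.pem`, while this config also requires `privkey.pem` and `chain.pem`, so a partial certificate directory would still break the reload.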