iven/base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: initialize ERP base platform (extracted from HMS)

Browse Source 
- Stripped 11 business crates (health, ai, dialysis, plugins)
- Cleaned AppState, AppConfig, main.rs from business coupling
- Reduced migrations from 169 to 53 (base-only)
- Removed health_provider trait from erp-core
- Removed business integration tests
- Removed gateway rate limiting middleware
- Base capabilities: auth, RBAC, JWT, config, workflow, message, plugin, audit, crypto, RLS, multi-tenant

Cargo check: OK
Cargo test: OK
This commit is contained in:
iven
2026-05-31 20:35:57 +08:00
commit 59856ac2fc
639 changed files with 124710 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
docker/nginx/nginx.conf Normal file
View File

@@ -0,0 +1,96 @@
upstream hms_backend {
server app:3000;
keepalive 32;
}
server {
listen 80;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name _;
# ── TLS ──
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# ── 安全头 ──
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self' wss:; frame-ancestors 'none'" always;
# ── 日志 ──
access_log /var/log/nginx/hms_access.log;
error_log /var/log/nginx/hms_error.log warn;
# ── 上传文件(化验单/体检报告)──
location /uploads/ {
proxy_pass http://hms_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 大文件上传限制
client_max_body_size 50m;
}
# ── SSE消息推送/AI 分析)──
location ~ ^/api/v1/(message|ai)/.*sse {
proxy_pass http://hms_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 86400s;
chunked_transfer_encoding on;
}
# ── API 反代 ──
location /api/ {
proxy_pass http://hms_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Connection "";
client_max_body_size 50m;
}
# ── 健康检查 ──
location /health {
proxy_pass http://hms_backend/api/v1/health;
access_log off;
}
# ── 指标(仅内网可访问)──
location /metrics {
# 生产环境应限制为 Prometheus 访问
allow 172.16.0.0/12;
allow 10.0.0.0/8;
deny all;
proxy_pass http://hms_backend:9090/metrics;
access_log off;
}
location / {
return 404;
}
}

3
docker/nginx/ssl/.gitignore vendored Normal file
View File

@@ -0,0 +1,3 @@
*
!.gitkeep
!.gitignore

8
docker/nginx/ssl/.gitkeep Normal file
View File

@@ -0,0 +1,8 @@
# 将 SSL 证书放置在此目录
# 必需文件: fullchain.pem + privkey.pem
# 生产环境建议使用 Let's Encrypt 或云服务商证书管理
#
# Let's Encrypt 示例:
# certbot certonly --standalone -d your-domain.com
# cp /etc/letsencrypt/live/your-domain.com/fullchain.pem .
# cp /etc/letsencrypt/live/your-domain.com/privkey.pem .