## Overall Architecture

```text
User request
    ↓
Alibaba Cloud SLB (load balancer)
    ↓
ECS: Nginx reverse proxy → Docker container (Hyperf)
    ↓
RDS MySQL / Tair Redis (private network)
```

---

## 1. ECS Initialization

### 1.1 Recommended configuration

| Item    | Recommendation                                        |
|---------|-------------------------------------------------------|
| OS      | Ubuntu 22.04 LTS                                      |
| Spec    | 2 vCPU / 4 GB to start; 4 vCPU / 8 GB for production  |
| Disk    | 40 GB SSD system disk; data disk as needed            |
| Network | Same VPC and same region as RDS/Redis                 |

### 1.2 Security group rules

| Direction | Port | Protocol | Source          | Purpose                            |
|-----------|------|----------|-----------------|------------------------------------|
| Inbound   | 80   | TCP      | 0.0.0.0/0       | HTTP                               |
| Inbound   | 443  | TCP      | 0.0.0.0/0       | HTTPS                              |
| Inbound   | 22   | TCP      | your office IP  | SSH (never open it to 0.0.0.0/0)   |

Outbound: allow all, or restrict as needed.

### 1.3 Install Docker

```bash
# Ubuntu 22.04
curl -fsSL https://get.docker.com | bash

# Configure the Alibaba Cloud registry mirror (required on ECS in mainland China)
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<'EOF'
{
  "registry-mirrors": ["https://你的加速地址.mirror.aliyuncs.com"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m",
    "max-file": "3"
  }
}
EOF

systemctl daemon-reload
systemctl restart docker
systemctl enable docker
```

> The mirror address is shown in the Alibaba Cloud console → Container Registry → Image Accelerator.

---

## 2. Project Dockerfile (multi-stage build)

```dockerfile
# Stage 1: install dependencies
FROM hyperf/hyperf:8.1-alpine-v3.18-swoole AS builder
WORKDIR /app
COPY composer.json composer.lock ./
# Install production dependencies only (skip dev)
RUN composer install \
    --no-dev \
    --no-scripts \
    --no-autoloader \
    --prefer-dist \
    --optimize-autoloader
COPY . .
RUN composer dump-autoload --optimize --no-dev

# Stage 2: production image
FROM hyperf/hyperf:8.1-alpine-v3.18-swoole
LABEL maintainer="your-team"
WORKDIR /app
# Copy the complete project (including vendor) from the builder stage
COPY --from=builder /app .
# Generate IDE helper files (optional)
# RUN php bin/hyperf.php ide-helper:generate
# Timezone
ENV TZ=Asia/Shanghai
# Clear the Hyperf annotation cache (it is regenerated when the container starts)
RUN php bin/hyperf.php vendor:publish --id=config 2>/dev/null || true
EXPOSE 9501
CMD ["php", "bin/hyperf.php", "start"]
```

---

## 3. docker-compose.yml (runs on the ECS)

```yaml
version: "3.8"

services:
  app:
    image: registry.cn-hangzhou.aliyuncs.com/your-ns/your-app:${APP_VERSION:-latest}
    container_name: hyperf_app
    restart: always
    ports:
      - "9501:9501"
    volumes:
      - ./storage/logs:/app/storage/logs
      - ./.env:/app/.env:ro
    environment:
      - APP_ENV=production
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9501/health"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    deploy:
      resources:
        limits:
          memory: 512M

  nginx:
    image: nginx:1.25-alpine
    container_name: nginx
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./deploy/nginx/conf.d:/etc/nginx/conf.d:ro
      - ./deploy/nginx/ssl:/etc/nginx/ssl:ro
      - ./storage/logs/nginx:/var/log/nginx
    depends_on:
      - app

networks:
  default:
    driver: bridge
```

Note that `9501:9501` publishes the Hyperf port on the ECS host itself (the deploy script's local health check relies on it). The security group rules above keep it unreachable from outside; binding it as `127.0.0.1:9501:9501` additionally restricts it to loopback.

---

## 4. Nginx Configuration

`deploy/nginx/conf.d/app.conf`:

```nginx
upstream hyperf {
    server app:9501;
    keepalive 32;
}

# HTTP → HTTPS redirect
server {
    listen 80;
    server_name your-domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name your-domain.com;

    # Alibaba Cloud SSL certificate (download the Nginx-format bundle from the console)
    ssl_certificate     /etc/nginx/ssl/your-domain.pem;
    ssl_certificate_key /etc/nginx/ssl/your-domain.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    client_max_body_size 100m;

    location / {
        proxy_pass http://hyperf;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 120s;
        proxy_connect_timeout 5s;
    }

    # Health check: do not log it
    location /health {
        proxy_pass http://hyperf;
        access_log off;
    }

    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log warn;
}
```

---

## 5. Hyperf Health Check Endpoint

```php
<?php
// app/Controller/HealthController.php
declare(strict_types=1);

namespace App\Controller;

use Hyperf\HttpServer\Annotation\Controller;
use Hyperf\HttpServer\Annotation\GetMapping;

#[Controller(prefix: '/')]
class HealthController extends AbstractController
{
    #[GetMapping(path: 'health')]
    public function check(): array
    {
        return ['status' => 'ok', 'timestamp' => time()];
    }
}
```

---

## 6. CI/CD Flow (recommended: build locally, push to ACR)

### 6.1 Push the image to Alibaba Cloud ACR

```bash
# Log in to ACR (Personal Edition is free; Enterprise Edition is more stable)
docker login --username=your-aliyun-account registry.cn-hangzhou.aliyuncs.com

# Build and tag
docker build -t registry.cn-hangzhou.aliyuncs.com/your-ns/your-app:v1.0.0 .

# Push
docker push registry.cn-hangzhou.aliyuncs.com/your-ns/your-app:v1.0.0
```

### 6.2 Deployment script on the ECS

`deploy/deploy.sh`:

```bash
#!/bin/bash
set -e

APP_VERSION=${1:-latest}
IMAGE=registry.cn-hangzhou.aliyuncs.com/your-ns/your-app:${APP_VERSION}

echo "Pulling image ${IMAGE}"
docker pull "${IMAGE}"

echo "Updating docker-compose"
APP_VERSION=${APP_VERSION} docker-compose up -d --no-deps app

echo "Waiting for health check..."
sleep 5
# Exit non-zero on failure so the calling shell (or CI) sees it
curl -sf http://localhost:9501/health && echo "Deployment succeeded" \
  || { echo "Health check failed, check the logs" >&2; exit 1; }

echo "Cleaning up old images"
docker image prune -f
```

Run the deployment from your local machine:

```bash
ssh root@your-ecs-ip "cd /opt/app && bash deploy/deploy.sh v1.0.0"
```

---

## 7. Hyperf Production Configuration Essentials

### config/autoload/server.php: worker count

```php
'settings' => [
    'worker_num' => swoole_cpu_num() * 2,   // CPU cores × 2
    'task_worker_num' => swoole_cpu_num(),
    'max_request' => 100000,                // Guards against memory leaks: each Worker restarts after 100k requests
    'open_tcp_nodelay' => true,
    'socket_buffer_size' => 2 * 1024 * 1024,
],
```

### config/autoload/logger.php: logging

```php
'default' => [
    'handler' => [
        'class' => \Monolog\Handler\RotatingFileHandler::class,
        'constructor' => [
            'filename' => BASE_PATH . '/storage/logs/hyperf.log',
            'maxFiles' => 7,
            'level' => \Monolog\Logger::INFO,
        ],
    ],
    'formatter' => [
        'class' => \Monolog\Formatter\JsonFormatter::class,
    ],
],
```

### .env: key production settings

```ini
APP_ENV=production
APP_DEBUG=false
# Scan cache: must be enabled in production, greatly speeds up startup
SCAN_CACHEABLE=true
```

---

## 8. Zero-Downtime Updates

Hyperf is built on Swoole and supports graceful restarts via signals.

```bash
# Option 1: Docker rolling update (recommended)
docker-compose up -d --no-deps app
# docker-compose starts the new container first and stops the old one once the health check passes

# Option 2: send SIGUSR1 inside the container to gracefully restart the Workers without dropping connections
docker exec hyperf_app kill -SIGUSR1 1

# Option 3: full restart (brief interruption; seamless when combined with SLB health checks)
docker-compose restart app
```

---

## 9. Directory Layout

```text
/opt/app/
├── docker-compose.yml
├── .env                    # production environment variables (not committed to Git)
├── deploy/
│   ├── nginx/
│   │   ├── conf.d/app.conf
│   │   └── ssl/            # Alibaba Cloud SSL certificate
│   └── deploy.sh
└── storage/
    └── logs/               # mounted log directory
```

---

## 10. Production Checklist

- ECS security group opens only 80/443; SSH is restricted to a source IP
- `.env` is not committed to Git; distribute it via SCP or a key management service
- `APP_DEBUG=false`, `SCAN_CACHEABLE=true`
- Nginx is configured for HTTPS with a forced HTTP → HTTPS redirect
- The SSL certificate comes from Alibaba Cloud SSL Certificate Service (the free DV certificate works)
- Docker log size is capped (`max-size: 100m`)
- `max_request` is set to guard against memory leaks
- `storage/logs` is mounted on the host for easy troubleshooting
- SLB health checks are configured for seamless multi-instance updates
- ACR images are tagged by version; never rely on `latest` alone

---

Core pipeline: the multi-stage Dockerfile builds a slim image → push to ACR → the ECS pulls and runs it → Nginx reverse proxy → SLB faces the public. `SCAN_CACHEABLE=true` and `max_request` are the two key production settings that are most easily overlooked.
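The deploy script in 6.2 sleeps five seconds and then reports the result, and the rolling update in section 8 has no rollback path. The script below is an added example, not the page's own `deploy/deploy.sh`: it polls the compose healthcheck of the page's `app` service (container `hyperf_app`) through Docker's health status and restarts the previously recorded tag when the new one never becomes healthy. The `LAST_VERSION_FILE` state file and the `COMPOSE` override are assumptions of this example.

```bash
#!/bin/bash
# Added example, not the page's deploy.sh: rolling update that waits on the
# compose healthcheck of the page's "app" service (container hyperf_app) and
# rolls back to the previous tag if the new one never turns healthy.
# LAST_VERSION_FILE is a hypothetical state file; set COMPOSE="docker compose" for v2.
set -eu
REGISTRY="registry.cn-hangzhou.aliyuncs.com/your-ns/your-app"
LAST_VERSION_FILE="${LAST_VERSION_FILE:-/opt/app/.last_version}"
COMPOSE="${COMPOSE:-docker-compose}"

# Poll Docker's health status: 0 once healthy, 1 if Docker reports unhealthy
# or after $attempts polls ("starting" or a missing container count as not yet).
wait_healthy() {
  local container=$1 attempts=${2:-12} delay=${3:-5} status i=0
  while [ "$i" -lt "$attempts" ]; do
    status=$(docker inspect --format '{{.State.Health.Status}}' "$container" 2>/dev/null || echo missing)
    case "$status" in
      healthy)   return 0 ;;
      unhealthy) return 1 ;;
    esac
    i=$((i + 1)); sleep "$delay"
  done
  return 1
}

start_version() { APP_VERSION="$1" $COMPOSE up -d --no-deps app; }

# Deploy a tag; record it as last-known-good only after the healthcheck passes,
# otherwise restart the previous tag and exit non-zero so CI notices.
deploy() {
  local version=$1 previous
  previous=$(cat "$LAST_VERSION_FILE" 2>/dev/null || echo "")
  docker pull "${REGISTRY}:${version}"
  start_version "$version"
  if wait_healthy hyperf_app; then
    echo "$version" > "$LAST_VERSION_FILE"
    docker image prune -f
    return 0
  fi
  echo "health check failed for ${version}, last container logs:" >&2
  docker logs --tail 50 hyperf_app >&2 || true
  if [ -n "$previous" ]; then
    echo "rolling back to ${previous}" >&2
    start_version "$previous"
    wait_healthy hyperf_app || echo "rollback is not healthy either" >&2
  fi
  return 1
}
# Run only when invoked with a tag, e.g. ./deploy.sh v1.0.0
if [ $# -gt 0 ]; then deploy "$1"; fi
```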
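Several items of the section 10 checklist can be verified mechanically before each deploy. The script below is an added example, not part of the page: it checks the `.env` values the page calls out, that `.env` is ignored by Git, that the Nginx vhost redirects to HTTPS and pins TLS 1.2/1.3, and that `daemon.json` caps container logs. The paths follow the page's layout; the `--run` flag and function names are assumptions of this example.

```bash
#!/bin/bash
# Added example, not part of the page: scripted checks for the section 10
# production checklist, run from /opt/app on the ECS before deploy.sh.
# Paths are the page's (.env, deploy/nginx/conf.d/app.conf, /etc/docker/daemon.json).
set -eu

# 0 when the last assignment of KEY in an env file equals WANT (comments/blank lines ignored).
env_equals() {
  local file=$1 key=$2 want=$3 value
  value=$(grep -E "^[[:space:]]*${key}=" "$file" | tail -n1 | cut -d= -f2- | tr -d '[:space:]')
  [ "$value" = "$want" ]
}

# APP_ENV=production, APP_DEBUG=false, SCAN_CACHEABLE=true (the settings the page calls out).
check_env() {
  local file=$1 rc=0
  env_equals "$file" APP_ENV production  || { echo "FAIL $file: APP_ENV must be production" >&2; rc=1; }
  env_equals "$file" APP_DEBUG false     || { echo "FAIL $file: APP_DEBUG must be false" >&2; rc=1; }
  env_equals "$file" SCAN_CACHEABLE true || { echo "FAIL $file: SCAN_CACHEABLE must be true" >&2; rc=1; }
  return $rc
}

# .env holds production secrets and must be ignored by Git (exit 0 if ignored).
check_env_ignored() {
  git -C "$(dirname "$1")" check-ignore -q "$(basename "$1")"
}

# The vhost must redirect port 80 to HTTPS and allow only TLS 1.2/1.3.
check_nginx() {
  local conf=$1 rc=0
  grep -qE 'return[[:space:]]+301[[:space:]]+https://' "$conf" || { echo "FAIL $conf: no HTTP to HTTPS redirect" >&2; rc=1; }
  grep -qE '^[[:space:]]*ssl_protocols[[:space:]]+TLSv1\.2[[:space:]]+TLSv1\.3;' "$conf" || { echo "FAIL $conf: ssl_protocols must be TLSv1.2 TLSv1.3" >&2; rc=1; }
  return $rc
}

# Docker must cap json-file logs so a chatty container cannot fill the 40G system disk.
check_docker_logs() {
  grep -q '"max-size"' "$1"
}

run_all() {
  local rc=0
  check_env .env || rc=1
  check_env_ignored .env || { echo "FAIL: .env is not ignored by Git" >&2; rc=1; }
  check_nginx deploy/nginx/conf.d/app.conf || rc=1
  check_docker_logs /etc/docker/daemon.json || { echo "FAIL: no log max-size in daemon.json" >&2; rc=1; }
  return $rc
}
if [ "${1:-}" = "--run" ]; then run_all; fi
```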