[{"data":1,"prerenderedAt":574},["ShallowReactive",2],{"guide:zh:system-settings":3},{"id":4,"title":5,"body":6,"description":566,"extension":567,"meta":568,"navigation":569,"path":570,"seo":571,"stem":572,"__hash__":573},"guide_zh/zh/user/system-settings/index.md","系统设置",{"type":7,"value":8,"toc":542},"minimark",[9,12,16,20,23,28,43,47,51,58,61,64,76,84,87,90,100,117,123,136,139,148,158,168,177,180,190,200,206,209,219,229,234,240,246,249,252,255,264,277,280,301,307,313,317,325,333,341,349,357,360,366,372,378,381,438,442,473,476,479,485,491,500,506,512,518,524,527,533,536,539],[10,11,5],"h1",{"id":5},[13,14,15],"p",{},"系统设置控制应用程序范围内的行为、安全参数和部署配置。本节涵盖安全架构、应用程序配置以及替代部署模型。",[17,18,19],"h2",{"id":19},"安全架构",[13,21,22],{},"Aptli采用四层安全模型，强制实施服务器端渲染（SSR）：",[24,25,27],"h3",{"id":26},"第一层身份验证您是谁-在访问前验证用户身份-基于密码的登录含复杂度要求-oauth提供商githubgoogle-双因素认证totp-需邮箱验证-带过期机制的会话管理-连续登录失败后强制锁定","第一层：身份验证您是谁 - 在访问前验证用户身份。- 基于密码的登录（含复杂度要求）- OAuth提供商（GitHub、Google）- 双因素认证（TOTP）- 需邮箱验证- 带过期机制的会话管理- 连续登录失败后强制锁定",[13,29,30,31,35,36,35,39,42],{},"第二层：管理员权限（开放式）可修改内容：- 显式权限授予- 按模型创建/更新/删除权限- 超级权限：",[32,33,34],"code",{},"appSettingSchemasModify","、",[32,37,38],{},"adminRightsModify",[32,40,41],{},"viewDeleted","- 作用域限定为操作（可创建但不可删除）- 默认：仅查看权限",[24,44,46],{"id":45},"第三层角色限制限制性您无法查看的内容-字段级数据过滤器-模型-字段-比较-值过滤器-在数据库查询前于服务器端应用-无法通过api调用导出或截图绕过-多重限制组合and逻辑","第三层：角色限制（限制性）您无法查看的内容：- 字段级数据过滤器- 模型 + 字段 + 比较 + 值过滤器- 在数据库查询前于服务器端应用- 无法通过API调用、导出或截图绕过- 多重限制组合（AND逻辑）",[24,48,50],{"id":49},"第四层api层强制服务器端渲染ssr-未授权用户确实无法访问数据-所有查询均在服务器端过滤nuxt服务器api-角色限制在mongodb查询前生效-无客户端过滤无法绕过-api对未授权记录返回404即使攻击者知晓id","第四层：API层强制服务器端渲染（SSR）- 未授权用户确实无法访问数据- 所有查询均在服务器端过滤（Nuxt服务器API）- 角色限制在MongoDB查询前生效- 无客户端过滤（无法绕过）- API对未授权记录返回404（即使攻击者知晓ID）",[13,52,53,57],{},[54,55,56],"strong",{},"SSR为何重要：","- **客户端过滤：**数据发送至浏览器后，通过JavaScript隐藏（可通过开发工具绕过）- 
**服务器端过滤：**数据绝不发送给未经授权的用户（安全可靠）",[13,59,60],{},"Aptli采用服务器端渲染（SSR）技术——未经授权的数据永远不会到达客户端。",[17,62,63],{"id":63},"应用程序设置",[13,65,66,71,72],{},[67,68],"img",{"alt":69,"src":70},"应用设置概览","/guide/system-settings/app-settings-overview.png"," ",[73,74,75],"em",{},"应用设置页面展示配置选项与安全参数",[13,77,78,71,81,83],{},[54,79,80],{},"所需权限：",[32,82,34],{}," 管理员权限",[13,85,86],{},"导航至：管理员 → 应用设置",[24,88,89],{"id":89},"身份验证设置",[13,91,92,95,96,99],{},[54,93,94],{},"允许的域名：","- 可注册账户的电子邮件域名列表- 示例：",[32,97,98],{},"[\"company.com\", \"contractor.com\"]","- 仅允许来自这些域名的电子邮件注册- 默认值：您的部署域名",[13,101,102,105,106,109,110,113,114,116],{},[54,103,104],{},"允许注册：","- ",[32,107,108],{},"true"," - 用户可自行注册（需域名匹配）- ",[32,111,112],{},"false"," - 管理员必须手动创建账户- 默认值：",[32,115,112],{},"（受控访问）",[13,118,119,122],{},[54,120,121],{},"可用登录方式：","- 用户名/密码（复选框）- GitHub OAuth（复选框）- Google OAuth（复选框）- 至少需启用一种登录方式- 默认设置：仅限用户名/密码登录",[13,124,125,105,128,130,131,133,134],{},[54,126,127],{},"要求启用双因素认证：",[32,129,108],{}," - 所有用户必须启用双因素认证（可配置宽限期）- ",[32,132,112],{}," - 双因素认证可选- 默认值：",[32,135,112],{},[24,137,138],{"id":138},"会话安全",[13,140,141,144,145],{},[54,142,143],{},"最大登录尝试次数：","- 硬锁定前的失败登录次数- 有效范围：3-10次尝试- 默认值：",[32,146,147],{},"5",[13,149,150,153,154,157],{},[54,151,152],{},"自动注销时间：","- 闲置超时时间（秒）- 读写数据将重置倒计时- 有效范围：1小时 - 7天- 默认值：",[32,155,156],{},"86400","（1天）",[13,159,160,163,164,167],{},[54,161,162],{},"CSRF 令牌过期设置：","- 服务器会话超时时间（分钟）- 强制重新登录（无论是否活跃）- 有效范围：1 小时 - 4 周- 默认值：",[32,165,166],{},"10080","（1 周）",[13,169,170,173,174,176],{},[54,171,172],{},"会话过期：","- 绝对最大会话时长- 单设备用户与CSRF令牌同步- 多设备用户可能存在不同过期时间- 默认值：",[32,175,166],{},"分钟（1周）",[24,178,179],{"id":179},"数据保留",[13,181,182,185,186,189],{},[54,183,184],{},"软删除保留期：","- 软删除记录在数据库中的保留时长- 选项：30天、90天、1年、无限期- 默认值：",[32,187,188],{},"90天","- 适用对象：任务、报告、用户、功能（当设置deletedAt时）",[13,191,192,195,196,199],{},[54,193,194],{},"版本压缩计划：","- 压缩旧功能版本的频率- 选项：每周、每月、每季度- 默认值：",[32,197,198],{},"每月","- 压缩后的版本仍可还原（无损压缩）",[13,201,202,205],{},[54,203,204],{},"交易记录：","- 库存交易永不删除（不可篡改的审计轨迹）- 
可归档至独立数据库（高级配置）",[24,207,208],{"id":208},"新用户默认设置",[13,210,211,214,215,218],{},[54,212,213],{},"新用户角色：","- 自动分配的角色ID数组- 空数组表示无自动限制- 默认值：",[32,216,217],{},"[]","（管理员手动分配）",[13,220,221,224,225,228],{},[54,222,223],{},"新用户管理员权限：","- 对象权限授予- 空对象 = 仅查看权限- 默认值：",[32,226,227],{},"{}","（无写入权限）",[13,230,231],{},[54,232,233],{},"示例配置：",[13,235,236,237],{},"现场工作人员默认设置：",[32,238,239],{},"json {    \"roles\": [\"field_worker_role_id\"],    \"adminRights\": {        \"reportsCreate\": true    }}",[13,241,242,243],{},"办公室协调员默认设置：",[32,244,245],{},"json {    \"roles\": [],    \"adminRights\": {        \"assignmentsCreate\": true,        \"ordersCreate\": true,        \"stockItemsView\": true    }}",[17,247,248],{"id":248},"自托管部署",[13,250,251],{},"Aptli支持自托管部署（需在自托管模式下获取许可证）。",[13,253,254],{},"部署模式",[13,256,257,71,260,263],{},[54,258,259],{},"SaaS 模式（默认）：",[32,261,262],{},"bash NUXT_REQUIRE_LICENSE=false "," - 无需许可证验证 - Aptli 管理基础设施 - 自动更新 - 包含专业支持",[13,265,266,269,272,273,276],{},[54,267,268],{},"自主托管模式：",[32,270,271],{},"bash NUXT_REQUIRE_LICENSE=true NUXT_LICENSE_PUBLIC_KEY=\"-----BEGIN PUBLIC KEY-----...\"","- 需进行许可证验证- 客户自行管理基础设施- 手动更新（替换",[32,274,275],{},".output","文件夹）- 需获取Aptli提供的许可证密钥",[24,278,279],{"id":279},"许可系统",[13,281,282,283,286,287,292,293,296,297,300],{},"**工作原理：**1. 将 ",[32,284,285],{},".output/"," 文件夹部署至服务器2. 服务器生成唯一部署ID（硬件指纹 + 主机名）3. 自动启动30天试用期4. 将部署ID发送至 ",[288,289,291],"a",{"href":290},"mailto:license@aptli.com","license@aptli.com","\n5. Aptli生成包含授权部署ID的JWT许可证 6. 
通过",[32,294,295],{},"/admin/license","页面或",[32,298,299],{},"NUXT_LICENSE_KEY","环境变量激活",[13,302,303,306],{},[54,304,305],{},"多部署：","- 每台服务器拥有唯一的部署ID- 许可证列出所有授权部署ID- 无法在未获取新许可证的情况下克隆服务器- 防止未经授权的分发",[13,308,309,312],{},[54,310,311],{},"许可证验证：","- 服务器启动时检查- 许可证无效 = 应用程序无法启动- 试用期到期 = 7天内显示警告，之后阻止运行- 通过电子邮件续订许可证",[24,314,316],{"id":315},"环境变量自托管","环境变量（自托管）",[13,318,319,71,322],{},[54,320,321],{},"必填：",[32,323,324],{},"bash NUXT_MONGODB_URI=mongodb://localhost:27017/aptli NUXT_SESSION_PASSWORD=min-32-char-random-string ",[13,326,327,330],{},[54,328,329],{},"可选 - OAuth：",[32,331,332],{},"bash NUXT_OAUTH_GITHUB_CLIENT_ID=... NUXT_OAUTH_GITHUB_CLIENT_SECRET=... NUXT_OAUTH_GOOGLE_CLIENT_ID=... NUXT_OAUTH_GOOGLE_CLIENT_SECRET=... ",[13,334,335,338],{},[54,336,337],{},"可选 - 电子邮件：",[32,339,340],{},"bash NUXT_RESEND_API_KEY=... NUXT_EMAIL_FROM=noreply@your-domain.com ",[13,342,343,71,346],{},[54,344,345],{},"可选 - 文件扫描：",[32,347,348],{},"bash NUXT_ENABLE_FILE_SCAN=true NUXT_CLAMAV_HOST=localhost NUXT_CLAMAV_PORT=3310 ",[13,350,351,71,354],{},[54,352,353],{},"可选 - 许可证：",[32,355,356],{},"bash NUXT_REQUIRE_LICENSE=true NUXT_LICENSE_PUBLIC_KEY=\"-----BEGIN PUBLIC KEY-----...\" NUXT_LICENSE_KEY=eyJhbGc... 
(auto-activate) ",[24,358,359],{"id":359},"基础设施要求",[13,361,362,365],{},[54,363,364],{},"最低要求：","- 2 个 CPU 核心- 4GB 内存- 20GB 存储空间（随数据增长）- MongoDB 5.0 及以上版本- Node.js 20 及以上版本",[13,367,368,371],{},[54,369,370],{},"推荐配置：","- 4个CPU核心- 8GB内存- 100GB固态硬盘存储- MongoDB副本集（高可用性）- 负载均衡器（水平扩展）",[13,373,374,377],{},[54,375,376],{},"可选服务：","- ClamAV守护进程（文件扫描）- Redis（会话缓存——性能提升）- SMTP服务器（邮件通知）",[13,379,380],{},"部署步骤",[382,383,384,393,401,411,419,429,435],"ol",{},[385,386,387,390],"li",{},[54,388,389],{},"构建应用程序：",[32,391,392],{},"bash npm run build ",[385,394,395,71,398],{},[54,396,397],{},"上传构建输出：",[32,399,400],{},"bash scp -r .output/ user@server:/aptli/ ",[385,402,403,406,407,410],{},[54,404,405],{},"设置环境变量："," 在 ",[32,408,409],{},"/aptli/.env"," 中创建所需变量",[385,412,413,416],{},[54,414,415],{},"启动服务器：",[32,417,418],{},"bash cd /aptli/.output && node server/index.mjs",[385,420,421,424,425,428],{},[54,422,423],{},"激活许可证：","- 访问 ",[32,426,427],{},"https://your-domain/admin/license","- 复制部署ID- 发送邮件至 license@aptli.com- 粘贴收到的许可证密钥- 点击\"激活\"",[385,430,431,434],{},[54,432,433],{},"配置反向代理："," 使用 Nginx/Apache 终止 HTTPS，并将请求反向代理至本地 3000 端口",[385,436,437],{},"配置进程管理器：使用 PM2 或 systemd 确保服务器持续运行",[24,439,441],{"id":440},"更新自托管","更新（自托管）",[13,443,444,445,448,449,452,453,455,456,459,460,462,463,465,466,469,470,472],{},"手动更新流程：1. 备份数据库：",[32,446,447],{},"mongodump","\n2. 备份 ",[32,450,451],{},".env"," 文件 3. 从 Aptli 下载新的 ",[32,454,285],{}," 文件夹 4. 停止服务器：",[32,457,458],{},"pm2 stop aptli"," 5. 替换 ",[32,461,285],{}," 文件夹 6. 恢复 ",[32,464,451],{}," 文件 7. 启动服务器：",[32,467,468],{},"pm2 start aptli"," 8. 
验证：检查 ",[32,471,295],{}," 中的版本信息",[13,474,475],{},"Aptli 提供：- 包含重大变更的版本说明- 迁移脚本（若涉及数据库变更）- 回滚操作指南- 更新过程中的专业支持",[17,477,478],{"id":478},"安全最佳实践",[13,480,481,484],{},[54,482,483],{},"SSL/TLS 要求：","- 生产环境使用 HTTPS（而非 HTTP）- 免费证书：Let's Encrypt- 拒绝 HTTP 连接（重定向至 HTTPS）",[13,486,487,490],{},[54,488,489],{},"防火墙配置：","- 允许：HTTPS（443）、SSH（22）- 拒绝：来自公共互联网的MongoDB端口（27017）- 限制：管理页面仅限VPN或IP白名单访问",[13,492,493,105,496,499],{},[54,494,495],{},"会话安全：",[32,497,498],{},"NUXT_SESSION_PASSWORD"," - 至少32个随机字符- 每季度轮换会话密码- 高安全环境下采用短会话时限",[13,501,502,505],{},[54,503,504],{},"数据库安全：","- 启用MongoDB身份验证- 独立用户凭证（非root用户）- 加密连接（MongoDB TLS）- 定期备份（自动化，已测试恢复功能）",[13,507,508,511],{},[54,509,510],{},"OAuth 密钥管理要点：","- 存储于环境变量（而非代码中）- 每季度轮换密钥- 撤销未使用的 OAuth 应用",[13,513,514,517],{},[54,515,516],{},"文件上传安全：","- 生产环境启用ClamAV扫描- 强制执行文件大小限制- 限制允许的文件类型- 可疑文件存储隔离",[13,519,520,523],{},[54,521,522],{},"监控：","- 登录失败尝试（检测暴力破解）- 授权失败（检测未经授权的访问尝试）- 异常的API使用模式- 数据库连接失败",[17,525,526],{"id":526},"合规考量",[13,528,529,532],{},[54,530,531],{},"数据驻留："," 自托管模式可控制数据位置：- 在特定地理区域托管- 满足法规要求（GDPR、HIPAA等）- 物理控制数据访问",[13,534,535],{},"**审计日志：**Aptli为以下操作维护审计日志：- 身份验证尝试（成功/失败）- 管理权限使用（谁修改了什么）- 角色限制变更- 交易记录（库存变动）- 版本历史记录（功能变更）- 软删除（谁在何时删除了什么）",[13,537,538],{},"**数据导出：**所有数据均可导出以满足合规要求：- 非地理数据支持CSV格式导出- 地理特征支持GeoJSON格式导出（通过地图工具栏中的\"数据传输\"按钮操作）- 交易报告（库存审计）- 用户访问日志",[13,540,541],{},"**数据保留：**可配置的保留策略：- 软删除保留期- 版本压缩（无损）- 交易记录（不可变 - 永不删除）- 
审计日志（可配置归档）",{"title":543,"searchDepth":544,"depth":544,"links":545},"",2,[546,552,558,564,565],{"id":19,"depth":544,"text":19,"children":547},[548,550,551],{"id":26,"depth":549,"text":27},3,{"id":45,"depth":549,"text":46},{"id":49,"depth":549,"text":50},{"id":63,"depth":544,"text":63,"children":553},[554,555,556,557],{"id":89,"depth":549,"text":89},{"id":138,"depth":549,"text":138},{"id":179,"depth":549,"text":179},{"id":208,"depth":549,"text":208},{"id":248,"depth":544,"text":248,"children":559},[560,561,562,563],{"id":279,"depth":549,"text":279},{"id":315,"depth":549,"text":316},{"id":359,"depth":549,"text":359},{"id":440,"depth":549,"text":441},{"id":478,"depth":544,"text":478},{"id":526,"depth":544,"text":526},"安全架构、应用程序配置和部署选项","md",{},true,"/zh/user/system-settings",{"title":5,"description":566},"zh/user/system-settings/index","3NIFcG20Evxn29lI492fTjWnBOM4UZssw-vX7SJzCSs",1780539281572]