#!/bin/bash # ═══════════════════════════════════════════════════════════════ # deploy-sandbox-server.sh — 子域名沙箱服务器部署 # 指令:ZY-AGEOS-TOWER-2026-0326-001-S1 · Phase S2 # 版权:国作登字-2026-A-00037559 # 执行:AG-ZY-01 铸渊 # # 🛡️ 核心原则:绝对不能破坏主站 guanghulab.com # 所有操作内置安全回滚机制。 # # 用法: bash scripts/deploy-sandbox-server.sh # 必须在服务器上以 root 权限运行 # ═══════════════════════════════════════════════════════════════ set -euo pipefail echo "═══════════════════════════════════════════" echo " 铸渊 · 子域名沙箱部署 · Phase S2" echo " 指令: ZY-AGEOS-TOWER-2026-0326-001-S1" echo "═══════════════════════════════════════════" echo "" # ─── S2-1 · 前置验证(全部通过才能继续) ─── echo "===== S2-1 · 前置验证 =====" # DNS 检查 — 铸渊主权服务器 ZY-SVR-002 DNS=$(dig +short dev-004.guanghulab.com A 2>/dev/null || echo "") if [ "$DNS" = "43.134.16.246" ]; then echo "✅ DNS OK ($DNS) — 铸渊主权服务器" elif [ "$DNS" = "8.155.62.235" ]; then echo "⚠️ DNS 仍指向旧服务器 ($DNS),请更新 DNS 到 43.134.16.246" exit 1 else echo "❌ DNS 失败: dev-004.guanghulab.com → '$DNS' (期望 43.134.16.246)" exit 1 fi # SSL 证书检查 if [ -f /etc/letsencrypt/live/guanghulab.com/fullchain.pem ]; then echo "✅ SSL OK" else echo "❌ SSL 证书不存在: /etc/letsencrypt/live/guanghulab.com/fullchain.pem" exit 1 fi # 主站安全检查 MAIN=$(curl -so/dev/null -w"%{http_code}" --max-time 10 https://guanghulab.com/ 2>/dev/null || echo "000") if [ "$MAIN" = "200" ]; then echo "✅ 主站 OK (HTTP $MAIN)" else echo "❌ 主站异常 HTTP $MAIN" exit 1 fi echo "===== ✅ 前置全部通过 =====" echo "" # ─── S2-2 · 创建沙箱目录 ─── echo "===== S2-2 · 创建沙箱目录 =====" mkdir -p /var/www/sandbox for ID in dev-002 dev-004 dev-005 dev-009 dev-010 dev-011 dev-012 dev-013 dev-014; do mkdir -p /var/www/sandbox/$ID cat > /var/www/sandbox/$ID/index.html << 'EOF' 开发者沙箱

🏗️ 开发者沙箱

子域名已激活 · 等待项目部署

✅ DNS + SSL + Nginx 就绪

EOF echo "✅ /var/www/sandbox/$ID 已创建" done chown -R root:root /var/www/sandbox && chmod -R 755 /var/www/sandbox echo "===== ✅ 沙箱目录创建完成 =====" echo "" # ─── S2-3 · 部署 Nginx 子域名配置 ─── echo "===== S2-3 · 部署 Nginx 配置 =====" # Step 1: 备份 BK="/etc/nginx/conf.d/backup-$(date +%Y%m%d%H%M%S)" mkdir -p "$BK" && cp -a /etc/nginx/conf.d/*.conf "$BK/" 2>/dev/null echo "✅ 已备份到 $BK" # Step 2: 写入 dev-sandbox.conf cat > /etc/nginx/conf.d/dev-sandbox.conf << 'CONF' # 开发者子域名沙箱 · ZY-AGEOS-TOWER-2026-0326-001-S1 # 铸渊统一管理 · 人类不得手动修改 server { listen 80; server_name ~^(?dev-\d{3})\.guanghulab\.com$; return 301 https://$host$request_uri; } server { listen 443 ssl; server_name ~^(?dev-\d{3})\.guanghulab\.com$; ssl_certificate /etc/letsencrypt/live/guanghulab.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/guanghulab.com/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; root /var/www/sandbox/$devid; index index.html; location / { try_files $uri $uri/ /index.html; } add_header X-Sandbox-DevId $devid; access_log /var/log/nginx/sandbox-$devid-access.log; error_log /var/log/nginx/sandbox-error.log; } CONF echo "✅ dev-sandbox.conf 已写入" # Step 3: 语法检测(安全门) echo "--- nginx -t ---" if ! nginx -t 2>&1; then echo "❌ nginx -t 失败!回滚!" rm -f /etc/nginx/conf.d/dev-sandbox.conf cp -a "$BK/"*.conf /etc/nginx/conf.d/ 2>/dev/null echo "🔙 已回滚到备份: $BK" exit 1 fi echo "✅ nginx -t 通过" # Step 4: 优雅重载 nginx -s reload && echo "✅ nginx reload 成功" # Step 5: 立即验证主站 MAIN=$(curl -so/dev/null -w"%{http_code}" --max-time 10 https://guanghulab.com/ 2>/dev/null || echo "000") if [ "$MAIN" != "200" ]; then echo "🚨 主站异常 HTTP $MAIN!紧急回滚!" rm -f /etc/nginx/conf.d/dev-sandbox.conf cp -a "$BK/"*.conf /etc/nginx/conf.d/ 2>/dev/null nginx -t && nginx -s reload echo "🔙 紧急回滚完成" exit 1 fi echo "✅ 主站安全 HTTP $MAIN" echo "" echo "═══════════════════════════════════════════" echo " ✅ Phase S2 完成" echo " 沙箱目录已创建 · Nginx 已重载 · 主站安全" echo "═══════════════════════════════════════════"