Guanghu Domestic Migration d1e47f4565
Some checks are pending
自动更新代码和重启 / update-and-restart (push) Waiting to run
CI检查 + 自动部署 / check (push) Waiting to run
CI检查 + 自动部署 / deploy (push) Blocked by required conditions
重启聊天服务 / restart (push) Waiting to run
chore: import sanitized domestic snapshot for REPO-002
Source snapshot: ca48d3ddf926d79aa138306164169baf764bb829
2026-07-17 15:54:41 +08:00

130 lines
7.7 KiB
JSON
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"id": "ZY-PROJ-002",
"name": "语言保护罩 · ZY-SVR-006 智库节点部署",
"guardian": "铸渊 · ICE-GL-ZY001",
"copyright": "国作登字-2026-A-00037559",
"background": {
"bingshuo_requirement": "ZY-SVR-006是智能小说系统的宿主·在部署小说系统之前先要有防护层·不然一上线就被扫烂了",
"zhuyuan_understanding": "三层IP隐身架构·L1出站代理池·L2蜜罐·L3 fail2ban自动封禁·nginx防护配置·冰朔称其为语言保护罩"
},
"architecture": {
"layers": [
"L1 出站代理池: 爬取下载时用代理·不暴露本机IP",
"L2 蜜罐入口: 扫描者看到自己的镜像·心理威慑+信息收集",
"L3 fail2ban自动封禁: 路径扫描/高频请求/SSH暴力破解→TARPIT耗尽资源"
],
"nginx_config": "server/nginx/novel-mirror-shield.conf",
"fail2ban_jails": [
"novel-nginx-limit-req: 5分钟10次429→ban 6小时",
"novel-path-scan: 5分钟3次路径扫描→ban 24小时",
"novel-sshd: 10分钟3次SSH失败→ban 12小时",
"novel-nginx-404: 10分钟5次40x→ban 1小时"
],
"why": "ZY-SVR-006是新加坡节点·公网暴露·没有防护层直接部署小说系统必然遭暴力扫描"
},
"phases": [
{
"id": "ZY-PROJ-002-PHASE-1",
"name": "防护配置文件准备",
"status": "completed",
"completed_at": "2026-04-16",
"content": [
"novel-mirror-shield.conf: Nginx防护配置蜜罐+速率限制)",
"fail2ban-novel.conf: 4个jail配置nginx+ssh",
"fail2ban-filter-novel-scan.conf: 路径扫描正则过滤规则",
"fail2ban-action-ban-log.conf: 封禁日志动作",
"deploy-novel-mirror-shield.yml: 4动作部署workflow"
],
"verified": "配置文件语法正确·workflow可触发"
},
{
"id": "ZY-PROJ-002-PHASE-2",
"name": "服务器实际部署 + SSL证书 + Phase 2 三大引擎",
"status": "code_complete",
"blocked_reason": null,
"started_at": "2026-04-16",
"content": [
"服务器基础环境: nginx + fail2ban + certbot",
"nginx防护配置上线SSL鸡蛋问题已修复创建占位文件引导→certonly --webroot申请真实证书",
"fail2ban jail启动4个jail: nginx-limit-req/path-scan/sshd/4xx",
"SSL证书申请Let's Encrypt · webroot方式",
"Phase 2 三大引擎后端 API 已完成:",
" - 下载引擎: /api/zhiku/download/* (5端点·任务创建/列表/状态/书籍/统计)",
" - 智能分章: /api/zhiku/chapter/* (5端点·分章/列表/详情/章节内容/统计)",
" - 在线阅读器: /api/zhiku/reader/* (9端点·书架/进度/偏好/统计)",
" - 综合统计: /api/zhiku/stats",
"前端 zhiku.html 已联动全部 API (搜索/下载/自动分章/在线阅读/进度存储)",
"",
"Phase 3 团队书库 + 成员Agent 后端 API 已完成:",
" - 团队书库: /api/zhiku/library/* (7端点·列表/添加/详情/评分/评论/分类/统计)",
" - 成员Agent: /api/zhiku/agent/* (10端点·注册/详情/对话/记忆/笔记/统计)",
"前端 zhiku.html Phase 3 已联动 (团队书库分区筛选+Agent对话面板)"
],
"next_step": "合并PR后触发 deploy-novel-mirror-shield.yml 的 deploy 动作"
},
{
"id": "ZY-PROJ-002-PHASE-3",
"name": "验证防护效果 + 健康监控",
"status": "pending",
"content": [
"触发health动作验证三层防护正常运行",
"测试fail2ban封禁是否生效",
"确认/var/log/novel-shield-bans.log有写入",
"确认HTTPS正常"
]
}
],
"fixes": [
{
"id": "ZY-PROJ-002-FIX-1",
"date": "2026-04-16",
"problem": "certbot --nginx申请证书失败·全新服务器上/etc/letsencrypt/options-ssl-nginx.conf不存在",
"root_cause": "novel-mirror-shield.conf在ssl server块中引用了letsencrypt的nginx配置文件·这些文件只有certbot成功运行一次后才存在·但certbot运行前需要nginx配置有效·循环依赖",
"fix": "已实现1)在启用站点步骤中·检查letsencrypt文件是否存在·若不存在则创建临时占位文件(options-ssl-nginx.conf + ssl-dhparams.pem + 自签名证书)让nginx -t通过并启动nginx 2)certbot申请步骤改用certonly --webroot方式·不依赖nginx插件·不触发nginx -t 3)certbot申请成功后真实证书替换占位文件·nginx reload激活 4)setup-ssl独立动作同样改为certonly --webroot",
"files_changed": [".github/workflows/deploy-novel-mirror-shield.yml"],
"result": "implemented"
},
{
"id": "ZY-PROJ-002-FIX-2",
"date": "2026-04-16",
"problem": "fail2ban novel-nginx-404 jail使用了错误的filter·nginx-http-auth只匹配401认证失败·不匹配400/403/404",
"root_cause": "Sonnet开发时直接引用了内置filter名nginx-http-auth·该filter的failregex只匹配HTTP Basic Auth失败(401)·不匹配通用40x状态码",
"fix": "新建fail2ban-filter-novel-4xx.conf·匹配400/403/404/405状态码·同时忽略favicon和robots正常请求·jail名改为novel-nginx-4xx·部署workflow添加上传该filter文件的scp步骤",
"files_changed": [
"server/novel-db/security/fail2ban-filter-novel-4xx.conf",
"server/novel-db/security/fail2ban-novel.conf",
".github/workflows/deploy-novel-mirror-shield.yml"
],
"result": "implemented"
},
{
"id": "ZY-PROJ-002-FIX-3",
"date": "2026-04-16",
"problem": "nginx蜜罐块重复定义ACME challenge路径·root路径不一致(/var/www/html vs /var/www/certbot)",
"root_cause": "蜜罐server块(default_server)和novel.guanghuyaoming.com server块都定义了/.well-known/acme-challenge/·root路径不同·如果蜜罐块先被匹配则certbot验证失败",
"fix": "删除蜜罐块中的重复ACME location·只保留novel.guanghuyaoming.com块中的定义(root /var/www/certbot)·因为certbot只对指定域名验证",
"files_changed": ["server/nginx/novel-mirror-shield.conf"],
"result": "implemented"
},
{
"id": "ZY-PROJ-002-FIX-4",
"date": "2026-04-16",
"problem": "setup-ssl job 运行 certbot 时 nginx -t 失败·/etc/letsencrypt/options-ssl-nginx.conf 不存在",
"root_cause": "setup-ssl job 安装了 python3-certbot-nginx 后 certbot 自动尝试 nginx 插件验证·触发 nginx -t·但 SSL 占位文件只在 deploy job 中创建·setup-ssl 单独运行时无占位文件。deploy job 从未成功执行(push 触发时 paths 不匹配·workflow_dispatch 只选了 setup-ssl)。",
"fix": "1) setup-ssl job 增加与 deploy job 相同的 SSL 占位文件创建逻辑 2) 改为只安装 certbot 不安装 python3-certbot-nginx 避免 nginx 插件干扰 3) 添加 --preferred-challenges http 强制 HTTP-01 验证 4) deploy job 的 certbot 步骤同样添加 --preferred-challenges http 5) setup-ssl 添加自动续期 cron",
"files_changed": [".github/workflows/deploy-novel-mirror-shield.yml"],
"result": "implemented"
}
],
"server/nginx/novel-mirror-shield.conf",
"server/novel-db/security/fail2ban-novel.conf",
"server/novel-db/security/fail2ban-filter-novel-scan.conf",
"server/novel-db/security/fail2ban-filter-novel-4xx.conf",
"server/novel-db/security/fail2ban-action-ban-log.conf",
".github/workflows/deploy-novel-mirror-shield.yml"
],
"next_step": "合并PR后→冰朔在GitHub Actions页面手动触发 deploy-novel-mirror-shield.yml(action=deploy)→部署完成后再触发setup-ssl→最后触发health验证。注意合并PR不会自动触发deploy(paths不匹配)必须手动workflow_dispatch",
"status": "in_progress",
"current_phase": "ZY-PROJ-002-PHASE-2"
}