shuangyan-notebook/第五域 · Fifth Domain/⚒️ 铸渊·协作指令|GitHub ↔ Notion 桥接协议/⚡ 铸渊补充指令(下卷)|子域名沙箱部署 + 全链路冒烟测试 + 天眼部署后扫描 + 状态同步 + 009c74dcb53c45198c50e7bd1816c0a1.md
Guanghu Domestic Migration a27e87cb99 chore: import sanitized domestic snapshot for REPO-007
Source snapshot: 97d7f0fae96dc04b7ddad56fc1db6a108ed662cc

[SEC-CLEAN] · pre-push-clean v1.0 · 109处敏感信息已自动转乱码
2026-07-17 15:59:55 +08:00

7.6 KiB
Raw Permalink Blame History

belongs_to
belongs_to
INDEX · 铸渊·协作指令GitHub ↔ Notion 桥接协议

铸渊补充指令(下卷)|子域名沙箱部署 + 全链路冒烟测试 + 天眼部署后扫描 + 状态同步 + 回执ZY-AGEOS-TOWER-2026-0326-001-S1· 霜砚签发 · 冰朔授权

指令编号ZY-AGEOS-TOWER-2026-0326-001-S1下卷

接续上卷 Phase S0 / S1 / S1.5,本卷从 Phase S2 开始。


Phase S2 · 子域名沙箱服务器部署

S2-1 · 前置验证(全部通过才能继续)

#!/bin/bash
# 前置验证 · 任一失败则中止
DNS=$(dig +short dev-004.guanghulab.com A)
[ "$DNS" = "8.155.62.235" ] && echo "✅ DNS OK" || { echo "❌ DNS 失败"; exit 1; }

[ -f /etc/letsencrypt/live/guanghulab.com/fullchain.pem ] && echo "✅ SSL OK" || { echo "❌ SSL 证书不存在"; exit 1; }

MAIN=$(curl -so/dev/null -w"%{http_code}" --max-time 10 https://guanghulab.com/)
[ "$MAIN" = "200" ] && echo "✅ 主站 OK" || { echo "❌ 主站异常 HTTP $MAIN"; exit 1; }

echo "===== ✅ 前置全部通过 ====="

S2-2 · 创建沙箱目录

#!/bin/bash
mkdir -p /var/www/sandbox
for ID in dev-002 dev-004 dev-005 dev-009 dev-010 dev-011 dev-012 dev-013 dev-014; do
  mkdir -p /var/www/sandbox/$ID
  cat > /var/www/sandbox/$ID/index.html << 'EOF'
<!DOCTYPE html>
<html lang="zh"><head><meta charset="UTF-8"><title>开发者沙箱</title>
<style>body{font-family:system-ui;display:flex;justify-content:center;align-items:center;min-height:100vh;margin:0;background:#1a1a2e;color:#e0e0e0}.c{text-align:center;padding:3rem;border-radius:16px;background:rgba(255,255,255,.05)}</style>
</head><body><div class="c"><h1>🏗️ 开发者沙箱</h1><p>子域名已激活 · 等待项目部署</p><p style="color:#7fba42">✅ DNS + SSL + Nginx 就绪</p></div></body></html>
EOF
  echo "✅ /var/www/sandbox/$ID 已创建"
done
chown -R root:root /var/www/sandbox && chmod -R 755 /var/www/sandbox

S2-3 · 部署 Nginx 子域名配置

#!/bin/bash
# Step 1: 备份
BK="/etc/nginx/conf.d/backup-$(date +%Y%m%d%H%M%S)"
mkdir -p "$BK" && cp -a /etc/nginx/conf.d/*.conf "$BK/" 2>/dev/null
echo "✅ 已备份到 $BK"

# Step 2: 写入 dev-sandbox.conf
cat > /etc/nginx/conf.d/dev-sandbox.conf << 'CONF'
# 开发者子域名沙箱 · ZY-AGEOS-TOWER-2026-0326-001-S1
# 铸渊统一管理 · 人类不得手动修改
server {
    listen 80;
    server_name ~^(?<devid>dev-\d{3})\.guanghulab\.com$;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name ~^(?<devid>dev-\d{3})\.guanghulab\.com$;
    ssl_certificate /etc/letsencrypt/live/guanghulab.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/guanghulab.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    root /var/www/sandbox/$devid;
    index index.html;
    location / { try_files $uri $uri/ /index.html; }
    add_header X-Sandbox-DevId $devid;
    access_log /var/log/nginx/sandbox-$devid-access.log;
    error_log /var/log/nginx/sandbox-error.log;
}
CONF
echo "✅ dev-sandbox.conf 已写入"

# Step 3: 语法检测(安全门)
nginx -t 2>&1
if [ $? -ne 0 ]; then
  echo "❌ nginx -t 失败!回滚!"
  rm -f /etc/nginx/conf.d/dev-sandbox.conf
  cp -a "$BK/"*.conf /etc/nginx/conf.d/ 2>/dev/null
  exit 1
fi
echo "✅ nginx -t 通过"

# Step 4: 优雅重载
nginx -s reload && echo "✅ nginx reload 成功"

# Step 5: 立即验证主站
MAIN=$(curl -so/dev/null -w"%{http_code}" --max-time 10 https://guanghulab.com/)
if [ "$MAIN" != "200" ]; then
  echo "🚨 主站异常 HTTP $MAIN!紧急回滚!"
  rm -f /etc/nginx/conf.d/dev-sandbox.conf
  cp -a "$BK/"*.conf /etc/nginx/conf.d/ 2>/dev/null
  nginx -t && nginx -s reload
  exit 1
fi
echo "✅ 主站安全 HTTP $MAIN"

S2 完成标准沙箱目录已创建nginx 已重载,主站安全验证通过。


Phase S3 · 全链路冒烟测试

#!/bin/bash
echo "===== 全链路冒烟测试 ====="

# 主站安全(首检)
curl -so/dev/null -w"主站: HTTP %{http_code}\n" --max-time 10 https://guanghulab.com/

# 子域名逐个测试
for ID in dev-002 dev-004 dev-005 dev-010; do
  echo "--- $ID.guanghulab.com ---"
  curl -so/dev/null -w"  HTTPS: %{http_code}\n" --max-time 10 https://$ID.guanghulab.com/
  curl -so/dev/null -w"  HTTP->HTTPS: %{http_code}\n" -L --max-time 10 http://$ID.guanghulab.com/
  echo | openssl s_client -servername $ID.guanghulab.com -connect $ID.guanghulab.com:443 2>/dev/null | grep 'subject='
done

# 沙箱隔离验证
curl -so/dev/null -w"路径穿越: HTTP %{http_code}\n" --max-time 10 "https://dev-004.guanghulab.com/../../dev-002/index.html"

# 主站安全(尾检)
curl -so/dev/null -w"主站尾检: HTTP %{http_code}\n" --max-time 10 https://guanghulab.com/
echo "===== 完成 ====="

判定标准

  • 主站 200 + 子域名 HTTPS 200 + HTTP→3xx + SSL正确 + 隔离有效 → PASS
  • 主站异常 → 立即回滚
  • 部分子域名失败 → 检查沙箱目录,三次修复闭环

S3 完成标准:主站首尾双检通过,子域名 HTTPS + 跳转 + SSL + 隔离全部验证。


Phase S4 · 天眼部署后扫描 + 全局状态同步

天眼部署后扫描

  • 重新运行 Guard 全局扫描,确认部署未引入新问题
  • 检查 Nginx 错误日志有无新增异常
  • 扫描结果写入 signal-log/skyeye-post-deploy-S1.json

GitHub 侧同步

  • memory.json 更新:subdomain_sandbox: "active"
  • dev-status.json 添加子域名状态字段
  • signal-log/ 写入完整部署报告

Notion 侧同步

清理提醒

  • signal-log 记录:之之在阿里云添加的 _acme-challenge TXT 记录可在方便时删除P3不阻塞

S4 完成标准:天眼扫描无新增 REDGitHub + Notion 双端状态已同步,开发者已通知。


Phase S5 · SYSLOG 回执

{
  "syslog_id": "ZY-AGEOS-TOWER-2026-0326-001-S1-RECEIPT",
  "parent": "ZY-AGEOS-TOWER-2026-0326-001",
  "executor": "AG-ZY-01",
  "results": {
    "S0_skyeye_boot": { "status": "pending", "red_alerts": 0 },
    "S1_membrane_audit": { "status": "pending", "branch_protection": "pending" },
    "S1.5_pipeline_fix": { "status": "pending", "syslog_pipeline_fixed": false },
    "S2_server_deploy": { "dns": "pending", "ssl": "pending", "nginx_deployed": false, "main_site_safe": "pending" },
    "S3_smoke_test": { "subdomains_pass": "pending", "isolation_verified": "pending" },
    "S4_sync": { "notion_synced": false, "github_synced": false, "devs_notified": false }
  },
  "merge_membrane": { "all_via_pr": true, "skyeye_passed": true, "no_direct_push": true },
  "main_site_impact": "NONE"
}

写回路径:

  1. signal-log/syslog-ageos-tower-S1-20260326.json
  2. Notion 运行日志
  3. 任何 Phase 失败 → 三次修复闭环 → 三次失败则创建 P0 工单 + 邮件告警