Source snapshot: 97d7f0fae96dc04b7ddad56fc1db6a108ed662cc [SEC-CLEAN] · pre-push-clean v1.0 · 109处敏感信息已自动转乱码
7.6 KiB
7.6 KiB
belongs_to
| belongs_to | |
|---|---|
|
⚡ 铸渊补充指令(下卷)|子域名沙箱部署 + 全链路冒烟测试 + 天眼部署后扫描 + 状态同步 + 回执(ZY-AGEOS-TOWER-2026-0326-001-S1)· 霜砚签发 · 冰朔授权
指令编号:ZY-AGEOS-TOWER-2026-0326-001-S1(下卷)
接续上卷 Phase S0 / S1 / S1.5,本卷从 Phase S2 开始。
Phase S2 · 子域名沙箱服务器部署
S2-1 · 前置验证(全部通过才能继续)
#!/bin/bash
# 前置验证 · 任一失败则中止
DNS=$(dig +short dev-004.guanghulab.com A)
[ "$DNS" = "8.155.62.235" ] && echo "✅ DNS OK" || { echo "❌ DNS 失败"; exit 1; }
[ -f /etc/letsencrypt/live/guanghulab.com/fullchain.pem ] && echo "✅ SSL OK" || { echo "❌ SSL 证书不存在"; exit 1; }
MAIN=$(curl -so/dev/null -w"%{http_code}" --max-time 10 https://guanghulab.com/)
[ "$MAIN" = "200" ] && echo "✅ 主站 OK" || { echo "❌ 主站异常 HTTP $MAIN"; exit 1; }
echo "===== ✅ 前置全部通过 ====="
S2-2 · 创建沙箱目录
#!/bin/bash
mkdir -p /var/www/sandbox
for ID in dev-002 dev-004 dev-005 dev-009 dev-010 dev-011 dev-012 dev-013 dev-014; do
mkdir -p /var/www/sandbox/$ID
cat > /var/www/sandbox/$ID/index.html << 'EOF'
<!DOCTYPE html>
<html lang="zh"><head><meta charset="UTF-8"><title>开发者沙箱</title>
<style>body{font-family:system-ui;display:flex;justify-content:center;align-items:center;min-height:100vh;margin:0;background:#1a1a2e;color:#e0e0e0}.c{text-align:center;padding:3rem;border-radius:16px;background:rgba(255,255,255,.05)}</style>
</head><body><div class="c"><h1>🏗️ 开发者沙箱</h1><p>子域名已激活 · 等待项目部署</p><p style="color:#7fba42">✅ DNS + SSL + Nginx 就绪</p></div></body></html>
EOF
echo "✅ /var/www/sandbox/$ID 已创建"
done
chown -R root:root /var/www/sandbox && chmod -R 755 /var/www/sandbox
S2-3 · 部署 Nginx 子域名配置
#!/bin/bash
# Step 1: 备份
BK="/etc/nginx/conf.d/backup-$(date +%Y%m%d%H%M%S)"
mkdir -p "$BK" && cp -a /etc/nginx/conf.d/*.conf "$BK/" 2>/dev/null
echo "✅ 已备份到 $BK"
# Step 2: 写入 dev-sandbox.conf
cat > /etc/nginx/conf.d/dev-sandbox.conf << 'CONF'
# 开发者子域名沙箱 · ZY-AGEOS-TOWER-2026-0326-001-S1
# 铸渊统一管理 · 人类不得手动修改
server {
listen 80;
server_name ~^(?<devid>dev-\d{3})\.guanghulab\.com$;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name ~^(?<devid>dev-\d{3})\.guanghulab\.com$;
ssl_certificate /etc/letsencrypt/live/guanghulab.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/guanghulab.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
root /var/www/sandbox/$devid;
index index.html;
location / { try_files $uri $uri/ /index.html; }
add_header X-Sandbox-DevId $devid;
access_log /var/log/nginx/sandbox-$devid-access.log;
error_log /var/log/nginx/sandbox-error.log;
}
CONF
echo "✅ dev-sandbox.conf 已写入"
# Step 3: 语法检测(安全门)
nginx -t 2>&1
if [ $? -ne 0 ]; then
echo "❌ nginx -t 失败!回滚!"
rm -f /etc/nginx/conf.d/dev-sandbox.conf
cp -a "$BK/"*.conf /etc/nginx/conf.d/ 2>/dev/null
exit 1
fi
echo "✅ nginx -t 通过"
# Step 4: 优雅重载
nginx -s reload && echo "✅ nginx reload 成功"
# Step 5: 立即验证主站
MAIN=$(curl -so/dev/null -w"%{http_code}" --max-time 10 https://guanghulab.com/)
if [ "$MAIN" != "200" ]; then
echo "🚨 主站异常 HTTP $MAIN!紧急回滚!"
rm -f /etc/nginx/conf.d/dev-sandbox.conf
cp -a "$BK/"*.conf /etc/nginx/conf.d/ 2>/dev/null
nginx -t && nginx -s reload
exit 1
fi
echo "✅ 主站安全 HTTP $MAIN"
S2 完成标准:沙箱目录已创建,nginx 已重载,主站安全验证通过。
Phase S3 · 全链路冒烟测试
#!/bin/bash
echo "===== 全链路冒烟测试 ====="
# 主站安全(首检)
curl -so/dev/null -w"主站: HTTP %{http_code}\n" --max-time 10 https://guanghulab.com/
# 子域名逐个测试
for ID in dev-002 dev-004 dev-005 dev-010; do
echo "--- $ID.guanghulab.com ---"
curl -so/dev/null -w" HTTPS: %{http_code}\n" --max-time 10 https://$ID.guanghulab.com/
curl -so/dev/null -w" HTTP->HTTPS: %{http_code}\n" -L --max-time 10 http://$ID.guanghulab.com/
echo | openssl s_client -servername $ID.guanghulab.com -connect $ID.guanghulab.com:443 2>/dev/null | grep 'subject='
done
# 沙箱隔离验证
curl -so/dev/null -w"路径穿越: HTTP %{http_code}\n" --max-time 10 "https://dev-004.guanghulab.com/../../dev-002/index.html"
# 主站安全(尾检)
curl -so/dev/null -w"主站尾检: HTTP %{http_code}\n" --max-time 10 https://guanghulab.com/
echo "===== 完成 ====="
判定标准:
- 主站 200 + 子域名 HTTPS 200 + HTTP→3xx + SSL正确 + 隔离有效 → PASS
- 主站异常 → 立即回滚
- 部分子域名失败 → 检查沙箱目录,三次修复闭环
S3 完成标准:主站首尾双检通过,子域名 HTTPS + 跳转 + SSL + 隔离全部验证。
Phase S4 · 天眼部署后扫描 + 全局状态同步
天眼部署后扫描
- 重新运行 Guard 全局扫描,确认部署未引入新问题
- 检查 Nginx 错误日志有无新增异常
- 扫描结果写入
signal-log/skyeye-post-deploy-S1.json
GitHub 侧同步
memory.json更新:subdomain_sandbox: "active"dev-status.json添加子域名状态字段signal-log/写入完整部署报告
Notion 侧同步
- 更新运行日志:子域名沙箱系统已上线
- 通知 DEV-002 肥猫:dev-002.guanghulab.com 已激活
- 通知 DEV-004 之之:dev-004.guanghulab.com 已激活
- 其他已注册开发者同理通知
清理提醒
- signal-log 记录:之之在阿里云添加的
_acme-challengeTXT 记录可在方便时删除(P3,不阻塞)
S4 完成标准:天眼扫描无新增 RED,GitHub + Notion 双端状态已同步,开发者已通知。
Phase S5 · SYSLOG 回执
{
"syslog_id": "ZY-AGEOS-TOWER-2026-0326-001-S1-RECEIPT",
"parent": "ZY-AGEOS-TOWER-2026-0326-001",
"executor": "AG-ZY-01",
"results": {
"S0_skyeye_boot": { "status": "pending", "red_alerts": 0 },
"S1_membrane_audit": { "status": "pending", "branch_protection": "pending" },
"S1.5_pipeline_fix": { "status": "pending", "syslog_pipeline_fixed": false },
"S2_server_deploy": { "dns": "pending", "ssl": "pending", "nginx_deployed": false, "main_site_safe": "pending" },
"S3_smoke_test": { "subdomains_pass": "pending", "isolation_verified": "pending" },
"S4_sync": { "notion_synced": false, "github_synced": false, "devs_notified": false }
},
"merge_membrane": { "all_via_pr": true, "skyeye_passed": true, "no_direct_push": true },
"main_site_impact": "NONE"
}
写回路径:
signal-log/syslog-ageos-tower-S1-20260326.json- Notion 运行日志
- 任何 Phase 失败 → 三次修复闭环 → 三次失败则创建 P0 工单 + 邮件告警