102 lines
5.7 KiB
Markdown
102 lines
5.7 KiB
Markdown
# IwoooS Public Gateway Live Conf 匯出請求包
|
||
|
||
| 項目 | 內容 |
|
||
|------|------|
|
||
| 日期 | 2026-06-14 |
|
||
| 狀態 | `live_conf_export_request_ready_not_dispatched` |
|
||
| 工具 | `scripts/security/public-gateway-live-conf-export-request.py` |
|
||
| 輸入 | `docs/security/public-gateway-preflight-inventory.snapshot.json` |
|
||
| Snapshot | `docs/security/public-gateway-live-conf-export-request.snapshot.json` |
|
||
| runtime gate | `0` |
|
||
|
||
## 1. 目的
|
||
|
||
Nginx public gateway 是公開網站、API、Webhook、ACME 與 WebSocket 的共同入口。若 live Nginx conf 常被手動修改,IwoooS 不能直接 SSH 去讀或覆寫 live conf;第一步應先建立 owner-provided live conf 匯出請求包,明確規定只能收脫敏 export ref,且不得保存 raw live conf。
|
||
|
||
本文件只定義匯出請求草稿、脫敏規則與送後不變條件。它不是 request sent、不是 live conf received、不是 rendered diff ready、不是 `nginx -t`、不是 reload、不是 route smoke,也不是 production write 或 runtime gate 授權。
|
||
|
||
## 2. 摘要
|
||
|
||
| 指標 | 值 | 說明 |
|
||
|------|----|------|
|
||
| export request count | `3` | 188 all sites、188 internal tools HTTPS、110 Ollama proxy |
|
||
| C0 export request count | `2` | 188 all sites 與 188 internal tools HTTPS |
|
||
| export request field count | `12` | 每份匯出請求的 handoff 欄位 |
|
||
| redaction rule count | `8` | raw live conf 與敏感資訊拒收規則 |
|
||
| request sent | `0` | 尚未送出匯出請求 |
|
||
| recipient confirmed | `0` | 尚未確認 owner / recipient |
|
||
| redacted export received | `0` | 尚未收到脫敏 export ref |
|
||
| raw live conf stored | `0` | 不允許保存 |
|
||
| rendered diff / nginx -t / route smoke | `0 / 0 / 0` | 尚未批准且未執行 |
|
||
| runtime gate / action button | `0 / 0` | 未開啟 |
|
||
|
||
## 3. Redaction Policy
|
||
|
||
1. 只收 owner 提供的脫敏 live conf export ref,不收 raw live conf。
|
||
2. 不得包含 TLS private key、token、secret、cookie、session、authorization header 或 Basic Auth credential。
|
||
3. 若 upstream URL 含 credential,必須整段遮罩為 `redacted_upstream_credential`。
|
||
4. 若路徑含 private credential、query token 或 webhook secret,必須整段遮罩。
|
||
5. 允許保留 server name、listen、location、proxy pass host / port、ACME path、TLS certificate path metadata。
|
||
6. 不得貼主機 shell history、完整環境變數、私鑰內容、DB URL 或未脫敏 log。
|
||
7. 疑似敏感 payload 只能記 quarantine metadata,不得寫入 repo、LOGBOOK 或前端。
|
||
8. 匯出請求不等於 `nginx -t`、reload、route smoke、DNS / TLS probe 或 production write 授權。
|
||
|
||
## 4. 匯出請求欄位
|
||
|
||
| 欄位 | 內容規則 |
|
||
|------|----------|
|
||
| `export_request_id` | 固定對應 public gateway live conf export,不建立 runtime action id |
|
||
| `config_id` | 對應 public gateway preflight row |
|
||
| `host` | 只記 host scope;不代表可 SSH |
|
||
| `live_path` | 只記 owner 需提供的 live path metadata;不代表已讀取 |
|
||
| `export_owner_role_or_team` | 只填 role / team,不填私人憑證或聯絡資訊 |
|
||
| `export_method` | 固定 `owner_provided_redacted_export_only` |
|
||
| `redaction_policy_ref` | 指向本文件脫敏規則 |
|
||
| `redacted_live_conf_ref` | 未收到前為空;收到後只可填脫敏 ref |
|
||
| `source_snapshot_ref` | 指向 repo-only preflight snapshot |
|
||
| `intended_use` | 固定 `rendered_diff_and_route_change_preflight_only` |
|
||
| `followup_owner` | 後續補證或審查負責 role / team |
|
||
| `not_approval` | 必須為 `true` |
|
||
|
||
## 5. 三份請求
|
||
|
||
| Request | Control tier | Live path | 邊界 |
|
||
|---------|--------------|-----------|------|
|
||
| `public_gateway_live_conf_export:host188_all_sites` | `C0` | `/etc/nginx/sites-enabled/all-sites.conf` | 只請 owner 提供脫敏 export ref,不代表 SSH 讀取、rendered diff、`nginx -t` 或 reload |
|
||
| `public_gateway_live_conf_export:host188_internal_tools_https` | `C0` | `owner_confirmation_required` | 只請 owner 確認 live path 與脫敏 export ref,不代表 route change |
|
||
| `public_gateway_live_conf_export:host110_ollama_proxy` | `C1` | `/etc/nginx/sites-enabled/110-ollama-proxy.conf` | 只請 owner 提供脫敏 export ref,不代表 Ollama proxy 改動或重啟 |
|
||
|
||
## 6. 送後不變條件
|
||
|
||
即使未來人工送出請求,也只能在有可稽核送件 metadata 後另行記錄 request sent。收到脫敏 export ref 後,仍需先做敏感 payload 隔離檢查;通過後才可進 rendered diff。Rendered diff 成立仍不代表 `nginx -t`、reload、route smoke 或 public route change 已授權。
|
||
|
||
2026-06-14 P0-16 已新增 `docs/security/PUBLIC-GATEWAY-REDACTED-EXPORT-INTAKE-PREFLIGHT.md` 與 `docs/security/public-gateway-redacted-export-intake-preflight.snapshot.json`,將三份 export request 轉成 redacted export 收件預檢候選。該預檢仍保持 request sent、recipient confirmed、redacted export received、accepted、quarantine、rejected、rendered diff、`nginx -t`、reload、route smoke、runtime gate 全部為 `0`。
|
||
|
||
## 7. 指令
|
||
|
||
產生 committed snapshot:
|
||
|
||
```bash
|
||
python3 scripts/security/public-gateway-live-conf-export-request.py \
|
||
--root . \
|
||
--preflight-report docs/security/public-gateway-preflight-inventory.snapshot.json \
|
||
--output docs/security/public-gateway-live-conf-export-request.snapshot.json \
|
||
--generated-at 2026-06-14T19:05:00+08:00
|
||
```
|
||
|
||
驗證 guard:
|
||
|
||
```bash
|
||
python3 scripts/security/security-mirror-progress-guard.py --root .
|
||
```
|
||
|
||
## 8. 完成度
|
||
|
||
| 工作 | 完成度 | 說明 |
|
||
|------|--------|------|
|
||
| live conf export request artifact | `100%` | 產生器、snapshot 與文件已固定 |
|
||
| request dispatch | `0%` | 尚未送出 |
|
||
| redacted export received | `0%` | 尚未收到 |
|
||
| rendered diff / nginx -t / route smoke | `0%` | 尚未批准且未執行 |
|
||
| runtime reload / host write | `0%` | 未授權且未執行 |
|