- 建立 Gitea Actions CD pipeline (.gitea/workflows/cd.yaml) - 部署模式: rsync Python 檔案至 188 → docker restart (volume mount) - Dockerfile/requirements 變動時自動重建 Docker image - 部署通知: Telegram (開始/成功/失敗) - 健康檢查: https://mo.wooo.work/health (最多 5 次重試) - 同步最新 CLAUDE.md / ADR-008 / memory (2026-04-19) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
220
scripts/security/firewall-whitelist.sh
Executable file
220
scripts/security/firewall-whitelist.sh
Executable file
@@ -0,0 +1,220 @@
|
||||
#!/bin/bash
|
||||
# =============================================================================
|
||||
# MOMO Pro System - 防火牆白名單配置
|
||||
# 功能:設定 UAT ↔ GCP 互相白名單,限制外部訪問
|
||||
# 版本:1.0.0
|
||||
# 日期:2026-02-14
|
||||
# =============================================================================
|
||||
|
||||
# ============================================
|
||||
# 白名單 IP 定義
|
||||
# ============================================
|
||||
|
||||
# UAT 主機 IP (內網)
|
||||
UAT_IP="192.168.0.110"
|
||||
|
||||
# GCP 主機 IP (外網)
|
||||
GCP_IP="35.194.233.141"
|
||||
|
||||
# 辦公室/家庭 IP (需要能訪問監控服務的 IP)
|
||||
# 請根據實際情況更新
|
||||
ALLOWED_EXTERNAL_IPS=(
|
||||
"114.32.151.246" # WOOO 辦公室 IP (範例)
|
||||
"1.160.0.0/16" # 中華電信 ADSL 範圍 (範例)
|
||||
)
|
||||
|
||||
# GCP 專案資訊
|
||||
GCP_PROJECT="astral-gateway-484913-d7"
|
||||
GCP_VM="momo-pro-gcp"
|
||||
GCP_ZONE="asia-east1-b"
|
||||
|
||||
# ============================================
|
||||
# UAT 防火牆配置 (UFW)
|
||||
# ============================================
|
||||
configure_uat_firewall() {
|
||||
echo "=========================================="
|
||||
echo "配置 UAT 防火牆白名單"
|
||||
echo "=========================================="
|
||||
|
||||
ssh wooo@${UAT_IP} "
|
||||
# 重置 UFW
|
||||
sudo ufw --force reset
|
||||
|
||||
# 預設策略:拒絕入站,允許出站
|
||||
sudo ufw default deny incoming
|
||||
sudo ufw default allow outgoing
|
||||
|
||||
# 允許 SSH(所有 IP,但有 Fail2Ban 保護)
|
||||
sudo ufw allow 22/tcp
|
||||
|
||||
# 允許 HTTP/HTTPS(公開,但僅有 Nginx 監聽)
|
||||
sudo ufw allow 80/tcp
|
||||
sudo ufw allow 443/tcp
|
||||
|
||||
# 允許 GCP 訪問內部服務(用於監控/同步)
|
||||
sudo ufw allow from ${GCP_IP} to any port 5678 comment 'GCP -> n8n'
|
||||
sudo ufw allow from ${GCP_IP} to any port 8929 comment 'GCP -> GitLab'
|
||||
sudo ufw allow from ${GCP_IP} to any port 9090 comment 'GCP -> Prometheus'
|
||||
|
||||
# 允許內網訪問所有服務
|
||||
sudo ufw allow from 192.168.0.0/24 comment 'Local Network'
|
||||
|
||||
# 允許指定外部 IP 訪問監控服務
|
||||
$(for ip in "${ALLOWED_EXTERNAL_IPS[@]}"; do
|
||||
echo "sudo ufw allow from ${ip} to any port 30030 comment 'External -> Grafana'"
|
||||
echo "sudo ufw allow from ${ip} to any port 8929 comment 'External -> GitLab'"
|
||||
done)
|
||||
|
||||
# 啟用防火牆
|
||||
sudo ufw --force enable
|
||||
sudo ufw status verbose
|
||||
"
|
||||
}
|
||||
|
||||
# ============================================
|
||||
# GCP 防火牆配置 (gcloud)
|
||||
# ============================================
|
||||
configure_gcp_firewall() {
|
||||
echo "=========================================="
|
||||
echo "配置 GCP 防火牆白名單"
|
||||
echo "=========================================="
|
||||
|
||||
# 刪除過於寬鬆的規則
|
||||
gcloud compute firewall-rules delete allow-momo-ports --project=${GCP_PROJECT} --quiet 2>/dev/null || true
|
||||
|
||||
# 創建嚴格的規則
|
||||
|
||||
# 1. 允許 HTTP/HTTPS(公開,Web 服務)
|
||||
gcloud compute firewall-rules create momo-allow-web \
|
||||
--project=${GCP_PROJECT} \
|
||||
--direction=INGRESS \
|
||||
--priority=1000 \
|
||||
--network=default \
|
||||
--action=ALLOW \
|
||||
--rules=tcp:80,tcp:443 \
|
||||
--source-ranges=0.0.0.0/0 \
|
||||
--description="Allow HTTP/HTTPS from anywhere" \
|
||||
2>/dev/null || echo "Rule momo-allow-web already exists"
|
||||
|
||||
# 2. 允許 SSH 僅從 UAT IP
|
||||
gcloud compute firewall-rules create momo-allow-ssh-from-uat \
|
||||
--project=${GCP_PROJECT} \
|
||||
--direction=INGRESS \
|
||||
--priority=1000 \
|
||||
--network=default \
|
||||
--action=ALLOW \
|
||||
--rules=tcp:22 \
|
||||
--source-ranges=${UAT_IP}/32 \
|
||||
--description="Allow SSH only from UAT" \
|
||||
2>/dev/null || echo "Rule momo-allow-ssh-from-uat already exists"
|
||||
|
||||
# 3. 允許 K8s API 僅從 UAT IP
|
||||
gcloud compute firewall-rules create momo-allow-k8s-from-uat \
|
||||
--project=${GCP_PROJECT} \
|
||||
--direction=INGRESS \
|
||||
--priority=1000 \
|
||||
--network=default \
|
||||
--action=ALLOW \
|
||||
--rules=tcp:6443 \
|
||||
--source-ranges=${UAT_IP}/32 \
|
||||
--description="Allow K8s API only from UAT" \
|
||||
2>/dev/null || echo "Rule momo-allow-k8s-from-uat already exists"
|
||||
|
||||
# 4. 拒絕其他所有入站流量(GCP 預設已有此規則)
|
||||
|
||||
echo ""
|
||||
echo "GCP 防火牆規則:"
|
||||
gcloud compute firewall-rules list --project=${GCP_PROJECT} \
|
||||
--filter="name~momo" \
|
||||
--format="table(name,direction,sourceRanges,allowed)"
|
||||
}
|
||||
|
||||
# ============================================
|
||||
# Nginx 白名單配置
|
||||
# ============================================
|
||||
configure_nginx_whitelist() {
|
||||
echo "=========================================="
|
||||
echo "配置 Nginx 白名單(監控服務)"
|
||||
echo "=========================================="
|
||||
|
||||
# 創建白名單配置文件
|
||||
ssh wooo@${UAT_IP} "
|
||||
cat > /tmp/allowed_ips.conf << 'EOF'
|
||||
# 允許的 IP 白名單
|
||||
# UAT 內網
|
||||
allow 192.168.0.0/24;
|
||||
|
||||
# GCP 正式環境
|
||||
allow ${GCP_IP};
|
||||
|
||||
# 辦公室/家庭 IP
|
||||
$(for ip in "${ALLOWED_EXTERNAL_IPS[@]}"; do
|
||||
echo "allow ${ip};"
|
||||
done)
|
||||
|
||||
# 拒絕其他所有
|
||||
deny all;
|
||||
EOF
|
||||
|
||||
sudo mv /tmp/allowed_ips.conf /etc/nginx/snippets/allowed_ips.conf
|
||||
echo '白名單配置已寫入 /etc/nginx/snippets/allowed_ips.conf'
|
||||
"
|
||||
|
||||
echo ""
|
||||
echo "請在需要限制訪問的 Nginx location 中加入:"
|
||||
echo " include snippets/allowed_ips.conf;"
|
||||
}
|
||||
|
||||
# ============================================
|
||||
# 顯示當前狀態
|
||||
# ============================================
|
||||
show_status() {
|
||||
echo "=========================================="
|
||||
echo "當前防火牆狀態"
|
||||
echo "=========================================="
|
||||
|
||||
echo ""
|
||||
echo "--- UAT UFW 狀態 ---"
|
||||
ssh wooo@${UAT_IP} "sudo ufw status numbered" 2>/dev/null || echo "UAT 連線失敗"
|
||||
|
||||
echo ""
|
||||
echo "--- GCP 防火牆規則 ---"
|
||||
gcloud compute firewall-rules list --project=${GCP_PROJECT} \
|
||||
--format="table(name,direction,sourceRanges,allowed)" 2>/dev/null || echo "GCP 連線失敗"
|
||||
}
|
||||
|
||||
# ============================================
|
||||
# 主程式
|
||||
# ============================================
|
||||
main() {
|
||||
case "${1:-status}" in
|
||||
uat)
|
||||
configure_uat_firewall
|
||||
;;
|
||||
gcp)
|
||||
configure_gcp_firewall
|
||||
;;
|
||||
nginx)
|
||||
configure_nginx_whitelist
|
||||
;;
|
||||
all)
|
||||
configure_uat_firewall
|
||||
configure_gcp_firewall
|
||||
configure_nginx_whitelist
|
||||
;;
|
||||
status)
|
||||
show_status
|
||||
;;
|
||||
*)
|
||||
echo "用法: $0 [uat|gcp|nginx|all|status]"
|
||||
echo ""
|
||||
echo " uat - 配置 UAT 防火牆 (UFW)"
|
||||
echo " gcp - 配置 GCP 防火牆 (gcloud)"
|
||||
echo " nginx - 配置 Nginx IP 白名單"
|
||||
echo " all - 配置所有防火牆"
|
||||
echo " status - 顯示當前狀態(預設)"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
main "$@"
|
||||
86
scripts/security/harden_ollama_server.sh
Normal file
86
scripts/security/harden_ollama_server.sh
Normal file
@@ -0,0 +1,86 @@
|
||||
#!/bin/bash
|
||||
# ==========================================================
|
||||
# 192.168.0.188 (Ollama Server) 安全加固腳本
|
||||
#
|
||||
# 使用方式:
|
||||
# ssh ollama@192.168.0.188
|
||||
# sudo bash harden_ollama_server.sh
|
||||
# ==========================================================
|
||||
|
||||
set -e
|
||||
|
||||
echo "=========================================="
|
||||
echo " Ollama Server 安全加固腳本"
|
||||
echo "=========================================="
|
||||
|
||||
# 1. 安裝並配置 Fail2Ban
|
||||
echo ""
|
||||
echo "=== 1. 安裝 Fail2Ban (SSH 防暴力破解) ==="
|
||||
apt-get update -qq
|
||||
apt-get install -y fail2ban
|
||||
|
||||
cat > /etc/fail2ban/jail.local << 'JAIL'
|
||||
[DEFAULT]
|
||||
bantime = 3600
|
||||
findtime = 600
|
||||
maxretry = 3
|
||||
ignoreip = 127.0.0.1/8 192.168.0.0/24
|
||||
|
||||
[sshd]
|
||||
enabled = true
|
||||
port = ssh
|
||||
filter = sshd
|
||||
logpath = /var/log/auth.log
|
||||
maxretry = 3
|
||||
JAIL
|
||||
|
||||
systemctl enable fail2ban
|
||||
systemctl restart fail2ban
|
||||
echo "✅ Fail2Ban 已安裝並啟用"
|
||||
|
||||
# 2. 設定 UFW 防火牆
|
||||
echo ""
|
||||
echo "=== 2. 設定 UFW 防火牆 ==="
|
||||
apt-get install -y ufw
|
||||
|
||||
# 重置並設定預設規則
|
||||
ufw --force reset
|
||||
ufw default deny incoming
|
||||
ufw default allow outgoing
|
||||
|
||||
# 允許必要的服務
|
||||
ufw allow 22/tcp comment 'SSH'
|
||||
ufw allow 80/tcp comment 'HTTP'
|
||||
ufw allow 443/tcp comment 'HTTPS'
|
||||
ufw allow from 192.168.0.0/24 to any port 11434 comment 'Ollama API (內網)'
|
||||
ufw allow from 192.168.0.0/24 to any port 3000 comment 'Open WebUI (內網)'
|
||||
ufw allow from 192.168.0.0/24 to any port 5678 comment 'n8n (內網)'
|
||||
ufw allow from 192.168.0.0/24 to any port 8080 comment 'SearXNG (內網)'
|
||||
|
||||
# 啟用防火牆
|
||||
ufw --force enable
|
||||
echo "✅ UFW 防火牆已設定"
|
||||
|
||||
# 3. 修改 Docker 容器端口綁定 (n8n 改為只允許內網)
|
||||
echo ""
|
||||
echo "=== 3. 檢查 Docker Compose 配置 ==="
|
||||
echo "⚠️ 請手動修改 docker-compose.yml 將以下服務改為內網綁定:"
|
||||
echo " n8n: 5678:5678 → 192.168.0.188:5678:5678"
|
||||
echo " searxng: 8080:8080 → 192.168.0.188:8080:8080"
|
||||
|
||||
# 4. 顯示最終狀態
|
||||
echo ""
|
||||
echo "=========================================="
|
||||
echo " 安全加固完成!"
|
||||
echo "=========================================="
|
||||
echo ""
|
||||
echo "Fail2Ban 狀態:"
|
||||
fail2ban-client status sshd 2>/dev/null || echo " (啟動中...)"
|
||||
echo ""
|
||||
echo "UFW 防火牆規則:"
|
||||
ufw status verbose
|
||||
echo ""
|
||||
echo "⚠️ 注意事項:"
|
||||
echo " 1. 外部訪問 Ollama API/n8n/SearXNG 已被限制為內網 (192.168.0.0/24)"
|
||||
echo " 2. 如需從外部訪問,請透過 Nginx 反向代理並加入認證"
|
||||
echo " 3. 建議定期檢查 fail2ban-client status sshd"
|
||||
91
scripts/security/setup-monitor-whitelist.sh
Executable file
91
scripts/security/setup-monitor-whitelist.sh
Executable file
@@ -0,0 +1,91 @@
|
||||
#!/bin/bash
|
||||
# =============================================================================
|
||||
# MOMO Pro System - 監控服務白名單設定
|
||||
# 功能:限制監控/報表服務只允許白名單 IP 訪問
|
||||
# 執行方式:在 UAT 主機上以 root 或 sudo 執行
|
||||
# =============================================================================
|
||||
|
||||
set -e
|
||||
|
||||
echo "=========================================="
|
||||
echo "🔒 監控服務白名單設定"
|
||||
echo "=========================================="
|
||||
|
||||
# Step 1: 創建白名單配置
|
||||
echo ""
|
||||
echo "Step 1: 創建白名單配置..."
|
||||
|
||||
cat > /etc/nginx/snippets/monitor_whitelist.conf << 'EOF'
|
||||
# =============================================================================
|
||||
# 監控服務白名單 (monitor.wooo.work)
|
||||
# 只允許以下 IP 訪問 Superset, Metabase, Grafana, n8n 等服務
|
||||
# 更新日期: 2026-02-14
|
||||
# =============================================================================
|
||||
|
||||
# ----- 內部網路 -----
|
||||
# UAT 內網
|
||||
allow 192.168.0.0/24;
|
||||
|
||||
# ----- 伺服器間通訊 -----
|
||||
# GCP 正式環境 (momo.wooo.work 需要訪問 BI 服務)
|
||||
allow 35.194.233.141;
|
||||
|
||||
# Ollama AI 伺服器
|
||||
allow 192.168.0.188;
|
||||
|
||||
# ----- 辦公室/家庭 IP (請依實際情況添加) -----
|
||||
# 範例:allow 114.32.151.246;
|
||||
|
||||
# ----- 拒絕其他所有 -----
|
||||
deny all;
|
||||
EOF
|
||||
|
||||
echo "✅ 白名單配置已創建: /etc/nginx/snippets/monitor_whitelist.conf"
|
||||
|
||||
# Step 2: 備份現有 Nginx 配置
|
||||
echo ""
|
||||
echo "Step 2: 備份現有配置..."
|
||||
cp /etc/nginx/sites-enabled/monitor /etc/nginx/sites-enabled/monitor.backup.$(date +%Y%m%d_%H%M%S)
|
||||
echo "✅ 備份完成"
|
||||
|
||||
# Step 3: 修改 monitor 配置,加入白名單
|
||||
echo ""
|
||||
echo "Step 3: 修改 monitor.wooo.work 配置..."
|
||||
|
||||
# 檢查是否已包含白名單
|
||||
if grep -q "monitor_whitelist.conf" /etc/nginx/sites-enabled/monitor; then
|
||||
echo "⚠️ 白名單已配置,跳過修改"
|
||||
else
|
||||
# 在 server 塊開頭加入白名單
|
||||
sed -i '/server_name monitor.wooo.work;/a\ # 白名單限制\n include snippets/monitor_whitelist.conf;' /etc/nginx/sites-enabled/monitor
|
||||
echo "✅ 已加入白名單引用"
|
||||
fi
|
||||
|
||||
# Step 4: 測試 Nginx 配置
|
||||
echo ""
|
||||
echo "Step 4: 測試 Nginx 配置..."
|
||||
nginx -t
|
||||
|
||||
# Step 5: 重載 Nginx
|
||||
echo ""
|
||||
echo "Step 5: 重載 Nginx..."
|
||||
systemctl reload nginx
|
||||
echo "✅ Nginx 已重載"
|
||||
|
||||
# Step 6: 驗證
|
||||
echo ""
|
||||
echo "=========================================="
|
||||
echo "🎉 設定完成!"
|
||||
echo "=========================================="
|
||||
echo ""
|
||||
echo "白名單 IP:"
|
||||
grep "^allow" /etc/nginx/snippets/monitor_whitelist.conf
|
||||
echo ""
|
||||
echo "測試訪問:"
|
||||
echo " ✅ 從內網: curl https://monitor.wooo.work/superset/"
|
||||
echo " ✅ 從 GCP: curl https://monitor.wooo.work/superset/"
|
||||
echo " ❌ 從外網: 應返回 403 Forbidden"
|
||||
echo ""
|
||||
echo "如需添加新的白名單 IP,請編輯:"
|
||||
echo " /etc/nginx/snippets/monitor_whitelist.conf"
|
||||
echo "然後執行: sudo systemctl reload nginx"
|
||||
Reference in New Issue
Block a user