Files
ewoooc/scripts/security/setup-monitor-whitelist.sh
ogt 1b4f3a7bbe
Some checks failed
CD Pipeline / deploy (push) Failing after 59s
feat: EwoooC 初始化 — 完整專案推版至 Gitea
- 建立 Gitea Actions CD pipeline (.gitea/workflows/cd.yaml)
- 部署模式: rsync Python 檔案至 188 → docker restart (volume mount)
- Dockerfile/requirements 變動時自動重建 Docker image
- 部署通知: Telegram (開始/成功/失敗)
- 健康檢查: https://mo.wooo.work/health (最多 5 次重試)
- 同步最新 CLAUDE.md / ADR-008 / memory (2026-04-19)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-19 01:21:13 +08:00

92 lines
2.8 KiB
Bash
Executable File
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/bin/bash
# =============================================================================
# MOMO Pro System - 監控服務白名單設定
# 功能:限制監控/報表服務只允許白名單 IP 訪問
# 執行方式:在 UAT 主機上以 root 或 sudo 執行
# =============================================================================
set -e
echo "=========================================="
echo "🔒 監控服務白名單設定"
echo "=========================================="
# Step 1: 創建白名單配置
echo ""
echo "Step 1: 創建白名單配置..."
cat > /etc/nginx/snippets/monitor_whitelist.conf << 'EOF'
# =============================================================================
# 監控服務白名單 (monitor.wooo.work)
# 只允許以下 IP 訪問 Superset, Metabase, Grafana, n8n 等服務
# 更新日期: 2026-02-14
# =============================================================================
# ----- 內部網路 -----
# UAT 內網
allow 192.168.0.0/24;
# ----- 伺服器間通訊 -----
# GCP 正式環境 (momo.wooo.work 需要訪問 BI 服務)
allow 35.194.233.141;
# Ollama AI 伺服器
allow 192.168.0.188;
# ----- 辦公室/家庭 IP (請依實際情況添加) -----
# 範例allow 114.32.151.246;
# ----- 拒絕其他所有 -----
deny all;
EOF
echo "✅ 白名單配置已創建: /etc/nginx/snippets/monitor_whitelist.conf"
# Step 2: 備份現有 Nginx 配置
echo ""
echo "Step 2: 備份現有配置..."
cp /etc/nginx/sites-enabled/monitor /etc/nginx/sites-enabled/monitor.backup.$(date +%Y%m%d_%H%M%S)
echo "✅ 備份完成"
# Step 3: 修改 monitor 配置,加入白名單
echo ""
echo "Step 3: 修改 monitor.wooo.work 配置..."
# 檢查是否已包含白名單
if grep -q "monitor_whitelist.conf" /etc/nginx/sites-enabled/monitor; then
echo "⚠️ 白名單已配置,跳過修改"
else
# 在 server 塊開頭加入白名單
sed -i '/server_name monitor.wooo.work;/a\ # 白名單限制\n include snippets/monitor_whitelist.conf;' /etc/nginx/sites-enabled/monitor
echo "✅ 已加入白名單引用"
fi
# Step 4: 測試 Nginx 配置
echo ""
echo "Step 4: 測試 Nginx 配置..."
nginx -t
# Step 5: 重載 Nginx
echo ""
echo "Step 5: 重載 Nginx..."
systemctl reload nginx
echo "✅ Nginx 已重載"
# Step 6: 驗證
echo ""
echo "=========================================="
echo "🎉 設定完成!"
echo "=========================================="
echo ""
echo "白名單 IP"
grep "^allow" /etc/nginx/snippets/monitor_whitelist.conf
echo ""
echo "測試訪問:"
echo " ✅ 從內網: curl https://monitor.wooo.work/superset/"
echo " ✅ 從 GCP: curl https://monitor.wooo.work/superset/"
echo " ❌ 從外網: 應返回 403 Forbidden"
echo ""
echo "如需添加新的白名單 IP請編輯"
echo " /etc/nginx/snippets/monitor_whitelist.conf"
echo "然後執行: sudo systemctl reload nginx"