awoooi/docs/security/DOMAIN-TLS-CERTBOT-INVENTORY.md
Your Name 6239712507
feat(security): add public gateway preflight read-only inventory
2026-06-12 01:25:04 +08:00
# IwoooS DNS / TLS / certbot read-only inventory
| Item | Value |
|------|------|
| Date | 2026-06-11 |
| Status | `repo_only_inventory_ready` |
| Tool | `scripts/security/domain-tls-certbot-inventory.py` |
| Snapshot | `docs/security/domain-tls-certbot-inventory.snapshot.json` |
| Schema | `docs/schemas/domain_tls_certbot_inventory_v1.schema.json` |
| runtime gate | `0` |
## 1. Purpose
The risk of a public entry point does not lie in the Nginx conf alone; it also lies in the mapping between domains, TLS certificate paths, ACME challenge paths, admin routes, WebSocket routes and upstreams. This inventory turns those mappings, taken from the committed Nginx source-of-truth, into re-runnable read-only evidence, so that owner review works from one consistent set of fields.
This phase performs no DNS queries, opens no TLS connections, does not run certbot, does not SSH, does not read TLS private key contents, does not reload Nginx and does not modify the host.
## 2. Current repo-only summary
| Metric | Value |
|------|----|
| Nginx source configs | `3` |
| managed domains | `14` |
| TLS certificate paths | `10` |
| ACME challenge domains | `7` |
| certificate path relationships needing owner confirmation | `4` |
| admin route domains | `1` |
| WebSocket route domains | `6` |
| owner request / received / accepted | `0 / 0 / 0` |
| runtime gate | `0` |
## 3. Items needing owner confirmation
The rows below are not findings of misconfiguration, nor a conclusion that live TLS is broken. They only record that the `server_name` in the repo template differs from the directory name in the certificate path; the owner has to confirm whether the name is legitimately covered by a SAN entry, a wildcard certificate or a shared certificate.
| domain | certificate path domain | status |
|--------|--------------------------|------|
| `gitea.wooo.work` | `sentry.wooo.work` | owner confirmation required |
| `langfuse.wooo.work` | `sentry.wooo.work` | owner confirmation required |
| `signoz.wooo.work` | `sentry.wooo.work` | owner confirmation required |
| `tsenyang.com` | `www.tsenyang.com` | owner confirmation required |
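The check that produces a queue like the one above, as an added example written for this note and not the project's `scripts/security/domain-tls-certbot-inventory.py`: it extracts `server_name`, `ssl_certificate`, `ssl_certificate_key`, ACME challenge, admin, WebSocket and `proxy_pass` facts from committed Nginx config text, then flags every `server_name` that differs from the certbot lineage directory in its certificate path. The sample config, the hostnames in it and the `/etc/letsencrypt/live/<lineage>/` layout are constructed assumptions. In line with the boundaries in section 6 it does no DNS or TLS lookups and never opens the certificate or key files whose paths it records.

```python
"""Repo-only check of each server_name against the certbot lineage directory in its
certificate path. Added example, not scripts/security/domain-tls-certbot-inventory.py:
it reads Nginx config text only, no DNS, no TLS probe, and never opens cert/key files."""
from __future__ import annotations

import re
from pathlib import PurePosixPath

# Constructed sample of a committed Nginx source config (illustrative vhosts and paths).
SAMPLE_NGINX_CONF = """
server {
    server_name gitea.wooo.work;
    ssl_certificate     /etc/letsencrypt/live/sentry.wooo.work/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sentry.wooo.work/privkey.pem;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        proxy_pass http://gitea:3000;
        proxy_set_header Upgrade $http_upgrade;
    }
}
server {
    server_name tsenyang.com www.tsenyang.com;
    ssl_certificate     /etc/letsencrypt/live/www.tsenyang.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.tsenyang.com/privkey.pem;
    location /admin/ {
        proxy_pass http://app:8080;
    }
}
server {
    server_name sentry.wooo.work;
    ssl_certificate     /etc/letsencrypt/live/sentry.wooo.work/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sentry.wooo.work/privkey.pem;
}
"""


def split_server_blocks(text: str) -> list[str]:
    """Body of every `server { ... }` block, by brace counting (nested locations stay inside)."""
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, start = 0, m.end()
        for i in range(m.end() - 1, len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    blocks.append(text[start:i])
                    break
    return blocks


def _directive(block: str, name: str) -> list[str]:
    # Values of a simple `name value;` directive; one directive per line in the sample.
    return [v.strip() for v in re.findall(rf"(?m)^\s*{name}\s+([^;]+);", block)]


def parse_server_block(block: str) -> dict:
    """Inventory fields for one server block. key_path is recorded as path metadata only."""
    locations = re.findall(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{", block)
    certs, keys = _directive(block, "ssl_certificate"), _directive(block, "ssl_certificate_key")
    return {
        "server_names": [n for v in _directive(block, "server_name") for n in v.split()],
        "cert_path": certs[0] if certs else None,
        "key_path": keys[0] if keys else None,
        "acme_challenge": any(loc.startswith("/.well-known/acme-challenge") for loc in locations),
        "admin_routes": [loc for loc in locations if "admin" in loc.lower()],
        "websocket": bool(re.search(r"proxy_set_header\s+Upgrade\s+\$http_upgrade", block)),
        "upstreams": _directive(block, "proxy_pass"),
    }


def cert_dir_name(cert_path: str | None) -> str | None:
    """certbot writes /etc/letsencrypt/live/<lineage>/fullchain.pem; only the <lineage>
    directory name is compared. The file is not opened and its contents are not parsed."""
    return None if cert_path is None else PurePosixPath(cert_path).parent.name


def owner_confirmation_queue(conf_text: str) -> list[tuple[str, str]]:
    """(domain, certificate path domain) pairs whose server_name differs from the lineage.
    A mismatch is not an error: a SAN, wildcard or shared certificate may legitimately
    cover the name, and that is exactly what the owner is asked to confirm."""
    queue = []
    for block in split_server_blocks(conf_text):
        inv = parse_server_block(block)
        lineage = cert_dir_name(inv["cert_path"])
        if lineage is None:
            continue
        queue.extend((d, lineage) for d in inv["server_names"] if d != lineage)
    return queue


if __name__ == "__main__":
    for domain, lineage in owner_confirmation_queue(SAMPLE_NGINX_CONF):
        print(f"{domain} -> {lineage}: owner confirmation required")
```

On the sample, `gitea.wooo.work` and `tsenyang.com` land in the queue while `www.tsenyang.com` and `sentry.wooo.work` do not, because the comparison is purely name-to-directory. Whether the `sentry.wooo.work` lineage actually carries `gitea.wooo.work` as a SAN is something only the owner, or a later authorized live probe, can say.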
## 4. owner response fields
Any domain / TLS / certbot change or confirmation must carry at least the following fields:
1. `owner_role_or_team`
2. `decision`
3. `decision_reason`
4. `affected_scope`
5. `redacted_evidence_refs`
6. `followup_owner`
7. `rollback_owner`
8. `maintenance_window`
9. `validation_plan`
## 5. Commands
Update the snapshot:
```bash
python3 scripts/security/domain-tls-certbot-inventory.py \
--root . \
--generated-at 2026-06-11T18:40:00+08:00 \
--output docs/security/domain-tls-certbot-inventory.snapshot.json
```
Print the current inventory only:
```bash
python3 scripts/security/domain-tls-certbot-inventory.py --root .
```
## 6. Boundaries
1. This inventory performs no DNS queries.
2. This inventory performs no live TLS probe.
3. This inventory does not run certbot renew.
4. This inventory does not read TLS private key contents; it records certificate / key path metadata only.
5. This inventory does not SSH, does not reload / restart Nginx, does not modify the host and does not change DNS.
6. The IwoooS UI may display the domain / TLS inventory, but visibility of the inventory must not be treated as owner confirmation or runtime authorization.
## 7. Completion status
| Task | Completion | Notes |
|------|--------|------|
| repo-only domain / TLS inventory | `100%` | domain, cert path, ACME, admin, WebSocket and upstream summary produced from the Nginx source-of-truth |
| owner confirmation queue | `100%` | the 4 certificate path relationships needing confirmation are listed |
| IwoooS front-end read-only display | `pending verification in this deployment round` | shows the summary and boundaries only; no action buttons |
| live DNS / TLS validation | `0%` | not yet approved; this inventory must not substitute for a live probe |
| certbot renew / Nginx reload | `0%` | not authorized, not executed |
## 8. Preflight hand-off
`docs/security/PUBLIC-GATEWAY-PREFLIGHT-INVENTORY.md` turns the domain, TLS certificate path, ACME, admin route and WebSocket blast radius recorded in this inventory into the route smoke and owner check conditions that must hold before a public gateway reload / route change.
This hand-off still does not mean that DNS queries, TLS probes, certbot renew, Nginx reload or writes to the host have been authorized.