- Install the python-telegram-bot dependency.
- Start the Telegram bot service.
- Confirm the correct group ID (MOMO PRO – small shrimp group).
- The bot now runs with all commands and the button interface working.
- Natural-language processing restored via keyword matching.

Fixes the issue where the Telegram group could not be used with natural-language messages.
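#!/bin/bash
# =============================================================================
# MOMO Pro System - firewall allow-list configuration
# Purpose: let UAT and GCP reach each other and restrict everything else
# Version: 1.0.0
# Date:    2026-02-14
#
# Usage:    $0 [uat|gcp|nginx|all|status]
# Requires: ssh access to the UAT host as user `wooo` (with working sudo),
#           and an authenticated gcloud CLI allowed to manage firewall rules
#           in GCP_PROJECT.
# =============================================================================

# Fail fast. A firewall allow-list that was only half applied is worse than
# one that was not applied at all: without this the `all` target would carry
# on after a failed step and still print the final status as if it succeeded.
set -euo pipefail

# ============================================
# Allow-listed IP definitions
# ============================================

# UAT IP (the actual UAT VM / server address).
readonly UAT_IP="114.32.151.246"

# GCP IP (public address of the GCP VM).
readonly GCP_IP="35.194.233.141"

# Office / home addresses that need to reach the monitoring services.
# Update according to the actual environment.
#
# SECURITY NOTE (review): every entry below is opened to Grafana (30030) and
# GitLab (8929) on the UAT host and gets a matching `allow` line in the Nginx
# snippet. As listed, the set is far wider than "office/home":
#   - "1.160.0.0/16" is a whole ISP customer block (65,536 addresses), so any
#     subscriber in that range passes the allow-list;
#   - "10.0.0.0/8", "172.16.0.0/12" and "192.168.0.0/16" are the complete
#     RFC 1918 private ranges; "192.168.1.0/24", "10.10.0.0/16" and
#     "172.20.0.0/14" are already contained in them and are redundant;
#   - "114.32.151.246" is UAT_IP itself, not a separate office address.
# The values are left unchanged here because they are operator policy; narrow
# them to the real egress addresses (/32 wherever possible) before use.
ALLOWED_EXTERNAL_IPS=(
  "114.32.151.246"  # WOOO office IP (example)
  "1.160.0.0/16"    # Chunghwa Telecom ADSL range (example)
  "192.168.1.0/24"  # home network range
  "10.0.0.0/8"      # internal network range
  "172.16.0.0/12"   # internal network range
  "192.168.0.0/16"  # home network range
  "10.10.0.0/16"    # internal network range
  "172.20.0.0/14"   # internal network range
)
readonly ALLOWED_EXTERNAL_IPS

# GCP project information
readonly GCP_PROJECT="astral-gateway-484913-d7"
readonly GCP_VM="momo-pro-gcp"     # not referenced by this script; kept for operators
readonly GCP_ZONE="asia-east1-b"   # not referenced by this script; kept for operators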
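# ============================================
# UAT firewall configuration (UFW)
# ============================================

#######################################
# Render the UFW commands that open the monitoring ports (Grafana 30030,
# GitLab 8929) to every entry of ALLOWED_EXTERNAL_IPS, one command per line,
# for embedding in the remote script.
# Each entry is checked against a plain IPv4 / CIDR pattern first: the text
# is spliced into a command line that runs under sudo on the UAT host, so
# nothing but an address may reach it. The entries are operator-maintained
# constants, but a typo such as a stray space or `;` would otherwise be
# executed as root on the server.
# Globals:   ALLOWED_EXTERNAL_IPS (read)
# Outputs:   `sudo ufw allow ...` lines on stdout
# Returns:   0, or 1 on the first entry that is not an IPv4 address / CIDR
#######################################
_uat_external_rules() {
  local entry
  for entry in "${ALLOWED_EXTERNAL_IPS[@]}"; do
    if ! [[ "${entry}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]; then
      printf 'ALLOWED_EXTERNAL_IPS entry is not an IPv4 address or CIDR: %s\n' "${entry}" >&2
      return 1
    fi
    printf "sudo ufw allow from %s to any port 30030 comment 'External -> Grafana'\n" "${entry}"
    printf "sudo ufw allow from %s to any port 8929 comment 'External -> GitLab'\n" "${entry}"
  done
}

#######################################
# Rebuild the UFW rule set on the UAT host over ssh (as user `wooo`; sudo on
# the host is assumed to work without a tty or password, as before).
# Resulting policy:
#   - default: deny inbound, allow outbound
#   - 22, 80, 443 open to everyone (22 relies on Fail2Ban on the host)
#   - 5678 (n8n), 8929 (GitLab), 9090 (Prometheus) open to GCP_IP only
#   - every port open to 192.168.0.0/24
#   - 30030 (Grafana) and 8929 (GitLab) open to ALLOWED_EXTERNAL_IPS
# Caveat: `ufw --force reset` disables the firewall until the final `enable`,
# so the host is unfiltered while the remote script runs. The per-IP rules
# are validated and rendered locally first, so nothing is sent to the host
# unless the whole rule set is well-formed.
# Globals:   UAT_IP, GCP_IP, ALLOWED_EXTERNAL_IPS (read)
# Returns:   1 if the allow-list fails validation, else the ssh exit status
#######################################
configure_uat_firewall() {
  local external_rules
  echo "=========================================="
  echo "配置 UAT 防火牆白名單"
  echo "=========================================="

  external_rules=$(_uat_external_rules) || return 1

  # The command string is expanded locally (GCP_IP, external_rules) and then
  # executed by the remote shell; every remote command runs under sudo.
  ssh "wooo@${UAT_IP}" "
  # Reset UFW (this also disables it until 'enable' below)
  sudo ufw --force reset

  # Default policy: deny inbound, allow outbound
  sudo ufw default deny incoming
  sudo ufw default allow outgoing

  # SSH from any address (protected by Fail2Ban on the host)
  sudo ufw allow 22/tcp

  # HTTP/HTTPS (public; only Nginx listens there)
  sudo ufw allow 80/tcp
  sudo ufw allow 443/tcp

  # Internal services reachable from GCP only (monitoring / sync)
  sudo ufw allow from ${GCP_IP} to any port 5678 comment 'GCP -> n8n'
  sudo ufw allow from ${GCP_IP} to any port 8929 comment 'GCP -> GitLab'
  sudo ufw allow from ${GCP_IP} to any port 9090 comment 'GCP -> Prometheus'

  # Local network may reach every service
  sudo ufw allow from 192.168.0.0/24 comment 'Local Network'

  # Allow-listed external addresses may reach the monitoring services
${external_rules}

  # Enable the firewall
  sudo ufw --force enable
  sudo ufw status verbose
  "
}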
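# ============================================
# GCP firewall configuration (gcloud)
# ============================================

#######################################
# Create one INGRESS/ALLOW rule (priority 1000, network `default`) in
# GCP_PROJECT unless a rule of that name already exists.
# Existence is checked explicitly with `describe`. The previous form,
# `create ... 2>/dev/null || echo "already exists"`, reported every failure
# (wrong project, missing permission, quota, a typo in the spec) as
# "already exists", which hides a rule that was never applied. Note that an
# existing rule is NOT compared against the intended spec; a pre-existing
# rule with a wider source range is left as it is.
# Globals:   GCP_PROJECT (read)
# Arguments: $1 rule name, $2 protocol/port list (e.g. "tcp:80,tcp:443"),
#            $3 source ranges, $4 description
# Returns:   0 when the rule exists or was created, else gcloud's exit status
#######################################
_gcp_ensure_ingress_rule() {
  local name=$1 rules=$2 source_ranges=$3 description=$4
  if gcloud compute firewall-rules describe "${name}" --project="${GCP_PROJECT}" >/dev/null 2>&1; then
    echo "Rule ${name} already exists"
    return 0
  fi
  gcloud compute firewall-rules create "${name}" \
    --project="${GCP_PROJECT}" \
    --direction=INGRESS \
    --priority=1000 \
    --network=default \
    --action=ALLOW \
    --rules="${rules}" \
    --source-ranges="${source_ranges}" \
    --description="${description}"
}

#######################################
# Replace the permissive `allow-momo-ports` rule with three strict ones:
# web (80/443) from anywhere, SSH (22) and the K8s API (6443) from UAT_IP
# only. Everything else falls through to the VPC's implied deny-ingress
# rule — but that rule has the lowest priority, so any other ALLOW rule on
# the `default` network still wins over it. On an auto-created `default`
# VPC Google pre-populates rules such as `default-allow-ssh` (tcp:22 from
# 0.0.0.0/0), which would silently defeat the "SSH only from UAT" rule;
# this function lists such rules so the operator can act on them, but does
# not delete them, because removing one may lock the operator out.
# Globals:   GCP_PROJECT, UAT_IP (read)
# Returns:   0 on success, 1 if a delete or create fails
#######################################
configure_gcp_firewall() {
  echo "=========================================="
  echo "配置 GCP 防火牆白名單"
  echo "=========================================="

  # Remove the earlier, overly permissive rule if it is still present.
  # Checking first keeps a failed delete (e.g. missing permission) visible
  # instead of swallowing it together with the harmless "not found" case.
  if gcloud compute firewall-rules describe allow-momo-ports --project="${GCP_PROJECT}" >/dev/null 2>&1; then
    gcloud compute firewall-rules delete allow-momo-ports --project="${GCP_PROJECT}" --quiet || return 1
  fi

  # Strict rules
  # 1. HTTP/HTTPS: public web service
  _gcp_ensure_ingress_rule momo-allow-web "tcp:80,tcp:443" "0.0.0.0/0" \
    "Allow HTTP/HTTPS from anywhere" || return 1
  # 2. SSH only from the UAT address
  _gcp_ensure_ingress_rule momo-allow-ssh-from-uat "tcp:22" "${UAT_IP}/32" \
    "Allow SSH only from UAT" || return 1
  # 3. Kubernetes API only from the UAT address
  _gcp_ensure_ingress_rule momo-allow-k8s-from-uat "tcp:6443" "${UAT_IP}/32" \
    "Allow K8s API only from UAT" || return 1

  # 4. All other inbound traffic is dropped by the implied deny rule — unless
  #    another ALLOW rule on this network is open to the world. Surface those.
  echo ""
  echo "Other rules on network 'default' open to 0.0.0.0/0 (expected: none):"
  gcloud compute firewall-rules list --project="${GCP_PROJECT}" \
    --filter="direction=INGRESS AND network~default AND sourceRanges:'0.0.0.0/0' AND NOT name~^momo-allow-web$" \
    --format="table(name,priority,sourceRanges,allowed)" \
    || echo "(could not list firewall rules)"

  echo ""
  echo "GCP 防火牆規則:"
  gcloud compute firewall-rules list --project="${GCP_PROJECT}" \
    --filter="name~momo" \
    --format="table(name,direction,sourceRanges,allowed)"
}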
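# ============================================
# Nginx allow-list configuration
# ============================================

#######################################
# Render the Nginx `allow`/`deny` snippet for the monitoring locations:
# the UAT internal network, GCP_IP and every entry of ALLOWED_EXTERNAL_IPS
# are allowed, everything else is denied.
# Entries are validated as IPv4 / CIDR before use: a malformed one would
# produce an invalid `allow` directive that breaks the whole Nginx config at
# the next reload.
# Globals:   GCP_IP, ALLOWED_EXTERNAL_IPS (read)
# Outputs:   the snippet on stdout, ending with `deny all;`
# Returns:   0, or 1 on the first entry that is not an IPv4 address / CIDR
#######################################
_nginx_allow_snippet() {
  local entry
  printf '# Allowed IP allow-list (generated by configure_nginx_whitelist)\n'
  printf '# UAT internal network\n'
  printf 'allow 192.168.0.0/24;\n\n'
  printf '# GCP production environment\n'
  printf 'allow %s;\n\n' "${GCP_IP}"
  printf '# Office / home IPs\n'
  for entry in "${ALLOWED_EXTERNAL_IPS[@]}"; do
    if ! [[ "${entry}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]; then
      printf 'ALLOWED_EXTERNAL_IPS entry is not an IPv4 address or CIDR: %s\n' "${entry}" >&2
      return 1
    fi
    printf 'allow %s;\n' "${entry}"
  done
  printf '\n# Deny everything else\n'
  printf 'deny all;\n'
}

#######################################
# Install the allow-list snippet as /etc/nginx/snippets/allowed_ips.conf on
# the UAT host. The snippet is rendered locally and streamed over ssh's
# stdin into `sudo tee`, so there is no copy at a predictable path in /tmp
# and the installed file is root-owned with mode 0644. (The previous
# `cat > /tmp/allowed_ips.conf && sudo mv` left a file owned by the ssh user
# inside /etc/nginx, i.e. editable without root, and followed any symlink
# planted at that /tmp path.)
# The snippet only takes effect once it is `include`d in a location and
# Nginx is reloaded; this function does neither. `allow`/`deny` match the
# TCP peer address, so if Nginx sits behind a proxy or load balancer the
# real_ip module must be configured for the list to mean anything — not
# verified here.
# Globals:   UAT_IP, GCP_IP, ALLOWED_EXTERNAL_IPS (read)
# Returns:   1 if the allow-list fails validation or the remote write fails
#######################################
configure_nginx_whitelist() {
  local snippet
  echo "=========================================="
  echo "配置 Nginx 白名單(監控服務)"
  echo "=========================================="

  snippet=$(_nginx_allow_snippet) || return 1

  # Remote side: make sure the snippets directory exists, write the file as
  # root from stdin, and pin its mode regardless of the remote umask.
  printf '%s\n' "${snippet}" | ssh "wooo@${UAT_IP}" "
    sudo install -d -o root -g root -m 0755 /etc/nginx/snippets &&
    sudo tee /etc/nginx/snippets/allowed_ips.conf >/dev/null &&
    sudo chmod 0644 /etc/nginx/snippets/allowed_ips.conf &&
    echo '白名單配置已寫入 /etc/nginx/snippets/allowed_ips.conf'
  " || return 1

  echo ""
  echo "請在需要限制訪問的 Nginx location 中加入:"
  echo " include snippets/allowed_ips.conf;"
}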
# ============================================
# Show current status
# ============================================

#######################################
# Print the live firewall state on both sides: the numbered UFW rules on the
# UAT host (over ssh) and every firewall rule in GCP_PROJECT. A failure on
# either side is reported inline and does not prevent the other report.
# Globals:   UAT_IP, GCP_PROJECT (read)
# Outputs:   status report on stdout
#######################################
show_status() {
  local banner="=========================================="
  printf '%s\n' "${banner}" "當前防火牆狀態" "${banner}"

  printf '\n--- UAT UFW 狀態 ---\n'
  if ! ssh "wooo@${UAT_IP}" "sudo ufw status numbered" 2>/dev/null; then
    echo "UAT 連線失敗"
  fi

  printf '\n--- GCP 防火牆規則 ---\n'
  if ! gcloud compute firewall-rules list --project="${GCP_PROJECT}" \
      --format="table(name,direction,sourceRanges,allowed)" 2>/dev/null; then
    echo "GCP 連線失敗"
  fi
}
# ============================================
# Main program
# ============================================

#######################################
# Print the command-line help.
# Arguments: $1 - program name shown in the usage line
# Outputs:   help text on stdout
#######################################
_usage() {
  printf '用法: %s [uat|gcp|nginx|all|status]\n\n' "$1"
  printf ' uat - 配置 UAT 防火牆 (UFW)\n'
  printf ' gcp - 配置 GCP 防火牆 (gcloud)\n'
  printf ' nginx - 配置 Nginx IP 白名單\n'
  printf ' all - 配置所有防火牆\n'
  printf ' status - 顯示當前狀態(預設)\n'
}

#######################################
# Dispatch on the first argument; `status` is the default when none is given.
# `all` runs the UAT, GCP and Nginx steps in that order.
# Arguments: $1 - one of uat, gcp, nginx, all, status (optional)
#######################################
main() {
  local action="${1:-status}"
  case "${action}" in
    uat)    configure_uat_firewall ;;
    gcp)    configure_gcp_firewall ;;
    nginx)  configure_nginx_whitelist ;;
    all)
      configure_uat_firewall
      configure_gcp_firewall
      configure_nginx_whitelist
      ;;
    status) show_status ;;
    *)      _usage "$0" ;;
  esac
}

main "$@"