wooo/ewoooc
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
1c03d213acfe01233dc17fac52734e9b8b48b708
ewoooc/scripts/security/firewall-whitelist.sh
ogt 1b4f3a7bbe
Some checks failed
CD Pipeline / deploy (push) Failing after 59s
Details
feat: EwoooC 初始化 — 完整專案推版至 Gitea 
- 建立 Gitea Actions CD pipeline (.gitea/workflows/cd.yaml)
- 部署模式: rsync Python 檔案至 188 → docker restart (volume mount)
- Dockerfile/requirements 變動時自動重建 Docker image
- 部署通知: Telegram (開始/成功/失敗)
- 健康檢查: https://mo.wooo.work/health (最多 5 次重試)
- 同步最新 CLAUDE.md / ADR-008 / memory (2026-04-19)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-19 01:21:13 +08:00

221 lines
6.8 KiB
Bash
Executable File
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/bin/bash
# =============================================================================
# MOMO Pro System - 防火牆白名單配置
# 功能:設定 UAT ↔ GCP 互相白名單,限制外部訪問
# 版本1.0.0
# 日期2026-02-14
# =============================================================================
# ============================================
# 白名單 IP 定義
# ============================================
# UAT 主機 IP (內網)
UAT_IP="192.168.0.110"
# GCP 主機 IP (外網)
GCP_IP="35.194.233.141"
# 辦公室/家庭 IP (需要能訪問監控服務的 IP)
# 請根據實際情況更新
ALLOWED_EXTERNAL_IPS=(
"114.32.151.246" # WOOO 辦公室 IP (範例)
"1.160.0.0/16" # 中華電信 ADSL 範圍 (範例)
)
# GCP 專案資訊
GCP_PROJECT="astral-gateway-484913-d7"
GCP_VM="momo-pro-gcp"
GCP_ZONE="asia-east1-b"
# ============================================
# UAT 防火牆配置 (UFW)
# ============================================
configure_uat_firewall() {
echo "=========================================="
echo "配置 UAT 防火牆白名單"
echo "=========================================="
ssh wooo@${UAT_IP} "
# 重置 UFW
sudo ufw --force reset
# 預設策略:拒絕入站,允許出站
sudo ufw default deny incoming
sudo ufw default allow outgoing
# 允許 SSH所有 IP但有 Fail2Ban 保護)
sudo ufw allow 22/tcp
# 允許 HTTP/HTTPS公開但僅有 Nginx 監聽)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# 允許 GCP 訪問內部服務(用於監控/同步)
sudo ufw allow from ${GCP_IP} to any port 5678 comment 'GCP -> n8n'
sudo ufw allow from ${GCP_IP} to any port 8929 comment 'GCP -> GitLab'
sudo ufw allow from ${GCP_IP} to any port 9090 comment 'GCP -> Prometheus'
# 允許內網訪問所有服務
sudo ufw allow from 192.168.0.0/24 comment 'Local Network'
# 允許指定外部 IP 訪問監控服務
$(for ip in "${ALLOWED_EXTERNAL_IPS[@]}"; do
echo "sudo ufw allow from ${ip} to any port 30030 comment 'External -> Grafana'"
echo "sudo ufw allow from ${ip} to any port 8929 comment 'External -> GitLab'"
done)
# 啟用防火牆
sudo ufw --force enable
sudo ufw status verbose
"
}
# ============================================
# GCP 防火牆配置 (gcloud)
# ============================================
configure_gcp_firewall() {
echo "=========================================="
echo "配置 GCP 防火牆白名單"
echo "=========================================="
# 刪除過於寬鬆的規則
gcloud compute firewall-rules delete allow-momo-ports --project=${GCP_PROJECT} --quiet 2>/dev/null || true
# 創建嚴格的規則
# 1. 允許 HTTP/HTTPS公開Web 服務)
gcloud compute firewall-rules create momo-allow-web \
--project=${GCP_PROJECT} \
--direction=INGRESS \
--priority=1000 \
--network=default \
--action=ALLOW \
--rules=tcp:80,tcp:443 \
--source-ranges=0.0.0.0/0 \
--description="Allow HTTP/HTTPS from anywhere" \
2>/dev/null || echo "Rule momo-allow-web already exists"
# 2. 允許 SSH 僅從 UAT IP
gcloud compute firewall-rules create momo-allow-ssh-from-uat \
--project=${GCP_PROJECT} \
--direction=INGRESS \
--priority=1000 \
--network=default \
--action=ALLOW \
--rules=tcp:22 \
--source-ranges=${UAT_IP}/32 \
--description="Allow SSH only from UAT" \
2>/dev/null || echo "Rule momo-allow-ssh-from-uat already exists"
# 3. 允許 K8s API 僅從 UAT IP
gcloud compute firewall-rules create momo-allow-k8s-from-uat \
--project=${GCP_PROJECT} \
--direction=INGRESS \
--priority=1000 \
--network=default \
--action=ALLOW \
--rules=tcp:6443 \
--source-ranges=${UAT_IP}/32 \
--description="Allow K8s API only from UAT" \
2>/dev/null || echo "Rule momo-allow-k8s-from-uat already exists"
# 4. 拒絕其他所有入站流量GCP 預設已有此規則)
echo ""
echo "GCP 防火牆規則:"
gcloud compute firewall-rules list --project=${GCP_PROJECT} \
--filter="name~momo" \
--format="table(name,direction,sourceRanges,allowed)"
}
# ============================================
# Nginx 白名單配置
# ============================================
configure_nginx_whitelist() {
echo "=========================================="
echo "配置 Nginx 白名單(監控服務)"
echo "=========================================="
# 創建白名單配置文件
ssh wooo@${UAT_IP} "
cat > /tmp/allowed_ips.conf << 'EOF'
# 允許的 IP 白名單
# UAT 內網
allow 192.168.0.0/24;
# GCP 正式環境
allow ${GCP_IP};
# 辦公室/家庭 IP
$(for ip in "${ALLOWED_EXTERNAL_IPS[@]}"; do
echo "allow ${ip};"
done)
# 拒絕其他所有
deny all;
EOF
sudo mv /tmp/allowed_ips.conf /etc/nginx/snippets/allowed_ips.conf
echo '白名單配置已寫入 /etc/nginx/snippets/allowed_ips.conf'
"
echo ""
echo "請在需要限制訪問的 Nginx location 中加入:"
echo " include snippets/allowed_ips.conf;"
}
# ============================================
# 顯示當前狀態
# ============================================
show_status() {
echo "=========================================="
echo "當前防火牆狀態"
echo "=========================================="
echo ""
echo "--- UAT UFW 狀態 ---"
ssh wooo@${UAT_IP} "sudo ufw status numbered" 2>/dev/null || echo "UAT 連線失敗"
echo ""
echo "--- GCP 防火牆規則 ---"
gcloud compute firewall-rules list --project=${GCP_PROJECT} \
--format="table(name,direction,sourceRanges,allowed)" 2>/dev/null || echo "GCP 連線失敗"
}
# ============================================
# 主程式
# ============================================
main() {
case "${1:-status}" in
uat)
configure_uat_firewall
;;
gcp)
configure_gcp_firewall
;;
nginx)
configure_nginx_whitelist
;;
all)
configure_uat_firewall
configure_gcp_firewall
configure_nginx_whitelist
;;
status)
show_status
;;
*)
echo "用法: $0 [uat|gcp|nginx|all|status]"
echo ""
echo " uat - 配置 UAT 防火牆 (UFW)"
echo " gcp - 配置 GCP 防火牆 (gcloud)"
echo " nginx - 配置 Nginx IP 白名單"
echo " all - 配置所有防火牆"
echo " status - 顯示當前狀態(預設)"
;;
esac
}
main "$@"
Reference in New Issue View Git Blame Copy Permalink