feat(deploy): 8080 收 loopback + 关 8080 防火墙 + 健康检查改本地/隧道(退役明文控制口)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013nMthbVEmQquxBRKb9Fj8u
This commit is contained in:
@@ -164,7 +164,7 @@ cat > "$ETC/server.env" <<EOF
|
||||
DB_DRIVER=sqlite
|
||||
DB_DSN=$DB_FILE
|
||||
REDIS_ADDR=127.0.0.1:6379
|
||||
ADDR=:$HTTP_PORT
|
||||
ADDR=127.0.0.1:$HTTP_PORT
|
||||
JWT_PRIVATE_KEY_PATH=$ETC/jwt_private.pem
|
||||
JWT_KEY_ID=node-key-1
|
||||
JWT_PUBLIC_KEYS=node-key-1:$ETC/jwt_public.pem
|
||||
@@ -287,11 +287,7 @@ log "启用 sing-box + 启动 agent ..."
|
||||
systemctl enable sing-box.service
|
||||
systemctl enable --now pangolin-agent.service
|
||||
|
||||
# 放行控制面 API 端口(若 ufw 启用)。⚠️ 明文,生产应前置 TLS。
|
||||
if command -v ufw >/dev/null 2>&1 && ufw status 2>/dev/null | grep -q "Status: active"; then
|
||||
ufw allow "${HTTP_PORT}/tcp" >/dev/null 2>&1 || true
|
||||
log "ufw 放行 ${HTTP_PORT}/tcp(控制面 API,明文)"
|
||||
fi
|
||||
# 控制面 API 已绑 127.0.0.1(经 cloudflared 隧道对外),不放行 8080/tcp。
|
||||
|
||||
# ── cloudflared:按需启用(需 /etc/pangolin/cloudflared.env 提供 TUNNEL_TOKEN)───
|
||||
if [ -f /etc/pangolin/cloudflared.env ]; then
|
||||
|
||||
@@ -54,6 +54,8 @@ systemctl start pangolin-server
|
||||
systemctl is-active pangolin-server
|
||||
REMOTE
|
||||
|
||||
curl -fsS -m 10 --retry 5 --retry-connrefused "http://${DEPLOY_HOST}:8080/healthz" >/dev/null && echo "healthz OK"
|
||||
# 8080 现仅 loopback(经 cloudflared 隧道对外):ssh 内本地校验 + 经隧道校验对外真实可达。
|
||||
$SSH "root@${DEPLOY_HOST}" 'curl -fsS -m 10 --retry 5 --retry-connrefused http://127.0.0.1:8080/healthz >/dev/null && echo "healthz(local) OK"'
|
||||
curl -fsS -m 10 --retry 5 "https://api.yanmeiai.com/healthz" >/dev/null && echo "healthz(tunnel) OK"
|
||||
|
||||
echo "==> deploy-server: done"
|
||||
|
||||
Reference in New Issue
Block a user