chore: initial baseline with P0-safety .gitignore
This commit is contained in:
Simon
@@ -0,0 +1,114 @@
|
||||
# WAF 转发配置申请
|
||||
|
||||
## 问题描述
|
||||
|
||||
`itsupport.servyou.com.cn` 域名无法访问,浏览器超时。需 WAF 配置转发规则。
|
||||
|
||||
---
|
||||
|
||||
## 证据链
|
||||
|
||||
### 1. 服务器本地 — 服务正常 ✅
|
||||
|
||||
```
|
||||
# HTTP 已强制跳转 HTTPS(nginx 配置 301 重定向)
|
||||
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# curl http://localhost/itdesk/health
|
||||
<html><head><title>301 Moved Permanently</title></head>...nginx/1.27.5</html>
|
||||
|
||||
# HTTPS 正常响应
|
||||
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# curl -k https://127.0.0.1/itdesk/health -H "Host: itsupport.servyou.com.cn"
|
||||
healthy
|
||||
```
|
||||
|
||||
### 2. SSL 证书 — 有效 ✅
|
||||
|
||||
```
|
||||
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# echo | openssl s_client -connect 127.0.0.1:443 -servername itsupport.servyou.com.cn
|
||||
CONNECTED(00000003)
|
||||
depth=2 C=US, O=DigiCert Inc, CN=DigiCert Global Root G2
|
||||
depth=1 C=US, O=DigiCert, Inc., CN=GeoTrust G2 TLS CN RSA4096 SHA256 2022 CA1
|
||||
depth=0 C=CN, ST=浙江省, L=杭州市, O=税友软件集团股份有限公司, CN=*.servyou.com.cn
|
||||
Verification: OK
|
||||
Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384
|
||||
Verify return code: 0 (ok)
|
||||
```
|
||||
|
||||
证书信息:
|
||||
- 主体:`CN=*.servyou.com.cn`(通配符证书)
|
||||
- 颁发者:`GeoTrust G2 TLS CN RSA4096 SHA256 2022 CA1`
|
||||
- 有效期:2025-12-23 ~ 2027-01-12
|
||||
|
||||
### 3. DNS 解析 — 指向 WAF ✅
|
||||
|
||||
```
|
||||
# 服务器 DNS 解析到 WAF 公网 IP
|
||||
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# ping -c 1 itsupport.servyou.com.cn
|
||||
PING itsupport.servyou.com.cn (115.236.188.3): 56(84) bytes of data.
|
||||
--- itsupport.servyou.com.cn ping statistics ---
|
||||
1 packets transmitted, 0 received, 100% packet loss
|
||||
```
|
||||
|
||||
- 解析结果:`115.236.188.3`(WAF 公网 IP)
|
||||
- ping 100% 丢失(WAF 禁 ICMP,正常)
|
||||
|
||||
### 4. WAF 转发 — 不通 ❌
|
||||
|
||||
```
|
||||
# 从服务器通过域名访问 HTTP(超时)
|
||||
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# curl -v http://itsupport.servyou.com.cn/itdesk/health
|
||||
* Trying 115.236.188.3:80...
|
||||
^C(超时无响应)
|
||||
|
||||
# 从服务器通过域名访问 HTTPS(超时)
|
||||
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# curl -v https://itsupport.servyou.com.cn/itdesk/health
|
||||
* Trying 115.236.188.3:443...
|
||||
^C(超时无响应)
|
||||
```
|
||||
|
||||
### 5. 服务器外网连通性 — 正常 ✅
|
||||
|
||||
```
|
||||
# 企微 API 可达
|
||||
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# curl -s https://qyapi.weixin.qq.com/cgi-bin/gettoken
|
||||
{"errcode":41004,"errmsg":"corpsecret missing", "from ip": "218.75.34.87"}
|
||||
|
||||
# PyPI 镜像可达
|
||||
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# curl -s https://pypi.tuna.tsinghua.edu.cn/
|
||||
<html><head><title>302 Found</title></head>...nginx/1.22.1</html>
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## 结论
|
||||
|
||||
| 环节 | 状态 |
|
||||
|------|------|
|
||||
| 服务器(10.90.5.110) | ✅ HTTP/HTTPS 服务正常 |
|
||||
| SSL 证书(*.servyou.com.cn) | ✅ 有效,TLSv1.3 |
|
||||
| DNS 解析 | ✅ 指向 WAF(115.236.188.3) |
|
||||
| 服务器外网连通性 | ✅ 企微 API / PyPI 均可达 |
|
||||
| **WAF 转发到后端** | **❌ 未配置 — 流量未到达 10.90.5.110** |
|
||||
|
||||
---
|
||||
|
||||
## 需要配置
|
||||
|
||||
请 WAF/网络团队配置转发规则:
|
||||
|
||||
```
|
||||
域名:itsupport.servyou.com.cn
|
||||
源端口:80(HTTP)/ 443(HTTPS)
|
||||
转发目标:10.90.5.110:80
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## 服务器信息
|
||||
|
||||
| 项目 | 值 |
|
||||
|------|-----|
|
||||
| 服务器 IP | 10.90.5.110 |
|
||||
| 服务端口 | 80(HTTP→HTTPS 重定向)+ 443(HTTPS) |
|
||||
| 域名 | itsupport.servyou.com.cn |
|
||||
| SSL 证书 | *.servyou.com.cn(DigiCert,有效期至 2027-01-12) |
|
||||
| 系统 | Linux(Docker 部署,nginx 反向代理) |
|
||||
Reference in New Issue
Block a user