deploy(M00-E): 补充API域名HTTPS检查

2026-06-15 16:34:36 +08:00
parent c51ba43fa9
commit f5445f16d7
19 changed files with 225 additions and 50 deletions
@@ -0,0 +1,27 @@
+$ErrorActionPreference = "Stop"
+
+$Domain = "api.txyundm.cn"
+$Origin = "https://$Domain"
+$Paths = @(
+  "/health",
+  "/app-api/health",
+  "/admin-api/health"
+)
+
+Write-Host "INFO: checking DNS for $Domain"
+try {
+  Resolve-DnsName -Name $Domain -ErrorAction Stop | Select-Object -First 3 | Format-Table -AutoSize
+} catch {
+  Write-Warning "DNS check failed from Windows: $($_.Exception.Message)"
+}
+
+foreach ($Path in $Paths) {
+  $Url = "$Origin$Path"
+  Write-Host "INFO: probing $Url"
+  try {
+    $Response = Invoke-WebRequest -Uri $Url -Method Head -TimeoutSec 10 -ErrorAction Stop
+    Write-Host "PASS: $Url -> $($Response.StatusCode)"
+  } catch {
+    Write-Warning "HTTPS probe failed for ${Url}: $($_.Exception.Message)"
+  }
+}
@@ -9,9 +9,10 @@
 | `init-layout.sh` | 创建 `/opt/apps` 目录布局并写入 `run/layout.json`。 |
 | `repo-status.sh` | 检查固定仓库、分支、DIRTY/AHEAD/BEHIND/DIVERGED 状态。 |
 | `deploy-business.sh` | 克隆/更新仓库并生成 dry-run release manifest。 |
+| `domain-https.sh` | 检查固定 API 域名、Nginx 模板、站点启用状态、TLS 和健康端点。 |
 | `backup.sh` | 生成 manifest-only 备份记录。 |
 | `restore.sh` | 输出人工恢复要求，不自动改动生产数据。 |
 | `rollback.sh` | 列出 release 回滚点。 |
 | `diagnose.sh` | 汇总快检、仓库、磁盘、服务和公开端点。 |

-M00 阶段脚本必须保持可重复执行和非破坏性。真实数据库、证书、EMQX ACL、Nginx 写入和 PM2 切换将在后续模块具备配置后继续补全。
+M00 阶段脚本必须保持可重复执行和非破坏性。真实数据库、证书、EMQX ACL、Nginx 自动写入和 PM2 切换将在后续模块具备配置后继续补全。
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=lib.sh
+. "${SCRIPT_DIR}/lib.sh"
+
+qipai_domain_https_status() {
+  local template_path nginx_available nginx_enabled
+  template_path="${SCRIPT_DIR}/../../deploy/nginx/api.txyundm.cn.conf.template"
+  nginx_available="/etc/nginx/sites-available/qipai-api.conf"
+  nginx_enabled="/etc/nginx/sites-enabled/qipai-api.conf"
+
+  qipai_info "domain: ${QIPAI_DOMAIN}"
+  qipai_info "origin: ${QIPAI_API_ORIGIN}"
+  qipai_info "app api: ${QIPAI_API_ORIGIN}/app-api"
+  qipai_info "admin api: ${QIPAI_API_ORIGIN}/admin-api"
+  qipai_info "nginx template: ${template_path}"
+  qipai_info "target nginx config: ${nginx_available}"
+
+  if [ -f "$template_path" ]; then
+    qipai_pass "nginx template exists"
+  else
+    qipai_warn "nginx template not found"
+  fi
+
+  if command -v getent >/dev/null 2>&1; then
+    if getent hosts "$QIPAI_DOMAIN" >/dev/null 2>&1; then
+      qipai_pass "DNS resolves for ${QIPAI_DOMAIN}"
+      getent hosts "$QIPAI_DOMAIN" | head -3
+    else
+      qipai_warn "DNS does not resolve from this host"
+    fi
+  else
+    qipai_warn "getent not available; DNS check skipped"
+  fi
+
+  if command -v nginx >/dev/null 2>&1; then
+    nginx -t && qipai_pass "nginx config test passed" || qipai_warn "nginx config test failed or requires production privileges"
+  else
+    qipai_warn "nginx not installed"
+  fi
+
+  if [ -f "$nginx_available" ]; then
+    qipai_pass "nginx site file exists: ${nginx_available}"
+  else
+    qipai_warn "nginx site file not installed yet"
+  fi
+
+  if [ -L "$nginx_enabled" ] || [ -f "$nginx_enabled" ]; then
+    qipai_pass "nginx site enabled: ${nginx_enabled}"
+  else
+    qipai_warn "nginx site not enabled yet"
+  fi
+
+  if command -v openssl >/dev/null 2>&1; then
+    qipai_info "TLS certificate live check:"
+    echo | openssl s_client -servername "$QIPAI_DOMAIN" -connect "${QIPAI_DOMAIN}:443" 2>/dev/null | openssl x509 -noout -subject -issuer -dates 2>/dev/null || qipai_warn "live TLS certificate not reachable"
+  else
+    qipai_warn "openssl not installed"
+  fi
+
+  if command -v curl >/dev/null 2>&1; then
+    qipai_info "health probe: ${QIPAI_API_ORIGIN}/health"
+    curl -fsSIL --max-time 10 "${QIPAI_API_ORIGIN}/health" >/dev/null 2>&1 && qipai_pass "HTTPS health endpoint reachable" || qipai_warn "HTTPS health endpoint not reachable"
+  else
+    qipai_warn "curl not installed"
+  fi
+
+  qipai_info "manual install command after certificate is ready:"
+  qipai_info "sudo install -m 0644 ${template_path} ${nginx_available} && sudo ln -sfn ${nginx_available} ${nginx_enabled} && sudo nginx -t && sudo systemctl reload nginx"
+}
+
+if [ "${1:-}" = "--run" ]; then
+  qipai_domain_https_status
+fi
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail

-QIPAI_DEPLOY_VERSION="${QIPAI_DEPLOY_VERSION:-0.1.0-m00-deploy-baseline}"
+QIPAI_DEPLOY_VERSION="${QIPAI_DEPLOY_VERSION:-0.1.1-m00-domain-https-check}"
 APP_ROOT="${APP_ROOT:-/opt/apps}"
 QIPAI_REPO_URL="${QIPAI_REPO_URL:-ssh://git@127.0.0.1:2222/panda/qipai.git}"
 QIPAI_PUBLIC_REPO_URL="${QIPAI_PUBLIC_REPO_URL:-ssh://git@git.txyundm.cn:2222/panda/qipai.git}"
@@ -90,4 +90,3 @@ qipai_print_context() {
  qipai_info "branch: ${QIPAI_BRANCH}"
  qipai_info "api origin: ${QIPAI_API_ORIGIN}"
 }
-