新增阿里云WAF(云产品接入)部署SSL证书
@@ -1251,6 +1251,7 @@ ctrl+x 保存退出<br/>',
|
||||
['value'=>'esa_saas', 'label'=>'边缘安全加速ESA SaaS'],
|
||||
['value'=>'oss', 'label'=>'对象存储OSS'],
|
||||
['value'=>'waf', 'label'=>'Web应用防火墙3.0'],
|
||||
['value'=>'wafres', 'label'=>'Web应用防火墙3.0(云产品接入)'],
|
||||
['value'=>'waf2', 'label'=>'Web应用防火墙2.0'],
|
||||
['value'=>'clb', 'label'=>'传统型负载均衡CLB'],
|
||||
['value'=>'alb', 'label'=>'应用型负载均衡ALB'],
|
||||
@@ -1303,7 +1304,7 @@ ctrl+x 保存退出<br/>',
|
||||
['value'=>'ap-southeast-1', 'label'=>'非中国内地'],
|
||||
],
|
||||
'value' => 'cn-hangzhou',
|
||||
'show' => 'product==\'waf\'||product==\'waf2\'||product==\'ddoscoo\'||product==\'esa\'||product==\'esa_saas\'',
|
||||
'show' => 'product==\'waf\'||product==\'waf2\'||product==\'wafres\'||product==\'ddoscoo\'||product==\'esa\'||product==\'esa_saas\'',
|
||||
'required' => true,
|
||||
],
|
||||
'regionid' => [
|
||||
@@ -1374,6 +1375,14 @@ ctrl+x 保存退出<br/>',
|
||||
'note' => '进入实例详情->监听列表,复制监听ID(只支持HTTPS监听协议)',
|
||||
'required' => true,
|
||||
],
|
||||
'waf_resource_id' => [
|
||||
'name' => '云产品防护对象ID',
|
||||
'type' => 'input',
|
||||
'placeholder' => '多个ID可用,隔开',
|
||||
'show' => 'product==\'wafres\'',
|
||||
'note' => '进入查看防护对象,对象名称一列即为云产品防护对象ID',
|
||||
'required' => true,
|
||||
],
|
||||
'deploy_type' => [
|
||||
'name' => '部署证书类型',
|
||||
'type' => 'select',
|
||||
@@ -1382,7 +1391,7 @@ ctrl+x 保存退出<br/>',
|
||||
['value'=>'1', 'label'=>'扩展证书'],
|
||||
],
|
||||
'value' => '0',
|
||||
'show' => 'product==\'clb\'||product==\'alb\'||product==\'nlb\'||product==\'ga\'',
|
||||
'show' => 'product==\'clb\'||product==\'alb\'||product==\'nlb\'||product==\'ga\'||product==\'wafres\'',
|
||||
'required' => true,
|
||||
],
|
||||
'clb_domain' => [
|
||||
@@ -1396,7 +1405,7 @@ ctrl+x 保存退出<br/>',
|
||||
'name' => '绑定的域名',
|
||||
'type' => 'input',
|
||||
'placeholder' => '多个域名可用,隔开',
|
||||
'show' => 'product!=\'esa\'&&product!=\'esa_saas\'&&product!=\'clb\'&&product!=\'alb\'&&product!=\'nlb\'&&product!=\'ga\'&&product!=\'upload\'',
|
||||
'show' => 'product!=\'esa\'&&product!=\'esa_saas\'&&product!=\'clb\'&&product!=\'alb\'&&product!=\'nlb\'&&product!=\'ga\'&&product!=\'upload\'&&product!=\'wafres\'',
|
||||
'required' => true,
|
||||
],
|
||||
],
|
||||
|
||||
@@ -54,6 +54,8 @@ class aliyun implements DeployInterface
|
||||
$this->deploy_oss($cert_id, $config);
|
||||
} elseif ($config['product'] == 'waf') {
|
||||
$this->deploy_waf($cert_id, $config);
|
||||
} elseif ($config['product'] == 'wafres') {
|
||||
$this->deploy_waf_res($cert_id, $config);
|
||||
} elseif ($config['product'] == 'waf2') {
|
||||
$this->deploy_waf2($cert_id, $config);
|
||||
} elseif ($config['product'] == 'ddoscoo') {
|
||||
@@ -157,9 +159,9 @@ class aliyun implements DeployInterface
|
||||
if (empty($config['domain'])) throw new Exception('DCDN绑定域名不能为空');
|
||||
$client = new AliyunClient($this->AccessKeyId, $this->AccessKeySecret, 'dcdn.aliyuncs.com', '2018-01-15', $this->proxy);
|
||||
foreach (explode(',', $config['domain']) as $domain) {
|
||||
$param = [
|
||||
'Action' => 'SetDcdnDomainSSLCertificate',
|
||||
'DomainName' => $domain,
|
||||
$param = [
|
||||
'Action' => 'SetDcdnDomainSSLCertificate',
|
||||
'DomainName' => $domain,
|
||||
'CertName' => $cert_name,
|
||||
'CertType' => 'cas',
|
||||
'SSLProtocol' => 'on',
|
||||
@@ -439,6 +441,119 @@ class aliyun implements DeployInterface
|
||||
}
|
||||
}
|
||||
|
||||
private function deploy_waf_res($cert_id, $config)
|
||||
{
|
||||
if (empty($config['waf_resource_id'])) throw new Exception('云产品防护对象ID不能为空');
|
||||
$deploy_type = isset($config['deploy_type']) ? intval($config['deploy_type']) : 0;
|
||||
|
||||
if ($config['region'] == 'ap-southeast-1') {
|
||||
$cert_id .= '-ap-southeast-1';
|
||||
} else {
|
||||
$cert_id .= '-cn-hangzhou';
|
||||
}
|
||||
|
||||
$endpoint = 'wafopenapi.' . $config['region'] . '.aliyuncs.com';
|
||||
|
||||
$client = new AliyunClient($this->AccessKeyId, $this->AccessKeySecret, $endpoint, '2021-10-01', $this->proxy);
|
||||
|
||||
$param = [
|
||||
'Action' => 'DescribeInstance',
|
||||
'RegionId' => $config['region'],
|
||||
];
|
||||
try {
|
||||
$data = $client->request($param, 'GET');
|
||||
} catch (Exception $e) {
|
||||
throw new Exception('获取WAF实例详情失败:' . $e->getMessage());
|
||||
}
|
||||
if (empty($data['InstanceId'])) throw new Exception('当前账号未找到WAF实例');
|
||||
$instance_id = $data['InstanceId'];
|
||||
$this->log('获取WAF实例ID成功 InstanceId=' . $instance_id);
|
||||
|
||||
foreach (explode(',', $config['waf_resource_id']) as $waf_resource_id) {
|
||||
$parts = explode('-', $waf_resource_id);
|
||||
$resource_instance_id = $parts[count($parts) - 3] ?? '';
|
||||
if (empty($resource_instance_id)) {
|
||||
throw new Exception('ResourceInstanceId解析失败:' . $waf_resource_id);
|
||||
}
|
||||
$param = [
|
||||
'Action' => 'DescribeCloudResourceList',
|
||||
'InstanceId' => $instance_id,
|
||||
'CloudResourceId' => $waf_resource_id,
|
||||
'RegionId' => $config['region'],
|
||||
];
|
||||
try {
|
||||
$data = $client->request($param, 'GET');
|
||||
} catch (Exception $e) {
|
||||
throw new Exception('查询云产品接入WAF配置失败:' . $e->getMessage());
|
||||
}
|
||||
if (empty($data['CloudResourceList'])) {
|
||||
throw new Exception('WAF云产品接入实例不存在:' . $waf_resource_id);
|
||||
}
|
||||
|
||||
if ($deploy_type == 0) {
|
||||
$param = [
|
||||
'Action' => 'ModifyCloudResourceDefaultCert',
|
||||
'InstanceId' => $instance_id,
|
||||
'CloudResourceId' => $waf_resource_id,
|
||||
'CertId' => $cert_id,
|
||||
'RegionId' => $config['region'],
|
||||
];
|
||||
$client->request($param);
|
||||
$this->log('WAF云产品防护对象 ' . $waf_resource_id . ' 部署默认证书成功!');
|
||||
} else {
|
||||
$param = [
|
||||
'Action' => 'CreateCloudResourceExtensionCert',
|
||||
'InstanceId' => $instance_id,
|
||||
'CloudResourceId' => $waf_resource_id,
|
||||
'CertId' => $cert_id,
|
||||
'RegionId' => $config['region'],
|
||||
];
|
||||
$client->request($param);
|
||||
$this->log('WAF云产品防护对象 ' . $waf_resource_id . ' 部署扩展证书成功!');
|
||||
|
||||
$this->clean_waf_res_expired_certs($client, $instance_id, $resource_instance_id, $waf_resource_id, $config['region']);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private function clean_waf_res_expired_certs($client, $instance_id, $resource_instance_id, $waf_resource_id, $region)
|
||||
{
|
||||
$param = [
|
||||
'Action' => 'DescribeResourceInstanceCerts',
|
||||
'InstanceId' => $instance_id,
|
||||
'ResourceInstanceId' => $resource_instance_id,
|
||||
'RegionId' => $region,
|
||||
];
|
||||
try {
|
||||
$data = $client->request($param, 'GET');
|
||||
} catch (Exception $e) {
|
||||
$this->log('查询扩展证书列表失败:' . $e->getMessage());
|
||||
return;
|
||||
}
|
||||
if (empty($data['Certs'])) return;
|
||||
|
||||
$now = time();
|
||||
foreach ($data['Certs'] as $cert) {
|
||||
if (empty($cert['CertIdentifier']) || empty($cert['AfterDate'])) continue;
|
||||
$expire_time = strtotime($cert['AfterDate']);
|
||||
if ($expire_time !== false && $expire_time < $now) {
|
||||
$param = [
|
||||
'Action' => 'DeleteCloudResourceExtensionCert',
|
||||
'InstanceId' => $instance_id,
|
||||
'CloudResourceId' => $waf_resource_id,
|
||||
'CertId' => $cert['CertIdentifier'],
|
||||
'RegionId' => $region,
|
||||
];
|
||||
try {
|
||||
$client->request($param);
|
||||
$this->log('已删除过期扩展证书:' . $cert['CertIdentifier']);
|
||||
} catch (Exception $e) {
|
||||
$this->log('删除过期扩展证书失败:' . $cert['CertIdentifier'] . ' ' . $e->getMessage());
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private function deploy_waf2($cert_id, $config)
|
||||
{
|
||||
if (empty($config['domain'])) throw new Exception('WAF绑定域名不能为空');
|
||||
|
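Review bot: In deploy_waf_res the region is tested only against `'ap-southeast-1'`; any other value silently gets the `-cn-hangzhou` cert_id suffix while still being interpolated unchecked into the API hostname `'wafopenapi.' . $config['region'] . '.aliyuncs.com'`, so a mismatched or malformed region produces a request to an unintended endpoint with a cert_id the WAF side cannot resolve. Since the form's regionid select offers only the two values, reject anything else before building the endpoint: `if (!in_array($config['region'], ['cn-hangzhou', 'ap-southeast-1'], true)) throw new Exception('WAF地域不支持:' . $config['region']);`. The loop over `explode(',', $config['waf_resource_id'])` also does not trim the entries, so a space after a comma presumably reaches DescribeCloudResourceList as part of the CloudResourceId and fails with "WAF云产品接入实例不存在" rather than a clearer message; `$waf_resource_id = trim($waf_resource_id);` at the top of the loop body would avoid that. In clean_waf_res_expired_certs the `strtotime($cert['AfterDate']) < time()` comparison assumes AfterDate carries or matches the server's timezone — worth a comment such as `// NOTE: assumes AfterDate is an absolute timestamp string; confirm against the API response` if that is not guaranteed. deploy_waf2 begins at the end of this hunk and continues outside it.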
||||