feat: CoreDNS IPv4 上游、03-03 Tomcat 修复、HAProxy 与验证脚本

- Ansible: 部署时自动配置 CoreDNS forward 为 IPv4，避免 ACME 解析失败 - 01-01/01-07: 文档增加 CoreDNS 设置说明 - 03-03: Tomcat webapps.dist 复制、HTTP/HTTPS 双 Ingress、显式 Dashboard IngressRoute - traefik-dashboard-acme: tomcat-acme.yaml、404 排查说明 - HAProxy: 健康检查与 PROXY 配置拆分，18080/18443 部署与验证脚本 Made-with: Cursor
2026-03-22 19:02:46 +08:00
parent de1be1dbe5
commit 8a54cac61f
25 changed files with 924 additions and 113 deletions
--- a/scripts/01-08-deploy-openwrt-haproxy.sh
+++ b/scripts/01-08-deploy-openwrt-haproxy.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+# OpenWrt：uhttpd 改回 80/443（IPv4+IPv6），HAProxy 部署到 18080/18443
+# 用法：./scripts/01-08-deploy-openwrt-haproxy.sh [haproxy-cfg-name]
+# cfg-name 默认 haproxy-tls（可选 haproxy-no-check, haproxy-http, haproxy-tls, haproxy-proxy-http-tls）
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+CFG_DIR="${ROOT_DIR}/ansible/files/01-08-haproxy"
+SSH_OPENWRT="${SSH_OPENWRT:-openwrt}"
+HAPROXY_CFG_NAME="${1:-haproxy-tls}"
+HAPROXY_CFG_PATH="${HAPROXY_CFG_PATH:-/etc/haproxy.cfg}"
+
+echo "=== OpenWrt 部署：uhttpd 80/443 + HAProxy 18080/18443（${HAPROXY_CFG_NAME}）==="
+
+# 1. uhttpd 恢复 80/443（IPv4 + IPv6）
+echo "[1/4] 配置 uhttpd 监听 0.0.0.0:80、[::]:80、0.0.0.0:443、[::]:443..."
+ssh "$SSH_OPENWRT" "bash -s" <<'UHTTPD'
+set -e
+# 清除旧 listen 并设置新的
+uci delete uhttpd.main.listen_http 2>/dev/null || true
+uci delete uhttpd.main.listen_https 2>/dev/null || true
+uci add_list uhttpd.main.listen_http='0.0.0.0:80'
+uci add_list uhttpd.main.listen_http='[::]:80'
+uci add_list uhttpd.main.listen_https='0.0.0.0:443'
+uci add_list uhttpd.main.listen_https='[::]:443'
+uci commit uhttpd
+/etc/init.d/uhttpd restart
+echo "  uhttpd 已重启"
+UHTTPD
+
+# 2. 停止 HAProxy（释放 80/443，避免与 uhttpd 冲突）
+echo "[2/4] 停止 HAProxy..."
+ssh "$SSH_OPENWRT" "/etc/init.d/haproxy stop 2>/dev/null || true"
+
+# 3. 拷贝 HAProxy cfg 并校验
+SRC_CFG="${CFG_DIR}/${HAPROXY_CFG_NAME}.cfg"
+if [[ ! -f "$SRC_CFG" ]]; then
+  echo "[ERR] 配置文件不存在: $SRC_CFG" >&2
+  exit 1
+fi
+
+echo "[3/4] 拷贝 ${HAPROXY_CFG_NAME}.cfg 到 ${SSH_OPENWRT}:${HAPROXY_CFG_PATH}..."
+scp -q -O "$SRC_CFG" "${SSH_OPENWRT}:/tmp/haproxy-new.cfg" 2>/dev/null || {
+  scp -q "$SRC_CFG" "${SSH_OPENWRT}:/tmp/haproxy-new.cfg"
+}
+
+ssh "$SSH_OPENWRT" "haproxy -c -f /tmp/haproxy-new.cfg" || {
+  echo "[ERR] HAProxy 配置语法校验失败" >&2
+  exit 1
+}
+ssh "$SSH_OPENWRT" "mv /tmp/haproxy-new.cfg ${HAPROXY_CFG_PATH}"
+
+# 4. 启动 HAProxy
+echo "[4/4] 启动 HAProxy..."
+ssh "$SSH_OPENWRT" "/etc/init.d/haproxy start"
+ssh "$SSH_OPENWRT" "/etc/init.d/haproxy enable"
+
+echo ""
+echo "[OK] 部署完成。验证：./scripts/01-08-verify-haproxy-openwrt.sh"
+echo "  - uhttpd: 80/443（IPv4+IPv6）"
+echo "  - HAProxy: 18080/18443"