fix(https): 修复域名提取携带分号导致证书申请失败

修正 https.sh 中 server_name 提取与 certbot 参数构建逻辑，避免将 `credit99.cn;` 等非法域名传给 certbot；同时在 start.sh 增加域名规范化与格式校验，提前拦截协议前缀、路径和分号等脏输入。 Made-with: Cursor
2026-03-31 15:04:56 +08:00 · 2026-03-31 15:04:56 +08:00 · b7dddfb750
commit b7dddfb750
parent e66b3c71af
2 changed files with 53 additions and 4 deletions
--- a/https.sh
+++ b/https.sh
@ -120,10 +120,21 @@ sudo nginx -s stop
 echo "🚀 使用certbot 自动配置证书"
 # 从 Nginx 配置文件中提取所有域名
 CONF_FILE="${EASYAI_PROXY_CONF:-easyai-proxy.conf}"
-DOMAINS=$(grep "server_name" /etc/nginx/conf.d/"$CONF_FILE" 2>/dev/null || find /etc/nginx/conf.d/ -name "easyai-proxy.conf" -exec grep "server_name" {} \; | \
+SERVER_NAME_LINES=$(
+    if [ -f "/etc/nginx/conf.d/$CONF_FILE" ]; then
+        grep "server_name" "/etc/nginx/conf.d/$CONF_FILE" 2>/dev/null || true
+    else
+        find /etc/nginx/conf.d/ -name "easyai-proxy.conf" -exec grep "server_name" {} \; 2>/dev/null || true
+    fi
+)
+
+DOMAINS=$(echo "$SERVER_NAME_LINES" | \
    grep -v "#" | \
    awk '{for(i=2;i<=NF;i++) if($i!=";") print $i}' | \
    sed 's/;//g' | \
+    sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | \
+    grep -E '^[A-Za-z0-9.-]+$' | \
+    grep -vE '^(\*|localhost)$' | \
    sort -u | \
    tr '\n' ' ')

@ -133,9 +144,9 @@ if [ -n "$DOMAINS" ]; then
    sudo nginx -s stop

    # 构建域名参数字符串
-    DOMAIN_ARGS=""
+    DOMAIN_ARGS=()
    for domain in $DOMAINS; do
-        DOMAIN_ARGS="$DOMAIN_ARGS -d $domain"
+        DOMAIN_ARGS+=("-d" "$domain")
    done

    # 使用 certbot --nginx 插件安装证书
@ -146,7 +157,7 @@ if [ -n "$DOMAINS" ]; then
        --rsa-key-size 2048 \
        --preferred-challenges http \
        --force-renewal \
-        $DOMAIN_ARGS
+        "${DOMAIN_ARGS[@]}"

    # 启动 Nginx 服务
    echo "启动 Nginx 服务..."
--- a/start.sh
+++ b/start.sh
@ -28,6 +28,33 @@ DEPLOY_IP=""
 DEPLOY_DOMAIN=""
 DEPLOY_HTTPS=false

+sanitize_domain() {
+    local domain="$1"
+    domain="${domain#http://}"
+    domain="${domain#https://}"
+    domain="${domain%%/*}"
+    domain="${domain%;}"
+    echo "$domain"
+}
+
+validate_domain() {
+    local domain="$1"
+    # 基础域名校验：仅允许字母、数字、连字符和点；必须包含至少一个点；不能以点或连字符开头结尾
+    if [[ ! "$domain" =~ ^[A-Za-z0-9.-]+$ ]]; then
+        return 1
+    fi
+    if [[ "$domain" != *.* ]]; then
+        return 1
+    fi
+    if [[ "$domain" =~ ^[.-] || "$domain" =~ [.-]$ ]]; then
+        return 1
+    fi
+    if [[ "$domain" == *".."* ]]; then
+        return 1
+    fi
+    return 0
+}
+
 prompt_or_env() {
    local var_name=$1
    local prompt_text=$2
@ -63,6 +90,11 @@ run_deploy_questions() {
            return
        fi
        if [ "$DEPLOY_ACCESS" = "domain" ] && [ -n "$DEPLOY_DOMAIN" ]; then
+            DEPLOY_DOMAIN="$(sanitize_domain "$DEPLOY_DOMAIN")"
+            if ! validate_domain "$DEPLOY_DOMAIN"; then
+                echo "❌ 环境变量 DEPLOY_DOMAIN 格式不合法: ${DEPLOY_DOMAIN}"
+                exit 1
+            fi
            DEPLOY_MODE="domain"
            DEPLOY_HTTPS="${DEPLOY_HTTPS_INPUT:-false}"
            echo "使用环境变量: 域名模式, 域名=$DEPLOY_DOMAIN"
@ -96,10 +128,16 @@ run_deploy_questions() {
    else
        # 3. 输入域名
        prompt_or_env DEPLOY_DOMAIN "3. 请输入域名（不含 https:// 前缀，如 51easyai.com）" "DEPLOY_DOMAIN" ""
+        DEPLOY_DOMAIN="$(sanitize_domain "$DEPLOY_DOMAIN")"
        if [ -z "$DEPLOY_DOMAIN" ]; then
            echo "❌ 域名不能为空"
            exit 1
        fi
+        if ! validate_domain "$DEPLOY_DOMAIN"; then
+            echo "❌ 域名格式不合法: ${DEPLOY_DOMAIN}"
+            echo "   请输入类似 51easyai.com 的域名，不要包含协议、路径或分号"
+            exit 1
+        fi

        # 3.1 是否启用 HTTPS
        if [ -n "$DEPLOY_HTTPS_INPUT" ]; then