{"id":23165224,"url":"https://github.com/abrahamgreyson/update-whitelist","last_synced_at":"2026-02-18T13:02:01.021Z","repository":{"id":267376999,"uuid":"899405788","full_name":"abrahamgreyson/update-whitelist","owner":"abrahamgreyson","description":"监控本机外网 ip 变动，并更新云服务安全组白名单放行 ip，用于加固没有堡垒机的在线环境","archived":false,"fork":false,"pushed_at":"2024-12-14T03:44:35.000Z","size":89,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-09-28T11:56:32.413Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/abrahamgreyson.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-12-06T07:44:35.000Z","updated_at":"2025-01-12T15:55:52.000Z","dependencies_parsed_at":"2025-05-12T16:46:13.971Z","dependency_job_id":null,"html_url":"https://github.com/abrahamgreyson/update-whitelist","commit_stats":null,"previous_names":["abrahamgreyson/whitelist_updater","abrahamgreyson/update-whitelist"],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/abrahamgreyson/update-whitelist","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abrahamgreyson%2Fupdate-whitelist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abrahamgreyson%2Fupdate-whitelist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abrahamgreyson%2Fupdate-whitelist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/repositories/abrahamgreyson%2Fupdate-whitelist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/abrahamgreyson","download_url":"https://codeload.github.com/abrahamgreyson/update-whitelist/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abrahamgreyson%2Fupdate-whitelist/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279018779,"owners_count":26086452,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-14T02:00:06.444Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-18T01:15:36.035Z","updated_at":"2025-10-14T10:34:02.883Z","avatar_url":"https://github.com/abrahamgreyson.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 
Periodically update cloud security group rules\n\n[![License](https://img.shields.io/github/license/abrahamgreyson/update-whitelist.svg?)](https://opensource.org/license/mit)\n[![CodeFactor](https://www.codefactor.io/repository/github/abrahamgreyson/update-whitelist/badge)](https://www.codefactor.io/repository/github/abrahamgreyson/update-whitelist)\n[![Test](https://github.com/abrahamgreyson/update-whitelist/actions/workflows/test.yml/badge.svg)](https://github.com/abrahamgreyson/update-whitelist/actions/workflows/test.yml)\n[![Codecov](https://codecov.io/gh/abrahamgreyson/update-whitelist/branch/main/graph/badge.svg?token=Fc4MbBmMpZ)](https://codecov.io/gh/abrahamgreyson/update-whitelist?branch=main)\n[![Python versions](https://img.shields.io/badge/python-3.9%7C3.10%7C3.11%7C3.12-blue)](https://github.com/abrahamgreyson/update-whitelist/actions/workflows/test.yml)\n[![Views](https://komarev.com/ghpvc/?username=abe-update-whitelist\u0026color=green\u0026label=views)](https://komarev.com/ghpvc/)\n\nThis tool is meant for environments without a bastion host: it lets only your current local IP through to the online servers, so sensitive ports are not left exposed long-term. Every 3 minutes it looks up the machine's public IP and writes it into the cloud servers' security group whitelist (Tencent Cloud and Huawei Cloud are supported at present; for other clouds see the \"Extending\" section at the end of this page).\nMultiple clouds are supported; each cloud can have multiple regions, each region multiple security groups, and each security group multiple allowed ports.\n\n## Deployment\n\n1. Python `3.9` - `3.12` is supported\n2. Clone the project and install the dependencies: `pip install -r requirements.txt`\n3. Copy the template config file `config.example.yaml` to `config.yaml` and adjust it as needed (see the Configuration section below)\n4. Run it\n\n   ```bash\n   # Run in debug mode, with output on stdout\n   python main.py\n\n   # Run in the background and discard all output (screen or tmux achieves the same)\n   nohup python main.py \u003e /dev/null 2\u003e\u00261 \u0026\n\n   # Verify that it is running\n   ps aux | grep python\n\n   # For an important service, create a systemd unit instead: it starts at boot and is easier to manage with systemctl\n   # Create the service unit file\n   sudo vim /etc/systemd/system/whitelist.service\n   # Paste the contents of the next code block into that file 👇 and adjust the paths as needed\n\n   # Reload the systemd configuration\n   sudo systemctl daemon-reload\n   # Start the service\n   sudo systemctl start whitelist\n   # Enable start at boot\n   sudo systemctl enable whitelist\n   # Check the status\n   sudo systemctl status whitelist\n   ```\n\n   ```ini\n   [Unit]\n   Description=Update whitelist by Abe\n   After=network.target\n\n   [Service]\n   ExecStart=/usr/bin/python3 /path/to/your/main.py\n   WorkingDirectory=/path/to/your/\n   # Discard stderr and stdout; we keep our own logs\n   StandardOutput=null\n   StandardError=null\n   Restart=always\n\n   [Install]\n   WantedBy=multi-user.target\n   ```\n\n## Configuration\n\n### ipinfo.io\n\nWe use the ipinfo service to look up the machine's public IP. It is best to request a token, which gives you a higher rate limit.\n\n### Huawei Cloud\n\nCreate a user in [Identity and Access Management (IAM)](https://console.huaweicloud.com/iam/?agencyId=c79cb5a07cda49f9bb4c4f7d97d4d506\u0026region=cn-east-3\u0026locale=zh-cn#/iam/users), grant it only the specific API permissions below, and obtain the user's `Access Key` and `Secret Key`.\n\nThe Huawei Cloud VPC APIs we use are:\n\n- `ListSecurityGroupRule`\n- `DeleteSecurityGroupRule`\n- `BatchCreateSecurityGroupRules`\n\nThe permissions that need to be granted:\n\n```json\n{\n    \"Version\": \"1.1\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"vpc:securityGroupRules:create\",\n                \"vpc:securityGroupRules:delete\",\n                \"vpc:securityGroupRules:get\"\n            ]\n        }\n    ]\n}\n```\n\n### Tencent Cloud\n\nCreate a user in [Cloud Access Management](https://console.cloud.tencent.com/cam/overview), grant it the specific API permissions below, and obtain the user's `SecretId` and `SecretKey`.\n\nThe APIs we use:\n\n- `DescribeSecurityGroupPolicies`\n- `DeleteSecurityGroupPolicies`\n- `CreateSecurityGroupPolicies`\n\nThe permissions that need to be granted (note that `cvm:Create*` and the `*` resource are broader than the three calls above need; narrow them to the security groups you actually manage if your CAM setup allows it):\n\n```json\n{\n  \"statement\": [\n    {\n      \"action\": [\n        \"cvm:DescribeSecurityGroup*\",\n        \"cvm:Create*\",\n        \"cvm:DeleteSecurityGroupPolicy\"\n      ],\n      \"effect\": \"allow\",\n      \"resource\": [\n        \"*\"\n      ]\n    }\n  ],\n  \"version\": \"2.0\"\n}\n```\n\n## Extending\n\nSince this is for my own use, only Tencent Cloud and Huawei Cloud are implemented. If you use another cloud platform, implement your own provider following the existing code under `update_whitelist/cloud_providers`; the method signatures to implement are listed below. The quickest way to implement them is to go to the cloud vendor's API explorer, work out how the endpoints are called, and then pull in the vendor's SDK directly.\n\n```python\nfrom abc import ABC, abstractmethod\n\n\nclass CloudProvider(ABC):\n    # The class name here is illustrative; the real base class lives in\n    # update_whitelist/cloud_providers. The four abstract methods are the contract.\n\n    @abstractmethod\n    def initialize_client(self):\n        \"\"\"\n        Initialize the client for the specific cloud service\n        \"\"\"\n        pass\n\n    @abstractmethod\n    def delete_rules(self, group_id, rules):\n        \"\"\"\n        Delete security group rules\n        \"\"\"\n        pass\n\n    @abstractmethod\n    def add_rules(self, group_id, rules, ip):\n        \"\"\"\n        Add security group rules allowing the given ip\n        \"\"\"\n        pass\n\n    @abstractmethod\n    def get_rules(self, group_id):\n        \"\"\"\n        Get the security group rules\n        \"\"\"\n        pass\n```\n\n## Tests\n\n```bash\n# Install the development dependencies\npip install -e \".[dev]\"\n# Run the tests\npytest\n```\n\n## LICENSE\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabrahamgreyson%2Fupdate-whitelist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fabrahamgreyson%2Fupdate-whitelist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabrahamgreyson%2Fupdate-whitelist/lists"}