From 1d4bff31c4ad5e23f530c140c429cf02892e4140 Mon Sep 17 00:00:00 2001 From: gahusb Date: Mon, 11 May 2026 03:31:15 +0900 Subject: [PATCH] =?UTF-8?q?feat(packs-lab):=20DSM=5FVERIFY=5FSSL=20env=20?= =?UTF-8?q?=E2=80=94=20LAN=20IP=20+=20self-signed=20cert=20=ED=99=98?= =?UTF-8?q?=EA=B2=BD=20=EB=8C=80=EC=9D=91?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 운영 NAS에서 DSM_HOST=https://192.168.x.x:5001 같은 LAN IP 사용 시 DSM의 self-signed 인증서가 IP 주소에 매칭되지 않아 SSL 검증 실패 (SSL: CERTIFICATE_VERIFY_FAILED — IP address mismatch). LAN 내부 통신이라 verify=False 허용 가능. 환경변수로 토글: - DSM_VERIFY_SSL=true (default) — 도메인 + 정상 cert 환경 - DSM_VERIFY_SSL=false — LAN IP + self-signed 환경 dsm_client.py가 환경변수 읽어 httpx.AsyncClient(verify=...)에 전달. docker-compose.yml + .env.example + CLAUDE.md에 신규 env 명시. 회귀 25/25 passing. --- .env.example | 2 ++ CLAUDE.md | 1 + docker-compose.yml | 1 + packs-lab/app/dsm_client.py | 5 ++++- 4 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.env.example b/.env.example index ebb65d3..78a4efa 100644 --- a/.env.example +++ b/.env.example @@ -99,6 +99,8 @@ YOUTUBE_DATA_API_KEY= DSM_HOST=https://gahusb.synology.me:5001 DSM_USER= DSM_PASS= +# LAN IP로 DSM 접근 시 self-signed cert가 IP에 매칭 안 되어 검증 실패. 그 경우 false 설정 (LAN 내부 통신이라 허용 가능). 도메인 + 정상 cert면 true 유지. +DSM_VERIFY_SSL=true # Vercel SaaS ↔ backend HMAC 시크릿 (양쪽 동일 값) BACKEND_HMAC_SECRET= diff --git a/CLAUDE.md b/CLAUDE.md index e59eae4..239f4db 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -646,6 +646,7 @@ docker compose up -d **환경변수** - `DSM_HOST` / `DSM_USER` / `DSM_PASS`: Synology DSM 7.x 인증 (공유 링크 발급용) +- `DSM_VERIFY_SSL`: SSL 검증 (default `true`). LAN IP + self-signed cert 환경에서 IP mismatch 시 `false` 설정 (LAN 내부 통신이라 허용) - `BACKEND_HMAC_SECRET`: Vercel SaaS와 양쪽 공유 시크릿 (HMAC SHA256) - `SUPABASE_URL` / `SUPABASE_SERVICE_KEY`: Supabase pack_files 테이블 접근 (service_role, RLS 우회) - `UPLOAD_TOKEN_TTL_SEC`: admin upload 토큰 TTL (기본 1800초 = 30분) diff --git a/docker-compose.yml b/docker-compose.yml index dc36304..1920065 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -198,6 +198,7 @@ services: - DSM_HOST=${DSM_HOST:-} - DSM_USER=${DSM_USER:-} - DSM_PASS=${DSM_PASS:-} + - DSM_VERIFY_SSL=${DSM_VERIFY_SSL:-true} - BACKEND_HMAC_SECRET=${BACKEND_HMAC_SECRET:-} - SUPABASE_URL=${SUPABASE_URL:-} - SUPABASE_SERVICE_KEY=${SUPABASE_SERVICE_KEY:-} diff --git a/packs-lab/app/dsm_client.py b/packs-lab/app/dsm_client.py index eef6763..22469c5 100644 --- a/packs-lab/app/dsm_client.py +++ b/packs-lab/app/dsm_client.py @@ -15,6 +15,9 @@ logger = logging.getLogger("packs-lab.dsm") DSM_HOST = os.getenv("DSM_HOST", "") # 예: https://gahusb.synology.me:5001 DSM_USER = os.getenv("DSM_USER", "") DSM_PASS = os.getenv("DSM_PASS", "") +# LAN IP로 DSM 접근 시 self-signed cert가 IP에 매칭 안 되어 검증 실패. LAN 내부 통신이라 false 허용. +# 운영에서 LAN IP + self-signed면 DSM_VERIFY_SSL=false. 도메인 + 정상 cert면 기본값(true) 유지. +DSM_VERIFY_SSL = os.getenv("DSM_VERIFY_SSL", "true").strip().lower() != "false" API_AUTH = "/webapi/auth.cgi" API_SHARE = "/webapi/entry.cgi" @@ -74,7 +77,7 @@ async def create_share_link(file_path: str, expires_in_sec: int = 14400) -> tupl expires_at = datetime.now(timezone.utc) + timedelta(seconds=expires_in_sec) expire_time_ms = int(expires_at.timestamp() * 1000) - async with httpx.AsyncClient(verify=True) as client: + async with httpx.AsyncClient(verify=DSM_VERIFY_SSL) as client: sid = await _login(client) try: r = await client.get(