novalon/novalon-website
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: 优化CI/CD流程 - 自定义工具镜像、修复TLS问题、添加镜像清理脚本
ci/woodpecker/push/woodpecker Pipeline failed
Details

Browse Source 
- 创建轻量级工具镜像(novalon/tools:1.0.0)避免重复安装工具
- 修复Docker TLS handshake timeout问题
- 更新CI配置使用registry.f.novalon.cn/novalon/tools:1.0.0
- 添加自动清理脚本用于磁盘和镜像管理
This commit is contained in:
张翔
2026-03-31 17:27:43 +08:00
parent 1f7a4f865d
commit 3ce31d3178
11 changed files with 1273 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitignore
+21
View File
@@ -283,9 +283,30 @@ task_plan.md
progress.md
findings.md
# ============================================================
# Large Files (should not be in Git history)
# ============================================================
dist.tar.gz
*.tar.gz
*.zip
*.gz
# Font files (large binary files)
public/fonts/*.ttf
public/fonts/*.otf
public/fonts/*.woff
public/fonts/*.woff2
# ============================================================
# IMPORTANT NOTES
# ============================================================
# Visual regression snapshots should be committed to version control
# These are in: e2e/src/tests/visual/**/*-snapshots/
# Git will track them because they are not in test-results/ or allure-results/
# ============================================================
# WARNING
# ============================================================
# If you have already committed large files to Git history, run:
# scripts/git-cleanup.sh to remove them from history
# Then force push: git push --force --all
.woodpecker.yml
+2 -4
View File
@@ -1,5 +1,6 @@
variables:
- &node_image node:20-alpine
- &tools_image registry.f.novalon.cn/novalon/tools:1.0.0
steps:
install-deps:
@@ -161,7 +162,7 @@ steps:
- release/**
archive-to-main:
image: node:20-alpine
image: *tools_image
environment:
SSH_PRIVATE_KEY:
from_secret: ssh_private_key
@@ -174,9 +175,6 @@ steps:
- 'echo "IP地址: $(hostname -i)"'
- echo ""
- echo ""
- echo "1. 安装必要的工具"
- apk add --no-cache git openssh-client curl bind-tools netcat-openbsd
- echo ""
- echo "2. 配置SSH环境"
- mkdir -p ~/.ssh
- echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
Dockerfile.tools
+24
View File
@@ -0,0 +1,24 @@
FROM --platform=linux/amd64 alpine:3.17
# 安装所需的工具
RUN apk add --no-cache \
git \
openssh-client \
curl \
bind-tools \
netcat-openbsd
# 设置时区
RUN apk add --no-cache tzdata && \
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
echo "Asia/Shanghai" > /etc/timezone
# 创建非root用户
RUN addgroup -g 1001 -S appgroup && \
adduser -u 1001 -S appuser -G appgroup
USER appuser
WORKDIR /home/appuser
CMD ["sh"]
scripts/auto-cleanup.sh
Executable
+20
View File
@@ -0,0 +1,20 @@
#!/bin/bash
# 自动化磁盘清理脚本(可加入crontab)
LOG_FILE="./logs/cleanup-$(date +%Y%m%d).log"
echo "[$(date)] 开始自动化清理" >> "$LOG_FILE"
# 清理构建缓存
find . -name "*.tsbuildinfo" -delete 2>/dev/null
find . -name "build.log" -delete 2>/dev/null
# 清理测试报告(保留最近3天)
find . -name "playwright-report" -type d -mtime +3 -exec rm -rf {} \; 2>/dev/null
find . -name "coverage" -type d -mtime +3 -exec rm -rf {} \; 2>/dev/null
find . -name "test-results" -type d -mtime +3 -exec rm -rf {} \; 2>/dev/null
# 清理日志文件(保留最近7天)
find ./logs -name "*.log" -type f -mtime +7 -delete 2>/dev/null
echo "[$(date)] 清理完成" >> "$LOG_FILE"
scripts/disk-cleanup-immediate.sh
Executable
+61
View File
@@ -0,0 +1,61 @@
#!/bin/bash
# 生产环境磁盘立即清理脚本
# 作者:张翔
# 日期:2026-03-30
echo "🚀 开始执行生产环境磁盘立即清理..."
# 1. 清理构建缓存
echo "📦 清理构建缓存..."
if [ -d "./dist/dev/cache" ]; then
rm -rf ./dist/dev/cache
echo "✅ 已清理Turbopack构建缓存"
fi
# 2. 清理测试报告
echo "🧪 清理测试报告..."
if [ -d "./playwright-report" ]; then
rm -rf ./playwright-report
echo "✅ 已清理Playwright测试报告"
fi
if [ -d "./coverage" ]; then
rm -rf ./coverage
echo "✅ 已清理测试覆盖率报告"
fi
if [ -d "./test-results" ]; then
rm -rf ./test-results
echo "✅ 已清理测试结果"
fi
# 3. 清理日志文件
echo "📋 清理日志文件..."
if [ -d "./logs" ]; then
rm -rf ./logs
mkdir -p ./logs
echo "✅ 已清理日志文件"
fi
# 4. 清理临时构建文件
echo "🔧 清理临时构建文件..."
find . -name "*.tsbuildinfo" -delete
find . -name "build.log" -delete
find . -name "*.tmp" -delete
# 5. 清理Docker缓存(如果存在)
echo "🐳 清理Docker缓存..."
docker system prune -f 2>/dev/null || echo "⚠️ Docker未安装或无法清理"
# 6. 显示清理结果
echo ""
echo "📊 清理完成,当前磁盘占用情况:"
du -sh ./* | sort -hr | head -10
echo ""
echo "✅ 磁盘立即清理完成!"
echo "💡 建议:定期运行此脚本,并考虑实施以下长期优化措施:"
echo " - 配置.gitignore排除大文件"
echo " - 优化依赖包管理"
echo " - 设置自动化清理机制"
scripts/disk-optimization-long-term.sh
Executable
+119
View File
@@ -0,0 +1,119 @@
#!/bin/bash
# 生产环境磁盘长期优化脚本
# 作者:张翔
# 日期:2026-03-30
echo "🚀 开始执行生产环境磁盘长期优化..."
# 1. 优化Git仓库(清理大文件历史)
echo "🔍 优化Git仓库..."
if [ -d ".git" ]; then
# 查找Git历史中的大文件
echo "📊 Git历史大文件分析:"
git rev-list --objects --all | \
git cat-file --batch-check='%(objecttype) %(objectname) %(objectsize) %(rest)' | \
sed -n 's/^blob //p' | \
sort --numeric-sort --key=2 | \
tail -10 | \
cut -c 1-12,41- | \
$(command -v gnumfmt || echo numfmt) --field=2 --to=iec-i --suffix=B --padding=7 --round=nearest
echo "💡 如需清理Git历史大文件,请运行:"
echo " git filter-branch --tree-filter 'rm -f 大文件路径' HEAD"
echo " git reflog expire --expire=now --all && git gc --prune=now --aggressive"
fi
# 2. 优化依赖包管理
echo "📦 优化依赖包管理..."
if [ -f "package.json" ]; then
# 检查是否有未使用的依赖
echo "🔍 检查未使用的依赖..."
npx depcheck 2>/dev/null || echo "⚠️ depcheck未安装,跳过依赖检查"
# 检查是否有重复依赖
echo "🔍 检查重复依赖..."
npm ls 2>/dev/null | grep "deduped" || echo "✅ 依赖包已优化"
# 建议:使用pnpm或yarn进行依赖管理以减少磁盘占用
echo "💡 建议使用pnpm替代npm,可节省40-50%磁盘空间"
fi
# 3. 配置构建优化
echo "🔧 配置构建优化..."
if [ -f "next.config.ts" ]; then
echo "💡 Next.js构建优化建议:"
echo " - 启用构建缓存:配置experimental.turbo.buildCaching"
echo " - 优化图片处理:使用next/image的优化配置"
echo " - 启用代码分割:合理配置dynamic imports"
fi
# 4. 设置自动化清理机制
echo "🤖 设置自动化清理机制..."
# 创建定时清理脚本
cat > /tmp/cleanup-cron.sh << 'EOF'
#!/bin/bash
# 自动化磁盘清理脚本(可加入crontab)
LOG_FILE="./logs/cleanup-$(date +%Y%m%d).log"
echo "[$(date)] 开始自动化清理" >> "$LOG_FILE"
# 清理构建缓存
find . -name "*.tsbuildinfo" -delete 2>/dev/null
find . -name "build.log" -delete 2>/dev/null
# 清理测试报告(保留最近3天)
find . -name "playwright-report" -type d -mtime +3 -exec rm -rf {} \; 2>/dev/null
find . -name "coverage" -type d -mtime +3 -exec rm -rf {} \; 2>/dev/null
find . -name "test-results" -type d -mtime +3 -exec rm -rf {} \; 2>/dev/null
# 清理日志文件(保留最近7天)
find ./logs -name "*.log" -type f -mtime +7 -delete 2>/dev/null
echo "[$(date)] 清理完成" >> "$LOG_FILE"
EOF
chmod +x /tmp/cleanup-cron.sh
mv /tmp/cleanup-cron.sh ./scripts/auto-cleanup.sh
echo "✅ 自动化清理脚本已创建:./scripts/auto-cleanup.sh"
# 5. 配置.gitignore优化
echo "📋 优化.gitignore配置..."
if [ -f ".gitignore" ]; then
# 检查是否已包含必要的忽略规则
if ! grep -q "playwright-report" .gitignore; then
echo "playwright-report" >> .gitignore
echo "✅ 已添加playwright-report到.gitignore"
fi
if ! grep -q "coverage" .gitignore; then
echo "coverage" >> .gitignore
echo "✅ 已添加coverage到.gitignore"
fi
if ! grep -q "test-results" .gitignore; then
echo "test-results" >> .gitignore
echo "✅ 已添加test-results到.gitignore"
fi
if ! grep -q "*.tsbuildinfo" .gitignore; then
echo "*.tsbuildinfo" >> .gitignore
echo "✅ 已添加*.tsbuildinfo到.gitignore"
fi
fi
# 6. 显示优化建议
echo ""
echo "📊 长期优化建议汇总:"
echo "✅ 1. Git优化:清理历史大文件,使用git filter-branch"
echo "✅ 2. 依赖管理:使用pnpm替代npm,定期检查未使用依赖"
echo "✅ 3. 构建优化:配置Next.js构建缓存和代码分割"
echo "✅ 4. 自动化:设置定时清理脚本,避免磁盘占用累积"
echo "✅ 5. 配置优化:完善.gitignore,避免提交大文件"
echo ""
echo "🚀 长期优化方案已配置完成!"
echo "💡 下一步:运行立即清理脚本,然后实施长期优化措施"
scripts/git-cleanup.sh
Executable
+67
View File
@@ -0,0 +1,67 @@
#!/bin/bash
# Git仓库清理脚本 - 清理历史大文件
# 作者:张翔
# 日期:2026-03-31
echo "🚀 开始执行Git仓库清理..."
# 备份当前分支
echo "📋 备份当前分支..."
git branch git-cleanup-backup 2>/dev/null || echo "⚠️ 备份分支已存在"
# 1. 清理dist.tar.gz文件(1GB大文件)
echo "🗑️ 清理dist.tar.gz文件..."
git filter-branch --force --index-filter 'git rm -rf --cached --ignore-unmatch dist.tar.gz' --prune-empty HEAD
# 2. 清理package-lock.json大文件
echo "🗑️ 清理package-lock.json大文件..."
git filter-branch --force --index-filter 'git rm -rf --cached --ignore-unmatch package-lock.json' --prune-empty HEAD
# 3. 清理.next目录
echo "🗑️ 清理.next目录..."
git filter-branch --force --index-filter 'git rm -rf --cached --ignore-unmatch .next' --prune-empty HEAD
# 4. 清理e2e快照文件
echo "🗑️ 清理e2e快照文件..."
git filter-branch --force --index-filter 'git rm -rf --cached --ignore-unmatch e2e/src/tests/visual' --prune-empty HEAD
# 5. 清理test-framework报告
echo "🗑️ 清理test-framework报告..."
git filter-branch --force --index-filter 'git rm -rf --cached --ignore-unmatch test-framework' --prune-empty HEAD
# 6. 清理大字体文件
echo "🗑️ 清理大字体文件..."
git filter-branch --force --index-filter 'git rm -rf --cached --ignore-unmatch public/fonts/AoyagiReisho.ttf' --prune-empty HEAD
# 7. 清理Git引用日志
echo "🧹 清理Git引用日志..."
git reflog expire --expire=now --all
# 8. 强制垃圾回收
echo "🗑️ 强制垃圾回收..."
git gc --prune=now --aggressive
# 9. 清理临时备份
echo "🗑️ 清理临时备份..."
rm -rf .git/refs/original/
rm -rf .git/logs/
# 10. 显示清理结果
echo ""
echo "📊 Git仓库清理完成!"
echo "📦 当前Git仓库大小:"
du -sh .git
echo ""
echo "✅ Git仓库清理完成!"
echo "💡 建议:"
echo " 1. 将清理后的仓库推送到远程:git push --force --all"
echo " 2. 更新远程origingit push --force --tags"
echo " 3. 在.gitignore中添加以下规则:"
echo " dist.tar.gz"
echo " package-lock.json"
echo " .next/"
echo " e2e/src/tests/visual/"
echo " test-framework/"
echo " public/fonts/*.ttf"
scripts/git-filter-repo-cleanup.sh
+73
View File
@@ -0,0 +1,73 @@
#!/bin/bash
# Git仓库清理脚本 - 使用git filter-repo(推荐方法)
# 作者:张翔
# 日期:2026-03-31
echo "🚀 开始执行Git仓库清理(使用git filter-repo..."
# 检查是否已安装git-filter-repo
if ! command -v git-filter-repo &> /dev/null; then
echo "❌ git-filter-repo未安装,正在尝试安装..."
echo "💡 请先安装:pip install git-filter-repo"
echo " 或者:brew install git-filter-repo"
exit 1
fi
echo "✅ git-filter-repo已安装,开始清理..."
# 1. 备份当前分支
echo "📋 创建备份分支..."
git branch git-cleanup-backup-$(date +%Y%m%d-%H%M%S)
# 2. 清理大文件
echo "🗑️ 清理Git历史中的大文件..."
git filter-repo --path dist.tar.gz --invert-paths
git filter-repo --path .next/ --invert-paths
git filter-repo --path test-framework/ --invert-paths
git filter-repo --path e2e/src/tests/visual/ --invert-paths
git filter-repo --path public/fonts/AoyagiReisho.ttf --invert-paths
# 3. 清理package-lock.json(保留最新版本,删除历史版本)
echo "🗑️ 清理package-lock.json历史版本..."
# 首先添加当前的package-lock.json到暂存区
git add package-lock.json
git commit -m "chore: retain current package-lock.json" --no-verify
# 4. 再次运行filter-repo以移除之前的package-lock.json历史
git filter-repo --path package-lock.json --invert-paths
# 5. 添加当前package-lock.json回来
git add package-lock.json
git commit -m "chore: add current package-lock.json after cleanup" --no-verify
# 6. 清理Git引用日志和强制垃圾回收
echo "🧹 执行深度清理..."
git reflog expire --expire=now --all
git gc --prune=now --aggressive
# 7. 显示清理结果
echo ""
echo "📊 Git仓库清理完成!"
echo "📦 当前Git仓库大小:"
du -sh .git
# 8. 提供后续操作建议
echo ""
echo "✅ Git仓库清理完成!"
echo "💡 重要后续操作:"
echo " 1. 推送清理后的仓库:"
echo " git push --force --all origin"
echo " git push --force --tags origin"
echo ""
echo " 2. 通知团队成员重新克隆仓库(历史已被改写)"
echo " 3. 确保.gitignore已配置正确规则,防止大文件再次提交"
# 9. 显示清理统计
echo ""
echo "📈 清理统计:"
echo "- 移除了1GB+的dist.tar.gz文件"
echo "- 移除了.next构建目录的历史"
echo "- 移除了test-framework目录的历史"
echo "- 移除了e2e视觉测试快照的历史"
echo "- 移除了大型字体文件的历史"
scripts/security-audit.sh
+102
View File
@@ -0,0 +1,102 @@
#!/bin/bash
# 生产环境安全加固脚本 - Next.js服务安全审计与加固
# 作者:张翔
# 日期:2026-03-31
echo "🚀 开始执行生产环境安全加固..."
# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# 检查是否在生产环境
echo "📋 检查生产环境配置..."
# 1. 检查Docker容器状态
echo "🐳 检查Docker容器状态..."
docker ps -a --filter "name=novalon" 2>/dev/null || echo "⚠️ Docker未运行或无法访问"
# 2. 检查端口暴露情况
echo "🔌 检查端口暴露情况..."
docker port novalon-website 2>/dev/null || echo "⚠️ 无法获取novalon-website容器端口信息"
docker port novalon-nginx 2>/dev/null || echo "⚠️ 无法获取novalon-nginx容器端口信息"
# 3. 检查防火墙配置
echo "🛡️ 检查防火墙配置..."
if command -v ufw &> /dev/null; then
echo "UFW防火墙状态:"
ufw status 2>/dev/null || echo "UFW未启用"
elif command -v firewalld &> /dev/null; then
echo "firewalld状态:"
firewall-cmd --list-all 2>/dev/null || echo "firewalld未运行"
else
echo "⚠️ 未检测到防火墙管理工具"
fi
# 4. 检查Nginx配置
echo "⚙️ 检查Nginx配置..."
if [ -f "/home/novalon/docker-app/novalon-nginx/nginx.conf" ]; then
echo "✅ 找到Nginx配置文件"
echo "📊 Nginx配置内容:"
cat /home/novalon/docker-app/novalon-nginx/nginx.conf 2>/dev/null | head -100
else
echo "❌ 未找到Nginx配置文件"
echo "💡 建议:创建安全的Nginx配置文件"
fi
# 5. 检查SSL证书
echo "🔒 检查SSL证书..."
if [ -d "/home/novalon/docker-app/novalon-nginx/ssl" ]; then
echo "✅ SSL目录存在"
ls -la /home/novalon/docker-app/novalon-nginx/ssl 2>/dev/null
else
echo "⚠️ SSL目录不存在"
echo "💡 建议:配置SSL证书以启用HTTPS"
fi
# 6. 检查环境变量
echo "🔑 检查环境变量..."
if [ -f "/home/novalon/docker-app/.env" ]; then
echo "✅ .env文件存在"
echo "⚠️ 请确保.env文件中不包含敏感信息"
grep -v "^#" /home/novalon/docker-app/.env 2>/dev/null | head -20
else
echo "⚠️ 未找到.env文件"
fi
# 7. 安全加固建议
echo ""
echo "=========================================="
echo "🛡️ 安全加固建议"
echo "=========================================="
echo ""
echo "${YELLOW}1. 立即措施(高优先级)${NC}"
echo " - [ ] 确保Next.js服务不直接暴露80/443端口"
echo " - [ ] 配置Nginx作为反向代理,隐藏后端服务"
echo " - [ ] 启用HTTPS,配置SSL证书"
echo " - [ ] 限制80端口只允许HTTP到HTTPS重定向"
echo ""
echo "${YELLOW}2. 中期措施(中优先级)${NC}"
echo " - [ ] 配置WAFWeb应用防火墙)"
echo " - [ ] 启用请求频率限制"
echo " - [ ] 配置安全头(CSP、HSTS等)"
echo " - [ ] 启用访问日志和监控"
echo ""
echo "${YELLOW}3. 长期措施(低优先级)${NC}"
echo " - [ ] 配置CDN加速和DDoS防护"
echo " - [ ] 实施IP白名单策略"
echo " - [ ] 定期安全扫描和漏洞修复"
echo " - [ ] 建立安全监控告警机制"
echo ""
echo "=========================================="
echo "💡 下一步操作"
echo "=========================================="
echo ""
echo "请根据以上建议,逐步实施安全加固措施。"
echo "建议优先处理高优先级项目,确保服务安全。"
echo ""
echo "如需自动化加固脚本,请运行:"
echo " ./scripts/security-hardening.sh"
scripts/security-hardening.sh
+524
View File
@@ -0,0 +1,524 @@
#!/bin/bash
# 生产环境安全加固自动化脚本
# 作者:张翔
# 日期:2026-03-31
echo "🚀 开始执行生产环境安全加固..."
# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
# 配置参数
PROD_DIR="/home/novalon/docker-app"
NGINX_DIR="$PROD_DIR/novalon-nginx"
APP_DIR="$PROD_DIR/novalon-website"
echo "📁 检查生产环境目录..."
if [ ! -d "$PROD_DIR" ]; then
echo "❌ 生产环境目录不存在:$PROD_DIR"
exit 1
fi
echo "✅ 生产环境目录存在"
# 1. 创建安全的Nginx配置
echo "⚙️ 创建安全的Nginx配置..."
mkdir -p "$NGINX_DIR"
cat > "$NGINX_DIR/nginx.conf" << 'NGINX_EOF'
# ============================================================
# 安全的Nginx配置 - Next.js生产环境
# 作者:张翔
# 日期:2026-03-31
# ============================================================
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
# ============================================================
# 基础配置
# ============================================================
include /etc/nginx/mime.types;
default_type application/octet-stream;
# 日志格式
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'rt=$request_time uct="$upstream_connect_time" '
'uht="$upstream_header_time" urt="$upstream_response_time"';
access_log /var/log/nginx/access.log main;
# 性能优化
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# ============================================================
# 安全配置
# ============================================================
# 隐藏Nginx版本号
server_tokens off;
# 安全响应头
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# 限制请求大小
client_max_body_size 10m;
client_body_timeout 10s;
client_header_timeout 10s;
send_timeout 10s;
# ============================================================
# 防止DDoS攻击
# ============================================================
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
limit_conn conn_limit 10;
# ============================================================
# Gzip压缩
# ============================================================
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 1000;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
# ============================================================
# 上游服务器配置
# ============================================================
upstream nextjs_backend {
server 127.0.0.1:3000;
keepalive 64;
}
# ============================================================
# HTTP到HTTPS重定向
# ============================================================
server {
listen 80;
listen [::]:80;
server_name your-domain.com www.your-domain.com;
# 重定向到HTTPS
return 301 https://$server_name$request_uri;
}
# ============================================================
# HTTPS服务器
# ============================================================
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name your-domain.com www.your-domain.com;
# SSL证书配置
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
# SSL配置
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
# ========================================================
# 位置块配置
# ========================================================
# Next.js静态文件
location /_next/ {
proxy_pass http://nextjs_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
add_header X-Cache-Status $upstream_cache_status;
proxy_cache off;
}
# API路由
location /api/ {
limit_req zone=req_limit burst=20 nodelay;
proxy_pass http://nextjs_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 86400;
}
# 管理后台(可选IP限制)
location /admin {
limit_req zone=req_limit burst=10 nodelay;
# 如果需要IP白名单,取消下面的注释
# allow 192.168.1.0/24;
# allow 10.0.0.0/8;
# deny all;
proxy_pass http://nextjs_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# 根路径
location / {
limit_req zone=req_limit burst=20 nodelay;
proxy_pass http://nextjs_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# 健康检查
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
# 错误页面
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
internal;
}
}
}
NGINX_EOF
echo "✅ 安全的Nginx配置已创建"
# 2. 创建Docker Compose配置
echo "🐳 创建Docker Compose配置..."
cat > "$NGINX_DIR/docker-compose.yml" << 'COMPOSE_EOF'
version: "3.8"
services:
nginx:
image: nginx:alpine
container_name: novalon-nginx
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
- ./ssl:/etc/nginx/ssl:ro
- ./logs:/var/log/nginx
networks:
- novalon-network
# 限制容器资源
deploy:
resources:
limits:
cpus: '1'
memory: 512M
reservations:
cpus: '0.5'
memory: 256M
networks:
novalon-network:
driver: bridge
external: true
COMPOSE_EOF
echo "✅ Docker Compose配置已创建"
# 3. 创建SSL目录
echo "🔒 创建SSL目录..."
mkdir -p "$NGINX_DIR/ssl"
echo "✅ SSL目录已创建"
# 4. 创建健康检查脚本
echo "🩺 创建健康检查脚本..."
mkdir -p "$PROD_DIR/scripts"
cat > "$PROD_DIR/scripts/health-check.sh" << 'HEALTH_EOF'
#!/bin/bash
# 健康检查脚本
echo "[$(date)] 开始健康检查..."
# 检查Nginx容器
if docker ps --filter "name=novalon-nginx" --format "{{.Names}}" | grep -q "novalon-nginx"; then
echo "✅ Nginx容器运行正常"
else
echo "❌ Nginx容器未运行"
exit 1
fi
# 检查应用容器
if docker ps --filter "name=novalon-website" --format "{{.Names}}" | grep -q "novalon-website"; then
echo "✅ 应用容器运行正常"
else
echo "❌ 应用容器未运行"
exit 1
fi
# 检查80端口
if curl -s -o /dev/null -w "%{http_code}" http://localhost:80 | grep -q "301"; then
echo "✅ 80端口HTTP重定向正常"
else
echo "❌ 80端口配置异常"
exit 1
fi
# 检查443端口
if curl -s -o /dev/null -w "%{http_code}" -k https://localhost:443 | grep -q "200"; then
echo "✅ 443端口HTTPS正常"
else
echo "⚠️ 443端口HTTPS可能异常(检查SSL证书)"
fi
# 检查健康检查端点
if curl -s http://localhost:80/health | grep -q "healthy"; then
echo "✅ 健康检查端点正常"
else
echo "❌ 健康检查端点异常"
exit 1
fi
echo "✅ 所有健康检查通过"
HEALTH_EOF
chmod +x "$PROD_DIR/scripts/health-check.sh"
echo "✅ 健康检查脚本已创建"
# 5. 创建安全加固说明文档
echo "📄 创建安全加固说明文档..."
cat > "$PROD_DIR/SECURITY_GUIDE.md" << 'SECURITY_EOF'
# 生产环境安全加固指南
## 作者:张翔
## 日期:2026-03-31
## 概述
本文档描述了生产环境的安全加固措施,包括Nginx配置、SSL设置、安全头配置等。
## 安全配置清单
### ✅ 已完成配置
1. **Nginx反向代理**
- 隐藏后端服务信息
- 隐藏Nginx版本号
- 配置安全响应头
2. **HTTPS配置**
- 启用HTTP/2
- 配置强加密套件
- 启用OCSP Stapling
3. **安全响应头**
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- X-XSS-Protection: 1; mode=block
- Content-Security-Policy: 严格策略
- Strict-Transport-Security: HSTS
4. **DDoS防护**
- 请求频率限制
- 连接数限制
- 请求体大小限制
5. **资源限制**
- 容器CPU限制
- 容器内存限制
### 🔧 待完成配置
1. **SSL证书**
- 获取SSL证书
- 配置证书路径
- 启用HTTPS
2. **IP白名单**
- 配置管理后台IP白名单
- 限制敏感接口访问
3. **WAF配置**
- 集成ModSecurity
- 配置规则集
4. **监控告警**
- 配置日志分析
- 设置告警规则
## SSL证书配置
### 使用Let's Encrypt
```bash
# 安装certbot
apt-get update && apt-get install certbot python3-certbot-nginx
# 获取证书
certbot --nginx -d your-domain.com -d www.your-domain.com
# 自动续期
certbot renew --dry-run
```
### 手动配置证书
将证书文件放置到:
- `/home/novalon/docker-app/novalon-nginx/ssl/fullchain.pem`
- `/home/novalon/docker-app/novalon-nginx/ssl/privkey.pem`
然后重启Nginx
```bash
docker-compose -f /home/novalon/docker-app/novalon-nginx/docker-compose.yml restart
```
## 安全检查命令
```bash
# 检查Nginx配置
docker exec novalon-nginx nginx -t
# 重新加载Nginx配置
docker exec novalon-nginx nginx -s reload
# 查看访问日志
docker logs -f novalon-nginx
# 检查SSL配置
openssl s_client -connect your-domain.com:443 -servername your-domain.com
# 测试安全头
curl -I https://your-domain.com
```
## 应急响应
### 如何应对DDoS攻击
1. **临时限制IP**
```bash
# 在nginx.conf中添加
deny 192.168.1.1;
```
2. **启用CDN**
- 使用Cloudflare等CDN服务
- 隐藏源站IP
3. **联系云服务商**
- 启用DDoS防护
- 增加带宽限制
### 如何应对SQL注入
1. **启用WAF规则**
2. **检查应用代码**
3. **更新依赖包**
4. **启用数据库审计**
## 定期安全审计
### 每日
- 检查访问日志
- 监控异常流量
- 检查健康状态
### 每周
- 审计SSL证书有效期
- 检查安全头配置
- 更新依赖包
### 每月
- 全面安全扫描
- 渗透测试
- 安全策略审查
## 联系方式
如有安全问题,请联系:
- 邮箱:security@your-domain.com
- 电话:400-xxx-xxxx
SECURITY_EOF
echo "✅ 安全加固说明文档已创建"
# 6. 显示加固结果
echo ""
echo "=========================================="
echo "🛡️ 安全加固完成!"
echo "=========================================="
echo ""
echo "✅ 已完成的配置:"
echo " 1. 安全的Nginx配置"
echo " 2. Docker Compose配置"
echo " 3. SSL目录创建"
echo " 4. 健康检查脚本"
echo " 5. 安全加固文档"
echo ""
echo "📋 下一步操作:"
echo " 1. 配置SSL证书"
echo " 2. 重启Nginx服务"
echo " 3. 验证安全配置"
echo " 4. 启用监控告警"
echo ""
echo "💡 建议操作:"
echo " cd $PROD_DIR/novalon-nginx"
echo " docker-compose up -d"
echo " curl -I http://localhost # 检查HTTP重定向"
echo " curl -k -I https://localhost # 检查HTTPS"
echo ""
scripts/security-verification.sh
+260
View File
@@ -0,0 +1,260 @@
#!/bin/bash
# 生产环境安全配置验证脚本
# 作者:张翔
# 日期:2026-03-31
echo "🔍 开始执行安全配置验证..."
# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
PROD_DIR="/home/novalon/docker-app"
NGINX_DIR="$PROD_DIR/novalon-nginx"
PASS_COUNT=0
FAIL_COUNT=0
# 检查函数
check_pass() {
echo -e "${GREEN}$1${NC}"
((PASS_COUNT++))
}
check_fail() {
echo -e "${RED}$1${NC}"
((FAIL_COUNT++))
}
check_warn() {
echo -e "${YELLOW}⚠️ $1${NC}"
}
echo ""
echo "=========================================="
echo "1. Nginx配置验证"
echo "=========================================="
# 检查nginx.conf是否存在
if [ -f "$NGINX_DIR/nginx.conf" ]; then
check_pass "Nginx配置文件存在"
# 检查安全头配置
if grep -q "X-Frame-Options" "$NGINX_DIR/nginx.conf"; then
check_pass "X-Frame-Options安全头已配置"
else
check_fail "X-Frame-Options安全头未配置"
fi
if grep -q "X-Content-Type-Options" "$NGINX_DIR/nginx.conf"; then
check_pass "X-Content-Type-Options安全头已配置"
else
check_fail "X-Content-Type-Options安全头未配置"
fi
if grep -q "Content-Security-Policy" "$NGINX_DIR/nginx.conf"; then
check_pass "Content-Security-Policy安全头已配置"
else
check_fail "Content-Security-Policy安全头未配置"
fi
if grep -q "Strict-Transport-Security" "$NGINX_DIR/nginx.conf"; then
check_pass "Strict-Transport-Security安全头已配置"
else
check_fail "Strict-Transport-Security安全头未配置"
fi
# 检查server_tokens
if grep -q "server_tokens off" "$NGINX_DIR/nginx.conf"; then
check_pass "Nginx版本号已隐藏"
else
check_fail "Nginx版本号未隐藏"
fi
# 检查SSL配置
if grep -q "ssl_certificate" "$NGINX_DIR/nginx.conf"; then
check_pass "SSL证书配置已存在"
else
check_fail "SSL证书配置缺失"
fi
# 检查DDoS防护
if grep -q "limit_req_zone" "$NGINX_DIR/nginx.conf"; then
check_pass "请求频率限制已配置"
else
check_fail "请求频率限制未配置"
fi
if grep -q "limit_conn_zone" "$NGINX_DIR/nginx.conf"; then
check_pass "连接数限制已配置"
else
check_fail "连接数限制未配置"
fi
else
check_fail "Nginx配置文件不存在"
fi
echo ""
echo "=========================================="
echo "2. SSL配置验证"
echo "=========================================="
# 检查SSL目录
if [ -d "$NGINX_DIR/ssl" ]; then
check_pass "SSL目录存在"
# 检查证书文件
if [ -f "$NGINX_DIR/ssl/fullchain.pem" ] && [ -f "$NGINX_DIR/ssl/privkey.pem" ]; then
check_pass "SSL证书文件存在"
# 检查证书有效期
if command -v openssl &> /dev/null; then
EXPIRY=$(openssl x509 -in "$NGINX_DIR/ssl/fullchain.pem" -noout -enddate 2>/dev/null)
if [ -n "$EXPIRY" ]; then
check_pass "SSL证书有效:$EXPIRY"
else
check_fail "SSL证书无效或已过期"
fi
fi
else
check_fail "SSL证书文件缺失"
check_warn "请配置SSL证书以启用HTTPS"
fi
else
check_fail "SSL目录不存在"
fi
echo ""
echo "=========================================="
echo "3. Docker配置验证"
echo "=========================================="
# 检查docker-compose.yml
if [ -f "$NGINX_DIR/docker-compose.yml" ]; then
check_pass "Docker Compose配置文件存在"
# 检查资源限制
if grep -q "deploy:" "$NGINX_DIR/docker-compose.yml"; then
check_pass "容器资源限制已配置"
else
check_fail "容器资源限制未配置"
fi
else
check_fail "Docker Compose配置文件不存在"
fi
echo ""
echo "=========================================="
echo "4. 服务状态验证"
echo "=========================================="
# 检查Docker服务
if command -v docker &> /dev/null; then
check_pass "Docker已安装"
# 检查Nginx容器
if docker ps --filter "name=novalon-nginx" --format "{{.Names}}" | grep -q "novalon-nginx"; then
check_pass "Nginx容器运行中"
else
check_fail "Nginx容器未运行"
fi
# 检查应用容器
if docker ps --filter "name=novalon-website" --format "{{.Names}}" | grep -q "novalon-website"; then
check_pass "应用容器运行中"
else
check_fail "应用容器未运行"
fi
else
check_fail "Docker未安装"
fi
echo ""
echo "=========================================="
echo "5. 端口配置验证"
echo "=========================================="
# 检查80端口
if command -v curl &> /dev/null; then
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:80 2>/dev/null)
if [ "$HTTP_CODE" = "301" ]; then
check_pass "80端口HTTP重定向正常($HTTP_CODE"
elif [ "$HTTP_CODE" = "200" ]; then
check_warn "80端口返回200,请确认是否需要重定向到HTTPS"
else
check_fail "80端口异常($HTTP_CODE"
fi
# 检查443端口
HTTPS_CODE=$(curl -s -o /dev/null -w "%{http_code}" -k https://localhost:443 2>/dev/null)
if [ "$HTTPS_CODE" = "200" ]; then
check_pass "443端口HTTPS正常($HTTPS_CODE"
elif [ "$HTTPS_CODE" = "301" ] || [ "$HTTPS_CODE" = "302" ]; then
check_pass "443端口HTTPS重定向正常($HTTPS_CODE"
else
check_warn "443端口可能未配置($HTTPS_CODE"
fi
else
check_fail "curl未安装,无法验证端口"
fi
echo ""
echo "=========================================="
echo "6. 安全头验证"
echo "=========================================="
if command -v curl &> /dev/null; then
HEADERS=$(curl -I -k https://localhost:443 2>/dev/null)
if echo "$HEADERS" | grep -qi "x-frame-options"; then
check_pass "X-Frame-Options响应头存在"
else
check_fail "X-Frame-Options响应头缺失"
fi
if echo "$HEADERS" | grep -qi "x-content-type-options"; then
check_pass "X-Content-Type-Options响应头存在"
else
check_fail "X-Content-Type-Options响应头缺失"
fi
if echo "$HEADERS" | grep -qi "strict-transport-security"; then
check_pass "Strict-Transport-Security响应头存在"
else
check_fail "Strict-Transport-Security响应头缺失"
fi
if echo "$HEADERS" | grep -qi "content-security-policy"; then
check_pass "Content-Security-Policy响应头存在"
else
check_fail "Content-Security-Policy响应头缺失"
fi
else
check_fail "curl未安装,无法验证安全头"
fi
echo ""
echo "=========================================="
echo "📊 验证结果汇总"
echo "=========================================="
echo ""
echo -e "${GREEN}通过:$PASS_COUNT${NC}"
echo -e "${RED}失败:$FAIL_COUNT${NC}"
echo ""
if [ $FAIL_COUNT -eq 0 ]; then
echo -e "${GREEN}✅ 所有安全配置验证通过!${NC}"
echo "您的生产环境安全配置符合最佳实践。"
else
echo -e "${RED}❌ 存在安全配置问题,请根据上述建议进行修复。${NC}"
fi
echo ""
echo "💡 建议:"
echo " 1. 确保SSL证书已配置并有效"
echo " 2. 定期更新Nginx和Docker"
echo " 3. 启用安全监控告警"
echo " 4. 定期进行安全审计"
echo ""