- 创建轻量级工具镜像(novalon/tools:1.0.0)避免重复安装工具 - 修复Docker TLS handshake timeout问题 - 更新CI配置使用registry.f.novalon.cn/novalon/tools:1.0.0 - 添加自动清理脚本用于磁盘和镜像管理
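--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# 生产环境安全加固脚本 - Next.js服务安全审计与加固
+# 作者:张翔
+# 日期:2026-03-31
+
+echo "🚀 开始执行生产环境安全加固..."
+
+# 颜色定义
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# 检查是否在生产环境
+echo "📋 检查生产环境配置..."
+
+# 1. 检查Docker容器状态
+echo "🐳 检查Docker容器状态..."
+docker ps -a --filter "name=novalon" 2>/dev/null || echo "⚠️ Docker未运行或无法访问"
+
+# 2. 检查端口暴露情况
+echo "🔌 检查端口暴露情况..."
+docker port novalon-website 2>/dev/null || echo "⚠️ 无法获取novalon-website容器端口信息"
+docker port novalon-nginx 2>/dev/null || echo "⚠️ 无法获取novalon-nginx容器端口信息"
+
+# 3. 检查防火墙配置
+echo "🛡️ 检查防火墙配置..."
+if command -v ufw &> /dev/null; then
+echo "UFW防火墙状态:"
+ufw status 2>/dev/null || echo "UFW未启用"
+elif command -v firewalld &> /dev/null; then
+echo "firewalld状态:"
+firewall-cmd --list-all 2>/dev/null || echo "firewalld未运行"
+else
+echo "⚠️ 未检测到防火墙管理工具"
+fi
+
+# 4. 检查Nginx配置
+echo "⚙️ 检查Nginx配置..."
+if [ -f "/home/novalon/docker-app/novalon-nginx/nginx.conf" ]; then
+echo "✅ 找到Nginx配置文件"
+echo "📊 Nginx配置内容:"
+cat /home/novalon/docker-app/novalon-nginx/nginx.conf 2>/dev/null | head -100
+else
+echo "❌ 未找到Nginx配置文件"
+echo "💡 建议:创建安全的Nginx配置文件"
+fi
+
+# 5. 检查SSL证书
+echo "🔒 检查SSL证书..."
+if [ -d "/home/novalon/docker-app/novalon-nginx/ssl" ]; then
+echo "✅ SSL目录存在"
+ls -la /home/novalon/docker-app/novalon-nginx/ssl 2>/dev/null
+else
+echo "⚠️ SSL目录不存在"
+echo "💡 建议:配置SSL证书以启用HTTPS"
+fi
+
+# 6. 检查环境变量
+echo "🔑 检查环境变量..."
+if [ -f "/home/novalon/docker-app/.env" ]; then
+echo "✅ .env文件存在"
+echo "⚠️ 请确保.env文件中不包含敏感信息"
+grep -v "^#" /home/novalon/docker-app/.env 2>/dev/null | head -20
+else
+echo "⚠️ 未找到.env文件"
+fi
+
+# 7. 安全加固建议
+echo ""
+echo "=========================================="
+echo "🛡️ 安全加固建议"
+echo "=========================================="
+echo ""
+echo "${YELLOW}1. 立即措施(高优先级)${NC}"
+echo " - [ ] 确保Next.js服务不直接暴露80/443端口"
+echo " - [ ] 配置Nginx作为反向代理,隐藏后端服务"
+echo " - [ ] 启用HTTPS,配置SSL证书"
+echo " - [ ] 限制80端口只允许HTTP到HTTPS重定向"
+echo ""
+echo "${YELLOW}2. 中期措施(中优先级)${NC}"
+echo " - [ ] 配置WAF(Web应用防火墙)"
+echo " - [ ] 启用请求频率限制"
+echo " - [ ] 配置安全头(CSP、HSTS等)"
+echo " - [ ] 启用访问日志和监控"
+echo ""
+echo "${YELLOW}3. 长期措施(低优先级)${NC}"
+echo " - [ ] 配置CDN加速和DDoS防护"
+echo " - [ ] 实施IP白名单策略"
+echo " - [ ] 定期安全扫描和漏洞修复"
+echo " - [ ] 建立安全监控告警机制"
+echo ""
+echo "=========================================="
+echo "💡 下一步操作"
+echo "=========================================="
+echo ""
+echo "请根据以上建议,逐步实施安全加固措施。"
+echo "建议优先处理高优先级项目,确保服务安全。"
+echo ""
+echo "如需自动化加固脚本,请运行:"
+echo " ./scripts/security-hardening.sh"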
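Review bot: The `.env` check in section 6 dumps the first 20 non-comment lines of `/home/novalon/docker-app/.env` to stdout, so any secret values in that file end up in the terminal scrollback or CI log of whoever runs this audit — directly contradicting the warning printed on the line just above it. An audit only needs to know which variables are defined, not their values; change the line to `grep -v "^#" /home/novalon/docker-app/.env 2>/dev/null | cut -d= -f1 | head -20` so only the key names are shown. Separately, the `RED`/`GREEN`/`YELLOW`/`NC` definitions hold literal `\033` sequences that `echo` does not interpret without `-e`, so the three `echo "${YELLOW}..."` headings in section 7 print the escape text verbatim; `printf '%b\n' "${YELLOW}1. 立即措施(高优先级)${NC}"` renders the colour as intended. Note also that `ufw status` and `firewall-cmd --list-all` typically need root, and the `2>/dev/null || echo "UFW未启用"` fallback will report "not enabled" when the real cause is a permission error, which is misleading in a security audit.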