novalon/novalon-website
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: 优化CI/CD流程 - 自定义工具镜像、修复TLS问题、添加镜像清理脚本
ci/woodpecker/push/woodpecker Pipeline failed
Details

Browse Source 
- 创建轻量级工具镜像(novalon/tools:1.0.0)避免重复安装工具
- 修复Docker TLS handshake timeout问题
- 更新CI配置使用registry.f.novalon.cn/novalon/tools:1.0.0
- 添加自动清理脚本用于磁盘和镜像管理
This commit is contained in:
张翔
2026-03-31 17:27:43 +08:00
parent 1f7a4f865d
commit 3ce31d3178
11 changed files with 1273 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/security-verification.sh
+260
View File
@@ -0,0 +1,260 @@
#!/bin/bash
# 生产环境安全配置验证脚本
# 作者:张翔
# 日期:2026-03-31
echo "🔍 开始执行安全配置验证..."
# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
PROD_DIR="/home/novalon/docker-app"
NGINX_DIR="$PROD_DIR/novalon-nginx"
PASS_COUNT=0
FAIL_COUNT=0
# 检查函数
check_pass() {
echo -e "${GREEN}$1${NC}"
((PASS_COUNT++))
}
check_fail() {
echo -e "${RED}$1${NC}"
((FAIL_COUNT++))
}
check_warn() {
echo -e "${YELLOW}⚠️ $1${NC}"
}
echo ""
echo "=========================================="
echo "1. Nginx配置验证"
echo "=========================================="
# 检查nginx.conf是否存在
if [ -f "$NGINX_DIR/nginx.conf" ]; then
check_pass "Nginx配置文件存在"
# 检查安全头配置
if grep -q "X-Frame-Options" "$NGINX_DIR/nginx.conf"; then
check_pass "X-Frame-Options安全头已配置"
else
check_fail "X-Frame-Options安全头未配置"
fi
if grep -q "X-Content-Type-Options" "$NGINX_DIR/nginx.conf"; then
check_pass "X-Content-Type-Options安全头已配置"
else
check_fail "X-Content-Type-Options安全头未配置"
fi
if grep -q "Content-Security-Policy" "$NGINX_DIR/nginx.conf"; then
check_pass "Content-Security-Policy安全头已配置"
else
check_fail "Content-Security-Policy安全头未配置"
fi
if grep -q "Strict-Transport-Security" "$NGINX_DIR/nginx.conf"; then
check_pass "Strict-Transport-Security安全头已配置"
else
check_fail "Strict-Transport-Security安全头未配置"
fi
# 检查server_tokens
if grep -q "server_tokens off" "$NGINX_DIR/nginx.conf"; then
check_pass "Nginx版本号已隐藏"
else
check_fail "Nginx版本号未隐藏"
fi
# 检查SSL配置
if grep -q "ssl_certificate" "$NGINX_DIR/nginx.conf"; then
check_pass "SSL证书配置已存在"
else
check_fail "SSL证书配置缺失"
fi
# 检查DDoS防护
if grep -q "limit_req_zone" "$NGINX_DIR/nginx.conf"; then
check_pass "请求频率限制已配置"
else
check_fail "请求频率限制未配置"
fi
if grep -q "limit_conn_zone" "$NGINX_DIR/nginx.conf"; then
check_pass "连接数限制已配置"
else
check_fail "连接数限制未配置"
fi
else
check_fail "Nginx配置文件不存在"
fi
echo ""
echo "=========================================="
echo "2. SSL配置验证"
echo "=========================================="
# 检查SSL目录
if [ -d "$NGINX_DIR/ssl" ]; then
check_pass "SSL目录存在"
# 检查证书文件
if [ -f "$NGINX_DIR/ssl/fullchain.pem" ] && [ -f "$NGINX_DIR/ssl/privkey.pem" ]; then
check_pass "SSL证书文件存在"
# 检查证书有效期
if command -v openssl &> /dev/null; then
EXPIRY=$(openssl x509 -in "$NGINX_DIR/ssl/fullchain.pem" -noout -enddate 2>/dev/null)
if [ -n "$EXPIRY" ]; then
check_pass "SSL证书有效:$EXPIRY"
else
check_fail "SSL证书无效或已过期"
fi
fi
else
check_fail "SSL证书文件缺失"
check_warn "请配置SSL证书以启用HTTPS"
fi
else
check_fail "SSL目录不存在"
fi
echo ""
echo "=========================================="
echo "3. Docker配置验证"
echo "=========================================="
# 检查docker-compose.yml
if [ -f "$NGINX_DIR/docker-compose.yml" ]; then
check_pass "Docker Compose配置文件存在"
# 检查资源限制
if grep -q "deploy:" "$NGINX_DIR/docker-compose.yml"; then
check_pass "容器资源限制已配置"
else
check_fail "容器资源限制未配置"
fi
else
check_fail "Docker Compose配置文件不存在"
fi
echo ""
echo "=========================================="
echo "4. 服务状态验证"
echo "=========================================="
# 检查Docker服务
if command -v docker &> /dev/null; then
check_pass "Docker已安装"
# 检查Nginx容器
if docker ps --filter "name=novalon-nginx" --format "{{.Names}}" | grep -q "novalon-nginx"; then
check_pass "Nginx容器运行中"
else
check_fail "Nginx容器未运行"
fi
# 检查应用容器
if docker ps --filter "name=novalon-website" --format "{{.Names}}" | grep -q "novalon-website"; then
check_pass "应用容器运行中"
else
check_fail "应用容器未运行"
fi
else
check_fail "Docker未安装"
fi
echo ""
echo "=========================================="
echo "5. 端口配置验证"
echo "=========================================="
# 检查80端口
if command -v curl &> /dev/null; then
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:80 2>/dev/null)
if [ "$HTTP_CODE" = "301" ]; then
check_pass "80端口HTTP重定向正常($HTTP_CODE"
elif [ "$HTTP_CODE" = "200" ]; then
check_warn "80端口返回200,请确认是否需要重定向到HTTPS"
else
check_fail "80端口异常($HTTP_CODE"
fi
# 检查443端口
HTTPS_CODE=$(curl -s -o /dev/null -w "%{http_code}" -k https://localhost:443 2>/dev/null)
if [ "$HTTPS_CODE" = "200" ]; then
check_pass "443端口HTTPS正常($HTTPS_CODE"
elif [ "$HTTPS_CODE" = "301" ] || [ "$HTTPS_CODE" = "302" ]; then
check_pass "443端口HTTPS重定向正常($HTTPS_CODE"
else
check_warn "443端口可能未配置($HTTPS_CODE"
fi
else
check_fail "curl未安装,无法验证端口"
fi
echo ""
echo "=========================================="
echo "6. 安全头验证"
echo "=========================================="
if command -v curl &> /dev/null; then
HEADERS=$(curl -I -k https://localhost:443 2>/dev/null)
if echo "$HEADERS" | grep -qi "x-frame-options"; then
check_pass "X-Frame-Options响应头存在"
else
check_fail "X-Frame-Options响应头缺失"
fi
if echo "$HEADERS" | grep -qi "x-content-type-options"; then
check_pass "X-Content-Type-Options响应头存在"
else
check_fail "X-Content-Type-Options响应头缺失"
fi
if echo "$HEADERS" | grep -qi "strict-transport-security"; then
check_pass "Strict-Transport-Security响应头存在"
else
check_fail "Strict-Transport-Security响应头缺失"
fi
if echo "$HEADERS" | grep -qi "content-security-policy"; then
check_pass "Content-Security-Policy响应头存在"
else
check_fail "Content-Security-Policy响应头缺失"
fi
else
check_fail "curl未安装,无法验证安全头"
fi
echo ""
echo "=========================================="
echo "📊 验证结果汇总"
echo "=========================================="
echo ""
echo -e "${GREEN}通过:$PASS_COUNT${NC}"
echo -e "${RED}失败:$FAIL_COUNT${NC}"
echo ""
if [ $FAIL_COUNT -eq 0 ]; then
echo -e "${GREEN}✅ 所有安全配置验证通过!${NC}"
echo "您的生产环境安全配置符合最佳实践。"
else
echo -e "${RED}❌ 存在安全配置问题,请根据上述建议进行修复。${NC}"
fi
echo ""
echo "💡 建议:"
echo " 1. 确保SSL证书已配置并有效"
echo " 2. 定期更新Nginx和Docker"
echo " 3. 启用安全监控告警"
echo " 4. 定期进行安全审计"
echo ""