#!/bin/bash # 生产环境安全配置验证脚本 # 作者:张翔 # 日期:2026-03-31 echo "🔍 开始执行安全配置验证..." # 颜色定义 RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' NC='\033[0m' PROD_DIR="/home/novalon/docker-app" NGINX_DIR="$PROD_DIR/novalon-nginx" PASS_COUNT=0 FAIL_COUNT=0 # 检查函数 check_pass() { echo -e "${GREEN}✅ $1${NC}" ((PASS_COUNT++)) } check_fail() { echo -e "${RED}❌ $1${NC}" ((FAIL_COUNT++)) } check_warn() { echo -e "${YELLOW}⚠️ $1${NC}" } echo "" echo "==========================================" echo "1. Nginx配置验证" echo "==========================================" # 检查nginx.conf是否存在 if [ -f "$NGINX_DIR/nginx.conf" ]; then check_pass "Nginx配置文件存在" # 检查安全头配置 if grep -q "X-Frame-Options" "$NGINX_DIR/nginx.conf"; then check_pass "X-Frame-Options安全头已配置" else check_fail "X-Frame-Options安全头未配置" fi if grep -q "X-Content-Type-Options" "$NGINX_DIR/nginx.conf"; then check_pass "X-Content-Type-Options安全头已配置" else check_fail "X-Content-Type-Options安全头未配置" fi if grep -q "Content-Security-Policy" "$NGINX_DIR/nginx.conf"; then check_pass "Content-Security-Policy安全头已配置" else check_fail "Content-Security-Policy安全头未配置" fi if grep -q "Strict-Transport-Security" "$NGINX_DIR/nginx.conf"; then check_pass "Strict-Transport-Security安全头已配置" else check_fail "Strict-Transport-Security安全头未配置" fi # 检查server_tokens if grep -q "server_tokens off" "$NGINX_DIR/nginx.conf"; then check_pass "Nginx版本号已隐藏" else check_fail "Nginx版本号未隐藏" fi # 检查SSL配置 if grep -q "ssl_certificate" "$NGINX_DIR/nginx.conf"; then check_pass "SSL证书配置已存在" else check_fail "SSL证书配置缺失" fi # 检查DDoS防护 if grep -q "limit_req_zone" "$NGINX_DIR/nginx.conf"; then check_pass "请求频率限制已配置" else check_fail "请求频率限制未配置" fi if grep -q "limit_conn_zone" "$NGINX_DIR/nginx.conf"; then check_pass "连接数限制已配置" else check_fail "连接数限制未配置" fi else check_fail "Nginx配置文件不存在" fi echo "" echo "==========================================" echo "2. SSL配置验证" echo "==========================================" # 检查SSL目录 if [ -d "$NGINX_DIR/ssl" ]; then check_pass "SSL目录存在" # 检查证书文件 if [ -f "$NGINX_DIR/ssl/fullchain.pem" ] && [ -f "$NGINX_DIR/ssl/privkey.pem" ]; then check_pass "SSL证书文件存在" # 检查证书有效期 if command -v openssl &> /dev/null; then EXPIRY=$(openssl x509 -in "$NGINX_DIR/ssl/fullchain.pem" -noout -enddate 2>/dev/null) if [ -n "$EXPIRY" ]; then check_pass "SSL证书有效:$EXPIRY" else check_fail "SSL证书无效或已过期" fi fi else check_fail "SSL证书文件缺失" check_warn "请配置SSL证书以启用HTTPS" fi else check_fail "SSL目录不存在" fi echo "" echo "==========================================" echo "3. Docker配置验证" echo "==========================================" # 检查docker-compose.yml if [ -f "$NGINX_DIR/docker-compose.yml" ]; then check_pass "Docker Compose配置文件存在" # 检查资源限制 if grep -q "deploy:" "$NGINX_DIR/docker-compose.yml"; then check_pass "容器资源限制已配置" else check_fail "容器资源限制未配置" fi else check_fail "Docker Compose配置文件不存在" fi echo "" echo "==========================================" echo "4. 服务状态验证" echo "==========================================" # 检查Docker服务 if command -v docker &> /dev/null; then check_pass "Docker已安装" # 检查Nginx容器 if docker ps --filter "name=novalon-nginx" --format "{{.Names}}" | grep -q "novalon-nginx"; then check_pass "Nginx容器运行中" else check_fail "Nginx容器未运行" fi # 检查应用容器 if docker ps --filter "name=novalon-website" --format "{{.Names}}" | grep -q "novalon-website"; then check_pass "应用容器运行中" else check_fail "应用容器未运行" fi else check_fail "Docker未安装" fi echo "" echo "==========================================" echo "5. 端口配置验证" echo "==========================================" # 检查80端口 if command -v curl &> /dev/null; then HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:80 2>/dev/null) if [ "$HTTP_CODE" = "301" ]; then check_pass "80端口HTTP重定向正常($HTTP_CODE)" elif [ "$HTTP_CODE" = "200" ]; then check_warn "80端口返回200,请确认是否需要重定向到HTTPS" else check_fail "80端口异常($HTTP_CODE)" fi # 检查443端口 HTTPS_CODE=$(curl -s -o /dev/null -w "%{http_code}" -k https://localhost:443 2>/dev/null) if [ "$HTTPS_CODE" = "200" ]; then check_pass "443端口HTTPS正常($HTTPS_CODE)" elif [ "$HTTPS_CODE" = "301" ] || [ "$HTTPS_CODE" = "302" ]; then check_pass "443端口HTTPS重定向正常($HTTPS_CODE)" else check_warn "443端口可能未配置($HTTPS_CODE)" fi else check_fail "curl未安装,无法验证端口" fi echo "" echo "==========================================" echo "6. 安全头验证" echo "==========================================" if command -v curl &> /dev/null; then HEADERS=$(curl -I -k https://localhost:443 2>/dev/null) if echo "$HEADERS" | grep -qi "x-frame-options"; then check_pass "X-Frame-Options响应头存在" else check_fail "X-Frame-Options响应头缺失" fi if echo "$HEADERS" | grep -qi "x-content-type-options"; then check_pass "X-Content-Type-Options响应头存在" else check_fail "X-Content-Type-Options响应头缺失" fi if echo "$HEADERS" | grep -qi "strict-transport-security"; then check_pass "Strict-Transport-Security响应头存在" else check_fail "Strict-Transport-Security响应头缺失" fi if echo "$HEADERS" | grep -qi "content-security-policy"; then check_pass "Content-Security-Policy响应头存在" else check_fail "Content-Security-Policy响应头缺失" fi else check_fail "curl未安装,无法验证安全头" fi echo "" echo "==========================================" echo "📊 验证结果汇总" echo "==========================================" echo "" echo -e "${GREEN}通过:$PASS_COUNT${NC}" echo -e "${RED}失败:$FAIL_COUNT${NC}" echo "" if [ $FAIL_COUNT -eq 0 ]; then echo -e "${GREEN}✅ 所有安全配置验证通过!${NC}" echo "您的生产环境安全配置符合最佳实践。" else echo -e "${RED}❌ 存在安全配置问题,请根据上述建议进行修复。${NC}" fi echo "" echo "💡 建议:" echo " 1. 确保SSL证书已配置并有效" echo " 2. 定期更新Nginx和Docker" echo " 3. 启用安全监控告警" echo " 4. 定期进行安全审计" echo ""