novalon/novalon-website
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5f9c5c996211f50c8dcd92b16b6316bd93773fe6
novalon-website/scripts/security-audit.sh
T
张翔 3ce31d3178
ci/woodpecker/push/woodpecker Pipeline failed
Details
feat: 优化CI/CD流程 - 自定义工具镜像、修复TLS问题、添加镜像清理脚本 
- 创建轻量级工具镜像(novalon/tools:1.0.0)避免重复安装工具
- 修复Docker TLS handshake timeout问题
- 更新CI配置使用registry.f.novalon.cn/novalon/tools:1.0.0
- 添加自动清理脚本用于磁盘和镜像管理
2026-03-31 17:27:43 +08:00

102 lines
3.5 KiB
Bash
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/bin/bash
# 生产环境安全加固脚本 - Next.js服务安全审计与加固
# 作者:张翔
# 日期:2026-03-31
echo "🚀 开始执行生产环境安全加固..."
# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# 检查是否在生产环境
echo "📋 检查生产环境配置..."
# 1. 检查Docker容器状态
echo "🐳 检查Docker容器状态..."
docker ps -a --filter "name=novalon" 2>/dev/null || echo "⚠️ Docker未运行或无法访问"
# 2. 检查端口暴露情况
echo "🔌 检查端口暴露情况..."
docker port novalon-website 2>/dev/null || echo "⚠️ 无法获取novalon-website容器端口信息"
docker port novalon-nginx 2>/dev/null || echo "⚠️ 无法获取novalon-nginx容器端口信息"
# 3. 检查防火墙配置
echo "🛡️ 检查防火墙配置..."
if command -v ufw &> /dev/null; then
echo "UFW防火墙状态:"
ufw status 2>/dev/null || echo "UFW未启用"
elif command -v firewalld &> /dev/null; then
echo "firewalld状态:"
firewall-cmd --list-all 2>/dev/null || echo "firewalld未运行"
else
echo "⚠️ 未检测到防火墙管理工具"
fi
# 4. 检查Nginx配置
echo "⚙️ 检查Nginx配置..."
if [ -f "/home/novalon/docker-app/novalon-nginx/nginx.conf" ]; then
echo "✅ 找到Nginx配置文件"
echo "📊 Nginx配置内容:"
cat /home/novalon/docker-app/novalon-nginx/nginx.conf 2>/dev/null | head -100
else
echo "❌ 未找到Nginx配置文件"
echo "💡 建议:创建安全的Nginx配置文件"
fi
# 5. 检查SSL证书
echo "🔒 检查SSL证书..."
if [ -d "/home/novalon/docker-app/novalon-nginx/ssl" ]; then
echo "✅ SSL目录存在"
ls -la /home/novalon/docker-app/novalon-nginx/ssl 2>/dev/null
else
echo "⚠️ SSL目录不存在"
echo "💡 建议:配置SSL证书以启用HTTPS"
fi
# 6. 检查环境变量
echo "🔑 检查环境变量..."
if [ -f "/home/novalon/docker-app/.env" ]; then
echo "✅ .env文件存在"
echo "⚠️ 请确保.env文件中不包含敏感信息"
grep -v "^#" /home/novalon/docker-app/.env 2>/dev/null | head -20
else
echo "⚠️ 未找到.env文件"
fi
# 7. 安全加固建议
echo ""
echo "=========================================="
echo "🛡️ 安全加固建议"
echo "=========================================="
echo ""
echo "${YELLOW}1. 立即措施(高优先级)${NC}"
echo " - [ ] 确保Next.js服务不直接暴露80/443端口"
echo " - [ ] 配置Nginx作为反向代理,隐藏后端服务"
echo " - [ ] 启用HTTPS,配置SSL证书"
echo " - [ ] 限制80端口只允许HTTP到HTTPS重定向"
echo ""
echo "${YELLOW}2. 中期措施(中优先级)${NC}"
echo " - [ ] 配置WAFWeb应用防火墙)"
echo " - [ ] 启用请求频率限制"
echo " - [ ] 配置安全头(CSP、HSTS等)"
echo " - [ ] 启用访问日志和监控"
echo ""
echo "${YELLOW}3. 长期措施(低优先级)${NC}"
echo " - [ ] 配置CDN加速和DDoS防护"
echo " - [ ] 实施IP白名单策略"
echo " - [ ] 定期安全扫描和漏洞修复"
echo " - [ ] 建立安全监控告警机制"
echo ""
echo "=========================================="
echo "💡 下一步操作"
echo "=========================================="
echo ""
echo "请根据以上建议,逐步实施安全加固措施。"
echo "建议优先处理高优先级项目,确保服务安全。"
echo ""
echo "如需自动化加固脚本,请运行:"
echo " ./scripts/security-hardening.sh"
Reference in New Issue View Git Blame Copy Permalink