SSH、防火墙、Fail2ban 已搞定。Nginx → SSL → 网站防护 → 应用绑定 一条龙。
apt update && apt install -y nginx certbot python3-certbot-nginx
systemctl enable nginx --now
# 检查版本
nginx -v
certbot --version
dig +short your-domain.com
# 必须返回服务器 IP,否则 certbot 100% 失败
# /etc/nginx/sites-available/your-site
server {
listen 80;
server_name your-domain.com;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
ln -s /etc/nginx/sites-available/your-site /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginx
# 获取证书
certbot certonly --nginx -d your-domain.com --non-interactive --agree-tos -m your@email.com
把第五节的站点配置填进去,reload 即可。
systemctl status certbot.timer # 确认 active ✅
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location ~ /\.(git|env|md|aws|config) {
deny all;
}
limit_req_zone $binary_remote_addr zone=global_limit:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=login_limit:10m rate=6r/m;
limit_conn_zone $binary_remote_addr zone=addr_limit:10m;
server {
listen 80;
server_name your-domain.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name your-domain.com;
ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
# 安全响应头
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# 全局速率 + 并发限制
limit_req zone=global_limit burst=20 nodelay;
limit_req_status 429;
limit_conn addr_limit 10;
# 敏感路径——直接封
location ~ /\.(git|env|md|aws|config) {
limit_req zone=global_limit burst=1 nodelay;
deny all;
}
# 登录接口——每分钟6次
location /api/auth/login {
limit_req zone=login_limit burst=3 nodelay;
limit_req_status 429;
proxy_pass http://127.0.0.1:3000;
proxy_set_header ...;
}
# API 接口——30次/分钟
location /api/ {
limit_req zone=api_limit burst=5 nodelay;
limit_req_status 429;
proxy_pass http://127.0.0.1:3000;
}
# 静态资源——缓存7天
location ~* \.(jpg|png|css|js|svg|woff2?)$ {
proxy_pass http://127.0.0.1:3000;
expires 7d;
add_header Cache-Control "public, immutable";
}
# 主应用
location / {
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# 幽灵域名——直接断连
server {
listen 80 default_server;
listen 443 ssl default_server;
server_name _;
ssl_certificate ...;
ssl_certificate_key ...;
location / { return 444; }
}
# nginx.conf http 块
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
# ... 更多 → https://www.cloudflare.com/ips-v4
real_ip_header CF-Connecting-IP;
# /etc/fail2ban/jail.local
[nginx-ratelimit]
enabled = true
filter = nginx-ratelimit
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 300
bantime = 3600
# /etc/fail2ban/filter.d/nginx-ratelimit.conf
[Definition]
failregex = ^<HOST> - - .* "(GET|POST).* 429 .*$
ignoreregex =
5分钟内触发5次 429 → 自动封1小时
# Node.js / Next.js
next start -H 127.0.0.1 -p 3000
# Python / Gunicorn
gunicorn -b 127.0.0.1:8000 app:app
# 验证:只有 nginx 的 80/443 对外
ss -tlnp | grep -v "127.0.0.1\|::1\|0.0.0.0:80\|0.0.0.0:443"
| 限流区 | 速率 | burst | 说明 |
|---|---|---|---|
| global_limit | 10r/s | 20 | 正常人无感 |
| login_limit | 6r/m | 3 | 约10秒/次,足够输密码 |
| api_limit | 30r/m | 5 | 防接口被灌数据 |
| 静态资源 | 300r/m | 50 | 扛高并发 |
nginx -t && systemctl reload nginx
fail2ban-client reload
# 敏感路径
curl -o /dev/null -w "%{http_code}" https://your-domain.com/.env
# → 403
# 幽灵域名
curl -o /dev/null -w "%{http_code}" https://1.2.3.4/ -H "Host: fake.com"
# → 000 (444断开)
# 登录限流——连发7次,第7次应429
for i in $(seq 1 7); do
curl -s -o /dev/null -w "%{http_code} " \
-X POST https://your-domain.com/api/auth/login \
-H "Content-Type: application/json" \
-d '{"user":"test","pass":"wrong"}'
done
| 操作 | 命令 |
|---|---|
| 装 Nginx + Certbot | apt install -y nginx certbot python3-certbot-nginx |
| 获取证书 | certbot certonly --nginx -d domain.com |
| 测试配置 | nginx -t && systemctl reload nginx |
| 查看 SSL 到期 | certbot certificates |
| 验 .env 保护 | curl -o /dev/null -w "%{http_code}" https://domain.com/.env |
| 验幽灵域名 | curl -o /dev/null -w "%{http_code}" https://IP/ -H "Host: fake.com" |