🛡️ 网站安全防护配置指南

SSH、防火墙、Fail2ban 已搞定。Nginx → SSL → 网站防护 → 应用绑定 一条龙。

零、安装 Nginx + Certbot

apt update && apt install -y nginx certbot python3-certbot-nginx
systemctl enable nginx --now

# 检查版本
nginx -v
certbot --version

一、SSL 证书 + Nginx 部署

前置:确认 DNS 已解析

dig +short your-domain.com
# 必须返回服务器 IP,否则 certbot 100% 失败

步骤 1:先配 HTTP 反代,获取证书

# /etc/nginx/sites-available/your-site
server {
    listen 80;
    server_name your-domain.com;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
ln -s /etc/nginx/sites-available/your-site /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginx

# 获取证书
certbot certonly --nginx -d your-domain.com --non-interactive --agree-tos -m your@email.com

步骤 2:证书到手后,套上完整 SSL + 防护配置

把第五节的站点配置填进去,reload 即可。

systemctl status certbot.timer   # 确认 active ✅

二、安全响应头

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

三、敏感路径保护

location ~ /\.(git|env|md|aws|config) {
    deny all;
}

四、全局限流(nginx.conf http 块)

limit_req_zone $binary_remote_addr zone=global_limit:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=login_limit:10m rate=6r/m;
limit_conn_zone $binary_remote_addr zone=addr_limit:10m;

五、站点配置(完整示例)

server {
    listen 80;
    server_name your-domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name your-domain.com;

    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

    # 安全响应头
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # 全局速率 + 并发限制
    limit_req zone=global_limit burst=20 nodelay;
    limit_req_status 429;
    limit_conn addr_limit 10;

    # 敏感路径——直接封
    location ~ /\.(git|env|md|aws|config) {
        limit_req zone=global_limit burst=1 nodelay;
        deny all;
    }

    # 登录接口——每分钟6次
    location /api/auth/login {
        limit_req zone=login_limit burst=3 nodelay;
        limit_req_status 429;
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header ...;
    }

    # API 接口——30次/分钟
    location /api/ {
        limit_req zone=api_limit burst=5 nodelay;
        limit_req_status 429;
        proxy_pass http://127.0.0.1:3000;
    }

    # 静态资源——缓存7天
    location ~* \.(jpg|png|css|js|svg|woff2?)$ {
        proxy_pass http://127.0.0.1:3000;
        expires 7d;
        add_header Cache-Control "public, immutable";
    }

    # 主应用
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# 幽灵域名——直接断连
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate ...;
    ssl_certificate_key ...;
    location / { return 444; }
}

六、Cloudflare 真实 IP

# nginx.conf http 块
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
# ... 更多 → https://www.cloudflare.com/ips-v4
real_ip_header CF-Connecting-IP;

七、429 联动 Fail2ban

# /etc/fail2ban/jail.local
[nginx-ratelimit]
enabled = true
filter = nginx-ratelimit
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 300
bantime = 3600
# /etc/fail2ban/filter.d/nginx-ratelimit.conf
[Definition]
failregex = ^<HOST> - - .* "(GET|POST).* 429 .*$
ignoreregex =
5分钟内触发5次 429 → 自动封1小时

八、应用全部绑定 127.0.0.1

# Node.js / Next.js
next start -H 127.0.0.1 -p 3000

# Python / Gunicorn
gunicorn -b 127.0.0.1:8000 app:app

# 验证:只有 nginx 的 80/443 对外
ss -tlnp | grep -v "127.0.0.1\|::1\|0.0.0.0:80\|0.0.0.0:443"

速率参考

限流区速率burst说明
global_limit10r/s20正常人无感
login_limit6r/m3约10秒/次,足够输密码
api_limit30r/m5防接口被灌数据
静态资源300r/m50扛高并发

重启生效

nginx -t && systemctl reload nginx
fail2ban-client reload

验证

# 敏感路径
curl -o /dev/null -w "%{http_code}" https://your-domain.com/.env
# → 403

# 幽灵域名
curl -o /dev/null -w "%{http_code}" https://1.2.3.4/ -H "Host: fake.com"
# → 000 (444断开)

# 登录限流——连发7次,第7次应429
for i in $(seq 1 7); do
  curl -s -o /dev/null -w "%{http_code} " \
    -X POST https://your-domain.com/api/auth/login \
    -H "Content-Type: application/json" \
    -d '{"user":"test","pass":"wrong"}'
done

快速参考

操作命令
装 Nginx + Certbotapt install -y nginx certbot python3-certbot-nginx
获取证书certbot certonly --nginx -d domain.com
测试配置nginx -t && systemctl reload nginx
查看 SSL 到期certbot certificates
验 .env 保护curl -o /dev/null -w "%{http_code}" https://domain.com/.env
验幽灵域名curl -o /dev/null -w "%{http_code}" https://IP/ -H "Host: fake.com"