怎样在Linux服务器上设置高度安全的Web接口？
在今天的数字时代，保护Web接口的安全性变得尤为重要。无论是个人网站还是企业级应用程序，设置高度安全的Web接口都可以为用户和机构提供更安全的在线体验。本文将重点介绍怎样在Linux服务器上设置高度安全的Web接口。
确保服务器安全
首先，要保证服务器自身的安全。这包括更新操作系统和应用程序的补丁程序、定期更改服务器管理员和root用户的密码、禁止使用弱密码登录、限制服务的访问权限等。
例如，可以通过以下命令更新系统软件包：
# Refresh the package index first, then install the available updates for
# already-installed packages.
sudo apt update
sudo apt upgrade
使用HTTPS协议
使用HTTPS协议能够加密Web接口和用户之间的通信，为用户提供更高级别的安全性。HTTPS协议使用SSL/TLS证书来加密通信，并通过公钥和私钥来验证服务器的身份。
首先，需要在服务器上安装SSL证书。可以购买商业SSL证书，也可以通过免费的证书颁发机构（如Let's Encrypt）生成。然后，将证书和私钥配置到Web服务器上。以下是使用Nginx服务器的示例代码：
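server {
    listen 443 ssl;
    server_name example.com;

    # Certificate chain and matching private key; keep the key readable only by
    # the nginx master process.
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;

    # Only negotiate current TLS versions. Older nginx defaults still offer
    # TLSv1/TLSv1.1, which are deprecated.
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS: tell browsers to keep using HTTPS for this host. Enable only once
    # HTTPS works for every path on the site.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # ... other Nginx settings ...
    # A separate "listen 80" server block should redirect plain HTTP here.
}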
设置防火墙
设置防火墙能够过滤和监控网络数据流，阻止异常的访问并保护服务器免受恶意攻击。Linux服务器上常用的防火墙软件包括iptables和ufw。
在启用防火墙之前，确保只允许必要的入站和出站连接，并禁用不必要的服务和端口。然后，设置防火墙规则以允许HTTP和HTTPS流量通过。以下是使用ufw的示例代码：
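# Default policy: drop every inbound connection, allow everything outbound.
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow the administrative SSH connection BEFORE enabling the firewall. With
# "deny incoming" as the default, enabling ufw without this rule cuts off
# remote access to the server. Adjust the port if sshd does not listen on 22.
sudo ufw allow 22/tcp

# Web traffic.
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

sudo ufw enable

# Confirm the resulting rule set.
sudo ufw status verbose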
设置访问控制
设置访问控制可以限制对Web接口的访问，只允许授权用户或IP地址访问。这可以避免未经授权的用户和潜在的攻击者访问敏感数据或执行非法操作。
在Nginx服务器上，可以使用基于IP地址的访问控制（例如使用allow和deny指令）。以下是示例代码：
location / {
    # Rules are evaluated top to bottom and the first match wins: clients in
    # this private range are admitted, everyone else receives 403.
    allow 192.168.0.0/24;
    deny all;
    # NOTE(review): if nginx sits behind a proxy or load balancer, the address
    # compared here is the proxy's, not the end user's — confirm the deployment.
}
使用安全的认证方法
强大的身份验证和授权机制是设置高度安全Web接口的关键。使用安全的认证方法，如基于令牌的访问令牌（Token）和多因素身份验证（MFA），可以增加用户和服务器之间的信任度。
例如，在Web应用程序中，可以使用JSON Web令牌（JWT）来实现基于令牌的身份验证和授权。以下是使用Node.js（Express框架）的示例代码：
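const jwt = require('jsonwebtoken');

// HS256 signing secret shared by /login (sign) and verifyToken (verify).
// Read it from the environment rather than committing a literal to source:
// anyone who can read the repository could otherwise mint valid tokens.
// Fail fast at startup so a missing secret is noticed before the first request.
const secretKey = process.env.JWT_SECRET;
if (!secretKey) {
  throw new Error('JWT_SECRET environment variable must be set');
}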
// 用户登录
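app.post('/login', (req, res) => {
  const { username, password } = req.body;

  // Placeholder credential check for the tutorial only. A real deployment looks
  // the user up in a store and compares a salted password hash; never ship
  // hard-coded credentials like these.
  if (username === 'admin' && password === 'admin123') {
    // Give the token a lifetime: one that never expires stays valid forever if
    // it leaks. Pin the algorithm so signing and verification agree.
    const token = jwt.sign({ username }, secretKey, { algorithm: 'HS256', expiresIn: '1h' });
    res.json({ token });
  } else {
    // Same message for both failure cases so the response does not reveal
    // which field was wrong.
    res.status(401).json({ error: 'Invalid username or password' });
  }
});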
// 访问受保护的资源
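// verifyToken runs first and only calls through to this handler when the
// request carried a valid token (req.user is then set by the middleware).
app.get('/protected', verifyToken, (req, res) => {
  res.json({ message: 'Protected resource' });
});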
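/**
 * Express middleware: require a valid JWT on the request.
 *
 * Reads the Authorization header, verifies the token against secretKey and,
 * on success, stores the token's username claim in req.user before calling
 * next(). Responds 401 (and does not call next) when the header is missing or
 * the token fails verification.
 *
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {import('express').NextFunction} next
 */
function verifyToken(req, res, next) {
  const header = req.headers['authorization'];
  if (!header) {
    return res.status(401).json({ error: 'Unauthorized' });
  }

  // Accept the conventional "Authorization: Bearer <token>" form as well as a
  // bare token. Passing the whole header value to jwt.verify means a standard
  // Bearer header is always rejected as "Invalid token".
  const token = header.startsWith('Bearer ') ? header.slice('Bearer '.length) : header;

  // Pin the accepted algorithm to the one used at signing time so a token
  // carrying a different "alg" header is never accepted against this secret.
  jwt.verify(token, secretKey, { algorithms: ['HS256'] }, (err, decoded) => {
    if (err) {
      return res.status(401).json({ error: 'Invalid token' });
    }
    req.user = decoded.username;
    next();
  });
}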
通过实施以上安全措施，您可以设置一个高度安全的Web接口，并为用户提供更安全的在线体验。请记住，保持服务器和应用程序的安全是一个持续的过程，需要不断更新和监控以应对不断演进的安全威胁。