添加云虚拟主机文件部署，增加game-docker的安全加固

2026-04-14 14:19:25 +08:00
parent f98091bb54
commit f381ae2e8f
48 changed files with 631 additions and 549 deletions
--- a/codes/agent/game-docker/docker/nginx/default.conf.template
+++ b/codes/agent/game-docker/docker/nginx/default.conf.template
@@ -10,6 +10,14 @@ upstream wxserver_service {
    server wxserver:3000;
 }

+# ── 限速区域定义（在 http 块级别，此处用 geo 标记 + limit_req_zone）──
+# 登录接口：每个 IP 每秒最多 5 次请求，突发缓冲 10 次
+limit_req_zone $binary_remote_addr zone=login_limit:10m rate=5r/s;
+# 通用 API：每个 IP 每秒最多 30 次请求
+limit_req_zone $binary_remote_addr zone=api_limit:10m rate=30r/s;
+# 连接数限制：每个 IP 同时最多 20 个连接
+limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
+
 # =============================================
 # 域名路由模式 + SSL（Let's Encrypt 自动证书）
 #
@@ -108,10 +116,45 @@ server {
    ssl_certificate_key /etc/letsencrypt/live/${API_DOMAIN}/privkey.pem;
    include /etc/nginx/snippets/ssl-params.conf;

+    # 隐藏服务器版本信息
+    server_tokens off;
+
+    # 请求体大小限制（防止大请求攻击）
+    client_max_body_size 10m;
+    client_body_timeout 30s;
+    client_header_timeout 30s;
+
+    # 连接数限制
+    limit_conn conn_limit 20;
+
+    # ── 屏蔽敏感文件（直接返回 404，不暴露文件存在）──
+    location ~* \.(env|sh|bak|sql|log|git|svn|htaccess|htpasswd|ini|conf)$ {
+        return 404;
+    }
+    location ~* /(ntunnel_mysql|phpMyAdmin|phpmyadmin|adminer|debug)\.php$ {
+        return 404;
+    }
+    location ~ /\. {
+        return 404;
+    }
+
+    # ── 登录接口限速（防爆破）──
+    location ~* /source/login/ {
+        limit_req zone=login_limit burst=10 nodelay;
+        limit_req_status 429;
+        proxy_pass http://api_service;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Port $server_port;
+    }
+
    # wxserver 路由：/wx/ 前缀转发给 wxserver 容器，自动去除 /wx 前缀
    # 例：/wx/auth/oa/callback → wxserver:/auth/oa/callback
    # 例：/wx/api/login        → wxserver:/api/login
    location /wx/ {
+        limit_req zone=api_limit burst=50 nodelay;
        proxy_pass http://wxserver_service/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
@@ -132,6 +175,7 @@ server {

    # PHP API（所有其他请求）
    location / {
+        limit_req zone=api_limit burst=50 nodelay;
        proxy_pass http://api_service;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
@@ -151,7 +195,30 @@ server {
    ssl_certificate_key /etc/letsencrypt/live/${DLWEB_DOMAIN}/privkey.pem;
    include /etc/nginx/snippets/ssl-params.conf;

+    # 隐藏服务器版本信息
+    server_tokens off;
+
+    # 请求体大小限制
+    client_max_body_size 10m;
+    client_body_timeout 30s;
+    client_header_timeout 30s;
+
+    # 连接数限制
+    limit_conn conn_limit 20;
+
+    # ── 屏蔽敏感文件 ──
+    location ~* \.(env|sh|bak|sql|log|git|svn|htaccess|htpasswd|ini|conf)$ {
+        return 404;
+    }
+    location ~* /(ntunnel_mysql|phpMyAdmin|phpmyadmin|adminer|debug)\.php$ {
+        return 404;
+    }
+    location ~ /\. {
+        return 404;
+    }
+
    location / {
+        limit_req zone=api_limit burst=50 nodelay;
        proxy_pass http://dlweb_service;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
--- a/codes/agent/game-docker/docker/nginx/ssl-params.conf
+++ b/codes/agent/game-docker/docker/nginx/ssl-params.conf
@@ -5,8 +5,8 @@ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;

-# HSTS (取消注释以启用，请确认所有子域都支持 HTTPS 后再启用)
-# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+# HSTS：强制浏览器只用 HTTPS 连接（去掉 includeSubDomains，避免影响其他未配置 HTTPS 的子域名）
+add_header Strict-Transport-Security "max-age=31536000" always;

 # OCSP Stapling
 ssl_stapling on;
@@ -21,3 +21,17 @@ ssl_session_tickets off;

 # DH 参数 (如果生成了 dhparam.pem)
 # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+# ── 安全响应头 ──────────────────────────────────────────────────────
+# 防点击劫持：禁止页面被嵌入 iframe
+add_header X-Frame-Options "SAMEORIGIN" always;
+# 防 MIME 类型嗅探
+add_header X-Content-Type-Options "nosniff" always;
+# 启用浏览器内置 XSS 过滤（旧浏览器兼容）
+add_header X-XSS-Protection "1; mode=block" always;
+# 限制 Referer 信息泄露
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+# 隐藏 nginx 版本号（在 nginx.conf 中配合 server_tokens off 使用）
+# Content Security Policy：按需调整，当前允许同源 + 必要的外部资源
+# frame-ancestors 额外放开微信支付收银台来源，避免微信 H5 支付 iframe 被拦截
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' res.wx.qq.com; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; connect-src 'self' https:; frame-ancestors 'self' https://wx.tenpay.com https://*.weixin.qq.com https://*.qq.com;" always;