From 97944dd28cee96e080cc6c340fa07859fd41e51d Mon Sep 17 00:00:00 2001 From: liuyanglinux Date: Sat, 8 Mar 2025 16:05:44 +0800 Subject: [PATCH 1/5] update openeuler nginx.conf and dockerfile --- Dockerfile | 153 +++++++++++++++++++++--- deploy/entrypoint.sh | 10 ++ deploy/monitor.sh | 33 ++++++ deploy/nginx/nginx.conf | 251 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 434 insertions(+), 13 deletions(-) create mode 100644 deploy/entrypoint.sh create mode 100644 deploy/monitor.sh create mode 100644 deploy/nginx/nginx.conf diff --git a/Dockerfile b/Dockerfile index b3854f3fc..4ce46b0d6 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,31 +1,158 @@ -FROM gplane/pnpm as Builder +FROM swr.cn-north-4.myhuaweicloud.com/opensourceway/node:latest as Builder RUN mkdir -p /home/openeuler/web WORKDIR /home/openeuler/web COPY . /home/openeuler/web -RUN rm -rf ./app/ru +RUN npm install pnpm -g && \ + pnpm install && \ + pnpm build -RUN pnpm install -RUN pnpm build +FROM swr.cn-north-4.myhuaweicloud.com/opensourceway/openeuler/nginx:latest as NginxBuilder -FROM swr.cn-north-4.myhuaweicloud.com/opensourceway/openeuler/nginx:latest +FROM swr.cn-north-4.myhuaweicloud.com/opensourceway/openeuler/base:latest -RUN yum update -y \ - && yum install -y pcre-devel +ENV NGINX_CONFIG_FILE /etc/nginx/nginx.conf +ENV NGINX_CONFIG_PATH /etc/nginx/ +ENV NGINX_PID /var/run/nginx.pid +ENV NGINX_USER nginx +ENV NGINX_GROUP nginx +ENV NGINX_BIN /usr/share/nginx/sbin/ +ENV NGINX_HOME /usr/share/nginx/ +ENV NGINX_EXE_FILE /usr/share/nginx/sbin/nginx +ENV DST_PATH /etc/nginx/cert +COPY --from=NginxBuilder /usr/share/nginx /usr/share/nginx +COPY --from=NginxBuilder /usr/share/nginx/sbin/nginx /usr/share/nginx/sbin/nginx +COPY --from=NginxBuilder /etc/nginx/modules /etc/nginx/modules +COPY --from=NginxBuilder /etc/nginx/geoip /etc/nginx/geoip +COPY --from=NginxBuilder /etc/nginx/mime.types /etc/nginx/mime.types COPY --from=Builder /home/openeuler/web/app/.vitepress/dist /usr/share/nginx/www/ -RUN chmod -R 755 /usr/share/nginx/www -RUN rm -rf /usr/share/nginx/www/ru -COPY ./deploy/nginx/nginx.conf /etc/nginx/nginx.conf +COPY ./deploy/monitor.sh ./deploy/entrypoint.sh /etc/nginx/ +COPY ./deploy/nginx/nginx.conf /etc/nginx/nginx.conf.template -RUN touch /var/run/nginx.pid \ +RUN sed -i "s|repo.openeuler.org|mirrors.nju.edu.cn/openeuler|g" /etc/yum.repos.d/openEuler.repo \ + && sed -i '/metalink/d' /etc/yum.repos.d/openEuler.repo \ + && sed -i '/metadata_expire/d' /etc/yum.repos.d/openEuler.repo \ + && yum update -y \ + && yum install -y findutils passwd shadow pcre-devel \ + && find /usr/share/nginx/www -type d -print0| xargs -0 
chmod 500 \ + && find /usr/share/nginx/www -type f -print0| xargs -0 chmod 400 \ + && touch /var/run/nginx.pid \ + && groupadd -g 1000 nginx \ + && useradd -u 1000 -g nginx -s /sbin/nologin nginx \ + && sed -i '/^PATH="\$HOME\/\.local\/bin:\$HOME\/bin:\$PATH"/d; /^export PATH/d' /home/nginx/.bashrc \ + && chmod 750 /usr \ + && chmod 550 /usr/share \ + && chown -R nginx:nginx /usr/share/nginx \ + && find /usr/share/nginx -type d -print0 | xargs -0 chmod 500 \ + && chmod 500 /usr/share/nginx/sbin/nginx \ + && mkdir -p /var/log/nginx \ + && mkdir -p /etc/nginx/cert \ + && chown -R nginx:nginx /etc/nginx/cert \ + && chmod -R 700 /etc/nginx/cert \ && chown -R nginx:nginx /var/log/nginx \ + && chmod -R 640 /var/log/nginx \ + && touch /var/log/nginx/error.log \ + && touch /var/log/nginx/access.log \ + && chmod 640 /var/log/nginx/error.log \ + && chmod 640 /var/log/nginx/access.log \ + && chmod 640 /var/log/dnf.librepo.log \ + && chmod 640 /var/log/dnf.log \ + && chmod 640 /var/log/dnf.rpm.log \ + && chmod 640 /var/log/hawkey.log \ + && chmod 640 /var/log/*.log \ + && chmod 440 /etc/nginx/nginx*.conf* \ + && chown -R nginx:nginx /var/log/nginx/* \ + && mkdir -p /var/lib/nginx/tmp/client_body \ + && chown -R nginx:nginx /var/lib/nginx/tmp/client_body \ + && mkdir -p /var/lib/nginx/tmp/fastcgi \ + && chown -R nginx:nginx /var/lib/nginx/tmp/fastcgi \ + && mkdir -p /var/lib/nginx/tmp/proxy \ + && chown -R nginx:nginx /var/lib/nginx/tmp/proxy \ + && mkdir -p /var/lib/nginx/tmp/scgi \ + && chown -R nginx:nginx /var/lib/nginx/tmp/scgi \ + && mkdir -p /var/lib/nginx/tmp/uwsgi \ + && chown -R nginx:nginx /var/lib/nginx/tmp/uwsgi \ + && chmod -R 500 /var/lib/nginx/ \ + && chmod -R 750 /var/lib/nginx/tmp/proxy \ + && chown -R nginx:nginx /var/lib/nginx/ \ && chown -R nginx:nginx /var/run/nginx.pid \ - && chown -R nginx:nginx /etc/nginx + && chmod 640 /var/run/nginx.pid \ + && chown -R nginx:nginx /etc/nginx \ + && chmod 550 /etc/nginx \ + && chmod 550 /etc/nginx/geoip/ \ + && chmod 
440 /etc/nginx/geoip/* \ + && chmod 550 /etc/nginx/modules \ + && chmod 440 /etc/nginx/modules/* \ + && touch /etc/nginx/nginx.conf \ + && chown nginx:nginx /etc/nginx/nginx.conf \ + && chmod 640 /etc/nginx/nginx.conf \ + && chmod 640 /etc/nginx/nginx.conf.template \ + && chmod 440 /etc/nginx/mime.types \ + && chmod 700 /var/lib/nginx/tmp/client_body \ + && lsd() { \ + local v="$1"; \ + ls -ld "$v"; \ + while :; do \ + v="${v%/*}"; \ + [[ "$v" && ! -f "$v" ]] || break; \ + chown root:root "$v"; \ + done; \ + }; lsd "$NGINX_HOME" \ + && lsd() { \ + local v="$1"; \ + ls -ld $v; \ + while :; do \ + v="${v%/*}"; \ + [[ "$v" && ! -f "$v" ]] || break; \ + chmod 550 "$v"; \ + done; \ + }; lsd $NGINX_HOME \ + && lsd() { \ + local v="$1"; \ + ls -ld $v; \ + while :; do \ + v="${v%/*}"; \ + [[ "$v" && ! -f "$v" ]] || break; \ + chown $NGINX_USER:$NGINX_GROUP "$v"; \ + done; \ + }; lsd $NGINX_HOME \ + && rm -rf /usr/share/nginx/html/ \ + && rm -rf /usr/share/nginx/logs/ \ + && echo "umask 0027" >> /etc/bashrc \ + && echo "set +o history" >> /etc/bashrc \ + && sed -i "s|HISTSIZE=1000|HISTSIZE=0|" /etc/profile \ + && sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS 30/" /etc/login.defs \ + && echo "ALWAYS_SET_PATH yes" >> /etc/login.defs \ + && passwd -l $NGINX_USER \ + && yum clean all \ + && usermod -s /sbin/nologin sync \ + && usermod -s /sbin/nologin shutdown \ + && usermod -s /sbin/nologin halt \ + && echo "export TMOUT=1800 readonly TMOUT" >> /etc/profile \ + && rm -rf /usr/bin/gdb* \ + && rm -rf /usr/share/gdb \ + && rm -rf /usr/share/gcc* \ + && rm -rf /usr/lib64/python3.11/bdb.py \ + && rm -rf /usr/lib64/python3.11/pdb.py \ + && rm -rf /usr/lib64/python3.11/timeit.py \ + && rm -rf /usr/lib64/python3.11/trace.py \ + && rm -rf /usr/lib64/python3.11/tracemalloc.py \ + && rm -rf /usr/share/licenses/glibc \ + && rm -rf /usr/share/locale/ar \ + && rm -rf /usr/share/locale/cpp \ + && yum remove gdb-gdbserver findutils passwd shadow -y + +RUN chmod 500 /etc/nginx/monitor.sh \ + && 
chmod 500 /etc/nginx/entrypoint.sh \ + && chown nginx:nginx /etc/nginx/monitor.sh \ + && chown nginx:nginx /etc/nginx/entrypoint.sh \ + && sed -i "/PATH=/d" /home/nginx/.bashrc \ + && source /home/nginx/.bashrc EXPOSE 8080 USER nginx -ENTRYPOINT ["nginx", "-g", "daemon off;"] +ENTRYPOINT ["/etc/nginx/entrypoint.sh"] diff --git a/deploy/entrypoint.sh b/deploy/entrypoint.sh new file mode 100644 index 000000000..c0ccd9e42 --- /dev/null +++ b/deploy/entrypoint.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +# 使用 ifconfig 获取主机的 IP 地址(假设是 eth0 接口) +LOCAL_IP=$(ifconfig eth0 | grep inet | awk '{ print $2 }' | head -n 1) + +# 使用 awk 替换 nginx.conf.template 中的环境变量 +echo "Replacing LOCAL_IP in nginx.conf" +awk -v ip="$LOCAL_IP" '{gsub(/\${LOCAL_IP}/, ip); print}' /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf +bash /etc/nginx/monitor.sh $DET_URL $DST_PATH & +/usr/share/nginx/sbin/nginx -g 'daemon off;' \ No newline at end of file diff --git a/deploy/monitor.sh b/deploy/monitor.sh new file mode 100644 index 000000000..d84c1bc8a --- /dev/null +++ b/deploy/monitor.sh @@ -0,0 +1,33 @@ +#!/bin/bash +# this script is for website monitoring, +# when website is up, delete all cert file. + +HOST=$1 +DST_PATH=$2 + +delete_file() { + if [ -d $DST_PATH ]; then + echo "found $DST_PATH" > /dev/stdout + rm -rf $DST_PATH/* + else + echo "$DST_PATH not found" > /dev/stdout + fi +} + +while true; +do + sleep 20 + RET=$(curl -k -s -w "%{http_code}\n" -o /dev/null $HOST) + if [ $RET == "200" ]; then + echo "website is up!!!" > /dev/stdout + delete_file + if [ $? -eq 0 ]; then + echo "successful delete file, exit" > /dev/stdout + break + else + echo "failed to delete file" > /dev/stdout + fi + else + echo "waiting for website up, http_status: $RET" > /dev/stdout + fi +done \ No newline at end of file diff --git a/deploy/nginx/nginx.conf b/deploy/nginx/nginx.conf new file mode 100644 index 000000000..27883567e --- /dev/null +++ b/deploy/nginx/nginx.conf 
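Review bot: The third `lsd` block chowns every ancestor of `$NGINX_HOME` — `/usr/share/nginx`, `/usr/share` and `/usr` — to `$NGINX_USER:$NGINX_GROUP`, which reverses the `root:root` ownership the first block just set; a directory owner can always `chmod` it writable again, so the 550 mode from the second block does not constrain the runtime account, and the service user ends up owning `/usr`. Keep those ancestors root-owned and give them traverse permission instead (`chmod 555 /usr /usr/share`, and drop the third block), leaving only `/usr/share/nginx` owned by nginx. All three `FROM` lines use `:latest` and the stage runs `yum update -y`, so the resulting image is not reproducible; pin tags or digests. The `source /home/nginx/.bashrc` in the second `RUN` has no effect beyond that build shell, and PATCH 5/5 of this series deletes `deploy/entrypoint.sh`, `deploy/monitor.sh` and `deploy/nginx/nginx.conf`, which the `COPY` lines here still reference.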
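Review bot: nginx is started on the last line without `exec`, so PID 1 is this bash script, `SIGTERM` from `docker stop` is not forwarded to nginx, and the container is killed after the grace period instead of shutting down cleanly. The `LOCAL_IP` lookup is unchecked: if `ifconfig eth0` yields nothing the rendered config contains `listen :8080 ssl;` and nginx refuses to start, and `grep inet` also matches `inet6` lines, so the result depends on `ifconfig` printing the IPv4 line first. `$DET_URL` is not defined anywhere in the Dockerfile in this series, so unless it is supplied at run time the unquoted arguments to monitor.sh shift and `$DST_PATH` arrives as the URL. The rewrite below validates the address, fails on missing variables, quotes the arguments and execs nginx.
```shell
#!/bin/bash
set -eu

# first IPv4 address on eth0; fail loudly instead of rendering "listen :8080"
LOCAL_IP=$(ifconfig eth0 | awk '/inet / { print $2; exit }')
if [ -z "$LOCAL_IP" ]; then
    echo "entrypoint: could not determine the eth0 IPv4 address" >&2
    exit 1
fi

# … unchanged: render /etc/nginx/nginx.conf from nginx.conf.template …
bash /etc/nginx/monitor.sh "${DET_URL:?DET_URL must be set}" "${DST_PATH:?DST_PATH must be set}" &
exec /usr/share/nginx/sbin/nginx -g 'daemon off;'
```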
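Review bot: `delete_file` reports success when the directory is absent, because its `else` branch ends with an `echo` that returns 0, so the caller prints "successful delete file, exit" and stops monitoring without having removed anything. The unquoted `$DST_PATH` is the more serious problem: with an empty second argument `[ -d $DST_PATH ]` becomes `[ -d ]`, which is a non-empty-string test and is true, and `rm -rf $DST_PATH/*` then expands to `rm -rf /*` run as the nginx user; entrypoint.sh in this patch passes `$DET_URL`, which the Dockerfile never sets, so that argument shift is plausible. `curl -k` is presumably there because the probe targets the container's own listener with its own certificate; a comment saying so would stop a later reader from copying the flag elsewhere. Removing the files also means a later `nginx -s reload` cannot re-read the key, which appears to be the intent but deserves a line in the header comment. The rewrite below validates the arguments, quotes the paths and makes the not-found case a failure.
```shell
[ $# -eq 2 ] || { echo "usage: $0 <url> <cert_dir>" >&2; exit 1; }
HOST=$1
DST_PATH=$2

delete_file() {
    if [ -d "$DST_PATH" ]; then
        echo "found $DST_PATH" > /dev/stdout
        rm -rf "${DST_PATH:?}"/*
    else
        echo "$DST_PATH not found" > /dev/stdout
        return 1
    fi
}
# … unchanged: polling loop (quote "$HOST" in the curl call) …
```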
@@ -0,0 +1,251 @@ +user $NGINX_USER; +error_log /dev/stdout info; +pid /var/run/nginx.pid; +load_module /etc/nginx/modules/ngx_http_geoip2_module.so; +worker_processes auto; +worker_rlimit_nofile 65535; +events { + use epoll; + worker_connections 65535; +} + +http { + include /etc/nginx/mime.types; + + log_format access '[$time_local] remote_addr: $http_x_real_ip, request: "$request", ' + 'status: $status, body_bytes_sent: $body_bytes_sent, http_referer: "$http_referer", ' + 'http_user_agent: "$http_user_agent"'; + + access_log /dev/stdout access; + + geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb { + $geoip2_city_country_code source=$http_true_client_ip country iso_code; + $geoip2_city_country_name source=$http_true_client_ip country names en; + } + + geoip2 /etc/nginx/geoip/GeoLite2-City.mmdb { + $geoip2_city source=$http_true_client_ip city names en; + } + server_tokens off; + autoindex off; + + port_in_redirect off; + absolute_redirect off; + + client_header_buffer_size 1k; + large_client_header_buffers 4 8k; + client_body_buffer_size 16k; + client_max_body_size 50m; + + client_header_timeout 10; + client_body_timeout 10; + client_body_in_file_only off; + keepalive_timeout 10 30; + send_timeout 10; + + proxy_hide_header X-Powered-By; + + + limit_conn_zone $http_x_real_ip zone=limitperip:10m; + limit_req_zone $http_x_real_ip zone=frontendratelimit:10m rate=2000r/s; + limit_req_zone $http_x_real_ip zone=ratelimit:10m rate=200r/s; + underscores_in_headers on; + + gzip on; + gzip_min_length 1k; + gzip_buffers 4 16k; + gzip_comp_level 5; + gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/javascript application/x-httpd-php application/json; + gzip_vary on; + + server { + listen ${LOCAL_IP}:8080 ssl; + server_name www.openeuler.org; + charset utf-8; + + limit_conn limitperip 10; + ssl_session_tickets off; + ssl_session_timeout 10s; + ssl_session_cache shared:SSL:10m; + + ssl_certificate "cert/server.crt"; + 
ssl_certificate_key "cert/server.key"; + ssl_password_file "cert/abc.txt"; + ssl_dhparam "cert/dhparam.pem"; + ssl_ecdh_curve auto; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384"; + ssl_prefer_server_ciphers on; + ssl_stapling on; + ssl_stapling_verify on; + resolver 8.8.8.8 8.8.4.4 valid=60s; + resolver_timeout 5s; + + set $language_chinese false; + if ($geoip2_city_country_name = "China") { + set $language_chinese true; + } + location = / { + if ($language_chinese = "true") { + rewrite ^/$ /zh last; + } + if ($language_chinese = "false") { + rewrite ^/$ /en last; + } + } + + if ($request_method !~ ^(GET|HEAD|POST)$) { + return 444; + } + + location ~ /\. { + deny all; + return 404; + } + + location / { + + add_header X-XSS-Protection "1; mode=block"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + add_header Content-Security-Policy "script-src 'self' https://hm.baidu.com 'unsafe-inline' 'unsafe-eval' data:; frame-src https://vhall.huawei.com https://hw.vhallyun.com https://wenjuan.feishu.cn https://wx.vzan.com; worker-src 'self' blob:"; + add_header Cache-Control "no-cache,no-store,must-revalidate"; + add_header Pragma no-cache; + add_header Expires 0; + + location /assets { + # publish every two weeks + + add_header X-XSS-Protection "1; mode=block"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + add_header Content-Security-Policy "script-src 'self' *.baidu.com 'unsafe-inline' 'unsafe-eval' ; object-src 'none'; frame-src 'none'"; + add_header Cache-Control "public,max-age=1209600"; + expires 14d; + add_header Cache-Control public; + } + + root /usr/share/nginx/www; + index index.html; + } + + # 搜索服务 + location /api-search/ { + proxy_set_header X-Forwarded-For $http_x_real_ip; + + proxy_pass 
https://doc-search.test.osinfra.cn/; + } + # 兼容性列表商业软件 + location /api-certification/ { + proxy_set_header X-Forwarded-For $http_x_real_ip; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Content-Security-Policy "script-src 'self'; object-src 'none'; frame-src 'none'"; + add_header Cache-Control "no-cache,no-store,must-revalidate"; + add_header Pragma no-cache; + add_header Expires 0; + + proxy_pass https://openeuler-compatibility.test.osinfra.cn/; + } + # 登录 + location /api-omapi/ { + proxy_set_header X-Forwarded-For $http_x_real_ip; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Content-Security-Policy "script-src 'self'; object-src 'none'; frame-src 'none'"; + add_header Cache-Control "no-cache,no-store,must-revalidate"; + add_header Pragma no-cache; + add_header Expires 0; + + proxy_pass https://omapi.test.osinfra.cn/; + } + # datastat数据 + location /api-dsapi/ { + proxy_set_header X-Forwarded-For $http_x_real_ip; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Content-Security-Policy "script-src 'self'; object-src 'none'; frame-src 'none'"; + add_header Cache-Control "no-cache,no-store,must-revalidate"; + add_header Pragma no-cache; + add_header Expires 0; + + # proxy_pass https://dsapi.test.osinfra.cn/; + proxy_pass https://dsapi.osinfra.cn/; + } + # 镜像下载&实习排行 + location /api/ { + proxy_set_header X-Forwarded-For $http_x_real_ip; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Content-Security-Policy "script-src 'self'; object-src 'none'; frame-src 'none'"; + add_header Cache-Control "no-cache,no-store,must-revalidate"; + add_header Pragma no-cache; + add_header Expires 0; + + proxy_pass 
https://api.openeuler.org/; + } + #会议 + location /api-meeting/ { + proxy_set_header X-Forwarded-For $http_x_real_ip; + + proxy_pass https://meetings.openeuler.openatom.cn/; + } + #邮件列表 + location /api-mail/ { + proxy_set_header X-Forwarded-For $http_x_real_ip; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Content-Security-Policy "script-src 'self'; object-src 'none'; frame-src 'none'"; + add_header Cache-Control "no-cache,no-store,must-revalidate"; + add_header Pragma no-cache; + add_header Expires 0; + + proxy_pass https://mailweb.openeuler.org/; + } + #CVE + location /api-cve/ { + proxy_set_header X-Forwarded-For $http_x_real_ip; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Content-Security-Policy "script-src 'self'; object-src 'none'; frame-src 'none'"; + add_header Cache-Control "no-cache,no-store,must-revalidate"; + add_header Pragma no-cache; + add_header Expires 0; + + proxy_pass https://cvesa.test.osinfra.cn/; + } + + location /api-message/ { + proxy_set_header X-Forwarded-For $http_x_real_ip; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Content-Security-Policy "script-src 'self'; object-src 'none'; frame-src 'none'"; + add_header Cache-Control "no-cache,no-store,must-revalidate"; + add_header Pragma no-cache; + add_header Expires 0; + + proxy_pass https://message-center.test.osinfra.cn/message_center/; + } + + error_page 401 402 403 405 406 407 413 414 /error.html; + error_page 404 /404.html; + error_page 500 501 502 503 504 505 /error.html; + + location = /404.html { + root /usr/share/nginx/www; + } + + location = /error.html { + root /usr/share/nginx/www; + } + } +} \ No newline at end of file -- Gitee From d6c8e83613b6095fc7b8ffe8eb7c0c3ccf6868a4 Mon Sep 17 00:00:00 2001 
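Review bot: `limit_conn_zone` and both `limit_req_zone` directives key on `$http_x_real_ip`, a request header the client controls unless a trusted proxy in front overwrites it; a client can choose a different value per request or omit the header, and an empty key means the request is not counted at all. The two `limit_req_zone` zones (`frontendratelimit`, `ratelimit`) are also never applied — no location carries a `limit_req` directive — so only `limit_conn limitperip 10` is in effect. Key the zones on `$binary_remote_addr`, and if the load balancer is trusted to supply the client address, declare it with `set_real_ip_from <LB-CIDR>; real_ip_header X-Real-IP;` (placeholder CIDR) so that `$remote_addr`, and the `X-Forwarded-For` value this file forwards to every `proxy_pass` backend, is the validated address. `user $NGINX_USER;` is never substituted — entrypoint.sh only replaces `${LOCAL_IP}` and nginx does not expand environment variables — so nginx sees the literal string; running as a non-root master it presumably ignores the directive with a warning, but the line should read `user nginx;` or be dropped. Several backends point at `*.test.osinfra.cn`; PATCH 5/5 removes this file as debug config, so presumably the production copy is maintained elsewhere.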
From: liuyanglinux
Date: Sun, 9 Mar 2025 11:41:07 +0800
Subject: [PATCH 2/5] update dockerfile
---
 Dockerfile | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 4ce46b0d6..17d86eccb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -35,7 +35,7 @@ RUN sed -i "s|repo.openeuler.org|mirrors.nju.edu.cn/openeuler|g" /etc/yum.repos.
 && sed -i '/metalink/d' /etc/yum.repos.d/openEuler.repo \
 && sed -i '/metadata_expire/d' /etc/yum.repos.d/openEuler.repo \
 && yum update -y \
- && yum install -y findutils passwd shadow pcre-devel \
+ && yum install -y findutils passwd shadow pcre-devel net-tools \
 && find /usr/share/nginx/www -type d -print0| xargs -0 chmod 500 \
 && find /usr/share/nginx/www -type f -print0| xargs -0 chmod 400 \
 && touch /var/run/nginx.pid \
@@ -85,10 +85,7 @@ RUN sed -i "s|repo.openeuler.org|mirrors.nju.edu.cn/openeuler|g" /etc/yum.repos.
 && chmod 440 /etc/nginx/geoip/* \
 && chmod 550 /etc/nginx/modules \
 && chmod 440 /etc/nginx/modules/* \
- && touch /etc/nginx/nginx.conf \
- && chown nginx:nginx /etc/nginx/nginx.conf \
- && chmod 640 /etc/nginx/nginx.conf \
- && chmod 640 /etc/nginx/nginx.conf.template \
+ && chmod 440 /etc/nginx/nginx.conf \
 && chmod 440 /etc/nginx/mime.types \
 && chmod 700 /var/lib/nginx/tmp/client_body \
 && lsd() { \
-- Gitee
From cbe346fc96266ecbd17516225b78677e5520e861 Mon Sep 17 00:00:00 2001
From: liuyanglinux
Date: Sun, 9 Mar 2025 12:02:28 +0800
Subject: [PATCH 3/5] update dockerfile
---
 Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 17d86eccb..c9e96f090 100644
--- a/Dockerfile
+++ b/Dockerfile
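Review bot: `net-tools` is added only so that `deploy/entrypoint.sh` can run `ifconfig eth0`; it is unpinned like the rest of the install line, and it brings the legacy networking toolset into a runtime image whose later steps go out of their way to remove other tooling. If `iproute` is already present in the base image (not visible here), `ip -4 -o addr show eth0` would give the entrypoint the same address without a new package; otherwise a comment on this line, `# net-tools: ifconfig is used by entrypoint.sh to discover the listen address`, would at least record why it is there. The `RUN` this hunk belongs to starts and ends outside the hunk.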
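Review bot: `chmod 440 /etc/nginx/nginx.conf` targets a file that does not appear to exist in this stage: the template is copied to `/etc/nginx/nginx.conf.template`, none of the `COPY --from=NginxBuilder` lines bring `/etc/nginx/nginx.conf` over, and this hunk removes the `touch` that created it, so the `RUN` would fail at this step. A 440 mode would also stop `entrypoint.sh`, which runs as `USER nginx`, from writing the rendered config; the rendered file needs owner write, or the render has to go to a different path. PATCH 3/5 in this series restores the `touch`/`chown`/`chmod 640` lines, so this commit is not buildable on its own.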
@@ -85,7 +85,10 @@ RUN sed -i "s|repo.openeuler.org|mirrors.nju.edu.cn/openeuler|g" /etc/yum.repos.
 && chmod 440 /etc/nginx/geoip/* \
 && chmod 550 /etc/nginx/modules \
 && chmod 440 /etc/nginx/modules/* \
- && chmod 440 /etc/nginx/nginx.conf \
+ && touch /etc/nginx/nginx.conf \
+ && chown nginx:nginx /etc/nginx/nginx.conf \
+ && chmod 640 /etc/nginx/nginx.conf \
+ && chmod 640 /etc/nginx/nginx.conf.template \
 && chmod 440 /etc/nginx/mime.types \
 && chmod 700 /var/lib/nginx/tmp/client_body \
 && lsd() { \
-- Gitee
From 80d9a1596fe33d7832480ab72f773138df02d83a Mon Sep 17 00:00:00 2001
From: liuyanglinux
Date: Sun, 9 Mar 2025 14:15:50 +0800
Subject: [PATCH 4/5] update dockerfile
---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index c9e96f090..4eb705156 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -35,7 +35,7 @@ RUN sed -i "s|repo.openeuler.org|mirrors.nju.edu.cn/openeuler|g" /etc/yum.repos.
 && sed -i '/metalink/d' /etc/yum.repos.d/openEuler.repo \
 && sed -i '/metadata_expire/d' /etc/yum.repos.d/openEuler.repo \
 && yum update -y \
- && yum install -y findutils passwd shadow pcre-devel net-tools \
+ && yum install -y findutils passwd shadow pcre-devel net-tools libmaxminddb libmaxminddb-devel \
 && find /usr/share/nginx/www -type d -print0| xargs -0 chmod 500 \
 && find /usr/share/nginx/www -type f -print0| xargs -0 chmod 400 \
 && touch /var/run/nginx.pid \
@@ -125,6 +125,7 @@ RUN sed -i "s|repo.openeuler.org|mirrors.nju.edu.cn/openeuler|g" /etc/yum.repos.
 && sed -i "s|HISTSIZE=1000|HISTSIZE=0|" /etc/profile \
 && sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS 30/" /etc/login.defs \
 && echo "ALWAYS_SET_PATH yes" >> /etc/login.defs \
+ && chage --maxdays 30 nginx \
 && passwd -l $NGINX_USER \
 && yum clean all \
 && usermod -s /sbin/nologin sync \
-- Gitee
From e62846156dc84a80f84dd0d6844a6fcd903e9c4c Mon Sep 17 00:00:00 2001
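Review bot: These lines leave both `/etc/nginx/nginx.conf` and `nginx.conf.template` writable by the service account (owner nginx via the `chown -R nginx:nginx /etc/nginx` earlier in this `RUN`, outside the hunk, mode 640), which is required for the rendered config because `entrypoint.sh` runs as `USER nginx`, but not for the template, which is only read. Tighten the template to `&& chmod 640 /etc/nginx/nginx.conf.template \` → `&& chmod 440 /etc/nginx/nginx.conf.template \`, and record why the rendered file stays writable with a comment such as `# nginx.conf is rendered from nginx.conf.template by entrypoint.sh at start-up, running as $NGINX_USER`, so the next hardening pass does not revert it to 440 again as PATCH 2/5 did. The `RUN` this hunk belongs to starts and ends outside the hunk.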
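Review bot: `libmaxminddb-devel` installs headers and build-time files, and nothing in this `RUN` compiles anything — the geoip2 module arrives prebuilt via `COPY --from=NginxBuilder /etc/nginx/modules` — so only the `libmaxminddb` shared library is needed at run time and the `-devel` package should be dropped (the pre-existing `pcre-devel` presumably has the same issue). Leaving development packages in place is also at odds with the later steps of this same `RUN`, which remove gdb and the gcc data directories. A short comment on the install line, `# libmaxminddb: runtime dependency of ngx_http_geoip2_module.so`, would document why it is here; the package versions remain unpinned.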
From: liuyanglinux
Date: Sun, 9 Mar 2025 15:20:23 +0800
Subject: [PATCH 5/5] clean debug config file
---
 deploy/entrypoint.sh | 10 --
 deploy/monitor.sh | 33 ------
 deploy/nginx/nginx.conf | 251 ----------------------------------------
 3 files changed, 294 deletions(-)
 delete mode 100644 deploy/entrypoint.sh
 delete mode 100644 deploy/monitor.sh
 delete mode 100644 deploy/nginx/nginx.conf
diff --git a/deploy/entrypoint.sh b/deploy/entrypoint.sh
deleted file mode 100644
index c0ccd9e42..000000000
--- a/deploy/entrypoint.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-# 使用 ifconfig 获取主机的 IP 地址(假设是 eth0 接口)
-LOCAL_IP=$(ifconfig eth0 | grep inet | awk '{ print $2 }' | head -n 1)
-
-# 使用 awk 替换 nginx.conf.template 中的环境变量
-echo "Replacing LOCAL_IP in nginx.conf"
-awk -v ip="$LOCAL_IP" '{gsub(/\${LOCAL_IP}/, ip); print}' /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf
-bash /etc/nginx/monitor.sh $DET_URL $DST_PATH &
-/usr/share/nginx/sbin/nginx -g 'daemon off;'
\ No newline at end of file
diff --git a/deploy/monitor.sh b/deploy/monitor.sh
deleted file mode 100644
index d84c1bc8a..000000000
--- a/deploy/monitor.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-# this script is for website monitoring,
-# when website is up, delete all cert file.
-
-HOST=$1
-DST_PATH=$2
-
-delete_file() {
- if [ -d $DST_PATH ]; then
- echo "found $DST_PATH" > /dev/stdout
- rm -rf $DST_PATH/*
- else
- echo "$DST_PATH not found" > /dev/stdout
- fi
-}
-
-while true;
-do
- sleep 20
- RET=$(curl -k -s -w "%{http_code}\n" -o /dev/null $HOST)
- if [ $RET == "200" ]; then
- echo "website is up!!!" > /dev/stdout
- delete_file
- if [ $? -eq 0 ]; then
- echo "successful delete file, exit" > /dev/stdout
- break
- else
- echo "failed to delete file" > /dev/stdout
- fi
- else
- echo "waiting for website up, http_status: $RET" > /dev/stdout
- fi
-done
\ No newline at end of file
diff --git a/deploy/nginx/nginx.conf b/deploy/nginx/nginx.conf
deleted file mode 100644
index 27883567e..000000000
--- a/deploy/nginx/nginx.conf
+++ /dev/null
@@ -1,251 +0,0 @@ -user $NGINX_USER; -error_log /dev/stdout info; -pid /var/run/nginx.pid; -load_module /etc/nginx/modules/ngx_http_geoip2_module.so; -worker_processes auto; -worker_rlimit_nofile 65535; -events { - use epoll; - worker_connections 65535; -} - -http { - include /etc/nginx/mime.types; - - log_format access '[$time_local] remote_addr: $http_x_real_ip, request: "$request", ' - 'status: $status, body_bytes_sent: $body_bytes_sent, http_referer: "$http_referer", ' - 'http_user_agent: "$http_user_agent"'; - - access_log /dev/stdout access; - - geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb { - $geoip2_city_country_code source=$http_true_client_ip country iso_code; - $geoip2_city_country_name source=$http_true_client_ip country names en; - } - - geoip2 /etc/nginx/geoip/GeoLite2-City.mmdb { - $geoip2_city source=$http_true_client_ip city names en; - } - server_tokens off; - autoindex off; - - port_in_redirect off; - absolute_redirect off; - - client_header_buffer_size 1k; - large_client_header_buffers 4 8k; - client_body_buffer_size 16k; - client_max_body_size 50m; - - client_header_timeout 10; - client_body_timeout 10; - client_body_in_file_only off; - keepalive_timeout 10 30; - send_timeout 10; - - proxy_hide_header X-Powered-By; - - - limit_conn_zone $http_x_real_ip zone=limitperip:10m; - limit_req_zone $http_x_real_ip zone=frontendratelimit:10m rate=2000r/s; - limit_req_zone $http_x_real_ip zone=ratelimit:10m rate=200r/s; - underscores_in_headers on; - - gzip on; - gzip_min_length 1k; - gzip_buffers 4 16k; - gzip_comp_level 5; - gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/javascript application/x-httpd-php application/json; - gzip_vary on; - - server { - listen ${LOCAL_IP}:8080 ssl; - server_name www.openeuler.org; - charset utf-8; - - limit_conn limitperip 10; - ssl_session_tickets off; - ssl_session_timeout 10s; - ssl_session_cache shared:SSL:10m; - - ssl_certificate "cert/server.crt"; - 
ssl_certificate_key "cert/server.key"; - ssl_password_file "cert/abc.txt"; - ssl_dhparam "cert/dhparam.pem"; - ssl_ecdh_curve auto; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384"; - ssl_prefer_server_ciphers on; - ssl_stapling on; - ssl_stapling_verify on; - resolver 8.8.8.8 8.8.4.4 valid=60s; - resolver_timeout 5s; - - set $language_chinese false; - if ($geoip2_city_country_name = "China") { - set $language_chinese true; - } - location = / { - if ($language_chinese = "true") { - rewrite ^/$ /zh last; - } - if ($language_chinese = "false") { - rewrite ^/$ /en last; - } - } - - if ($request_method !~ ^(GET|HEAD|POST)$) { - return 444; - } - - location ~ /\. { - deny all; - return 404; - } - - location / { - - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; - add_header Content-Security-Policy "script-src 'self' https://hm.baidu.com 'unsafe-inline' 'unsafe-eval' data:; frame-src https://vhall.huawei.com https://hw.vhallyun.com https://wenjuan.feishu.cn https://wx.vzan.com; worker-src 'self' blob:"; - add_header Cache-Control "no-cache,no-store,must-revalidate"; - add_header Pragma no-cache; - add_header Expires 0; - - location /assets { - # publish every two weeks - - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; - add_header Content-Security-Policy "script-src 'self' *.baidu.com 'unsafe-inline' 'unsafe-eval' ; object-src 'none'; frame-src 'none'"; - add_header Cache-Control "public,max-age=1209600"; - expires 14d; - add_header Cache-Control public; - } - - root /usr/share/nginx/www; - index index.html; - } - - # 搜索服务 - location /api-search/ { - proxy_set_header X-Forwarded-For $http_x_real_ip; - - proxy_pass 
https://doc-search.test.osinfra.cn/; - } - # 兼容性列表商业软件 - location /api-certification/ { - proxy_set_header X-Forwarded-For $http_x_real_ip; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Content-Security-Policy "script-src 'self'; object-src 'none'; frame-src 'none'"; - add_header Cache-Control "no-cache,no-store,must-revalidate"; - add_header Pragma no-cache; - add_header Expires 0; - - proxy_pass https://openeuler-compatibility.test.osinfra.cn/; - } - # 登录 - location /api-omapi/ { - proxy_set_header X-Forwarded-For $http_x_real_ip; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Content-Security-Policy "script-src 'self'; object-src 'none'; frame-src 'none'"; - add_header Cache-Control "no-cache,no-store,must-revalidate"; - add_header Pragma no-cache; - add_header Expires 0; - - proxy_pass https://omapi.test.osinfra.cn/; - } - # datastat数据 - location /api-dsapi/ { - proxy_set_header X-Forwarded-For $http_x_real_ip; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Content-Security-Policy "script-src 'self'; object-src 'none'; frame-src 'none'"; - add_header Cache-Control "no-cache,no-store,must-revalidate"; - add_header Pragma no-cache; - add_header Expires 0; - - # proxy_pass https://dsapi.test.osinfra.cn/; - proxy_pass https://dsapi.osinfra.cn/; - } - # 镜像下载&实习排行 - location /api/ { - proxy_set_header X-Forwarded-For $http_x_real_ip; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Content-Security-Policy "script-src 'self'; object-src 'none'; frame-src 'none'"; - add_header Cache-Control "no-cache,no-store,must-revalidate"; - add_header Pragma no-cache; - add_header Expires 0; - - proxy_pass 
https://api.openeuler.org/; - } - #会议 - location /api-meeting/ { - proxy_set_header X-Forwarded-For $http_x_real_ip; - - proxy_pass https://meetings.openeuler.openatom.cn/; - } - #邮件列表 - location /api-mail/ { - proxy_set_header X-Forwarded-For $http_x_real_ip; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Content-Security-Policy "script-src 'self'; object-src 'none'; frame-src 'none'"; - add_header Cache-Control "no-cache,no-store,must-revalidate"; - add_header Pragma no-cache; - add_header Expires 0; - - proxy_pass https://mailweb.openeuler.org/; - } - #CVE - location /api-cve/ { - proxy_set_header X-Forwarded-For $http_x_real_ip; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Content-Security-Policy "script-src 'self'; object-src 'none'; frame-src 'none'"; - add_header Cache-Control "no-cache,no-store,must-revalidate"; - add_header Pragma no-cache; - add_header Expires 0; - - proxy_pass https://cvesa.test.osinfra.cn/; - } - - location /api-message/ { - proxy_set_header X-Forwarded-For $http_x_real_ip; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Content-Security-Policy "script-src 'self'; object-src 'none'; frame-src 'none'"; - add_header Cache-Control "no-cache,no-store,must-revalidate"; - add_header Pragma no-cache; - add_header Expires 0; - - proxy_pass https://message-center.test.osinfra.cn/message_center/; - } - - error_page 401 402 403 405 406 407 413 414 /error.html; - error_page 404 /404.html; - error_page 500 501 502 503 504 505 /error.html; - - location = /404.html { - root /usr/share/nginx/www; - } - - location = /error.html { - root /usr/share/nginx/www; - } - } -} \ No newline at end of file -- Gitee