1

nginx/deploy.conf

@@ -0,0 +1,80 @@
+client_body_buffer_size 10M;
+large_client_header_buffers 4 8M;
+server {
+
+        listen       80;
+        server_name  localhost;
+        client_max_body_size 100M;
+
+
+        #charset koi8-r;
+        #access_log  /var/log/nginx/host.access.log  main;
+
+        #add_header X-Frame-Options SAMEORIGIN;
+        add_header Cache-Control no-store,max-age:0;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Content-Type-Options nosniff;
+        add_header Content-Security-Policy DENY;
+        add_header Referrer-Policy no-referrer;
+        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+        add_header X-Permitted-Cross-Domain-Policies "master-only";
+        add_header X-Download-Options "noopen" always;
+        add_header 'Referrer-Policy' 'origin';
+        gzip_vary on;
+        gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+            gzip  on;
+            gzip_min_length  1k;
+            gzip_buffers     4 16k;
+            gzip_http_version 1.1;
+            gzip_comp_level 9;
+            gzip_types       text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php application/javascript application/json;
+            gzip_disable "MSIE [1-6]\.";
+            gzip_vary on;
+            gzip_static on;
+        }
+
+        #error_page  404              /404.html;
+
+        # redirect server error pages to the static page /50x.html
+        #
+
+
+
+  location ^~/api/ {
+        proxy_pass http://cloud-gateway-service:8001/;
+        proxy_connect_timeout 60s;
+       proxy_read_timeout 120s;
+       proxy_send_timeout 120s;
+       proxy_set_header X-Real-IP $remote_addr;
+       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto http;
+       proxy_http_version 1.1;
+       proxy_set_header Upgrade $http_upgrade;
+       proxy_set_header Connection "upgrade";
+       proxy_set_header Host $http_host;
+    }
+
+   # 屏蔽所有敏感路径，不用改代码配置开关，双重保护
+    location ~* ^/(actuator|swagger-ui|v3/api-docs|swagger-resources|webjars|doc.html) {
+        return 403; # 禁止访问
+    }
+
+  error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+
+        # 避免端点安全问题
+       location ~ .*\/actuator.* {
+         deny all; # 这样配置返回403
+       }
+
+        # 避免接口暴露问题
+        location ~ .*\/api-docs.* {
+          deny all; # 这样配置返回403
+        }
+
+    }

nginx/developer.conf

@@ -0,0 +1,80 @@
+client_body_buffer_size 10M;
+large_client_header_buffers 4 8M;
+server {
+
+        listen       80;
+        server_name  localhost;
+        client_max_body_size 100M;
+
+
+        #charset koi8-r;
+        #access_log  /var/log/nginx/host.access.log  main;
+
+        #add_header X-Frame-Options SAMEORIGIN;
+        add_header Cache-Control no-store,max-age:0;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Content-Type-Options nosniff;
+        add_header Content-Security-Policy DENY;
+        add_header Referrer-Policy no-referrer;
+        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+        add_header X-Permitted-Cross-Domain-Policies "master-only";
+        add_header X-Download-Options "noopen" always;
+        add_header 'Referrer-Policy' 'origin';
+        gzip_vary on;
+        gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+            gzip  on;
+            gzip_min_length  1k;
+            gzip_buffers     4 16k;
+            gzip_http_version 1.1;
+            gzip_comp_level 9;
+            gzip_types       text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php application/javascript application/json;
+            gzip_disable "MSIE [1-6]\.";
+            gzip_vary on;
+            gzip_static on;
+        }
+
+        #error_page  404              /404.html;
+
+        # redirect server error pages to the static page /50x.html
+        #
+
+
+
+  location ^~/api/ {
+        proxy_pass http://cloud-gateway-service:8001/;
+        proxy_connect_timeout 60s;
+       proxy_read_timeout 120s;
+       proxy_send_timeout 120s;
+       proxy_set_header X-Real-IP $remote_addr;
+       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto http;
+       proxy_http_version 1.1;
+       proxy_set_header Upgrade $http_upgrade;
+       proxy_set_header Connection "upgrade";
+       proxy_set_header Host $http_host;
+    }
+
+   # 屏蔽所有敏感路径，不用改代码配置开关，双重保护
+    location ~* ^/(actuator|swagger-ui|v3/api-docs|swagger-resources|webjars|doc.html) {
+        return 403; # 禁止访问
+    }
+
+  error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+
+        # 避免端点安全问题
+       location ~ .*\/actuator.* {
+         deny all; # 这样配置返回403
+       }
+
+        # 避免接口暴露问题
+        location ~ .*\/api-docs.* {
+          deny all; # 这样配置返回403
+        }
+
+    }