分享下我的 nas 安全方案

1. 物理机直接安装 ubuntu, 所有应用都部署在 docker
2. ssh 只允许密钥登录, 禁止 root 用户登录
3. 所有访问( http, tcp)都通过 nginx 代理, ufw 只暴露固定的几个端口, nginx 开启 https 证书
4. nginx 配置 geolite2, 禁止任何 国外 ip 访问, 异常访问基本都是国外 ip
5. fail2ban 自动封禁所有 nginx 日志里面国外 ip
6. 不安装 1panel,宝塔等任何 web 管理工具, 直接 ssh 到机器上命令行管理

分享下我的 nginx 配置

load_module "modules/ngx_http_geoip2_module.so"; load_module "modules/ngx_stream_geoip2_module.so"; worker_processes 4; error_log /var/log/nginx/nginx_error.log; error_log /var/log/nginx/nginx_error.log notice; error_log /var/log/nginx/nginx_error.log info; pid /var/log/nginx/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb { auto_reload 24h; $geoip_country_code default=Unknown source=$remote_addr country iso_code; $geoip_country_name country names en; } geoip2 /etc/nginx/geoip/GeoLite2-City.mmdb { auto_reload 24h; $geoip_city default=Unknown city names en; } map $geoip_country_code $allowed_country { default no; CN yes; } map $remote_addr $allowed { default $allowed_country; 127.0.0.1 yes; ~^192\.168\.\\d+\.\\d+$ yes; ~^172\.16\.0\.\\d+$ yes; ~^172\.17\.\\d+\.\\d+$ yes; } map $http_upgrade $connection_upgrade { default upgrade; '' ""; } log_format json_analytics escape=json '{' '"timestamp": "$msec", ' # request unixtime in seconds with a milliseconds resolution '"request_id": "$request_id", ' # the unique request id '"request_length": "$request_length", ' # request length (including headers and body) '"body_bytes_sent": "$body_bytes_sent", ' '"remote_addr": "$remote_addr", ' # client IP '"time_iso8601": "$time_iso8601", ' '"request_uri": "$request_uri", ' # full path and arguments if the request '"code": "$status", ' # response status code '"http_host": "$http_host", ' # the request Host: header '"server_name": "$server_name", ' # the name of the vhost serving the request '"request_time": "$request_time", ' # request processing time in seconds with msec resolution '"upstream": "$upstream_addr", ' # upstream backend server for proxied requests '"request_method": "$request_method", ' # request method '"allowed": "$allowed", ' '"geoip_country_code": "$geoip_country_code", ' '"geoip_country_name": "$geoip_country_name", ' '"geoip_city": "$geoip_city"' '}'; access_log /var/log/nginx/access.log json_analytics; error_log /var/log/nginx/error.log warn; set_real_ip_from 0.0.0.0/0; real_ip_header X-Real-IP; real_ip_recursive on; sendfile on; server_tokens off; keepalive_timeout 65; gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/Javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; proxy_buffering off; proxy_buffers 4 128k; proxy_buffer_size 256k; proxy_busy_buffers_size 256k; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL; ssl_certificate /etc/nginx/ssl/fullchain.cer; ssl_certificate_key /etc/nginx/ssl/xxx.cc.key; include /etc/nginx/conf.d/*.conf; } stream { geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb { auto_reload 24h; $geoip_country_code default=Unknown source=$remote_addr country iso_code; $geoip_country_name country names en; } geoip2 /etc/nginx/geoip/GeoLite2-City.mmdb { auto_reload 24h; $geoip_city default=Unknown city names en; } map $geoip_country_code $allowed_country { default no; CN yes; } map $remote_addr $allowed { default $allowed_country; 127.0.0.1 yes; ~^192\.168\.\\d+\.\\d+$ yes; ~^172\.16\.0\.\\d+$ yes; ~^172\.17\.\\d+\.\\d+$ yes; } log_format json_analytics escape=json '{' '"timestamp": "$msec", ' # request unixtime in seconds with a milliseconds resolution '"connection": "$connection", ' # connection serial number '"pid": "$pid", ' # process pid '"remote_addr": "$remote_addr", ' # client IP '"remote_port": "$remote_port", ' # client port '"time_iso8601": "$time_iso8601", ' # local time in the ISO 8601 standard format '"upstream": "$upstream_addr", ' '"protocol": "$protocol", ' '"allowed": "$allowed", ' '"request_method": "STREAM", ' '"geoip_country_code": "$geoip_country_code", ' '"geoip_country_name": "$geoip_country_name", ' '"geoip_city": "$geoip_city"' '}'; access_log /var/log/nginx/access.log json_analytics; error_log /var/log/nginx/error.log warn; include /etc/nginx/stream.d/*.conf; } 

ssh 代理

map $allowed $ssh_server { yes ssh; } upstream ssh { server 192.168.5.1:1234; } server { listen 5678; listen [::]:5678; proxy_pass $ssh_server; proxy_connect_timeout 30s; proxy_timeout 60s; ssl_preread on; } 

http 代理

server { server_name x.x.com; listen 1233 ssl; listen [::]:1233 ssl; http2 on; charset "utf-8"; if ($allowed != yes) { return 404; } error_page 497 =307 https://$host:$server_port$request_uri; client_max_body_size 512M; proxy_buffering off; set $backend "http://192.168.5.1:1234"; include /etc/nginx/conf.d/basic/no_log.conf; location / { proxy_redirect off; proxy_set_header Host $host:$server_port; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass $backend; } }