ÔõÑùʹÓÃLinuxЧÀÍÆ÷±£»¤Web½Ó¿ÚÃâÊܻỰЮÖƹ¥»÷£¿
ÔõÑùʹÓÃLinuxЧÀÍÆ÷±£»¤Web½Ó¿ÚÃâÊܻỰЮÖƹ¥»÷£¿
¼ò½é£º
Ëæ×Å»¥ÁªÍøµÄ¿ìËÙÉú³¤£¬WebÓ¦ÓóÌÐò³ÉΪÁËÎÒÃÇÉúÑÄÖбز»¿ÉÉÙµÄÒ»²¿·Ö¡£È»¶ø£¬WebÓ¦ÓóÌÐòÃæÁÙ×ÅÖî¶àÇå¾²Íþв£¬ÆäÖÐÖ®Ò»¾ÍÊǻỰЮÖƹ¥»÷¡£»á»°Ð®Öƹ¥»÷ÊÇÖ¸ºÚ¿Íͨ¹ýÖÖÖÖÊֶλñÈ¡Õýµ±Óû§µÄ»á»°ÐÅÏ¢£¬È»ºóʹÓÃÕâЩÐÅÏ¢À´Î±×°³ÉÕýµ±Óû§¡£ÎªÁ˱£»¤Web½Ó¿ÚÃâÊܻỰЮÖƹ¥»÷£¬ÎÒÃÇ¿ÉÒÔʹÓÃLinuxЧÀÍÆ÷µÄһЩ¹¦Ð§ºÍÊÖÒÕÀ´¼Ó¹ÌÎÒÃǵÄϵͳ¡£±¾ÎĽ«ÏÈÈÝһЩ³£ÓõÄÒªÁì¡£
ÉèÖúÏÊʵÄSSL/TLSÉèÖÃ
ΪÁ˱£»¤ÎÒÃǵÄWeb½Ó¿ÚÃâÊÜÖÐÐÄÈ˹¥»÷ºÍÊý¾ÝÇÔÈ¡£¬ÎÒÃÇ¿ÉÒÔʹÓÃSSL/TLSÀ´¼ÓÃÜÊý¾Ý´«Êä¡£ÔÚLinuxЧÀÍÆ÷ÉÏ£¬ÎÒÃÇ¿ÉÒÔʹÓÃNginxÀ´×÷Ϊ·´ÏòÊðÀí£¬²¢ÉèÖúÏÊʵÄSSLÖ¤ÊéºÍÃÜÂëÌ×¼þ¡£ÒÔÏÂÊÇÒ»¸öʾÀýÉèÖãº
server { listen 443 ssl http2; server_name example.com; ssl_certificate /etc/nginx/ssl/example.com.crt; ssl_certificate_key /etc/nginx/ssl/example.com.key; ssl_protocols TLSv1.2; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256; # ÆäËûÉèÖÃ... }
µÇ¼ºó¸´ÖÆ
Ç¿»¯»á»°Éí·ÝÑéÖ¤
ºÚ¿Íͨ³£Í¨¹ýÇÔÈ¡»á»°IDÀ´¾ÙÐлỰЮÖƹ¥»÷¡£ÎªÁËÌá¸ß»á»°µÄÇå¾²ÐÔ£¬ÎÒÃÇ¿ÉÒÔ½ÓÄÉÒÔϲ½·¥£º
ÌìÉúÇ¿ÃÜÂëµÄ»á»°ID£ºÊ¹ÓÃ×ã¹»³¤¶ÈµÄËæ»ú×Ö·û´®×÷Ϊ»á»°ID£¬Í¬Ê±°´ÆÚ¸üлỰID¡£
ͨ¹ýcookieÉèÖÃSecure±ê¼Ç£ºÔÚ½«»á»°IDдÈëcookieʱ£¬Ê¹ÓÃSecure±ê¼ÇÀ´Ö¸¶¨¸ÃcookieÖ»ÄÜͨ¹ýHTTPS´«Êä¡£
ʹÓÃHttpOnly±ê¼Ç£ºÔÚ½«»á»°IDдÈëcookieʱ£¬Ê¹ÓÃHttpOnly±ê¼ÇÀ´Õ¥È¡¾ç±¾ÓïÑÔ£¨ÈçJavaScript£©»á¼ûcookie£¬´Ó¶øÌá¸ßÇå¾²ÐÔ¡£
ÒÔÏÂÊÇÒ»¸öʹÓÃPHPºÍLaravel¿ò¼ÜÌìÉúÇ¿ÃÜÂëµÄ»á»°IDµÄʾÀý´úÂ룺
$sessionId = bin2hex(random_bytes(32)); session_id($sessionId); session_start();
µÇ¼ºó¸´ÖÆ
ÉèÖÃÊʵ±µÄ»á»°ÓâÆÚʱ¼ä
ºÏÀíµÄ»á»°ÓâÆÚʱ¼ä¿ÉÒÔïÔ̻ỰЮÖƹ¥»÷µÄÓ°Ïì¹æÄ£¡£ÎÒÃÇ¿ÉÒÔÔÚLinuxЧÀÍÆ÷ÉϾÙÐÐÏêϸµÄÉèÖá£ÒÔÏÂÊÇÒ»¸öʾÀý£¬¼á³Ö»á»°30·ÖÖÓºóʧЧ£º
# ÐÞ¸Äsession.gc_maxlifetimeµÄÖµ sudo nano /etc/php.ini # ÐÞ¸ÄΪ30·ÖÖÓ£¬ÉèÖÃÉúЧÐèÒªÖØÆôЧÀÍÆ÷ session.gc_maxlifetime = 1800 # ÉúÑIJ¢Í˳ö sudo systemctl restart php-fpm.service
µÇ¼ºó¸´ÖÆ
ʹÓÃCSRF±£»¤
CSRF£¨¿çÕ¾ÇëÇóαÔ죩¹¥»÷ÊǺڿÍͨ¹ýαÔìÕýµ±Óû§ÇëÇóÀ´¾ÙÐÐÕ¾µã²Ù×÷£¬ÀýÈç·¢ËͶñÒâÇëÇ󡢸ü¸ÄÃÜÂëµÈ¡£ÎªÁ˱ÜÃâCSRF¹¥»÷£¬ÎÒÃÇ¿ÉÒÔÔÚÊܱ£»¤µÄ±íµ¥ÖÐÌí¼ÓÒ»¸öÒþ²ØµÄÁîÅÆ£¬²¢ÔÚЧÀÍÆ÷¶Ë¾ÙÐÐÑéÖ¤¡£ÒÔÏÂÊÇÒ»¸öʹÓÃPHPºÍLaravel¿ò¼ÜÌí¼ÓCSRFÁîÅƵÄʾÀý´úÂ룺
<form action="/change_password" method="POST"> @csrf <!-- ÆäËû±íµ¥×Ö¶Î... --> <button type="submit">Ìá½»</button> </form>
µÇ¼ºó¸´ÖÆ
°´ÆÚ¸üÐÂϵͳºÍÈí¼þ
°´ÆÚ¸üÐÂЧÀÍÆ÷µÄ²Ù×÷ϵͳºÍÈí¼þÊǼá³ÖϵͳÇå¾²ÐÔµÄÖ÷Òª²½·¥¡£Ã¿¸öа汾µÄ¸üÐÂͨ³£¶¼»áÐÞ¸´Çå¾²Îó²îºÍÔöǿϵͳµÄ·À»¤ÄÜÁ¦¡£ÎÒÃÇ¿ÉÒÔʹÓÃÒÔÏÂÏÂÁîÀ´¸üÐÂϵͳºÍÈí¼þ£º
sudo apt update sudo apt upgrade
µÇ¼ºó¸´ÖÆ
×ܽ᣺
ΪÁ˱£»¤Web½Ó¿ÚÃâÊܻỰЮÖƹ¥»÷£¬ÎÒÃÇ¿ÉÒÔͨ¹ýÉèÖúÏÊʵÄSSL/TLSÉèÖá¢Ç¿»¯»á»°Éí·ÝÑéÖ¤¡¢ÉèÖÃÊʵ±µÄ»á»°ÓâÆÚʱ¼ä¡¢Ê¹ÓÃCSRF±£»¤ºÍ°´ÆÚ¸üÐÂϵͳºÍÈí¼þµÈÒªÁìÀ´¼Ó¹ÌÎÒÃǵÄϵͳ¡£ÕâЩҪÁì¿ÉÒÔÌá¸ßϵͳµÄÇå¾²ÐÔ£¬Í¬Ê±½µµÍϵͳ±»ºÚ¿ÍÈëÇÖµÄΣº¦¡£È»¶ø£¬¼á³ÖϵͳÇå¾²²¢²»ÊÇÒ»´ÎÐÔµÄʹÃü£¬ÎÒÃÇÐèÒªÒ»Ö±µØѧϰºÍ¹Ø×¢×îеÄÇå¾²Íþв£¬²¢ÎÞаµ÷½âÎÒÃǵÄÇå¾²²½·¥¡£
ÒÔÉϾÍÊÇÔõÑùʹÓÃLinuxЧÀÍÆ÷±£»¤Web½Ó¿ÚÃâÊܻỰЮÖƹ¥»÷£¿µÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡