From a1757187e2045d2945f30417422e283aa8ccf1f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=90=B4=E5=B0=8F=E7=99=BD?= <296015668@qq.com>
Date: Tue, 18 May 2021 17:10:29 +0800
Subject: [PATCH 1/2] =?UTF-8?q?perf:=20=E5=8E=BB=E6=8E=89=20ipv6=20?=
 =?UTF-8?q?=E5=88=A4=E6=96=AD=E5=9B=9E=E6=98=BE=20(#82)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 去掉 ipv6 判断回显
* fix: 修复CVE-2016-2183
---
 compose/config_static/http_server.conf | 2 +-
 config_init/nginx/lb_http_server.conf | 2 +-
 scripts/utils.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/compose/config_static/http_server.conf b/compose/config_static/http_server.conf
index 3814d264..1d4c2e0d 100644
--- a/compose/config_static/http_server.conf
+++ b/compose/config_static/http_server.conf
@@ -10,7 +10,7 @@ server {
 ssl_certificate_key cert/server.key;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE:!DES:!ECDHE-RSA-DES-CBC3-SHA;
 add_header Strict-Transport-Security "max-age=31536000";
 client_max_body_size 5000m;
diff --git a/config_init/nginx/lb_http_server.conf b/config_init/nginx/lb_http_server.conf
index 700e39ed..8cdbf2f4 100644
--- a/config_init/nginx/lb_http_server.conf
+++ b/config_init/nginx/lb_http_server.conf
@@ -21,7 +21,7 @@ server {
 ssl_session_cache shared:MozSSL:10m;
 ssl_session_tickets off;
 ssl_protocols TLSv1.1 TLSv1.2;
- ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE:!DES:!ECDHE-RSA-DES-CBC3-SHA;
 add_header Strict-Transport-Security "max-age=31536000" always;
 ssl_prefer_server_ciphers off;
diff --git a/scripts/utils.sh b/scripts/utils.sh
index f48d4f12..64ae9c7e 100755
--- a/scripts/utils.sh
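Review bot: The `!DES:!ECDHE-RSA-DES-CBC3-SHA` appended on the new ssl_ciphers line does not retire 3DES, which is the CVE-2016-2183 (SWEET32) exposure the message claims to fix: in OpenSSL cipher-string syntax `DES` selects single-DES suites only, triple-DES suites are selected by `3DES`, so the explicit name removes one suite while any other 3DES suite the `HIGH` (OpenSSL 1.0.x) or bare `ECDHE`/`ECDH` keywords pull in for the deployed OpenSSL build stays negotiable. Replace the two new exclusions with `!3DES` (keeping `!DES` does no harm) and verify with `openssl ciphers -v '<the configured string>' | grep -i 3des` printing nothing. The same cipher string is duplicated in config_init/nginx/lb_http_server.conf in the next hunk and needs the identical change. Out of this commit's scope but visible on the context line above: this file still offers TLSv1 in `ssl_protocols` while lb_http_server.conf starts at TLSv1.1.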
+++ b/scripts/utils.sh
@@ -405,7 +405,7 @@ function check_ipv6_iptables_if_need() {
 use_ipv6=$(get_config USE_IPV6)
 subnet_ipv6=$(get_config DOCKER_SUBNET_IPV6)
 if [[ "${use_ipv6}" == "1" ]]; then
- if ! ip6tables -t nat -L | grep "${subnet_ipv6}"; then
+ if [[ ! "$(ip6tables -t nat -L | grep "${subnet_ipv6}")" ]]; then
 ip6tables -t nat -A POSTROUTING -s "${subnet_ipv6}" -j MASQUERADE
 fi
 fi
From 77e6d653d7d12127f37c0eb0fa9ef73fcf7dbe09 Mon Sep 17 00:00:00 2001
From: Eric
Date: Mon, 17 May 2021 16:51:17 +0800
Subject: [PATCH 2/2] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E4=B8=8A=E4=BC=A0?=
 =?UTF-8?q?=E8=B6=85=E5=A4=A7=E6=96=87=E4=BB=B6=EF=BC=8C=E8=B6=85=E6=97=B6?=
 =?UTF-8?q?=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 compose/config_static/http_server.conf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/compose/config_static/http_server.conf b/compose/config_static/http_server.conf
index 1d4c2e0d..41853d41 100644
--- a/compose/config_static/http_server.conf
+++ b/compose/config_static/http_server.conf
@@ -57,7 +57,12 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- access_log off;
+
+ proxy_ignore_client_abort on;
+ proxy_connect_timeout 600;
+ proxy_send_timeout 600;
+ proxy_read_timeout 600;
+ send_timeout 6000;
 }
 # OmniDB 配置
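Review bot: The new test `[[ ! "$(ip6tables -t nat -L | grep "${subnet_ipv6}")" ]]` still treats the subnet as a regular expression matched against every nat-table line, so an unrelated rule that merely mentions the same prefix suppresses the MASQUERADE insert, an empty DOCKER_SUBNET_IPV6 makes grep match every line so the rule is never added, and the exit status of ip6tables itself is discarded by the command substitution. The idiom that silences the output the commit is after is `grep -q`: `if ! ip6tables -t nat -L -n | grep -qF -- "${subnet_ipv6}"; then`. Better still, ask for the exact rule instead of pattern-matching the listing: `if ! ip6tables -t nat -C POSTROUTING -s "${subnet_ipv6}" -j MASQUERADE 2>/dev/null; then` (`-C` needs iptables 1.4.11 or later). Both the opening line of check_ipv6_iptables_if_need and its closing brace lie outside the hunk.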
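Review bot: `send_timeout 6000;` on the last added line is ten times the 600 used by the three proxy_* timeouts directly above it and reads like a typo; if the same ten-minute budget is intended, change it to `send_timeout 600;`, otherwise add a comment on that line explaining why the client-write timeout is 100 minutes. Removing `access_log off;` re-enables request logging for this location, which the commit message (an upload-timeout fix) does not mention, so please confirm it is intentional rather than lost in the edit. `proxy_ignore_client_abort on;` keeps the upstream request alive after the client goes away, so each abandoned large upload can occupy an upstream worker for up to the full 600 s; that is a reasonable trade-off for this fix but deserves a one-line comment, e.g. `# keep the upstream upload running if the client drops; bounded by the 600s timeouts below`. The block closed by the hunk's `}` (presumably a location) opens outside the hunk.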