wecom_it_smart_desk/deploy-server/nginx-access-log-redact.sh
Simon 627f4aa924 feat(deploy): v0.7.0 一键上传脚本(Windows PS) + nginx 脱敏脚本
upload-frontend-v0.7.0.ps1:
- 自动打包 4 端 dist + scp + ssh 解压
- 用户只需在 PowerShell 跑一次

nginx-access-log-redact.sh:
- 自定义 log_format(去掉 Authorization/Cookie)
- 支持 --rollback 回滚
- nginx -t 验证语法 + nginx -s reload 热重载

Co-Authored-By: Claude <noreply@anthropic.com>
2026-06-21 11:56:48 +08:00


#!/bin/bash
# =============================================================================
# nginx access_log 脱敏脚本(生产服务器跑)
# =============================================================================
# 作用:把默认的 access_log 换成自定义 log_format,删除 Authorization/Cookie 等
# 敏感 header,避免泄漏到日志
# 用法:bash nginx-access-log-redact.sh
# 回滚:bash nginx-access-log-redact.sh --rollback
# =============================================================================
set -e
CONTAINER="wecom_it_nginx" # 注意是下划线
CONF_PATH="/etc/nginx/conf.d/log-format.conf"
BACKUP_PATH="/etc/nginx/conf.d/log-format.conf.bak"
if [[ "$1" == "--rollback" ]]; then
echo "[ROLLBACK] 恢复默认 access_log..."
docker exec "$CONTAINER" bash -c "
if [[ -f $BACKUP_PATH ]]; then
mv $BACKUP_PATH $CONF_PATH
else
echo 'access_log /var/log/nginx/access.log;' > $CONF_PATH
fi
"
docker exec "$CONTAINER" nginx -t
docker exec "$CONTAINER" nginx -s reload
echo "[OK] 已回滚到默认 access_log"
exit 0
fi
echo "[1/5] 备份现有 log-format.conf(如有)..."
docker exec "$CONTAINER" bash -c "
if [[ -f $CONF_PATH ]]; then
cp $CONF_PATH $BACKUP_PATH
fi
"
echo "[2/5] 写入脱敏 log_format 配置..."
docker exec "$CONTAINER" bash -c "cat > $CONF_PATH << 'EOF'
# 自定义 access_log 格式 — 删除 Authorization/Cookie 等敏感 header
# 仅保留请求方法 + URI + 状态码 + 字节数 + UA + Referer
log_format secure \$remote_addr - \$remote_user [\$time_local] \"\$request_method \$uri \$server_protocol\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\";
# 应用:覆盖默认 access_log
access_log /var/log/nginx/access.log secure;
EOF
"
echo "[3/5] 验证配置文件..."
docker exec "$CONTAINER" cat $CONF_PATH
echo ""
echo "[4/5] nginx -t 验证语法..."
docker exec "$CONTAINER" nginx -t
echo ""
echo "[5/5] reload nginx(不中断连接)..."
docker exec "$CONTAINER" nginx -s reload
echo ""
echo "========================================"
echo "[OK] nginx access_log 脱敏已生效"
echo "========================================"
echo ""
echo "验证:tail 一下 access.log 看新格式"
echo " docker exec $CONTAINER tail -5 /var/log/nginx/access.log"
echo ""
echo "回滚:bash nginx-access-log-redact.sh --rollback"
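Review bot: The `log_format secure $remote_addr - $remote_user ...` line in the heredoc hands nginx each field as a separate unquoted word, and as I read nginx's log_format parsing the separate strings are concatenated with no separator, so `nginx -t` passes but the written entries come out with the fields glued together (address, user, timestamp, status and byte count all run into one token), which defeats the verification step at the end and any later log parsing. Wrapping the whole format in single quotes inside the heredoc, `log_format secure '$remote_addr - $remote_user [$time_local] "$request_method $uri $server_protocol" $status $body_bytes_sent "$http_referer" "$http_user_agent"';`, fixes that; the `\$` and `\"` escapes are still needed because the enclosing `bash -c "..."` string is double-quoted. The header comment should also be corrected: the default combined format never logged the Authorization or Cookie headers, and what this format actually removes is the query string, since `$uri` is the normalized path without `$args`, so the real effect is that tokens or identifiers passed as query parameters stop being logged. Finally, if the container's nginx.conf already declares `access_log /var/log/nginx/access.log main;` at http level, as the official image does, the directive written here does not replace it — nginx writes to every access_log declared at that level — so the unredacted `main` lines would keep being written alongside the new ones; please check the container's nginx.conf, and if that is the case the http-level directive itself has to be changed or removed rather than a second one added in conf.d.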