【更新】检测平台访问限制

Bacon-123 · Bacon-123 · commit 8e5f529abcec · 2025-05-20T17:24:52.000+08:00
diff --git a/dockerfile b/dockerfile
@@ -10,7 +10,9 @@ RUN apt-get update && apt-get install -y \
     && rm -rf /var/lib/apt/lists/*
 
 # 复制源代码
-COPY . .
+COPY --from=builder /build/shieldml_server /www/dk_project/dk_app/shieldml/
+COPY --from=builder /build/shieldml_scan.html /www/dk_project/dk_app/shieldml/
+COPY bt-shieldml /www/dk_project/dk_app/shieldml/
 
 # 安装Go依赖
 RUN go mod download
@@ -45,8 +47,8 @@ COPY bt-shieldml /www/dk_project/dk_app/shieldml/
 RUN chmod +x /www/dk_project/dk_app/shieldml/shieldml_server && \
     chmod +x /www/dk_project/dk_app/shieldml/bt-shieldml && \
     echo '{"results":[]}' > /www/dk_project/dk_app/shieldml/data/webshellJson.json && \
-    chmod 777 /www/dk_project/dk_app/shieldml/data/webshellJson.json && \
-    chmod 777 /www/dk_project/dk_app/shieldml/data
+    chmod 755 /www/dk_project/dk_app/shieldml/data/webshellJson.json && \
+    chmod 755 /www/dk_project/dk_app/shieldml/data
 
 # 暴露端口
 EXPOSE 6528
@@ -55,5 +57,9 @@ EXPOSE 6528
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
   CMD wget -qO- http://localhost:6528/shieldml_scan.html || exit 1
 
+# 创建非特权用户
+RUN groupadd -r shieldml && useradd -r -g shieldml shieldml
+USER shieldml
+
 # 启动服务
 CMD ["/www/dk_project/dk_app/shieldml/shieldml_server"]
diff --git a/shieldml_server.go b/shieldml_server.go
@@ -46,9 +46,41 @@ var scanLock sync.Mutex
 // 上次扫描时间
 var lastScanTime time.Time
 
+// 添加安全相关HTTP头
+func securityMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// 防止目录列表
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		// 防止点击劫持
+		w.Header().Set("X-Frame-Options", "DENY")
+		// XSS保护
+		w.Header().Set("X-XSS-Protection", "1; mode=block")
+		// 内容安全策略
+		w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; img-src 'self' data:;")
+		// 不缓存敏感页面
+		w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate")
+		next.ServeHTTP(w, r)
+	})
+}
+
 func main() {
+	// API路由
 	http.HandleFunc("/api/scan", scanHandler)
-	http.Handle("/", http.FileServer(http.Dir(".")))
+
+	// 静态文件处理
+	fileHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// 只允许访问shieldml_scan.html
+		if r.URL.Path == "/" || r.URL.Path == "/index.html" {
+			http.Redirect(w, r, "/shieldml_scan.html", http.StatusFound)
+		} else if r.URL.Path == "/shieldml_scan.html" {
+			http.ServeFile(w, r, "shieldml_scan.html")
+		} else {
+			http.Error(w, "拒绝访问", http.StatusForbidden)
+		}
+	})
+
+	// 应用安全中间件
+	http.Handle("/", securityMiddleware(fileHandler))
 
 	fmt.Println("服务已启动：http://localhost:6528/shieldml_scan.html")
 	http.ListenAndServe(":6528", nil)
