5.1 HTTPS Overview
5.1.1 Why HTTPS Is Needed
- Data encryption: protects sensitive data in transit
- Authentication: confirms that the server really is who it claims to be
- Data integrity: prevents data from being tampered with in transit
- SEO advantage: search engines rank HTTPS sites higher
- Browser requirements: modern browsers show a "Not secure" warning on HTTP sites
- Compliance: many industry standards require HTTPS
5.1.2 Caddy's HTTPS Features
- Automatic HTTPS: enabled by default for every site
- Automatic certificate management: obtains and renews SSL/TLS certificates without operator action
- Let's Encrypt integration: built-in Let's Encrypt ACME client
- Multiple CA support: works with several certificate authorities
- OCSP stapling: staples OCSP responses automatically
- Modern TLS: secure TLS settings by default
- HTTP/2 and HTTP/3: modern HTTP protocols enabled automatically
5.2 Automatic HTTPS Configuration
5.2.1 Basic Automatic HTTPS
```caddyfile
# Minimal configuration: HTTPS is enabled automatically
example.com {
    respond "Hello, HTTPS World!"
}

# Automatic HTTPS for several domains (Caddy obtains a certificate for each name)
example.com, www.example.com {
    file_server
}

# Wildcard subdomain (requires the DNS challenge, see 5.3.2)
*.example.com {
    respond "Wildcard HTTPS"
}
```
5.2.2 Disabling Automatic HTTPS
```caddyfile
# Disable automatic HTTPS globally (no certificates, no redirects)
{
    auto_https off
}
example.com {
    respond "HTTP only"
}

# Disable it for one site only: auto_https is a global option and is not valid
# inside a site block, so give that site an explicit http:// address instead
http://example.com {
    respond "HTTP only"
}

# Keep HTTPS but do not redirect HTTP to HTTPS (also a global option)
{
    auto_https disable_redirects
}
example.com {
    respond "HTTPS without redirect"
}
```
5.2.3 Forcing HTTPS Redirects
```caddyfile
# Automatic HTTP-to-HTTPS redirect (default behaviour)
example.com {
    file_server
}

# Custom redirect: send plain-HTTP requests for the apex to the www host
http://example.com {
    redir https://www.example.com{uri} 301
}
https://www.example.com {
    file_server
}
```
5.3 Certificate Management
5.3.1 Let's Encrypt Configuration
```caddyfile
# Default Let's Encrypt configuration: nothing to configure
example.com {
    file_server
}

# Customised ACME configuration
{
    # Contact email for the ACME account (a global option, not a tls subdirective)
    email admin@example.com
}
example.com {
    tls {
        # Let's Encrypt production endpoint
        ca https://acme-v02.api.letsencrypt.org/directory
        # Or the staging endpoint while testing, to stay clear of production rate limits
        # ca https://acme-staging-v02.api.letsencrypt.org/directory
    }
    file_server
}
```
5.3.2 DNS Challenge Configuration
```caddyfile
# DNS challenge (required for wildcard certificates). Needs the matching
# caddy-dns provider module compiled into Caddy, e.g. github.com/caddy-dns/cloudflare.
# Scope the API token to DNS edits on this zone only and keep it in the environment.
*.example.com {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
    respond "Wildcard certificate via DNS validation"
}

# Other DNS providers
example.com {
    tls {
        # Route 53 (github.com/caddy-dns/route53)
        dns route53 {
            access_key_id {env.AWS_ACCESS_KEY_ID}
            secret_access_key {env.AWS_SECRET_ACCESS_KEY}
            region us-east-1
        }
        # Or GoDaddy
        # dns godaddy {
        #     api_key {env.GODADDY_API_KEY}
        #     api_secret {env.GODADDY_API_SECRET}
        # }
    }
    file_server
}
```
5.3.3 Custom Certificates
```caddyfile
# Use your own certificate and key
example.com {
    tls /path/to/cert.pem /path/to/key.pem
    file_server
}

# Certificate file that already contains the intermediate chain
example.com {
    tls /path/to/fullchain.pem /path/to/privkey.pem
    file_server
}

# Client certificate authentication (mutual TLS)
example.com {
    tls /path/to/cert.pem /path/to/key.pem {
        client_auth {
            # Reject any connection that does not present a certificate signed by the trusted CA
            mode require_and_verify
            trusted_ca_cert_file /path/to/ca.pem
        }
    }
    file_server
}
```
5.3.4 Certificate Storage Configuration
```caddyfile
{
    # Custom certificate storage location (private keys live here: restrict
    # the directory to the Caddy service user)
    storage file_system {
        root /var/lib/caddy/certificates
    }
    # Or Redis storage for clustered deployments (requires the caddy-storage-redis module)
    # storage redis {
    #     host localhost:6379
    #     password {env.REDIS_PASSWORD}
    #     db 0
    # }
    # ACME settings
    acme_ca https://acme-v02.api.letsencrypt.org/directory
    email admin@example.com
}
example.com {
    file_server
}
```
5.4 TLS Configuration Tuning
5.4.1 TLS Versions and Cipher Suites
```caddyfile
example.com {
    tls {
        # Allowed TLS versions (Caddy's default minimum is already TLS 1.2)
        protocols tls1.2 tls1.3
        # Cipher suites for TLS 1.2; TLS 1.3 suites are fixed by Go and not configurable.
        # Caddy uses Go's suite names, so the ChaCha20 suites carry the _SHA256 suffix.
        ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        # Key exchange curves
        curves x25519 secp256r1 secp384r1
    }
    file_server
}
```
5.4.2 ALPN and Protocol Negotiation
```caddyfile
{
    # Global HTTP protocol settings
    servers {
        protocols h1 h2 h3
    }
}
example.com {
    tls {
        # ALPN identifiers offered to clients. Caddy sets these automatically; override
        # only to restrict negotiation. The ALPN token for HTTP/1.1 is "http/1.1", not "h1".
        alpn h2 http/1.1
    }
    file_server
}
```
5.4.3 OCSP Stapling
```caddyfile
example.com {
    tls {
        # OCSP stapling is enabled by default for every managed certificate and
        # needs no configuration. Stock Caddy has no ocsp_stapling subdirective,
        # so the settings below are illustrative only and are left commented out.
        # ocsp_stapling on
        # ocsp_stapling {
        #     responder_timeout 10s
        #     cache_timeout 1h
        # }
    }
    file_server
}
```
5.5 Security Header Configuration
5.5.1 Basic Security Headers
```caddyfile
example.com {
    # Basic security headers
    header {
        # Force HTTPS for one year including subdomains; add "preload" only once
        # the domain has been submitted to the HSTS preload list
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Prevent clickjacking
        X-Frame-Options "DENY"
        # Prevent MIME-type sniffing
        X-Content-Type-Options "nosniff"
        # Legacy XSS filter header (ignored by current browsers; CSP is the real control)
        X-XSS-Protection "1; mode=block"
        # Referrer policy
        Referrer-Policy "strict-origin-when-cross-origin"
        # Permissions policy
        Permissions-Policy "geolocation=(), microphone=(), camera=()"
    }
    file_server
}
```
5.5.2 Content Security Policy (CSP)
```caddyfile
example.com {
    header {
        # Basic CSP. 'unsafe-inline' in script-src largely defeats the XSS protection
        # CSP is meant to give; replace it with nonces or hashes where possible.
        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
        # Or a stricter CSP
        # Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; frame-ancestors 'none'"
    }
    file_server
}
```
5.5.3 Conditional Security Headers
```caddyfile
example.com {
    # Default security headers. header directives run in the order written, so the
    # defaults come first and the per-path blocks below override them.
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
    }
    # Different security headers per path
    @api {
        path /api/*
    }
    header @api {
        # API-specific headers
        Content-Security-Policy "default-src 'none'"
        X-Frame-Options "DENY"
        Access-Control-Allow-Origin "https://app.example.com"
    }
    @static {
        path /static/* /assets/*
    }
    header @static {
        # Caching and security headers for static assets
        Cache-Control "public, max-age=31536000, immutable"
        X-Content-Type-Options "nosniff"
    }
    file_server
}
```
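The header blocks in 5.5.1 to 5.5.3 are easy to get subtly wrong (a short HSTS max-age, `'unsafe-inline'` left in `script-src`, no framing protection at all). The following script is an added example, not part of the chapter or of Caddy: it parses a Content-Security-Policy value into directives and audits a response-header set against the rules the chapter recommends. The header dictionaries are constructed to mirror the chapter's basic and strict policies; the finding strings and the one-year HSTS threshold are this example's own choices.

```python
"""Audit HTTP response headers against the chapter's hardening rules.
Added example (not Caddy code); the header dicts below are constructed."""
import re

ONE_YEAR = 31536000  # seconds; the HSTS max-age the chapter recommends


def parse_csp(value):
    """Parse a Content-Security-Policy string into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a sorted list of findings for a response-header dict.
    Header names are compared case-insensitively, as browsers do."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    csp_raw = h.get("content-security-policy")
    if csp_raw is None:
        findings.append("CSP missing")
    else:
        csp = parse_csp(csp_raw)
        # script-src falls back to default-src when it is not set explicitly
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows inline scripts")
        if "'unsafe-eval'" in script_src:
            findings.append("CSP allows eval")
        framing_ok = "frame-ancestors" in csp or \
            h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
        if not framing_ok:
            findings.append("no framing protection (frame-ancestors or X-Frame-Options)")
        if "base-uri" not in csp:
            findings.append("CSP lacks base-uri")
    return sorted(findings)


# Constructed samples mirroring the chapter's basic and strict policies
BASIC_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' "
                               "https://cdn.jsdelivr.net; frame-ancestors 'none'; base-uri 'self'",
}
STRICT_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'; "
                               "frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("basic", BASIC_HEADERS), ("strict", STRICT_HEADERS)):
        print(name, audit_headers(hdrs) or ["no findings"])
```

Run it against the headers of a live deployment by filling the dict from `curl -sI https://example.com` output; the basic policy reports only the inline-script allowance, the strict one only the missing `base-uri`.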
5.6 Access Control and Authentication
5.6.1 Basic Authentication
```caddyfile
# HTTP basic authentication (credentials travel in every request, so this is
# only acceptable over HTTPS, which Caddy enforces by default)
example.com {
    basicauth {
        # username followed by a bcrypt hash; generate hashes with `caddy hash-password`
        admin $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNqq9qB6FY9gZKOOdOoKw6Uw.
        # placeholder hash, not a real one
        user $2a$14$X1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOP.
    }
    file_server
}

# Authentication for a specific path only
example.com {
    @admin {
        path /admin/*
    }
    basicauth @admin {
        admin $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNqq9qB6FY9gZKOOdOoKw6Uw.
    }
    file_server
}
```
5.6.2 IP Allowlist / Blocklist
```caddyfile
example.com {
    # IP allowlist. Caddyfile has no "respond not @matcher" form; the negation goes
    # into the named matcher. remote_ip is the TCP peer address: behind a proxy or
    # CDN use the client_ip matcher together with the trusted_proxies global option.
    @not_allowed {
        not remote_ip 192.168.1.0/24 10.0.0.0/8 172.16.0.0/12
    }
    # Deny every client outside the allowlist
    respond @not_allowed "Access denied" 403

    # Or an IP blocklist
    @blocked_ips {
        remote_ip 192.168.100.100 10.0.0.50
    }
    respond @blocked_ips "Access denied" 403
    file_server
}
```
5.6.3 Geographic Restrictions
```caddyfile
# Country codes arrive in the CF-IPCountry header that Cloudflare sets. The header
# is only trustworthy when Cloudflare sits in front of this server and the origin
# accepts connections from Cloudflare's IP ranges alone; otherwise any client can
# set it. The header matcher takes one value per line; repeated lines are ORed.
example.com {
    # Block by country
    @blocked_countries {
        header CF-IPCountry CN
        header CF-IPCountry RU
    }
    respond @blocked_countries "Access denied from your country" 403

    # Or allow only specific countries
    @not_allowed_countries {
        not {
            header CF-IPCountry US
            header CF-IPCountry CA
            header CF-IPCountry GB
        }
    }
    respond @not_allowed_countries "Access denied" 403
    file_server
}
```
5.6.4 JWT Authentication
```caddyfile
# JWT validation requires a third-party module; the syntax below is that of the
# chapter's chosen jwt plugin and does not parse in stock Caddy
example.com {
    @jwt_protected {
        path /api/*
    }
    jwt @jwt_protected {
        primary yes
        trusted_tokens {
            # shared HMAC secret read from the environment, never written into the Caddyfile
            static_secret {env.JWT_SECRET}
        }
        auth_url /auth/login
        forbidden_url /auth/forbidden
    }
    file_server
}
```
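Whatever module performs the JWT check above, the work it has to do is the same: pin the algorithm, verify the HMAC in constant time and enforce the expiry before trusting any claim. The following is an added example, not part of the chapter or of any Caddy JWT plugin, implementing HS256 verification with the standard library alone; the secret and claims are constructed for the demonstration (in Caddy the secret would come from `{env.JWT_SECRET}`).

```python
"""HS256 JWT verification with the checks a token middleware must perform.
Added example (not Caddy or plugin code); SECRET and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret):
    """Create a token; used here only to produce input for verification."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token, secret, now=None):
    """Return (True, claims) or (False, reason). The algorithm is pinned, the
    MAC is compared in constant time and exp/nbf are enforced before any
    claim is handed back to the caller."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad JSON and a wrong segment count
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # Never let the token choose the algorithm ("none", key-confusion attacks)
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if "exp" not in claims:
        return False, "missing exp"
    if now >= claims["exp"]:
        return False, "expired"
    if now < claims.get("nbf", 0):
        return False, "not yet valid"
    return True, claims


SECRET = b"constructed-demo-secret"  # constructed; never hard-code a real one

if __name__ == "__main__":
    tok = sign_hs256({"sub": "alice", "exp": int(time.time()) + 300}, SECRET)
    print(verify_hs256(tok, SECRET))
```

Note that a missing `exp` is rejected outright: a token without an expiry is valid forever, which is rarely what the issuer intended.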
5.7 Rate Limiting and DDoS Protection
5.7.1 Basic Rate Limiting
```caddyfile
# Rate limiting is not built into Caddy. This uses the syntax of the
# github.com/mholt/caddy-ratelimit module: each zone has a key (what the budget
# is counted per), a number of events and a sliding window.
example.com {
    rate_limit {
        # Per-IP limit for the whole site
        zone general {
            key    {remote_host}
            events 100
            window 1m
        }
        # Stricter limit for API endpoints
        zone api {
            match {
                path /api/*
            }
            key    {remote_host}
            events 30
            window 1m
        }
    }
    # The module answers over-limit requests with 429 and a Retry-After header;
    # the status code and body are not configurable in the Caddyfile
    file_server
}
```
5.7.2 Advanced Rate-Limiting Policies
```caddyfile
example.com {
    rate_limit {
        # Per-user limit for authenticated requests, keyed on an identity header.
        # Only key on X-User-ID if an upstream auth layer sets it; a client-supplied
        # value lets the client pick its own bucket.
        zone users {
            match {
                header Authorization *
            }
            key    {http.request.header.X-User-ID}
            events 1000
            window 1h
        }
        # Per-IP limit for unauthenticated requests
        zone anonymous {
            match {
                not header Authorization *
            }
            key    {remote_host}
            events 100
            window 1h
        }
        # Tight limit on the login endpoint to slow down credential stuffing.
        # (A custom "Too many login attempts" body is not configurable; the
        # module returns 429.)
        zone login {
            match {
                path /auth/login
                method POST
            }
            key    {remote_host}
            events 5
            window 5m
        }
    }
    file_server
}
```
5.7.3 DDoS Mitigation
```caddyfile
# Slow-request (slowloris-style) clients are handled by the server timeouts,
# which are global options rather than request matchers
{
    servers {
        timeouts {
            read_header 30s
            read_body   60s
            idle        2m
        }
    }
}
example.com {
    # Connection limiting: stock Caddy has no remote_ip_connections matcher, so
    # per-IP connection caps belong in the firewall or load balancer in front of
    # Caddy. Illustrative only:
    # @high_connections {
    #     remote_ip_connections > 10
    # }
    # respond @high_connections "Too many connections" 429

    # Limit request body size
    request_body {
        max_size 10MB
    }
    # Filter abusive User-Agent strings. The header is client-controlled, so treat
    # this as a noise filter, not a security control. Each header line is one
    # value; repeated lines for the same field are ORed.
    @bad_bots {
        header User-Agent *bot*
        header User-Agent *crawler*
        header User-Agent *spider*
        not header User-Agent *Googlebot*
        not header User-Agent *Bingbot*
    }
    respond @bad_bots "Access denied" 403
    file_server
}
```
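The zone / key / events / window model in 5.7.1 and 5.7.2 is a sliding-window counter per key. The following added example (not part of the chapter or of the caddy-ratelimit module) implements that model in Python so a policy such as the login zone (5 events per 5 minutes) can be reasoned about before deployment. The zone names and limits come from the chapter's configuration; the client address is constructed.

```python
"""Sliding-window rate limiter with the zone/key/events/window semantics of the
chapter's rate_limit blocks. Added example; not caddy-ratelimit's code."""
from collections import defaultdict, deque


class RateLimiter:
    def __init__(self):
        # zone -> {key -> deque of event timestamps still inside the window}
        self._events = defaultdict(lambda: defaultdict(deque))
        self._zones = {}

    def add_zone(self, name, events, window):
        """Allow at most `events` requests per key within any `window` seconds."""
        self._zones[name] = (events, window)

    def check(self, zone, key, now):
        """Record one request and return (allowed, retry_after_seconds)."""
        limit, window = self._zones[zone]
        q = self._events[zone][key]
        # Drop timestamps that have slid out of the window
        while q and now - q[0] >= window:
            q.popleft()
        if len(q) >= limit:
            # The oldest event still in the window decides when capacity returns
            return False, window - (now - q[0])
        q.append(now)
        return True, 0.0


def login_zone_demo():
    """Replay seven POST /auth/login attempts from one constructed IP, one per
    second, against the 5-per-5-minute login zone, then one more attempt after
    the window has moved on. Returns (decisions, allowed_later)."""
    rl = RateLimiter()
    rl.add_zone("login", events=5, window=300)
    ip = "203.0.113.7"  # constructed client address
    decisions = [rl.check("login", ip, now=t)[0] for t in range(7)]
    allowed_later = rl.check("login", ip, now=301)[0]
    return decisions, allowed_later


if __name__ == "__main__":
    print(login_zone_demo())
```

The sixth and seventh attempts are refused; at t=301 the two oldest events have aged out, so the client is admitted again. Keys are independent, which is why keying the login zone on the client address rather than on the username stops a single source without locking out the legitimate user.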
5.8 Web Application Firewall (WAF)
5.8.1 Basic WAF Rules
```caddyfile
# Pattern-matching "WAF" rules. These are blunt: they produce false positives
# (any URL containing "select") and are easy to evade, so a real WAF engine such
# as the coraza-caddy module (OWASP Core Rule Set) is the proper tool. Stock Caddy
# has no query_regexp matcher and its query matcher only compares key=value pairs,
# so the query string is inspected through a CEL expression matcher instead.
example.com {
    # SQL keyword detection in path or query string
    @sql_injection {
        expression `path_regexp("(?i)(union|select|insert|delete|drop)") || {http.request.uri.query}.matches("(?i)(union|select|insert|delete|drop)")`
    }
    respond @sql_injection "Malicious request detected" 403
    # Script-tag and event-handler detection
    @xss_attempt {
        expression `path_regexp("(?i)(<script|javascript:|onload=|onerror=)") || {http.request.uri.query}.matches("(?i)(<script|javascript:|onload=|onerror=)")`
    }
    respond @xss_attempt "Malicious request detected" 403
    # Path traversal. Caddy's path matcher works on the cleaned, decoded path, so
    # dot-dot segments are resolved before a "*../*" rule ever sees them; the raw
    # request URI is checked instead.
    @path_traversal {
        expression `{http.request.uri}.contains("../") || {http.request.uri}.contains("..\\") || {http.request.uri}.matches("(?i)%2e%2e")`
    }
    respond @path_traversal "Access denied" 403
    file_server
}
```
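The traversal rule above hints at the general problem with matching on raw strings: `../` may arrive percent-encoded, double-encoded or with backslashes, and a rule that looks for the literal text misses all three while flagging harmless paths that merely contain `../`. The following added example (not part of the chapter or of Caddy's own path cleaning) shows the defender's approach: canonicalise the path first, then decide whether it escapes the document root. The sample requests are constructed.

```python
"""Canonicalise request paths before applying traversal rules.
Added example; not Caddy code. SAMPLE_REQUESTS are constructed."""
import posixpath
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bound the unwrapping of nested percent-encoding


def _decode(raw):
    """Strip the query string, percent-decode until the text stops changing
    (bounded) and unify path separators."""
    path = raw.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def normalize_path(raw):
    """Canonical absolute path with dot segments resolved."""
    path = _decode(raw)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def escapes_root(raw):
    """True when the decoded path tries to climb above the document root.
    The segments are walked by hand: normpath silently clamps '/../x' to
    '/x', which would hide the attempt instead of reporting it."""
    depth = 0
    for seg in _decode(raw).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def naive_match(raw):
    """What a literal '*../*' style rule sees: only the raw string."""
    return "../" in raw or "..\\" in raw


SAMPLE_REQUESTS = [  # constructed
    "/static/css/site.css",
    "/static/a/../b.css",
    "/static/../../etc/passwd",
    "/static/%2e%2e/%2e%2e/etc/passwd",
    "/static/..%5c..%5cwindows/win.ini",
    "/%252e%252e/%252e%252e/secret",
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{r:40} naive={naive_match(r)!s:5} escapes={escapes_root(r)}")
```

The second request is a false positive for the naive rule (it never leaves `/static`), and the last three are misses; `escapes_root` gets all six right, which is the behaviour a file server or WAF needs before any pattern rule is worth applying.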
5.8.2 Advanced WAF Configuration
```caddyfile
example.com {
    # Upload endpoint
    @file_upload {
        path /upload/*
        method POST
    }
    # A directive takes a single matcher, so the upload check is nested in a handle
    # block for the upload route. Content-Type and file names are client-supplied
    # hints: the upload backend must still validate the stored file itself.
    handle @file_upload {
        @dangerous_files {
            header Content-Type *application/x-executable*
            header Content-Type *application/x-msdownload*
        }
        respond @dangerous_files "File type not allowed" 403
        @dangerous_names {
            path *.exe *.bat *.cmd *.scr
        }
        respond @dangerous_names "File type not allowed" 403
        # the upload handler itself goes here
    }
    # Restrict request methods
    @dangerous_methods {
        method TRACE TRACK CONNECT
    }
    respond @dangerous_methods "Method not allowed" 405
    # Protect sensitive files
    @sensitive_files {
        path *.env *.config *.log *.bak *.sql *.git/*
    }
    respond @sensitive_files "Access denied" 403
    file_server {
        # Second line of defence: hide them from listings and from being served at all
        hide .env .git .config *.log *.bak
    }
}
```
5.8.3 Custom WAF Rules
```caddyfile
example.com {
    # Custom malicious-pattern detection. The lines of a named matcher are ANDed
    # and there is no "or" block, so the alternatives are combined in one CEL
    # expression; the query string is inspected via the {http.request.uri.query}
    # placeholder because stock Caddy has no query_regexp matcher.
    @malicious_patterns {
        expression `path_regexp("(?i)(union|select|insert|delete|drop|exec|script)") || {http.request.uri.query}.matches("(?i)(union|select|insert|delete|drop|exec|script)") || header_regexp("User-Agent", "(?i)(sqlmap|nikto|nmap|masscan)")`
    }
    # Record matching requests. log takes no matcher and cannot write a separate
    # file per rule; instead tag the access-log entry (log_append, Caddy 2.8+) so
    # it can be filtered downstream.
    log_append @malicious_patterns waf_rule malicious_patterns
    respond @malicious_patterns "Security violation detected" 403
    # Honeypot endpoint: nothing legitimate asks for /admin.php
    handle /admin.php {
        log_append honeypot admin.php
        respond "Not found" 404
    }
    log {
        output file /var/log/caddy/waf.log
        format json
    }
    file_server
}
```
5.9 Monitoring and Logging
5.9.1 Security Log Configuration
```caddyfile
example.com {
    # Detailed security log. There is no include option: Caddy's JSON access log
    # already records the method, URI, request headers (User-Agent,
    # X-Forwarded-For, ...), response status and the TLS version and cipher
    # suite of every request.
    log {
        output file /var/log/caddy/security.log {
            roll_size 100mb
            roll_keep 30
        }
        format json
        level INFO
    }
    # Separate logger for errors (5xx responses and handler errors)
    log error {
        output file /var/log/caddy/security-errors.log
        level ERROR
    }
    file_server
}
```
5.9.2 Real-Time Monitoring
```caddyfile
{
    servers {
        # Enable per-request Prometheus metrics (Caddy 2.7+)
        metrics
    }
}
example.com {
    # Liveness endpoint
    handle /health {
        respond "OK" 200
    }
    # Prometheus scrape endpoint, protected with basic auth (or restricted by IP)
    handle /metrics {
        basicauth {
            monitor $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNqq9qB6FY9gZKOOdOoKw6Uw.
        }
        metrics
    }
    # Security-event counting: stock Caddy has no status matcher outside
    # reverse_proxy and no metrics_increment handler. Count 403/429 responses on
    # the Prometheus side instead, e.g. from
    # caddy_http_request_duration_seconds_count, which carries a code label:
    #   sum(rate(caddy_http_request_duration_seconds_count{code=~"403|429"}[5m]))
    file_server
}
```
5.9.3 Alerting
```caddyfile
# Stock Caddy has no rate, remote_ip_connections or status matchers and no exec
# handler, so the rules below are pseudo-configuration that shows the intended
# logic only. Implement it by shipping the JSON access log (5.9.1) to an
# alerting pipeline, or with a custom module.
example.com {
    # Alert on a burst of 403 responses
    # @high_security_events {
    #     status 403
    #     rate > 10r/m
    # }
    # handle_response @high_security_events {
    #     exec /usr/local/bin/send-alert.sh "High security events detected"
    # }

    # Alert on a DDoS pattern
    # @ddos_pattern {
    #     rate > 1000r/m
    #     remote_ip_connections > 50
    # }
    # handle_response @ddos_pattern {
    #     exec /usr/local/bin/ddos-alert.sh {remote_host}
    # }
    file_server
}
```
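Since the alert conditions in 5.9.3 cannot be expressed as Caddy matchers, the practical route is the one 5.9.1 sets up: read the JSON access log and look for bursts of 403/429 responses from one client. The following added example (not part of the chapter or of Caddy) does that over log lines constructed in the shape of Caddy's access-log records (`logger`, `ts`, `request.remote_ip`, `request.uri`, `status`); the threshold and window are this example's assumptions, and `remote_ip` is the TCP peer, so behind a proxy the `client_ip` field should be read instead.

```python
"""Flag clients with a burst of 403/429 responses in Caddy's JSON access log.
Added example; not Caddy code. SAMPLE_LOG is constructed in Caddy's log shape."""
import json
from collections import defaultdict

SECURITY_STATUSES = {403, 429}


def parse_access_log(lines):
    """Yield (timestamp, remote_ip, status, uri) for each access-log record,
    skipping lines that are not JSON or that come from other loggers."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("logger") != "http.log.access":
            continue
        req = rec.get("request", {})
        yield rec["ts"], req.get("remote_ip"), rec.get("status"), req.get("uri")


def find_offenders(lines, threshold, window):
    """Return {ip: peak_count} for clients with more than `threshold` security
    responses inside any `window`-second span (sliding window over sorted ts)."""
    per_ip = defaultdict(list)
    for ts, ip, status, _ in parse_access_log(lines):
        if status in SECURITY_STATUSES and ip:
            per_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # Advance the window start until the span fits inside `window`
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders


def _entry(ts, ip, status, uri):
    """Build one constructed access-log line."""
    return json.dumps({
        "level": "info", "ts": ts, "logger": "http.log.access",
        "msg": "handled request",
        "request": {"remote_ip": ip, "method": "GET", "uri": uri,
                    "headers": {"User-Agent": ["constructed/1.0"]}},
        "status": status,
    })


# Constructed sample: one scanner probing blocked paths, one ordinary client,
# one non-JSON line and one record from a different logger
SAMPLE_LOG = [_entry(1700000000 + i, "203.0.113.9", 403, f"/admin/{i}") for i in range(12)] + [
    _entry(1700000005, "198.51.100.4", 200, "/"),
    _entry(1700000006, "198.51.100.4", 403, "/.env"),
    "not json at all",
    json.dumps({"level": "info", "ts": 1700000007, "logger": "tls", "msg": "unrelated"}),
]

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG, threshold=10, window=60))
```

Point it at `/var/log/caddy/security.log` with `open(...)` in place of `SAMPLE_LOG`; the ordinary client with a single 403 never appears, and the scanner is reported with its peak count so the alert message can state how far over the threshold it went.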
5.10 Case Studies
5.10.1 High-Security Corporate Website
```caddyfile
# High-security corporate website. rate_limit needs the caddy-ratelimit module;
# everything else is stock Caddy.
www.company.com {
    # HTTP-to-HTTPS redirection is automatic; a redir line inside the HTTPS site
    # block would be parsed as a path matcher and is not needed

    # Hardened TLS
    tls {
        protocols tls1.2 tls1.3
        ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        curves x25519 secp256r1 secp384r1
        alpn h2 http/1.1
    }
    # Comprehensive security headers
    header {
        # HSTS
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Clickjacking protection
        X-Frame-Options "DENY"
        # MIME-sniffing protection
        X-Content-Type-Options "nosniff"
        # Legacy XSS filter header
        X-XSS-Protection "1; mode=block"
        # Referrer policy
        Referrer-Policy "strict-origin-when-cross-origin"
        # CSP
        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
        # Permissions policy
        Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), speaker=()"
        # Remove server fingerprinting headers
        -Server
        -X-Powered-By
    }
    # Rate limiting (caddy-ratelimit module)
    rate_limit {
        zone general {
            key    {remote_host}
            events 300
            window 1m
        }
        # Tight limit for the admin area
        zone admin {
            match {
                path /admin/*
            }
            key    {remote_host}
            events 10
            window 5m
        }
    }
    # WAF-style rules, ORed in a CEL expression (see 5.8.3 for why)
    @malicious {
        expression `path_regexp("(?i)(union|select|insert|delete|drop|exec|script)") || {http.request.uri.query}.matches("(?i)(union|select|insert|delete|drop|exec|script|alert|prompt|confirm)") || header_regexp("User-Agent", "(?i)(sqlmap|nikto|nmap|masscan|burp|owasp)") || {http.request.uri}.contains("../") || {http.request.uri}.contains("..\\") || {http.request.uri}.matches("(?i)%2e%2e")`
    }
    respond @malicious "Access denied" 403
    # Sensitive files: answer 404 so their existence is not confirmed. /admin/* is
    # served by the route below (route runs before respond), so it is not listed here.
    @sensitive {
        path *.env *.config *.log *.bak *.sql /.git/* /.well-known/security.txt
    }
    respond @sensitive "Not found" 404
    # Admin area. route keeps the written order, so the IP check runs before the
    # basic-auth challenge (in a handle block Caddy would reorder them).
    @admin {
        path /admin/*
    }
    route @admin {
        # IP allowlist
        @not_admin_ip {
            not remote_ip 192.168.1.0/24 10.0.0.0/8
        }
        respond @not_admin_ip "Access denied" 403
        # Basic auth
        basicauth {
            admin $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNqq9qB6FY9gZKOOdOoKw6Uw.
        }
        file_server {
            root /var/www/admin
        }
    }
    # Static asset optimisation
    @static {
        path /assets/* /css/* /js/* /images/*
    }
    handle @static {
        header {
            Cache-Control "public, max-age=31536000, immutable"
            Vary "Accept-Encoding"
        }
        # Brotli is not built into Caddy; zstd and gzip are
        encode zstd gzip
        file_server
    }
    # Main site
    file_server {
        root /var/www/html
        hide .git .env .htaccess
    }
    # Security log (the JSON access log already carries method, URI, headers,
    # status and TLS details; see 5.9.1)
    log {
        output file /var/log/caddy/security.log {
            roll_size 100mb
            roll_keep 30
        }
        format json
    }
}
# Redirect the apex to www
company.com {
    redir https://www.company.com{uri} 301
}
```
5.10.2 API Security Configuration
```caddyfile
# Secure API service (rate_limit needs the caddy-ratelimit module)
api.example.com {
    # Hardened TLS with optional client certificates
    tls {
        protocols tls1.2 tls1.3
        client_auth {
            # request: ask for a client certificate but do not require one;
            # use require_and_verify to make mutual TLS mandatory
            mode request
            trusted_ca_cert_file /etc/ssl/ca.pem
        }
    }
    # API security headers
    header {
        # Strict CSP (an API returns no HTML, so nothing may load)
        Content-Security-Policy "default-src 'none'; frame-ancestors 'none'"
        # HSTS
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        # Other security headers
        X-Frame-Options "DENY"
        X-Content-Type-Options "nosniff"
        Referrer-Policy "no-referrer"
        # API-specific header
        X-API-Version "v1"
        # CORS (adjust to the real front-end origin; never combine * with credentials)
        Access-Control-Allow-Origin "https://app.example.com"
        Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
        Access-Control-Allow-Headers "Content-Type, Authorization, X-API-Key"
        Access-Control-Max-Age "86400"
    }
    # CORS preflight
    @cors_preflight {
        method OPTIONS
    }
    handle @cors_preflight {
        respond 204
    }
    # API key required. respond takes no header block, so the JSON content type
    # is set by a header directive with the same matcher.
    @api_key_required {
        not header X-API-Key *
    }
    header @api_key_required Content-Type "application/json"
    respond @api_key_required `{"error": "API key required"}` 401
    # Rate limits
    rate_limit {
        # Per-key limit for authenticated requests
        zone api_auth {
            match {
                header X-API-Key *
            }
            key    {http.request.header.X-API-Key}
            events 1000
            window 1h
        }
        # Per-IP limit for requests without a key
        zone api_unauth {
            match {
                not header X-API-Key *
            }
            key    {remote_host}
            events 100
            window 1h
        }
    }
    # WAF-style rules. Stock Caddy cannot regex-match the request body (the
    # original request_body_regexp rule); body inspection needs a WAF module
    # such as coraza-caddy.
    @api_attacks {
        expression `{http.request.uri.query}.matches("(?i)(union|select|insert|delete|drop|exec)") || header_regexp("User-Agent", "(?i)(sqlmap|nikto|scanner)")`
    }
    header @api_attacks Content-Type "application/json"
    respond @api_attacks `{"error": "Malicious request detected"}` 403
    # Request size limit
    request_body {
        max_size 1MB
    }
    # Proxy to the backend API
    reverse_proxy localhost:8080 {
        # Caddy sets X-Forwarded-For and X-Forwarded-Proto itself; header_up
        # replaces any client-supplied value, so the backend can trust these
        header_up X-Real-IP {remote_host}
        # Pass the client certificate (PEM) to the backend for identity checks
        header_up X-Client-Cert {tls_client_certificate_pem}
        # Health checks
        health_uri /health
        health_interval 30s
    }
    # API access log. The API key is a credential, so it is filtered out of the
    # log before it reaches disk; method, URI, User-Agent, status and duration
    # are part of every JSON access-log record already.
    log {
        output file /var/log/caddy/api-access.log {
            roll_size 100mb
            roll_keep 30
        }
        format filter {
            wrap json
            fields {
                request>headers>X-API-Key delete
            }
        }
    }
}
```
5.10.3 Layered Security Defence
```caddyfile
# Layered defence. Directives that stock Caddy lacks are called out where they
# occur; rate_limit is the caddy-ratelimit module, forward_auth is built in.
secure.example.com {
    # Layer 1: network-level controls
    # Geographic restriction (CF-IPCountry is only trustworthy behind Cloudflare,
    # see 5.6.3; one value per header line, repeated lines are ORed)
    @blocked_countries {
        header CF-IPCountry CN
        header CF-IPCountry RU
        header CF-IPCountry KP
        header CF-IPCountry IR
    }
    respond @blocked_countries "Access denied from your location" 403
    # IP reputation list. There is no remote_ip_in_file matcher; keep the list in
    # a file that holds Caddyfile tokens (a line such as
    # `remote_ip 203.0.113.0/24 198.51.100.7`) and import it into the matcher.
    @known_bad_ips {
        import /etc/caddy/blacklist.txt
    }
    respond @known_bad_ips "Access denied" 403

    # Layer 2: application-level controls
    # Advanced WAF-style rules ORed in a CEL expression (5.8.3). CEL raw strings
    # (r"...") keep the regex backslashes literal. Caddy's path matcher works on
    # the cleaned path, so traversal is checked on the raw request URI.
    @advanced_threats {
        expression `path_regexp(r"(?i)(union\s+select|insert\s+into|delete\s+from|drop\s+table)") || {http.request.uri.query}.matches(r"(?i)(union\s+select|insert\s+into|delete\s+from|drop\s+table)") || {http.request.uri.query}.matches(r"(?i)(<script[^>]*>|javascript:|onload\s*=|onerror\s*=)") || {http.request.uri.query}.matches(r"(?i)(;\s*cat\s+|;\s*ls\s+|;\s*id\s*;|\|\s*cat\s+)") || {http.request.uri}.matches(r"(?i)(\.\./|\.\.\\|%2e%2e%2f|%2e%2e%5c)") || header_regexp("User-Agent", "(?i)(sqlmap|nikto|nmap|masscan|burpsuite|owasp|acunetix)")`
    }
    # Tag and block (log takes no matcher; log_append, Caddy 2.8+, marks the
    # access-log record so the threats can be filtered out downstream)
    log_append @advanced_threats threat advanced
    respond @advanced_threats "Security violation detected" 403

    # Layer 3: behavioural analysis. Stock Caddy has no rate, request_body_size,
    # header_count or path_sequence matchers. The request-rate rule maps onto a
    # rate-limit zone; the others need a custom module or offline log analysis.
    rate_limit {
        # More than 100 requests per minute from one address is throttled
        zone suspicious {
            key    {remote_host}
            events 100
            window 1m
        }
        # Strict limit on the sensitive-data endpoints (layer 5), keyed per
        # credential
        zone sensitive {
            match {
                path /api/users/* /api/payments/* /api/personal/*
            }
            key    {http.request.header.Authorization}
            events 50
            window 1h
        }
    }
    # Illustrative only (not valid Caddyfile):
    # @suspicious_behavior {
    #     request_body_size > 10MB
    #     header_count > 50
    #     path_sequence "/admin /config /backup"
    # }

    # Layer 4: authentication and authorisation
    @mfa_required {
        path /secure/* /admin/* /api/sensitive/*
    }
    route @mfa_required {
        # First factor: basic auth
        basicauth {
            admin $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNqq9qB6FY9gZKOOdOoKw6Uw.
        }
        # Second factor: forward_auth sends the request headers (X-MFA-Token
        # included) to the verifier and continues only on a 2xx reply; any other
        # status, e.g. 403 for a missing or invalid token, is relayed to the
        # client. This replaces the reverse_proxy/handle_response construction,
        # which is not valid Caddyfile.
        forward_auth localhost:9000 {
            uri /verify-mfa
        }
        file_server {
            root /var/www/secure
        }
    }

    # Layer 5: data protection
    @sensitive_data {
        path /api/users/* /api/payments/* /api/personal/*
    }
    handle @sensitive_data {
        # Never cache responses that carry personal data
        header {
            Cache-Control "no-store, no-cache, must-revalidate"
            Pragma "no-cache"
            Expires "0"
        }
        # Audit trail: log cannot be nested in a handle block, so these requests
        # are tagged in the site-wide access log instead
        log_append audit sensitive_data
        reverse_proxy localhost:8080
    }
    # Default handling
    file_server {
        root /var/www/secure
        hide .* *.config *.log *.bak
    }
    # Comprehensive security log; the Authorization header is a credential and
    # is removed before the record reaches disk
    log {
        output file /var/log/caddy/security-comprehensive.log {
            roll_size 100mb
            roll_keep 90
        }
        format filter {
            wrap json
            fields {
                request>headers>Authorization delete
            }
        }
        level INFO
    }
}
```
Chapter Summary
In this chapter we covered Caddy's HTTPS and security configuration in depth:
- HTTPS fundamentals: why HTTPS matters and how Caddy's automatic HTTPS works
- Certificate management: Let's Encrypt, DNS validation and custom certificates
- TLS tuning: TLS versions, cipher suites, OCSP stapling and related settings
- Security headers: configuring the common security headers and their best practices
- Access control: authentication, IP restrictions and geographic restrictions
- Rate limiting and protection: rate limiting and DDoS mitigation
- WAF configuration: implementing web application firewall rules
- Monitoring and logging: security monitoring and log configuration
- Case studies: enterprise-grade security configurations worked through end to end
After working through this chapter you should be able to:
- Configure a high-security HTTPS service
- Implement comprehensive web application protection
- Design a layered security architecture
- Monitor and respond to security events
- Meet enterprise security compliance requirements
Exercises
Basic Exercises
HTTPS Configuration
- Configure automatic HTTPS and certificate management
- Implement the HTTP-to-HTTPS redirect
- Configure custom TLS settings
Security Headers
- Configure the basic security headers
- Implement a Content Security Policy (CSP)
- Set up conditional security headers
Access Control
- Configure basic authentication
- Implement an IP allowlist/blocklist
- Set up path-based access control
Advanced Exercises
Rate Limiting and Protection
- Configure a multi-tier rate-limiting policy
- Implement DDoS mitigation
- Set up anomalous-behaviour detection
WAF Rules
- Create custom WAF rules
- Implement malicious-request detection
- Configure file-upload security
Certificate Management
- Configure a wildcard certificate with DNS validation
- Implement client certificate authentication
- Set up certificate monitoring and alerting
Hands-On Exercises
Enterprise Security Architecture
- Design a complete enterprise security configuration
- Implement multi-factor authentication
- Configure security auditing and compliance
API Security
- Build a secure API gateway
- Implement API key management
- Configure API rate limiting and monitoring
Security Operations
- Build a security monitoring system
- Implement automated security response
- Configure security event alerting
In the next chapter we will look at Caddy's plugin system and extension features, which will help you extend Caddy's capabilities further.