Before deploying the archive management software, make sure the server environment meets basic information-security requirements. This guide uses Ubuntu 22.04 LTS as the example platform, deploys Paperless-ngx (an open-source document archive management system) in Docker containers, and configures an Nginx reverse proxy to satisfy the network-communication and identity-authentication technical requirements of MLPS (等保) Level 3.
Update the package sources and install the required dependencies:
    sudo apt update && sudo apt upgrade -y
    sudo apt install -y curl wget gnupg2 ca-certificates lsb-release ubuntu-keyring
Next, install Docker and Docker Compose. This is the key step for isolating the application environment and keeping it maintainable:
    curl -fsSL https://get.docker.com | bash
    sudo usermod -aG docker $USER
    sudo apt install -y docker-compose-plugin
Log out and back in for the new group membership to take effect. Membership in the docker group is equivalent to root on the host, so grant it only to the deployment account.
To meet the MLPS access-control requirement, configure the UFW firewall so that only the SSH, HTTP and HTTPS ports are open:
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow ssh
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp
    sudo ufw enable
Run sudo ufw status to confirm the rules are active.
Create the project directories and set their ownership so the data directories are protected:
    sudo mkdir -p /opt/paperless/data
    sudo mkdir -p /opt/paperless/media
    sudo mkdir -p /opt/paperless/export
    sudo mkdir -p /opt/paperless/consume
    sudo chown -R $USER:$USER /opt/paperless
    cd /opt/paperless
Create docker-compose.yml under /opt/paperless. The file brings together the PostgreSQL database, the Redis message broker, and the Gotenberg and Tika services that Paperless-ngx uses to convert office documents before OCR. All services talk to each other over Compose's internal network. The only published port is the web server's, and it is bound to 127.0.0.1 so that it is reachable solely through the Nginx reverse proxy configured later: Docker publishes ports by writing iptables rules directly, so a port published on 0.0.0.0 would bypass the UFW rules above.
    version: "3.4"
    services:
      broker:
        image: docker.io/library/redis:7
        restart: always
        volumes:
          - ./redisdata:/data
      db:
        image: docker.io/library/postgres:15
        restart: always
        volumes:
          - ./pgdata:/var/lib/postgresql/data
        environment:
          POSTGRES_DB: paperless
          POSTGRES_USER: paperless
          POSTGRES_PASSWORD: CHANGE-ME-to-a-strong-password
        healthcheck:
          test: ["CMD", "pg_isready", "-U", "paperless"]
          interval: 5s
          timeout: 5s
          retries: 5
      webserver:
        image: ghcr.io/paperless-ngx/paperless-ngx:latest
        restart: always
        depends_on:
          db:
            condition: service_healthy
          broker:
            condition: service_started
        ports:
          # Loopback only: Nginx proxies to 127.0.0.1:8000, and Docker-published
          # ports bypass UFW, so "8000:8000" would expose the app to the network
          - "127.0.0.1:8000:8000"
        healthcheck:
          test: ["CMD", "curl", "-f", "http://localhost:8000"]
          interval: 30s
          timeout: 10s
          retries: 5
        volumes:
          - ./data:/usr/src/paperless/data
          - ./media:/usr/src/paperless/media
          - ./export:/usr/src/paperless/export
          - ./consume:/usr/src/paperless/consume
        environment:
          PAPERLESS_REDIS: redis://broker:6379
          PAPERLESS_DBHOST: db
          PAPERLESS_DBPASS: CHANGE-ME-to-the-same-strong-password-as-above
          PAPERLESS_SECRET_KEY: CHANGE-ME-generate-a-random-string-and-paste-it-here
          # Public URL behind the reverse proxy; sets the allowed hosts and CSRF trusted origins
          PAPERLESS_URL: https://your-domain.com
          PAPERLESS_TIME_ZONE: Asia/Shanghai
          PAPERLESS_OCR_LANGUAGE: chi_sim+eng
          PAPERLESS_OCR_MY_LANGUAGE: chi_sim+eng
          # Point Paperless-ngx at the Tika and Gotenberg services below;
          # without these settings the two containers are never used
          PAPERLESS_TIKA_ENABLED: "true"
          PAPERLESS_TIKA_ENDPOINT: http://tika:9998
          PAPERLESS_TIKA_GOTENBERG_ENDPOINT: http://gotenberg:3000
          # Enable two-factor authentication to meet the MLPS identity-authentication requirement
          PAPERLESS_ENABLE_TOTP: "true"
          # Disable self-registration to prevent unauthorised access
          PAPERLESS_DISABLE_REGISTRATION: "true"
      webserver_exporter:
        # One-shot export job, not a long-running service: the "export" profile keeps it
        # out of "docker compose up -d"; run it with "docker compose run --rm webserver_exporter"
        image: ghcr.io/paperless-ngx/paperless-ngx:latest
        profiles: ["export"]
        depends_on:
          - webserver
        volumes:
          - ./export:/usr/src/paperless/export
          - ./data:/usr/src/paperless/data
          - ./media:/usr/src/paperless/media
        environment:
          PAPERLESS_REDIS: redis://broker:6379
          PAPERLESS_DBHOST: db
          PAPERLESS_DBPASS: CHANGE-ME-to-the-same-strong-password-as-above
          PAPERLESS_SECRET_KEY: CHANGE-ME-use-the-same-value-as-the-webserver
        command: ["document_exporter", "../export"]
      gotenberg:
        image: docker.io/gotenberg/gotenberg:8.7.1
        restart: always
        # Flags recommended by the Paperless-ngx documentation: no JavaScript, restricted file access
        command:
          - "gotenberg"
          - "--chromium-disable-javascript=true"
          - "--chromium-allow-list=file:///tmp/.*"
      tika:
        image: apache/tika:latest
        restart: always
Note: be sure to replace POSTGRES_PASSWORD, PAPERLESS_DBPASS and PAPERLESS_SECRET_KEY. The command openssl rand -hex 32 generates a high-strength random key.
Start the services:
    docker compose up -d
Check that they are running:
    docker compose ps
To meet the MLPS requirement that "communication transmission must use encryption", HTTPS is mandatory. We use Nginx as the reverse proxy and Certbot to obtain a free Let's Encrypt certificate.
Install Nginx and Certbot:
    sudo apt install -y nginx certbot python3-certbot-nginx
Create the Nginx configuration file /etc/nginx/sites-available/paperless:
    server {
        listen 80;
        server_name your-domain.com;  # replace with your actual domain name
        # Force redirect to HTTPS
        return 301 https://$host$request_uri;
    }
    server {
        listen 443 ssl http2;
        server_name your-domain.com;  # replace with your actual domain name
        # Certificate paths (Certbot fills these in automatically)
        ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
        # TLS settings that satisfy the MLPS requirements
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        # Security headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        client_max_body_size 100M;
        location / {
            proxy_pass http://127.0.0.1:8000;
            # WebSocket upgrade headers, needed for Paperless-ngx's live status updates
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_redirect off;
        }
        # Static files are served by the Paperless container itself: they live at
        # /usr/src/paperless/static inside the image, not in the ./data volume, so
        # there is no host directory that Nginx could serve with an alias
    }
Create a symlink to enable the configuration:
    sudo ln -s /etc/nginx/sites-available/paperless /etc/nginx/sites-enabled/
    sudo rm /etc/nginx/sites-enabled/default
    sudo nginx -t
    sudo systemctl restart nginx
nginx -t fails as long as the certificate files referenced in the 443 server block do not exist yet. If that happens, comment out the second server block until the Certbot step below has issued the certificate, then restore it and run nginx -t again.
Request the certificate. Make sure the domain already resolves to the server's IP address and that port 80 is open:
    sudo certbot --nginx -d your-domain.com
Enter an e-mail address and accept the terms of service when prompted. Certbot updates the certificate paths in the Nginx configuration automatically.
Once the system is deployed, harden access control. Open https://your-domain.com and log in with the default administrator account.
Default username: admin
Default password: admin (must be changed immediately after the first login)
After logging in, open Settings -> Users:
- Under Groups, create groups such as "Finance" and "HR".
- Under Users, create ordinary users and grant them only "View" or "Edit" rights; never grant "Superuser".
- Under Permissions, assign the access rights (View, Edit) for each class of document to the matching group.
To meet the MLPS "security audit" requirement, the system's logging must be enabled and the logs must be backed up on a schedule.
Paperless-ngx writes its logs to standard output by default; view them through Docker:
    docker logs -f paperless-webserver-1
To retain logs (at least 6 months is recommended), configure system log rotation. Create /etc/logrotate.d/paperless:
    /var/lib/docker/containers/*/*.log {
        daily
        rotate 180
        compress
        delaycompress
        missingok
        notifempty
        copytruncate
    }
Daily rotation with 180 kept copies covers roughly six months. copytruncate is required because the Docker daemon keeps the container log file open and would otherwise keep writing to the rotated copy.
Record the real client IP in the Nginx logs. Check the log format in /etc/nginx/nginx.conf:
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
Also make sure the access_log directive in the same file references this format (access_log /var/log/nginx/access.log main;); otherwise Nginx keeps writing the default combined format, which lacks the X-Forwarded-For field.
Make sure Nginx's access.log and error.log are writable:
    sudo chown -R www-data:adm /var/log/nginx
    sudo chmod -R 750 /var/log/nginx
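As an added example that is not part of the original guide, the following Python script parses lines written in the main log_format above and flags source addresses with repeated failed logins to Paperless-ngx's /accounts/login/ endpoint, the kind of check an MLPS security audit expects over the access log. It assumes the Django/allauth behaviour that a failed login re-renders the form with HTTP 200 while a successful login redirects with 302; the log lines are constructed samples, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "main" log_format above: ip, user, time, request, status, bytes, referer, UA, XFF
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not in the main format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> largest number of failed logins seen inside any sliding window."""
    attempts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        # A failed Paperless-ngx login re-renders the form (200); a successful one redirects (302)
        if rec["method"] == "POST" and rec["path"].startswith("/accounts/login/") and rec["status"] == 200:
            attempts[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

# Constructed sample lines (not real traffic): five failures from one address, then a success
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:09:00:01 +0800] "POST /accounts/login/ HTTP/1.1" 200 3120 "https://your-domain.com/accounts/login/" "Mozilla/5.0" "-"
203.0.113.7 - - [12/Mar/2024:09:00:05 +0800] "POST /accounts/login/ HTTP/1.1" 200 3120 "https://your-domain.com/accounts/login/" "Mozilla/5.0" "-"
198.51.100.5 - - [12/Mar/2024:09:00:10 +0800] "POST /accounts/login/ HTTP/1.1" 200 3120 "https://your-domain.com/accounts/login/" "Mozilla/5.0" "-"
203.0.113.7 - - [12/Mar/2024:09:00:12 +0800] "POST /accounts/login/ HTTP/1.1" 200 3120 "https://your-domain.com/accounts/login/" "Mozilla/5.0" "-"
203.0.113.7 - - [12/Mar/2024:09:00:20 +0800] "POST /accounts/login/ HTTP/1.1" 200 3120 "https://your-domain.com/accounts/login/" "Mozilla/5.0" "-"
203.0.113.7 - - [12/Mar/2024:09:00:31 +0800] "POST /accounts/login/ HTTP/1.1" 200 3120 "https://your-domain.com/accounts/login/" "Mozilla/5.0" "-"
203.0.113.7 - - [12/Mar/2024:09:00:40 +0800] "POST /accounts/login/ HTTP/1.1" 302 0 "https://your-domain.com/accounts/login/" "Mozilla/5.0" "-"
"""
```

Run it against the real file with failed_login_bursts(open("/var/log/nginx/access.log")) from a cron job or a SIEM forwarder; the threshold and window are the knobs to tune for your user population.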
The core value of an archive lies in its content, so a reliable off-site backup mechanism is essential. Create the script /opt/paperless/backup.sh:
    #!/bin/bash
    set -euo pipefail
    DATE=$(date +%Y%m%d_%H%M%S)
    BACKUP_DIR="/opt/backups/paperless"
    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"   # dumps contain every document's metadata; keep them owner-only
    # 1. Dump the database
    docker exec paperless-db-1 pg_dump -U paperless paperless > "$BACKUP_DIR/db_$DATE.sql"
    # 2. Archive the data files (documents, index, etc.)
    tar -czf "$BACKUP_DIR/data_$DATE.tar.gz" /opt/paperless/data /opt/paperless/media
    # 3. Delete backups older than 7 days
    find "$BACKUP_DIR" -name "*.sql" -mtime +7 -delete
    find "$BACKUP_DIR" -name "*.tar.gz" -mtime +7 -delete
    echo "Backup completed: $DATE"
Make the script executable, give the deployment user a writable backup directory (the script would otherwise fail at mkdir under root-owned /opt), and schedule the job:
    chmod +x /opt/paperless/backup.sh
    sudo mkdir -p /opt/backups && sudo chown $USER:$USER /opt/backups
    (crontab -l 2>/dev/null; echo "0 2 * * * /opt/paperless/backup.sh >> /opt/backups/backup.log 2>&1") | crontab -
The script runs at 02:00 every day and automatically removes local backups older than 7 days. To meet higher MLPS levels, synchronise /opt/backups to an off-site server or object storage with rsync:
    rsync -avz -e "ssh -p 22" /opt/backups/ user@remote-server:/remote-backup-path/
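A backup that is never verified is not a backup. As an added example (not from the original guide), this Python script checks the set that backup.sh leaves in /opt/backups/paperless: the newest db_*.sql must carry pg_dump's banner and be less than a day old, and the newest data_*.tar.gz must be readable and contain the media directory. make_sample_backup builds a constructed fixture in a temporary directory so the check can be exercised offline; the file names and paths are assumed to match the script above.

```python
import tarfile
import tempfile
import time
from pathlib import Path

def newest(backup_dir, pattern):
    files = sorted(Path(backup_dir).glob(pattern))   # names embed the timestamp, so sorting gives the latest
    return files[-1] if files else None

def check_backup_set(backup_dir, max_age_hours=25):
    """Verify the newest db_*.sql and data_*.tar.gz written by backup.sh; return a list of problems."""
    problems, now = [], time.time()
    sql = newest(backup_dir, "db_*.sql")
    if sql is None:
        problems.append("no db_*.sql dump found")
    else:
        # pg_dump's plain-text output always opens with this banner; an empty file means the dump failed
        if b"PostgreSQL database dump" not in sql.read_bytes()[:200]:
            problems.append(f"{sql.name}: missing pg_dump header")
        if now - sql.stat().st_mtime > max_age_hours * 3600:
            problems.append(f"{sql.name}: older than {max_age_hours}h, is the cron job running?")
    tgz = newest(backup_dir, "data_*.tar.gz")
    if tgz is None:
        problems.append("no data_*.tar.gz archive found")
    else:
        try:
            with tarfile.open(tgz, "r:gz") as tf:
                names = tf.getnames()   # reads every header, so a truncated archive fails here
            if not any(n.startswith("opt/paperless/media") for n in names):
                problems.append(f"{tgz.name}: media directory missing from archive")
        except (tarfile.TarError, EOFError, OSError) as exc:
            problems.append(f"{tgz.name}: unreadable archive ({exc})")
    return problems

def make_sample_backup(good=True):
    """Constructed fixture that mimics backup.sh output in a temp dir (not real Paperless data)."""
    d = Path(tempfile.mkdtemp())
    (d / "db_20240312_020000.sql").write_text("--\n-- PostgreSQL database dump\n--\n" if good else "")
    media = d / "opt" / "paperless" / "media" / "documents"
    media.mkdir(parents=True)
    (media / "0000001.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    tgz = d / "data_20240312_020000.tar.gz"
    with tarfile.open(tgz, "w:gz") as tf:
        tf.add(d / "opt", arcname="opt")   # GNU tar strips the leading "/", giving the same member names
    if not good:
        tgz.write_bytes(tgz.read_bytes()[:20])   # truncate, as a backup interrupted by a full disk would be
    return d
```

Schedule check_backup_set("/opt/backups/paperless") to run after the 02:00 job and alert on a non-empty result; run it against the rsync target as well, since an off-site copy can be corrupted in transit.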