
About Hugo

https://gohugo.io/about/

Hugo is not your average static site generator.

1 - Hugo's Security Model

https://gohugo.io/about/security-model/

An overview of Hugo's security model.

Runtime Security

Hugo produces static output, so once built, the runtime is the browser (assuming the output is HTML) and any server (API) that integrates with it.

But when developing and building your site, the runtime is the hugo executable. Securing a runtime can be a real challenge.

Hugo's main approach is sandboxing and a security policy with strict defaults:

  • Hugo has a virtual file system, and only the main project (not third-party components) can mount directories or files outside the project root.
  • Only the main project can walk symbolic links.
  • User-defined components have read-only access to the file system.
  • We shell out to some external binaries to support features such as Asciidoctor, but those binaries and their flags are predefined and disabled by default (see the security policy below). General functions to run arbitrary external OS commands have been discussed, but not implemented because of security concerns.

Security Policy

Hugo has a built-in security policy that restricts access to os/exec, remote communication, and so on.

The default configuration is shown below. Any build that uses a feature not covered by the security policy's allow lists will fail with a detailed message about what needs to be done. Most of these settings are allow lists (a string or a slice of regular expressions; the value none matches nothing).

=== "yaml"

```yaml
security:
  enableInlineShortcodes: false
  exec:
    allow:
    - ^dart-sass-embedded$
    - ^go$
    - ^npx$
    - ^postcss$
    osEnv:
    - (?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+)$
  funcs:
    getenv:
    - ^HUGO_
    - ^CI$
  http:
    methods:
    - (?i)GET|POST
    urls:
    - .*
```

=== "toml"

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+)$']
  [security.funcs]
    getenv = ['^HUGO_', '^CI$']
  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```

=== "json"

```json
{
   "security": {
      "enableInlineShortcodes": false,
      "exec": {
         "allow": [
            "^dart-sass-embedded$",
            "^go$",
            "^npx$",
            "^postcss$"
         ],
         "osEnv": [
            "(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+)$"
         ]
      },
      "funcs": {
         "getenv": [
            "^HUGO_",
            "^CI$"
         ]
      },
      "http": {
         "methods": [
            "(?i)GET|POST"
         ],
         "urls": [
            ".*"
         ]
      }
   }
}
```

Note that these and other configuration settings in Hugo can be overridden by the OS environment. If you want to block all remote HTTP fetching of data:

```sh
HUGO_SECURITY_HTTP_URLS=none hugo
```
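To make the allow-list semantics concrete, here is an added Go example (not Hugo's own code) that re-implements the shape of the policy above: each list is a set of regular expressions, the special value none matches nothing, and an environment variable such as HUGO_SECURITY_HTTP_URLS overrides the configured list. It also shows the osEnv list at work, filtering a constructed environment so that only the allowed variables would reach a child process such as postcss. The whitespace split of the environment value and the constructed environment are assumptions of this example, not something the page states.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AllowList mirrors the shape of Hugo's security allow lists: a slice of
// regular expressions, where the special value "none" matches nothing.
// Illustrative re-implementation for this page, not Hugo's code.
type AllowList struct {
	patterns []*regexp.Regexp
}

// NewAllowList compiles the given patterns. "none" yields an empty list,
// so Allows always returns false.
func NewAllowList(patterns ...string) (AllowList, error) {
	var al AllowList
	for _, p := range patterns {
		if p == "none" {
			return AllowList{}, nil
		}
		re, err := regexp.Compile(p)
		if err != nil {
			return AllowList{}, fmt.Errorf("bad allow pattern %q: %w", p, err)
		}
		al.patterns = append(al.patterns, re)
	}
	return al, nil
}

// Allows reports whether s matches any pattern in the list.
func (al AllowList) Allows(s string) bool {
	for _, re := range al.patterns {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

// Policy holds the subset of the default security config shown above.
type Policy struct {
	ExecAllow AllowList
	OSEnv     AllowList
	HTTPURLs  AllowList
}

// DefaultPolicy builds the defaults from the configuration on this page.
// env is a lookup function (e.g. os.LookupEnv) so the
// HUGO_SECURITY_HTTP_URLS override can be exercised without touching the
// real environment. Splitting the value on whitespace is an assumption here.
func DefaultPolicy(env func(string) (string, bool)) (Policy, error) {
	execAllow, err := NewAllowList(`^dart-sass-embedded$`, `^go$`, `^npx$`, `^postcss$`)
	if err != nil {
		return Policy{}, err
	}
	osEnv, err := NewAllowList(`(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+)$`)
	if err != nil {
		return Policy{}, err
	}
	urlPatterns := []string{`.*`}
	// The OS environment overrides the config file value.
	if v, ok := env("HUGO_SECURITY_HTTP_URLS"); ok {
		urlPatterns = strings.Fields(v)
	}
	urls, err := NewAllowList(urlPatterns...)
	if err != nil {
		return Policy{}, err
	}
	return Policy{ExecAllow: execAllow, OSEnv: osEnv, HTTPURLs: urls}, nil
}

// FilterEnv keeps only the KEY=VALUE entries whose key passes the osEnv
// allow list; this is what keeps e.g. cloud credentials out of a child process.
func (p Policy) FilterEnv(environ []string) []string {
	var out []string
	for _, kv := range environ {
		key, _, _ := strings.Cut(kv, "=")
		if p.OSEnv.Allows(key) {
			out = append(out, kv)
		}
	}
	return out
}

func main() {
	noEnv := func(string) (string, bool) { return "", false }
	p, _ := DefaultPolicy(noEnv)
	fmt.Println("exec go:", p.ExecAllow.Allows("go"), "exec curl:", p.ExecAllow.Allows("curl"))
	// Constructed environment for illustration.
	fmt.Println(p.FilterEnv([]string{"PATH=/usr/bin", "HOME=/home/u", "AWS_SECRET_ACCESS_KEY=x", "GOFLAGS=-mod=mod", "http_proxy=http://proxy:3128"}))
	blocked, _ := DefaultPolicy(func(k string) (string, bool) { return "none", k == "HUGO_SECURITY_HTTP_URLS" })
	fmt.Println("remote fetch with override:", blocked.HTTPURLs.Allows("https://example.com/data.json"))
}
```

With the defaults, go passes the exec check and curl does not; of the constructed environment only PATH, GOFLAGS and http_proxy survive the osEnv filter (the regex is case-insensitive), and with the override set to none no URL is allowed at all.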

Dependency Security

Hugo builds as a static binary and uses Go Modules to manage its dependencies. Go Modules has several safeguards, one of them being the go.sum file. This is a database of the expected cryptographic checksums of all dependencies, including transitive ones.

Hugo Modules is a feature built on top of the functionality in Go Modules. Like Go Modules, a Hugo project using Hugo Modules will have a go.sum file. We recommend committing this file to your version control system. If there is a checksum mismatch, the Hugo build will fail, which indicates that a dependency has been tampered with.
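The checksum check described above, as an added Go example that is not part of Hugo or the Go toolchain: it reproduces the h1: directory-hash scheme that go.sum records (sha256 of each file, listed in sorted name order, then sha256 of the listing, base64-encoded), parses go.sum lines, and fails verification when a file in the sample module no longer matches. The module name example.com/theme, its files and the go.sum line are all constructed for this example; the file map stands in for the module zip.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 reproduces the "h1:" directory-hash scheme recorded in go.sum:
// sha256 of each file, listed as "<hex>  <name>\n" in sorted name order,
// then sha256 of that listing, base64-encoded. Illustration for this page,
// not the Go toolchain's code.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(h, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// parseGoSum turns go.sum lines ("module version h1:...") into a lookup
// map keyed by "module version".
func parseGoSum(text string) map[string]string {
	sums := make(map[string]string)
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 3 {
			continue
		}
		sums[fields[0]+" "+fields[1]] = fields[2]
	}
	return sums
}

// verifyModule fails the way a Hugo build does on a checksum mismatch:
// it returns an error naming the module, and succeeds only when the
// recorded and recomputed hashes agree.
func verifyModule(sums map[string]string, module, version string, files map[string][]byte) error {
	want, ok := sums[module+" "+version]
	if !ok {
		return fmt.Errorf("verifying %s@%s: no entry in go.sum", module, version)
	}
	got := hash1(files)
	if got != want {
		return fmt.Errorf("verifying %s@%s: checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s", module, version, got, want)
	}
	return nil
}

// Constructed sample module and the go.sum line that records it.
var (
	sampleModule  = "example.com/theme"
	sampleVersion = "v1.0.0"
	sampleFiles   = map[string][]byte{
		"example.com/theme@v1.0.0/go.mod":             []byte("module example.com/theme\n"),
		"example.com/theme@v1.0.0/layouts/index.html": []byte("<h1>{{ .Title }}</h1>\n"),
	}
	sampleGoSum = sampleModule + " " + sampleVersion + " " + hash1(sampleFiles) + "\n"
)

func main() {
	sums := parseGoSum(sampleGoSum)
	fmt.Println("clean:", verifyModule(sums, sampleModule, sampleVersion, sampleFiles))

	// Simulate a tampered dependency: a layout file edited after go.sum was written.
	tampered := map[string][]byte{}
	for k, v := range sampleFiles {
		tampered[k] = v
	}
	tampered["example.com/theme@v1.0.0/layouts/index.html"] = []byte("<h1>{{ .Title }}</h1>\n<!-- edited -->\n")
	fmt.Println("tampered:", verifyModule(sums, sampleModule, sampleVersion, tampered))
}
```

The first call returns nil; the second returns a mismatch error that shows both hashes, which is the signal the text describes. Because the listing is sorted, the hash does not depend on the order in which files are read.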

Web Application Security

These are the security threats as defined by OWASP.

For HTML output, this is the core security model:

https://pkg.go.dev/html/template#hdr-Security_Model

In short:

Template and configuration authors (you) are trusted, but the data you send is not. This is why you sometimes need safe functions such as safeHTML to avoid escaping data you know is safe. As noted in the documentation, there is one exception to the rule above: if you enable inline shortcodes, you are also declaring that the shortcodes and data handling in your content files are trusted, since those macros are treated as plain text. It is worth mentioning that Hugo is a static site generator and has no concept of dynamic user input.

For content, the default Markdown renderer is configured to remove or escape potentially unsafe content. You can reconfigure this behaviour if you trust your content.
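The trust boundary just described can be seen directly with Go's html/template, the package the core security model above refers to. The following is an added example, not code from Hugo: the template is the trusted part, each data field is escaped for the HTML context it lands in, a template.HTML value (the equivalent of applying safeHTML) is passed through untouched, and a link with an unsafe scheme is neutralized to #ZgotmplZ. The Page type, the Trusted helper and the sample data are constructed for this example.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Page is the data handed to the template. Body holds untrusted text (e.g.
// something pulled from a remote API); TrustedBody holds markup the template
// author has vetted, the equivalent of Hugo's safeHTML; Link is an untrusted URL.
type Page struct {
	Title       string
	Body        string
	TrustedBody template.HTML
	Link        string
}

// Trusted marks a string as author-vetted HTML that must not be escaped.
func Trusted(s string) template.HTML {
	return template.HTML(s)
}

// The template is the trusted part: written by the site author.
const pageTmpl = `<h1>{{ .Title }}</h1>
<p>{{ .Body }}</p>
<div>{{ .TrustedBody }}</div>
<a href="{{ .Link }}">more</a>
`

// Render executes the template; html/template escapes each value according
// to the context it lands in (text content, attribute, URL, ...).
func Render(p Page) (string, error) {
	t, err := template.New("page").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, p); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed untrusted data, as if fetched from a remote service.
	out, err := Render(Page{
		Title:       "Release notes",
		Body:        `<img src=x onerror="alert(1)">`,
		TrustedBody: Trusted("<em>vetted by the author</em>"),
		Link:        "javascript:alert(1)",
	})
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

The body renders as `&lt;img src=x onerror=&#34;alert(1)&#34;&gt;`, the vetted fragment is emitted verbatim, and the href becomes `#ZgotmplZ`, so the only way for raw markup to reach the output is for the template author to mark it trusted explicitly.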


2 - Hugo and GDPR

Hugo and the General Data Protection Regulation (GDPR)

https://gohugo.io/about/hugo-and-gdpr/

About how to configure your Hugo site to meet the new regulations.

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It became enforceable on 25 May 2018.

Hugo is a static site generator. By using Hugo you are already standing on very solid ground. Static HTML files on disk are much easier to reason about than server- and database-driven sites.

But even static sites can integrate with external services, so from version 0.41 Hugo provides a privacy configuration that covers the relevant built-in templates.

Please note:

  • These settings default to off, i.e. how Hugo worked before version 0.41. You must evaluate your site and apply the appropriate settings.
  • These settings apply to the internal templates. Some themes may contain custom templates for embedding services such as Google Analytics; in that case these options have no effect.
  • We will continue this work and improve it further in future Hugo versions.

All Privacy Settings

Below are all privacy settings and their default values. These settings need to be placed in your site configuration file (e.g. config.toml).

=== "yaml"

```yaml
privacy:
  disqus:
    disable: false
  googleAnalytics:
    anonymizeIP: false
    disable: false
    respectDoNotTrack: false
    useSessionStorage: false
  instagram:
    disable: false
    simple: false
  twitter:
    disable: false
    enableDNT: false
    simple: false
  vimeo:
    disable: false
    enableDNT: false
    simple: false
  youtube:
    disable: false
    privacyEnhanced: false
```

=== "toml"

```toml
[privacy]
  [privacy.disqus]
    disable = false
  [privacy.googleAnalytics]
    anonymizeIP = false
    disable = false
    respectDoNotTrack = false
    useSessionStorage = false
  [privacy.instagram]
    disable = false
    simple = false
  [privacy.twitter]
    disable = false
    enableDNT = false
    simple = false
  [privacy.vimeo]
    disable = false
    enableDNT = false
    simple = false
  [privacy.youtube]
    disable = false
    privacyEnhanced = false
```

=== "json"

```json
{
   "privacy": {
      "disqus": {
         "disable": false
      },
      "googleAnalytics": {
         "anonymizeIP": false,
         "disable": false,
         "respectDoNotTrack": false,
         "useSessionStorage": false
      },
      "instagram": {
         "disable": false,
         "simple": false
      },
      "twitter": {
         "disable": false,
         "enableDNT": false,
         "simple": false
      },
      "vimeo": {
         "disable": false,
         "enableDNT": false,
         "simple": false
      },
      "youtube": {
         "disable": false,
         "privacyEnhanced": false
      }
   }
}
```

Disable All Services

An example privacy configuration that disables all relevant services in Hugo. With this configuration, the other settings have no effect.

=== "yaml"

```yaml
privacy:
  disqus:
    disable: true
  googleAnalytics:
    disable: true
  instagram:
    disable: true
  twitter:
    disable: true
  vimeo:
    disable: true
  youtube:
    disable: true
```

=== "toml"

```toml
[privacy]
  [privacy.disqus]
    disable = true
  [privacy.googleAnalytics]
    disable = true
  [privacy.instagram]
    disable = true
  [privacy.twitter]
    disable = true
  [privacy.vimeo]
    disable = true
  [privacy.youtube]
    disable = true
```

=== "json"

```json
{
   "privacy": {
      "disqus": {
         "disable": true
      },
      "googleAnalytics": {
         "disable": true
      },
      "instagram": {
         "disable": true
      },
      "twitter": {
         "disable": true
      },
      "vimeo": {
         "disable": true
      },
      "youtube": {
         "disable": true
      }
   }
}
```

Privacy Settings Explained

GoogleAnalytics

  • anonymizeIP

    Enabling this will make it so the users' IP addresses are anonymized within Google Analytics.

  • respectDoNotTrack

    Enabling this will make the GA templates respect the "Do Not Track" HTTP header.

  • useSessionStorage

    Enabling this will disable the use of Cookies and use Session Storage to store the GA client ID.

useSessionStorage is not supported when using Google Analytics v4 (gtag.js).

Instagram

  • simple

    If simple mode is enabled, a static and no-JS version of the Instagram image card will be built. Note that this only supports image cards and that the image itself is fetched from Instagram's servers.

Note: If you use the simple mode for Instagram and a site styled with Bootstrap 4, you may need to disable the inline styles provided by Hugo.

=== "yaml"

```yaml
services:
  instagram:
    disableInlineCSS: true
```

=== "toml"

```toml
[services]
  [services.instagram]
    disableInlineCSS = true
```

=== "json"

```json
{
   "services": {
      "instagram": {
         "disableInlineCSS": true
      }
   }
}
```

Twitter

  • enableDNT

    When enabled, the tweets in the Twitter/Tweet shortcode and their embedded pages on your site will not be used for purposes that include personalized suggestions and personalized ads.

  • simple

    If simple mode is enabled, a static and no-JS version of the tweet will be built.

Note: If you use simple mode for Twitter and a site styled with Bootstrap 4, you may need to disable the inline styles provided by Hugo.

=== "yaml"

```yaml
services:
  twitter:
    disableInlineCSS: true
```

=== "toml"

```toml
[services]
  [services.twitter]
    disableInlineCSS = true
```

=== "json"

```json
{
   "services": {
      "twitter": {
         "disableInlineCSS": true
      }
   }
}
```

YouTube

  • privacyEnhanced

    When privacy-enhanced mode is enabled, YouTube will not store information about visitors to your website unless they play the embedded video.

Vimeo

  • enableDNT

    When enabled, the Vimeo shortcode blocks the Vimeo player from tracking any session data, including all cookies and statistics.

  • simple

    If simple mode is enabled, the video thumbnail is fetched from Vimeo's servers and a play button is overlaid on it. If the user clicks to play the video, it opens directly on the Vimeo site in a new tab.

3 - What is Hugo

https://gohugo.io/about/what-is-hugo/

Hugo is a fast and modern static site generator written in Go, designed to make website creation fun again.

Hugo is a general-purpose website framework. Technically speaking, Hugo is a static site generator. Unlike systems that dynamically build a page with each visitor request, Hugo builds pages when you create or update your content. Since websites are viewed far more often than they are edited, Hugo is designed to provide an optimal viewing experience for your website's end users and an ideal writing experience for website authors.

Websites built with Hugo are extremely fast and secure. Hugo sites can be hosted anywhere, including Netlify, Heroku, GoDaddy, DreamHost, GitHub Pages, GitLab Pages, Surge, Firebase, Google Cloud Storage, Amazon S3, Rackspace, Azure, and CloudFront, and work well with CDNs. Hugo sites run without a database or dependencies on expensive runtimes like Ruby, Python, or PHP.

We think of Hugo as the ideal website creation tool, with nearly instant build times and the ability to rebuild whenever a change is made.

How fast is Hugo?

What does Hugo do?

Technically, Hugo takes a source directory of files and templates as input and uses these to create a complete website.

Who should use Hugo?

Hugo is for people who prefer writing in a text editor over a browser.

Hugo is for people who want to hand-code their own website without worrying about setting up complicated runtimes, dependencies, and databases.

Hugo is for people building a blog, a company site, a portfolio site, documentation, a single landing page, or a website with thousands of pages.

4 - Hugo Features

https://gohugo.io/about/features/

Hugo boasts blistering speed, robust content management, and a powerful templating language making it a great fit for all kinds of static websites.

General

Organization

Content

Other Features

5 - The Benefits of Static Site Generators

https://gohugo.io/about/benefits/

Improved performance, security, and ease of use are just a few of the reasons static site generators are so appealing.

The purpose of a website generator is to render content into HTML files. Most are "dynamic site generators". That means the HTTP server (i.e. the program that sends files to browsers to be viewed) runs the generator to create a new HTML file every time an end user requests a page.

Over time, dynamic site generators were programmed to cache their HTML files to prevent unnecessary delays in delivering pages to end users. A cached page is a static version of a web page.

Hugo takes caching a step further: all HTML files are rendered on your computer. You can review the files locally before copying them to the computer hosting the HTTP server. Since the HTML files are not generated dynamically, we say that Hugo is a static site generator.

This has many benefits. The most noticeable is performance. HTTP servers are very good at sending files; in fact, you can effectively serve the same number of pages with a fraction of the memory and CPU needed by a dynamic site.

More Information on Static Site Generators

6 - Apache License

https://gohugo.io/about/license/

Hugo v0.15 and later are released under the Apache 2.0 license. Earlier versions of Hugo were released under the Simple Public License.

Version 2.0, January 2004 https://www.apache.org/licenses/LICENSE-2.0

Terms and Conditions for use, reproduction, and distribution

1. Definitions

“License” shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

“Licensor” shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

“Legal Entity” shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, “control” means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

“You” (or “Your”) shall mean an individual or Legal Entity exercising permissions granted by this License.

“Source” form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

“Object” form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

“Work” shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

“Derivative Works” shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

“Contribution” shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, “submitted” means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as “Not a Contribution.”

“Contributor” shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License

Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License

Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution

You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

  • (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
  • (b) You must cause any modified files to carry prominent notices stating that You changed the files; and
  • (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
  • (d) If the Work includes a “NOTICE” text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions

Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks

This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty

Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability

In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability

While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work

To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets [] replaced with your own identifying information. (Don’t include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same “printed page” as the copyright notice for easier identification within third-party archives.

apache-notice.txt

```text
Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

  https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
```