refactor(api): TOML config SSOT, unified error contract, Auth/transaction hardening and observability (#33)
Config SSOT (TOML + .env); unified error contract; Auth and transaction boundaries; Redis / Celery reliability: business Redis (DB/0) and Celery broker/backend (DB/1) explicitly split, connection pooling, sync client; observability (OpenTelemetry + LGTM)
@@ -0,0 +1,52 @@
---
title: Secure Network Access
impact: HIGH
impactDescription: Reduces attack surface and prevents unauthorized access
tags: security, network, firewall, bind, tls
description: Secure Network Access
alwaysApply: true
---

## Secure Network Access

Restrict network access to Redis to only trusted sources.

**Correct:** Bind to specific interfaces.

```
# redis.conf
bind 127.0.0.1 192.168.1.100
protected-mode yes
```

**Correct:** Use firewall rules.

```bash
# Allow only application servers
iptables -A INPUT -p tcp --dport 6379 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP
```

**Incorrect:** Exposing Redis to the internet.

```
# Bad: Binds to all interfaces
bind 0.0.0.0
protected-mode no
```

**Security checklist:**
- Use TLS for connections
- Bind to specific interfaces, not `0.0.0.0`
- Use firewall rules to restrict access
- Disable dangerous commands in production

```
# Disable dangerous commands
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command CONFIG ""
```

Reference: [Redis Security](https://redis.io/docs/latest/operate/oss_and_stack/management/security/)
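Review bot: the checklist item "Use TLS for connections" has no matching configuration anywhere in this file, and both the `bind` example and the `iptables` rules keep plaintext port 6379 open; add a snippet that sets `port 0` and `tls-port 6379` together with `tls-cert-file`, `tls-key-file` and `tls-ca-cert-file`, so the `tls` tag in the frontmatter is backed by an example rather than a bullet. The firewall example also over-promises: the comment reads "Allow only application servers", but `-s 192.168.1.0/24` admits every host on that subnet, while the `bind` line above trusts a single address, `192.168.1.100`; either narrow the source to the application hosts or reword the comment. Note too that `-A INPUT ... -j DROP` appends to the chain, so it has no effect if an earlier ACCEPT already matches port 6379; placing the rules with `-I` or in a dedicated chain avoids that ordering trap.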