life-echo/api/.agents/skills/redis-development/rules/security-network.md
Sully 53e0065e3e refactor(api): TOML config SSOT, unified error contract, Auth/transaction hardening and observability (#33)
Config SSOT (TOML + .env)
Unified error contract
Auth and transaction boundaries
Redis / Celery reliability: business Redis (DB/0) and Celery broker/backend (DB/1) explicitly split; connection pool, sync client
Observability (OpenTelemetry + LGTM)
2026-05-22 13:44:50 +08:00

---
title: Secure Network Access
impact: HIGH
impactDescription: Reduces attack surface and prevents unauthorized access
tags: security, network, firewall, bind, tls
description: Secure Network Access
alwaysApply: true
---
## Secure Network Access
Restrict network access to Redis to only trusted sources.
**Correct:** Bind to specific interfaces.
```
# redis.conf
bind 127.0.0.1 192.168.1.100
protected-mode yes
```
**Correct:** Use firewall rules.
```bash
# Allow only application servers
iptables -A INPUT -p tcp --dport 6379 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP
```
**Incorrect:** Exposing Redis to the internet.
```
# Bad: Binds to all interfaces
bind 0.0.0.0
protected-mode no
```
**Security checklist:**
- Use TLS for connections
- Bind to specific interfaces, not `0.0.0.0`
- Use firewall rules to restrict access
- Disable dangerous commands in production (renaming a command to `""` removes it; on Redis 6+ ACLs are the preferred mechanism, and note that renaming `CONFIG` breaks tooling such as Sentinel unless it is told the new name)
```
# Disable dangerous commands
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command CONFIG ""
```
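To check an existing `redis.conf` against the rules in this checklist before deployment, here is an added example auditor (not part of this rule file or the project's code); it assumes only the standard `redis.conf` directive syntax and uses two constructed sample configs, one hardened and one that matches the "Incorrect" block above:

```python
"""Offline audit of a redis.conf against the network-hardening rules above."""
from typing import Dict, List

# Commands the checklist says to disable with rename-command.
DANGEROUS_COMMANDS = ("FLUSHALL", "DEBUG", "CONFIG")
ALL_INTERFACES = {"0.0.0.0", "::", "*"}

def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to its argument lists; directives may repeat."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf.setdefault(name.lower(), []).append(args)
    return conf

def audit_redis_conf(text: str) -> List[str]:
    """Return one finding per checklist rule the config violates."""
    conf = parse_redis_conf(text)
    findings: List[str] = []
    binds = conf.get("bind")
    if binds is None:
        # With no bind directive Redis listens on every interface.
        findings.append("bind: missing, listens on all interfaces")
    else:
        # Strip the Redis 7 '-' prefix that marks an address as optional.
        addrs = {a.lstrip("-") for args in binds for a in args}
        if addrs & ALL_INTERFACES:
            findings.append("bind: listens on all interfaces")
    pm = conf.get("protected-mode", [["yes"]])[-1]  # default is yes
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode: disabled")
    if "tls-port" not in conf:
        findings.append("tls-port: not set, clients connect in plaintext")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable by name")
    return findings

# Constructed sample configs (not real deployments).
HARDENED_CONF = """bind 127.0.0.1 192.168.1.100
protected-mode yes
port 0
tls-port 6379
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command CONFIG ""
"""
EXPOSED_CONF = """# Bad: Binds to all interfaces
bind 0.0.0.0
protected-mode no
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("exposed", EXPOSED_CONF)):
        print(name, audit_redis_conf(conf) or ["OK"])
```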
Reference: [Redis Security](https://redis.io/docs/latest/operate/oss_and_stack/management/security/)