Config SSOT (TOML + .env) Unified error contract Auth and transaction boundaries Redis / Celery reliability: business Redis (DB/0) and Celery broker/backend (DB/1) explicitly split; connection pool, sync client Observability (OpenTelemetry + LGTM)
| title | impact | impactDescription | tags | description | alwaysApply |
|---|---|---|---|---|---|
| Always Use Authentication in Production | HIGH | Prevents unauthorized access to your data | security, authentication, password, tls, ssl | Always Use Authentication in Production | true |
Always Use Authentication in Production
Never run Redis without authentication in production environments.
Correct: Use password and TLS.
Python (redis-py):
```python
import redis

# Authenticate with a password and require a verified TLS certificate
r = redis.Redis(
    host='localhost',
    port=6379,
    password='your-strong-password',
    ssl=True,
    ssl_cert_reqs='required'
)
```
Java (Jedis):
```java
import redis.clients.jedis.*;
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;

// Create an SSL context that trusts the CAs in the trust store
KeyStore trustStore = KeyStore.getInstance("jks");
trustStore.load(new FileInputStream("./truststore.jks"), "password".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init(trustStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);

// Connect over TLS and authenticate with a username and password
JedisClientConfig config = DefaultJedisClientConfig.builder()
    .ssl(true)
    .sslSocketFactory(sslContext.getSocketFactory())
    .user("redisUser")
    .password("redisPassword")
    .build();
JedisPooled jedis = new JedisPooled(new HostAndPort("redis-host", 6379), config);
```
Incorrect: Connecting without authentication.
Python (redis-py):
```python
import redis

# Bad: No authentication
r = redis.Redis(host='localhost', port=6379)
```
Java (Jedis):
```java
import redis.clients.jedis.UnifiedJedis;

// Bad: No authentication or TLS
UnifiedJedis jedis = new UnifiedJedis("redis://localhost:6379");
```
Configuration:
```
# redis.conf
# Require clients to authenticate
requirepass your-strong-password
# TLS listener; TLS clients must connect to this port
tls-port 6380
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
```
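The configuration above can be checked mechanically before deployment. The following is an added example, not part of the original rule or of Redis itself: it audits a `redis.conf` for the settings this rule requires, and also flags the plaintext listener that stays open unless `port 0` is set. The function names, `MIN_LEN` and the hardened sample are assumptions made for illustration.

```python
import shlex

MIN_LEN = 32  # assumption: minimum length for a generated secret, not from the page
PLACEHOLDERS = {"your-strong-password"}  # the page's sample value, never a real secret
# Constructed input: the page's redis.conf fragment, unchanged.
PAGE_CONF = """\
# redis.conf
requirepass your-strong-password
tls-port 6380
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
"""
# Constructed input: same file with a made-up long secret and the plaintext port closed.
HARDENED_CONF = PAGE_CONF.replace("your-strong-password", "constructed-Zx8vQ2mL7pR4tN9wY6bH3cK1dF5") + "port 0\n"

def parse_conf(text):
    """Return {directive: [args]}, keeping the last occurrence of each directive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)  # handles quoted arguments
            conf[parts[0].lower()] = parts[1:]
    return conf

def audit(text):
    """Return findings as 'code: detail' strings; an empty list means all checks passed."""
    conf = parse_conf(text)
    first = lambda key, default: (conf.get(key) or [default])[0]
    findings = []
    password = first("requirepass", "")  # ACL users/aclfile are not inspected here
    if not password:
        findings.append("no-auth: requirepass is not set")
    elif password in PLACEHOLDERS or len(password) < MIN_LEN:
        findings.append("weak-auth: requirepass is a placeholder or too short")
    if first("tls-port", "0") == "0":
        findings.append("no-tls: tls-port is unset or 0")
    else:
        for key in ("tls-cert-file", "tls-key-file"):
            if not first(key, ""):
                findings.append(f"tls-incomplete: {key} is missing")
    if first("port", "6379") != "0":  # Redis listens in plaintext on 6379 unless port is 0
        findings.append("plaintext-listener: non-TLS port is still open")
    return findings

if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok")
```

Run against the page's fragment as written, it reports the placeholder password and the still-open plaintext port; the hardened sample passes.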
Reference: Redis Security