| title | impact | impactDescription | tags | description | alwaysApply |
|---|---|---|---|---|---|
| Secure Network Access | HIGH | Reduces attack surface and prevents unauthorized access | security, network, firewall, bind, tls | Secure Network Access | true |
## Secure Network Access

Restrict network access to Redis to trusted sources only.

Correct: Bind to specific interfaces.

```conf
# redis.conf
bind 127.0.0.1 192.168.1.100
protected-mode yes
```

Correct: Use firewall rules.

```bash
# Allow only application servers
iptables -A INPUT -p tcp --dport 6379 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP
```

Incorrect: Exposing Redis to the internet.

```conf
# Bad: Binds to all interfaces
bind 0.0.0.0
protected-mode no
```

Security checklist:

- Use TLS for connections
- Bind to specific interfaces, not 0.0.0.0
- Use firewall rules to restrict access
- Disable dangerous commands in production

```conf
# Disable dangerous commands
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command CONFIG ""
```
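As an added example (not part of this rule file), a small Python audit that parses a `redis.conf` and reports which checklist items it fails; the two configs are constructed to mirror the "Incorrect" and "Correct" blocks above, and the TLS check assumes the common pattern of `tls-port` set with the plaintext `port` left at 0.

```python
# Constructed sample configs (not from the rule file): BAD_CONF mirrors the
# "Incorrect" block, GOOD_CONF the "Correct" block plus TLS and renamed commands.
BAD_CONF = """\
bind 0.0.0.0
protected-mode no
"""
GOOD_CONF = """\
bind 127.0.0.1 192.168.1.100
protected-mode yes
port 0
tls-port 6379
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command CONFIG ""
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}
DANGEROUS_COMMANDS = {"FLUSHALL", "DEBUG", "CONFIG"}


def parse_conf(text: str) -> dict[str, list[list[str]]]:
    """Map each directive to its argument lists; directives like rename-command may repeat."""
    conf: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> list[str]:
    """Return one finding per checklist item the config fails; an empty list means it passes."""
    conf = parse_conf(text)
    findings: list[str] = []
    # Redis 7 allows a leading '-' on a bind address (skip if unavailable); strip it before comparing.
    binds = [a.lstrip("-") for args in conf.get("bind", []) for a in args]
    if not binds:
        findings.append("no bind directive: Redis listens on every interface")
    elif WILDCARD_BINDS & set(binds):
        findings.append("bind includes a wildcard address: exposed on all interfaces")
    if conf.get("protected-mode", [["yes"]])[-1][:1] != ["yes"]:
        findings.append("protected-mode is off")
    if "tls-port" not in conf:
        findings.append("no tls-port: client connections are plaintext")
    # A command is treated as disabled only when renamed to the empty string, as in the rule above.
    disabled = {args[0].upper() for args in conf.get("rename-command", [])
                if len(args) >= 2 and args[1] in ('""', "''")}
    for cmd in sorted(DANGEROUS_COMMANDS - disabled):
        findings.append(f"{cmd} is not disabled via rename-command")
    return findings
```

On Redis 6 and later, ACL rules can also deny these commands per user; this check covers only the `rename-command` approach the rule describes.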
Reference: Redis Security