Restrict data service ports to localhost

2026-06-10 10:49:58 +08:00
parent e589073311
commit 9e05b09a38
3 changed files with 13 additions and 4 deletions
--- a/.env.example
+++ b/.env.example
@@ -45,7 +45,11 @@ TRAVEL_KG_EXPORT_ROOT=./data/exports
 TRAVEL_KG_ENV_PATH=./.env

 # Docker host ports
+API_HOST_BIND=0.0.0.0
 API_PORT=8102
+POSTGRES_HOST_BIND=127.0.0.1
 POSTGRES_PORT=5433
+FALKORDB_HOST_BIND=127.0.0.1
 FALKORDB_PORT=6380
+FALKORDB_BROWSER_HOST_BIND=127.0.0.1
 FALKORDB_BROWSER_PORT=3002
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,7 @@ services:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password}
      POSTGRES_DB: ${POSTGRES_DB:-kg_admin}
    ports:
-      - "${POSTGRES_PORT:-5433}:5432"
+      - "${POSTGRES_HOST_BIND:-127.0.0.1}:${POSTGRES_PORT:-5433}:5432"
    volumes:
      - postgres-data:/var/lib/postgresql/data
      - ./snapshots/postgres/kg_admin_new2.dump:/snapshots/kg_admin_new2.dump:ro
@@ -42,8 +42,8 @@ services:
    container_name: travel-kg-falkordb
    restart: unless-stopped
    ports:
-      - "${FALKORDB_PORT:-6380}:6379"
-      - "${FALKORDB_BROWSER_PORT:-3002}:3000"
+      - "${FALKORDB_HOST_BIND:-127.0.0.1}:${FALKORDB_PORT:-6380}:6379"
+      - "${FALKORDB_BROWSER_HOST_BIND:-127.0.0.1}:${FALKORDB_BROWSER_PORT:-3002}:3000"
    volumes:
      - falkordb-data:/var/lib/falkordb/data
    depends_on:
@@ -90,7 +90,7 @@ services:
      AMAP_SECURITY_JSCODE: ${AMAP_SECURITY_JSCODE:-}
      GAODE_CRAWLER_PATH: ${GAODE_CRAWLER_PATH:-}
    ports:
-      - "${API_PORT:-8102}:8000"
+      - "${API_HOST_BIND:-0.0.0.0}:${API_PORT:-8102}:8000"
    depends_on:
      postgres:
        condition: service_healthy
--- a/docs/DEPLOYMENT.md
+++ b/docs/DEPLOYMENT.md
@@ -119,9 +119,13 @@ docker compose up -d --build

 | 变量 | 默认值 | 说明 |
 | --- | --- | --- |
+| `API_HOST_BIND` | `0.0.0.0` | API/后台监听地址 |
 | `API_PORT` | `8102` | FastAPI 与管理后台 |
+| `POSTGRES_HOST_BIND` | `127.0.0.1` | PostgreSQL 只绑定服务器本机 |
 | `POSTGRES_PORT` | `5433` | PostgreSQL 映射端口 |
+| `FALKORDB_HOST_BIND` | `127.0.0.1` | FalkorDB Redis 协议只绑定服务器本机 |
 | `FALKORDB_PORT` | `6380` | FalkorDB Redis 协议端口 |
+| `FALKORDB_BROWSER_HOST_BIND` | `127.0.0.1` | FalkorDB Browser 只绑定服务器本机 |
 | `FALKORDB_BROWSER_PORT` | `3002` | FalkorDB Browser |

 ## 环境变量
@@ -173,6 +177,7 @@ POST http://8.163.40.99:8102/v1/admin/travel/customer-service-query
 ```

 服务器安全组需要放行 TCP `8102`。如果服务器本机 `curl http://127.0.0.1:8102/v1/admin/health` 正常，但外部访问 `http://8.163.40.99:8102` 超时，优先检查云控制台安全组/防火墙入方向规则。
+不要把 `5433`、`6380`、`3002` 暴露到公网；默认 Compose 已把这些数据端口绑定到 `127.0.0.1`。

 请求示例：