From 9e05b09a3854621ae215afb46318a8abded4c033 Mon Sep 17 00:00:00 2001
From: 3452078359-xuexue <3452078359@qq.com>
Date: Wed, 10 Jun 2026 10:49:58 +0800
Subject: [PATCH] Restrict data service ports to localhost

---
 .env.example       | 4 ++++
 docker-compose.yml | 8 ++++----
 docs/DEPLOYMENT.md | 5 +++++
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/.env.example b/.env.example
index 4b2c63a..8655a6e 100644
--- a/.env.example
+++ b/.env.example
@@ -45,7 +45,11 @@ TRAVEL_KG_EXPORT_ROOT=./data/exports
 TRAVEL_KG_ENV_PATH=./.env
 
 # Docker host ports
+API_HOST_BIND=0.0.0.0
 API_PORT=8102
+POSTGRES_HOST_BIND=127.0.0.1
 POSTGRES_PORT=5433
+FALKORDB_HOST_BIND=127.0.0.1
 FALKORDB_PORT=6380
+FALKORDB_BROWSER_HOST_BIND=127.0.0.1
 FALKORDB_BROWSER_PORT=3002
diff --git a/docker-compose.yml b/docker-compose.yml
index ce8bada..26c052b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,7 @@ services:
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password}
       POSTGRES_DB: ${POSTGRES_DB:-kg_admin}
     ports:
-      - "${POSTGRES_PORT:-5433}:5432"
+      - "${POSTGRES_HOST_BIND:-127.0.0.1}:${POSTGRES_PORT:-5433}:5432"
     volumes:
       - postgres-data:/var/lib/postgresql/data
       - ./snapshots/postgres/kg_admin_new2.dump:/snapshots/kg_admin_new2.dump:ro
@@ -42,8 +42,8 @@ services:
     container_name: travel-kg-falkordb
     restart: unless-stopped
     ports:
-      - "${FALKORDB_PORT:-6380}:6379"
-      - "${FALKORDB_BROWSER_PORT:-3002}:3000"
+      - "${FALKORDB_HOST_BIND:-127.0.0.1}:${FALKORDB_PORT:-6380}:6379"
+      - "${FALKORDB_BROWSER_HOST_BIND:-127.0.0.1}:${FALKORDB_BROWSER_PORT:-3002}:3000"
     volumes:
       - falkordb-data:/var/lib/falkordb/data
     depends_on:
@@ -90,7 +90,7 @@ services:
       AMAP_SECURITY_JSCODE: ${AMAP_SECURITY_JSCODE:-}
       GAODE_CRAWLER_PATH: ${GAODE_CRAWLER_PATH:-}
     ports:
-      - "${API_PORT:-8102}:8000"
+      - "${API_HOST_BIND:-0.0.0.0}:${API_PORT:-8102}:8000"
     depends_on:
       postgres:
         condition: service_healthy
diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md
index 9d3796e..0938c43 100644
--- a/docs/DEPLOYMENT.md
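Review bot: The four new `*_HOST_BIND` entries under `# Docker host ports` carry no explanation of what they control, so an operator copying this file cannot tell that changing `POSTGRES_HOST_BIND`, `FALKORDB_HOST_BIND` or `FALKORDB_BROWSER_HOST_BIND` to `0.0.0.0` publishes that service on every host interface instead of loopback only. A comment line directly under the header would close the gap, e.g. `# *_HOST_BIND is the host interface Docker publishes the port on; keep the data services on 127.0.0.1 unless a firewall/security group covers the port`. It is also worth stating next to `API_HOST_BIND=0.0.0.0` that this is the one entry intended to listen on all interfaces, so it is not mistaken for a leftover.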
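Review bot: The new loopback bind on the postgres `ports` entry is now the only control between the network and the `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password}` fallback two lines above it, so a single `POSTGRES_HOST_BIND=0.0.0.0` in `.env` silently republishes a default-credential database; the falkordb hunk has the same shape, and no authentication for the Redis-protocol port is visible in that hunk at all. Pair the bind change with a comment above each of these `ports:` lists, e.g. `# Host bind defaults to loopback; only widen *_HOST_BIND when the port is covered by a firewall/security group`, and consider making the password mandatory with `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}` so that widening the bind cannot expose the known default. For the api hunk, note that Docker publishes `0.0.0.0` ports through its own iptables chain, so a host firewall such as ufw does not shield `API_PORT`; the cloud security group the docs already mention is the effective control and a comment on that line should say so.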
+++ b/docs/DEPLOYMENT.md @@ -119,9 +119,13 @@ docker compose up -d --build | 变量 | 默认值 | 说明 | | --- | --- | --- | +| `API_HOST_BIND` | `0.0.0.0` | API/后台监听地址 | | `API_PORT` | `8102` | FastAPI 与管理后台 | +| `POSTGRES_HOST_BIND` | `127.0.0.1` | PostgreSQL 只绑定服务器本机 | | `POSTGRES_PORT` | `5433` | PostgreSQL 映射端口 | +| `FALKORDB_HOST_BIND` | `127.0.0.1` | FalkorDB Redis 协议只绑定服务器本机 | | `FALKORDB_PORT` | `6380` | FalkorDB Redis 协议端口 | +| `FALKORDB_BROWSER_HOST_BIND` | `127.0.0.1` | FalkorDB Browser 只绑定服务器本机 | | `FALKORDB_BROWSER_PORT` | `3002` | FalkorDB Browser | ## 环境变量 @@ -173,6 +177,7 @@ POST http://8.163.40.99:8102/v1/admin/travel/customer-service-query ``` 服务器安全组需要放行 TCP `8102`。如果服务器本机 `curl http://127.0.0.1:8102/v1/admin/health` 正常,但外部访问 `http://8.163.40.99:8102` 超时,优先检查云控制台安全组/防火墙入方向规则。 +不要把 `5433`、`6380`、`3002` 暴露到公网;默认 Compose 已把这些数据端口绑定到 `127.0.0.1`。 请求示例: