Restrict data service ports to localhost
@@ -45,7 +45,11 @@ TRAVEL_KG_EXPORT_ROOT=./data/exports
|
|||||||
TRAVEL_KG_ENV_PATH=./.env
|
TRAVEL_KG_ENV_PATH=./.env
|
||||||
|
|
||||||
# Docker host ports
|
# Docker host ports
|
||||||
|
API_HOST_BIND=0.0.0.0
|
||||||
API_PORT=8102
|
API_PORT=8102
|
||||||
|
POSTGRES_HOST_BIND=127.0.0.1
|
||||||
POSTGRES_PORT=5433
|
POSTGRES_PORT=5433
|
||||||
|
FALKORDB_HOST_BIND=127.0.0.1
|
||||||
FALKORDB_PORT=6380
|
FALKORDB_PORT=6380
|
||||||
|
FALKORDB_BROWSER_HOST_BIND=127.0.0.1
|
||||||
FALKORDB_BROWSER_PORT=3002
|
FALKORDB_BROWSER_PORT=3002
|
||||||
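Review bot: The new `API_HOST_BIND` and `*_HOST_BIND` entries are added under `# Docker host ports` with no comment on what they control, even though a value set here overrides the localhost default in the Compose file. I would add a line above them such as `# Host interface each published port binds to: 127.0.0.1 = this host only, 0.0.0.0 = every interface`. On the API entry, a second comment like `# use 127.0.0.1 when a reverse proxy on this host fronts the API` would make the one deliberately public binding explicit. A short warning that the three data-service binds should stay on `127.0.0.1` would keep the sample from being copied with a wider value.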
|
|||||||
@@ -10,7 +10,7 @@ services:
|
|||||||
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password}
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password}
|
||||||
POSTGRES_DB: ${POSTGRES_DB:-kg_admin}
|
POSTGRES_DB: ${POSTGRES_DB:-kg_admin}
|
||||||
ports:
|
ports:
|
||||||
- "${POSTGRES_PORT:-5433}:5432"
|
- "${POSTGRES_HOST_BIND:-127.0.0.1}:${POSTGRES_PORT:-5433}:5432"
|
||||||
volumes:
|
volumes:
|
||||||
- postgres-data:/var/lib/postgresql/data
|
- postgres-data:/var/lib/postgresql/data
|
||||||
- ./snapshots/postgres/kg_admin_new2.dump:/snapshots/kg_admin_new2.dump:ro
|
- ./snapshots/postgres/kg_admin_new2.dump:/snapshots/kg_admin_new2.dump:ro
|
||||||
@@ -42,8 +42,8 @@ services:
|
|||||||
container_name: travel-kg-falkordb
|
container_name: travel-kg-falkordb
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
ports:
|
ports:
|
||||||
- "${FALKORDB_PORT:-6380}:6379"
|
- "${FALKORDB_HOST_BIND:-127.0.0.1}:${FALKORDB_PORT:-6380}:6379"
|
||||||
- "${FALKORDB_BROWSER_PORT:-3002}:3000"
|
- "${FALKORDB_BROWSER_HOST_BIND:-127.0.0.1}:${FALKORDB_BROWSER_PORT:-3002}:3000"
|
||||||
volumes:
|
volumes:
|
||||||
- falkordb-data:/var/lib/falkordb/data
|
- falkordb-data:/var/lib/falkordb/data
|
||||||
depends_on:
|
depends_on:
|
||||||
@@ -90,7 +90,7 @@ services:
|
|||||||
AMAP_SECURITY_JSCODE: ${AMAP_SECURITY_JSCODE:-}
|
AMAP_SECURITY_JSCODE: ${AMAP_SECURITY_JSCODE:-}
|
||||||
GAODE_CRAWLER_PATH: ${GAODE_CRAWLER_PATH:-}
|
GAODE_CRAWLER_PATH: ${GAODE_CRAWLER_PATH:-}
|
||||||
ports:
|
ports:
|
||||||
- "${API_PORT:-8102}:8000"
|
- "${API_HOST_BIND:-0.0.0.0}:${API_PORT:-8102}:8000"
|
||||||
depends_on:
|
depends_on:
|
||||||
postgres:
|
postgres:
|
||||||
condition: service_healthy
|
condition: service_healthy
|
||||||
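Review bot: The Postgres service still falls back to `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password}` (context line in the first hunk), so the new `${POSTGRES_HOST_BIND:-127.0.0.1}` default is the only thing between that known password and the network. Setting `POSTGRES_HOST_BIND=0.0.0.0` in `.env` publishes the database again. Consider `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}` so Compose refuses to start without an explicit secret. If nothing on the host itself needs `5433`, `6380` or `3002`, removing those `ports:` entries is stricter than a loopback bind, because services on the same Compose network reach each other on the container ports without publishing. Whether FalkorDB and its browser require authentication is not visible in these hunks (the service definitions continue outside them), so that is worth confirming before relying on the bind address alone.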
|
|||||||
@@ -119,9 +119,13 @@ docker compose up -d --build
|
|||||||
|
|
||||||
| 变量 | 默认值 | 说明 |
|
| 变量 | 默认值 | 说明 |
|
||||||
| --- | --- | --- |
|
| --- | --- | --- |
|
||||||
|
| `API_HOST_BIND` | `0.0.0.0` | API/后台监听地址 |
|
||||||
| `API_PORT` | `8102` | FastAPI 与管理后台 |
|
| `API_PORT` | `8102` | FastAPI 与管理后台 |
|
||||||
|
| `POSTGRES_HOST_BIND` | `127.0.0.1` | PostgreSQL 只绑定服务器本机 |
|
||||||
| `POSTGRES_PORT` | `5433` | PostgreSQL 映射端口 |
|
| `POSTGRES_PORT` | `5433` | PostgreSQL 映射端口 |
|
||||||
|
| `FALKORDB_HOST_BIND` | `127.0.0.1` | FalkorDB Redis 协议只绑定服务器本机 |
|
||||||
| `FALKORDB_PORT` | `6380` | FalkorDB Redis 协议端口 |
|
| `FALKORDB_PORT` | `6380` | FalkorDB Redis 协议端口 |
|
||||||
|
| `FALKORDB_BROWSER_HOST_BIND` | `127.0.0.1` | FalkorDB Browser 只绑定服务器本机 |
|
||||||
| `FALKORDB_BROWSER_PORT` | `3002` | FalkorDB Browser |
|
| `FALKORDB_BROWSER_PORT` | `3002` | FalkorDB Browser |
|
||||||
|
|
||||||
## 环境变量
|
## 环境变量
|
||||||
@@ -173,6 +177,7 @@ POST http://8.163.40.99:8102/v1/admin/travel/customer-service-query
|
|||||||
```
|
```
|
||||||
|
|
||||||
服务器安全组需要放行 TCP `8102`。如果服务器本机 `curl http://127.0.0.1:8102/v1/admin/health` 正常,但外部访问 `http://8.163.40.99:8102` 超时,优先检查云控制台安全组/防火墙入方向规则。
|
服务器安全组需要放行 TCP `8102`。如果服务器本机 `curl http://127.0.0.1:8102/v1/admin/health` 正常,但外部访问 `http://8.163.40.99:8102` 超时,优先检查云控制台安全组/防火墙入方向规则。
|
||||||
|
不要把 `5433`、`6380`、`3002` 暴露到公网;默认 Compose 已把这些数据端口绑定到 `127.0.0.1`。
|
||||||
|
|
||||||
请求示例:
|
请求示例:
|
||||||
|
|
||||||
|
|||||||