
Making a Redis server secure on Digital Ocean


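I use a redis container for my Ruby on Rails application. My application is deployed on a Digital Ocean server. I received an email saying that my Redis configuration is insecure because the Redis server command is running on redis-server *:6379 instead of 127.0.0.1:6379, which makes my Redis server insecure.

How do I configure my Droplet for Redis so that it runs on 127.0.0.1:6379?

Below is the docker-compose.yml configuration for redis: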

app:
  build: .
  env_file: .env.production
  environment:
    RAILS_ENV: production
    REDIS_URL: redis://redis:6379/0
  links:
    - db
    - redis
  expose:
    - "3000"
  volumes:
    - .:/usr/src/app
db:
  image: postgres:9.4.5
  volumes:
     - project-postgres:/var/lib/postgresql/data
web:
  build: .
  dockerfile: config/containers/Dockerfile-nginx
  links:
    - app
    - redis
  environment:
    REDIS_URL: redis://redis:6379/0

  # expose the port we configured Nginx to bind to
  ports:
    - "80:80"
elasticsearch:
  #elasticsearch image
  image: elasticsearch
  container_name: elasticsearch
  # expose the port both ports
  ports:
    - '9200:9200'
    - '9300:9300'
  volumes:
     - /data/elasticsearch:/usr/share/elasticsearch/data
  environment:
    ES_JAVA_OPTS: -Xms256m -Xmx256m

redis:
  image: redis:latest
  command: redis-server

  ports:
    - '6379:6379'
  volumes:
    - 'redis:/var/lib/redis/data'

sidekiq:
  build: .
  command: bundle exec sidekiq
  links:
    - db
    - redis
  volumes:
    - .:/app
  env_file:
    - .env

1 Answer

  • 1
    app:
      build: .
      env_file: .env.production
      environment:
        RAILS_ENV: production
        REDIS_URL: redis://redis:6379/0
      links:
        - db
        - redis
      expose:
        - "3000"
      volumes:
        - .:/usr/src/app
    db:
      image: postgres:9.4.5
      volumes:
        - project-postgres:/var/lib/postgresql/data
    web:
      build: .
      dockerfile: config/containers/Dockerfile-nginx
      links:
        - app
        - redis
      environment:
        REDIS_URL: redis://redis:6379/0

      # expose the port we configured Nginx to bind to
      ports:
        - "80:80"
    elasticsearch:
      #elasticsearch image
      image: elasticsearch
      container_name: elasticsearch
      # expose the port both ports
      # I don't know why you want to expose this to the world.
      # I also think you should take away the ports here and link
      # the container which you want to interact with Elasticsearch

      volumes:
        - /data/elasticsearch:/usr/share/elasticsearch/data
      environment:
        ES_JAVA_OPTS: -Xms256m -Xmx256m

    # Let's say you have a Kibana container that talks to Elasticsearch then you would link them this way:
    kibana:
      image: kibana:6.2.3
      links:
        - elasticsearch
      environment:
        ES_URL: http://elasticsearch:9200
      # If you want people to connect to kibana directly then you can go ahead and open ports.
      # In an ideal world you will put both ES and Kibana behind Nginx as reverse proxy with some authentication on such as HTTP auth or even LDAP auth.
      ports:
        - "5601:5601"

    redis:
      image: docker.io/redis:3.0

      # You don't need to open ports here to the world.
      # As long as the containers that need to communicate with the redis container are linked using "links"
      # keyword, then the containers would be able to talk to each other using their hostname. redis will use the hostname:'redis'

    sidekiq:
      build: .
      command: bundle exec sidekiq
      links:
        - db
        - redis
      volumes:
        - .:/app
      env_file:
        - .env

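    So this does not let you run redis on localhost, because remember that containers have an internal network that they use to communicate with each other. They use hostnames to refer to the service or container they interact with. So, for example, with this compose file redis will be available at redis:6379. Does that make sense?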
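An added example (not part of the original question or answer): a small Ruby check that parses a compose file and lists every `ports` entry that Docker publishes on all host interfaces, such as the question's `'6379:6379'`. The sample YAML is constructed from the question's file plus a hypothetical `cache_local` service showing the loopback-bound form `127.0.0.1:6380:6379`; the function and constant names are this example's own.

```ruby
require 'yaml'

LOOPBACK = /\A(127\.\d+\.\d+\.\d+|::1)\z/

# Host IP a compose "ports" entry binds to; nil means all interfaces (0.0.0.0).
def host_ip(entry)
  return entry['host_ip'] if entry.is_a?(Hash)              # long syntax
  spec = entry.to_s.sub(%r{/\w+\z}, '')                     # drop /tcp, /udp
  return Regexp.last_match(1) if spec =~ /\A\[([^\]]+)\]:/  # [::1]:6379:6379
  parts = spec.split(':')
  parts.length == 3 ? parts.first : nil                     # IP:HOST:CONTAINER
end

# [service, port entry] pairs that are published on a non-loopback address.
def exposed_ports(compose_yaml)
  doc = YAML.safe_load(compose_yaml) || {}
  # Compose v2+ nests services under "services"; the page's v1 file does not.
  services = doc.key?('services') ? doc['services'] : doc
  services.flat_map do |name, svc|
    next [] unless svc.is_a?(Hash)
    Array(svc['ports']).reject { |port| host_ip(port).to_s.match?(LOOPBACK) }
                       .map { |port| [name, port] }
  end
end

# Constructed sample: trimmed from the question's compose file, plus a
# hypothetical cache_local service bound to the host's loopback address only.
SAMPLE = <<~COMPOSE
  web:
    ports:
      - "80:80"
  elasticsearch:
    ports:
      - '9200:9200'
      - '9300:9300'
  redis:
    image: redis:latest
    ports:
      - '6379:6379'
  cache_local:
    image: redis:latest
    ports:
      - '127.0.0.1:6380:6379'
COMPOSE

if __FILE__ == $PROGRAM_NAME
  exposed_ports(SAMPLE).each do |svc, port|
    puts "#{svc}: #{port} is published on all host interfaces"
  end
end
```

The web entry `80:80` is listed too; for a public web server that is expected, while the Redis and Elasticsearch entries are the ones to remove or bind to 127.0.0.1.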
