safe
A security-hardened high-availability configuration template that applies strict security best practices
The safe configuration template is derived from the trio template. It is a dedicated security-hardened template that applies strict security best practices.
Configuration overview
- Config name: safe (located at ha/safe.yml)
- Node count: four nodes
- Description: a security-hardened high-availability configuration template that applies strict security best practices
- Supported systems: el8, el9, d12, u22, u24
- Supported architectures: x86_64 (some of the security extensions are not available on ARM64)
- Related configs: trio, full
Enable it with:
```bash
./configure -c ha/safe [-i <primary_ip>]
```
Security hardening measures
The safe template implements the following hardening:
- Mandatory SSL: SSL is enabled on PostgreSQL, PgBouncer and the Patroni API
- Strong password policy: the passwordcheck extension enforces password complexity
- User expiry: every user is given a 20-year expiry (expire_in: 7300 days)
- Minimal listen scope: the PostgreSQL/Patroni/PgBouncer listen addresses are restricted
- Strict HBA rules: SSL is required for authentication, and remote administrator access requires a client certificate
- Audit logging: connection and disconnection events are logged
- Delayed replica: an optional replica lagging one hour behind the primary, for recovery from operator mistakes
- Critical tuning template: the crit.yml tuning template, aimed at zero data loss
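The password policy above is enforced server-side by the contrib passwordcheck module. The following script, added here as an example and not Pigsty's or PostgreSQL's own code, restates passwordcheck's built-in checks (at least 8 characters, a mix of letters and non-letters, no occurrence of the user name) so they can be applied to the credentials in this template before deployment, and generates replacements that satisfy them. The two user/password pairs are the sample values from the template above; the generator's alphabet is an assumption of this example. One caveat that matters in practice: passwordcheck only inspects a password that reaches the server in plaintext (CREATE/ALTER ROLE ... PASSWORD 'x'); a password hashed on the client, for instance by psql's \password, is stored without being checked, so a pre-deployment check like this one is still needed.

```python
"""Apply passwordcheck-style rules to PostgreSQL passwords and generate compliant ones.

Added example, not Pigsty's or PostgreSQL's code. The checks mirror contrib
passwordcheck's defaults: minimum length 8, letters and non-letters both
present, and the user name must not appear in the password (case-sensitive,
as passwordcheck uses strstr).
"""
import secrets
import string

MIN_LEN = 8  # passwordcheck's default MIN_PWD_LEN

# Sample credentials exactly as they appear in the template on this page.
TEMPLATE_USERS = {
    "dbuser_meta": "Pleas3-ChangeThisPwd",
    "dbuser_view": "Make.3ure-Compl1ance",
}


def check_password(username: str, password: str) -> list:
    """Return the list of violations; an empty list means passwordcheck would accept it."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if username in password:
        problems.append("contains the user name")
    has_letter = any(c.isalpha() for c in password)
    has_nonletter = any(not c.isalpha() for c in password)
    if not (has_letter and has_nonletter):
        problems.append("must contain both letters and non-letters")
    return problems


def generate_password(length: int = 24) -> str:
    """Generate a random password that passes check_password() for any user name.

    The alphabet (letters, digits, '-', '.', '_') is an assumption of this
    example; it avoids characters that need quoting in YAML or shell.
    """
    alphabet = string.ascii_letters + string.digits + "-._"
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(length))
        # Require at least one letter and one digit so the letter/non-letter rule always holds.
        if any(c.isalpha() for c in pwd) and any(c.isdigit() for c in pwd):
            return pwd


def audit(users: dict) -> dict:
    """Check every user/password pair; values are the violation lists."""
    return {user: check_password(user, pwd) for user, pwd in users.items()}


if __name__ == "__main__":
    for user, problems in audit(TEMPLATE_USERS).items():
        print(f"{user}: {'ok' if not problems else ', '.join(problems)}")
    print("replacement for dbuser_meta:", generate_password())
```

Run the audit against your own inventory before `./configure`; anything it rejects would also be rejected by the server when the password is set in plaintext, and anything it accepts still needs to be rotated away from the template defaults.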
Configuration content
Source file: pigsty/conf/ha/safe.yml
```yaml
all:
  children:
    #----------------------------------------------#
    # INFRA: three-node high-availability infrastructure
    #----------------------------------------------#
    infra:
      hosts:
        10.10.10.10: { infra_seq: 1 }
        10.10.10.11: { infra_seq: 2, repo_enabled: false }
        10.10.10.12: { infra_seq: 3, repo_enabled: false }
      vars: { patroni_watchdog_mode: off }
    #----------------------------------------------#
    # MinIO backup storage
    #----------------------------------------------#
    minio: { hosts: { 10.10.10.10: { minio_seq: 1 } }, vars: { minio_cluster: minio } }
    #----------------------------------------------#
    # ETCD: three-node high-availability DCS
    #----------------------------------------------#
    etcd:
      hosts:
        10.10.10.10: { etcd_seq: 1 }
        10.10.10.11: { etcd_seq: 2 }
        10.10.10.12: { etcd_seq: 3 }
      vars:
        etcd_cluster: etcd
        etcd_safeguard: false
        etcd_clean: true
    #----------------------------------------------#
    # PostgreSQL: three-node high-availability cluster
    #----------------------------------------------#
    pg-meta:
      hosts:
        10.10.10.10: { pg_seq: 1, pg_role: primary }
        10.10.10.11: { pg_seq: 2, pg_role: replica }
        10.10.10.12: { pg_seq: 3, pg_role: replica , pg_offline_query: true }
      vars:
        pg_cluster: pg-meta
        pg_conf: crit.yml # tuning template for critical workloads
        pg_users:
          - { name: dbuser_meta , password: Pleas3-ChangeThisPwd ,expire_in: 7300 ,pgbouncer: true ,roles: [ dbrole_admin ] ,comment: pigsty admin user }
          - { name: dbuser_view , password: Make.3ure-Compl1ance ,expire_in: 7300 ,pgbouncer: true ,roles: [ dbrole_readonly ] ,comment: read-only viewer }
        pg_databases:
          - { name: meta ,baseline: cmdb.sql ,comment: pigsty meta database ,schemas: [ pigsty ] ,extensions: [ { name: vector } ] }
        pg_services:
          - { name: standby , ip: "*" ,port: 5435 , dest: default ,selector: "[]" , backup: "[? pg_role == `primary`]" }
        pg_listen: '${ip},${vip},${lo}' # restrict listen addresses
        pg_vip_enabled: true
        pg_vip_address: 10.10.10.2/24
        pg_vip_interface: eth1
    #----------------------------------------------#
    # Delayed replica (optional, 1 hour delay)
    #----------------------------------------------#
    pg-meta-delay:
      hosts: { 10.10.10.13: { pg_seq: 1, pg_role: primary, pg_upstream: 10.10.10.10, pg_delay: 1h } }
      vars: { pg_cluster: pg-meta-delay }
  vars:
    version: v4.0.0
    admin_ip: 10.10.10.10
    region: default
    node_tune: oltp
    pg_conf: oltp.yml
    # Security hardening options
    patroni_ssl_enabled: true          # enable SSL on the Patroni API
    pgbouncer_sslmode: require         # PgBouncer requires SSL
    pg_default_service_dest: postgres  # default service connects directly to PostgreSQL, not PgBouncer
    pgbackrest_method: minio           # remote backups to MinIO
    #----------------------------------------------#
    # Strong passwords
    #----------------------------------------------#
    grafana_admin_password: You.Have2Use-A_VeryStrongPassword
    pg_admin_password: PessWorb.Should8eStrong-eNough
    pg_monitor_password: MekeSuerYour.PassWordI5secured
    pg_replication_password: doNotUseThis-PasswordFor.AnythingElse
    patroni_password: don.t-forget-to-change-thEs3-password
    haproxy_admin_password: GneratePasswordWith-pwgen-s-16-1
    #----------------------------------------------#
    # MinIO backup configuration
    #----------------------------------------------#
    minio_users:
      - { access_key: dba , secret_key: S3User.DBA.Strong.Password, policy: consoleAdmin }
      - { access_key: pgbackrest , secret_key: Min10.bAckup ,policy: readwrite }
    pgbackrest_repo:
      local:
        path: /pg/backup
        retention_full_type: count
        retention_full: 2
      minio:
        s3_key: pgbackrest
        s3_key_secret: Min10.bAckup
        cipher_pass: 'pgBR.${pg_cluster}' # encryption passphrase derived from the cluster name (predictable; change it)
        type: s3
        s3_endpoint: sss.pigsty
        s3_region: us-east-1
        s3_bucket: pgsql
        s3_uri_style: path
        path: /pgbackrest
        storage_port: 9000
        storage_ca_file: /etc/pki/ca.crt
        bundle: y
        cipher_type: aes-256-cbc
        retention_full_type: time
        retention_full: 14
    #----------------------------------------------#
    # Strong password policy extension
    #----------------------------------------------#
    pg_libs: '$libdir/passwordcheck, pg_stat_statements, auto_explain'
    pg_extensions:
      - passwordcheck, supautils, pgsodium, pg_vault, pg_session_jwt, anonymizer, pgsmcrypto, pgauditlogtofile, pgaudit
      - pg_auth_mon, credcheck, pgcryptokey, pg_jobmon, logerrors, login_hook, set_user, pgextwlist, pg_auditor, sslutils, noset
    #----------------------------------------------#
    # Strict default role configuration
    #----------------------------------------------#
    pg_default_roles:
      - { name: dbrole_readonly  ,login: false ,comment: role for global read-only access }
      - { name: dbrole_offline   ,login: false ,comment: role for restricted read-only access }
      - { name: dbrole_readwrite ,login: false ,roles: [ dbrole_readonly ] ,comment: role for global read-write access }
      - { name: dbrole_admin     ,login: false ,roles: [ pg_monitor, dbrole_readwrite ] ,comment: role for object creation }
      - { name: postgres     ,superuser: true ,expire_in: 7300 ,comment: system superuser }
      - { name: replicator ,replication: true ,expire_in: 7300 ,roles: [ pg_monitor, dbrole_readonly ] ,comment: system replicator }
      - { name: dbuser_dba   ,superuser: true ,expire_in: 7300 ,roles: [ dbrole_admin ] ,pgbouncer: true ,pool_mode: session, pool_connlimit: 16 , comment: pgsql admin user }
      - { name: dbuser_monitor ,roles: [ pg_monitor ] ,expire_in: 7300 ,pgbouncer: true ,parameters: { log_min_duration_statement: 1000 } ,pool_mode: session ,pool_connlimit: 8 ,comment: pgsql monitor user }
    #----------------------------------------------#
    # Strict HBA rules
    #----------------------------------------------#
    pg_default_hba_rules:
      - { user: '${dbsu}'        ,db: all         ,addr: local     ,auth: ident ,title: 'dbsu access via local os user ident' }
      - { user: '${dbsu}'        ,db: replication ,addr: local     ,auth: ident ,title: 'dbsu replication from local os ident' }
      - { user: '${repl}'        ,db: replication ,addr: localhost ,auth: ssl   ,title: 'replicator replication from localhost' }
      - { user: '${repl}'        ,db: replication ,addr: intra     ,auth: ssl   ,title: 'replicator replication from intranet' }
      - { user: '${repl}'        ,db: postgres    ,addr: intra     ,auth: ssl   ,title: 'replicator postgres db from intranet' }
      - { user: '${monitor}'     ,db: all         ,addr: localhost ,auth: pwd   ,title: 'monitor from localhost with password' }
      - { user: '${monitor}'     ,db: all         ,addr: infra     ,auth: ssl   ,title: 'monitor from infra host with password' }
      - { user: '${admin}'       ,db: all         ,addr: infra     ,auth: ssl   ,title: 'admin @ infra nodes with pwd & ssl' }
      - { user: '${admin}'       ,db: all         ,addr: world     ,auth: cert  ,title: 'admin @ everywhere with ssl & cert' }
      - { user: '+dbrole_readonly',db: all        ,addr: localhost ,auth: ssl   ,title: 'pgbouncer read/write via local socket' }
      - { user: '+dbrole_readonly',db: all        ,addr: intra     ,auth: ssl   ,title: 'read/write biz user via password' }
      - { user: '+dbrole_offline' ,db: all        ,addr: intra     ,auth: ssl   ,title: 'allow etl offline tasks from intranet' }
    pgb_default_hba_rules:
      - { user: '${dbsu}'    ,db: pgbouncer ,addr: local     ,auth: peer ,title: 'dbsu local admin access with os ident' }
      - { user: 'all'        ,db: all       ,addr: localhost ,auth: pwd  ,title: 'allow all user local access with pwd' }
      - { user: '${monitor}' ,db: pgbouncer ,addr: intra     ,auth: ssl  ,title: 'monitor access via intranet with pwd' }
      - { user: '${monitor}' ,db: all       ,addr: world     ,auth: deny ,title: 'reject all other monitor access addr' }
      - { user: '${admin}'   ,db: all       ,addr: intra     ,auth: ssl  ,title: 'admin access via intranet with pwd' }
      - { user: '${admin}'   ,db: all       ,addr: world     ,auth: deny ,title: 'reject all other admin access addr' }
      - { user: 'all'        ,db: all       ,addr: intra     ,auth: ssl  ,title: 'allow all user intra access with pwd' }
```
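The `pg_default_hba_rules` list above is what actually decides who can reach PostgreSQL, how, and from where, and pg_hba.conf is evaluated top to bottom with the first match winning. The script below is an added example, not Pigsty's own code: it expands the template's rule list into pg_hba.conf-style lines and then lints the list for two regressions a careless edit could introduce (a password rule reachable over plain `host` from outside localhost, and administrator access from anywhere without a client certificate). The translation of the `addr` aliases (`local`, `localhost`, `intra`, `infra`, `world`) and `auth` shorthands (`ident`, `peer`, `pwd`, `ssl`, `cert`, `deny`) into pg_hba.conf fields, and the role names behind `${dbsu}`, `${repl}`, `${monitor}` and `${admin}`, are assumptions of this example; confirm them against the pg_hba.conf Pigsty renders on a real node. The weakened rule set at the end is constructed for the demonstration.

```python
"""Render Pigsty-style HBA rule lists into pg_hba.conf lines and lint them.

Added example, not Pigsty's code. ADDR, AUTH and ROLE_VARS are this example's
assumed expansions of the template's shorthands, not Pigsty's rendering.
"""
from typing import Dict, List, Optional

# Assumed expansion of address aliases: 'infra' is filled from the template's
# infra hosts, 'intra' uses the RFC 1918 ranges.
ADDR: Dict[str, Optional[List[str]]] = {
    "local": None,  # unix socket -> 'local' connection type
    "localhost": ["127.0.0.1/32", "::1/128"],
    "intra": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "infra": ["10.10.10.10/32", "10.10.10.11/32", "10.10.10.12/32"],
    "world": ["0.0.0.0/0", "::/0"],
}

# Assumed mapping of auth shorthands to (connection type, auth method).
AUTH = {
    "ident": ("local", "peer"),
    "peer": ("local", "peer"),
    "pwd": ("host", "scram-sha-256"),        # password, TLS optional
    "ssl": ("hostssl", "scram-sha-256"),     # password, TLS required
    "cert": ("hostssl", "cert clientcert=verify-full"),
    "deny": ("host", "reject"),
}

# Assumed role names behind the template's ${...} placeholders.
ROLE_VARS = {"dbsu": "postgres", "repl": "replicator",
             "monitor": "dbuser_monitor", "admin": "dbuser_dba"}


def expand_user(user: str) -> str:
    for key, name in ROLE_VARS.items():
        user = user.replace("${%s}" % key, name)
    return user


def render(rules: List[dict]) -> List[str]:
    """Expand a rule list into pg_hba.conf lines, preserving order (first match wins)."""
    lines = []
    for r in rules:
        user = expand_user(r["user"])
        ctype, method = AUTH[r["auth"]]
        cidrs = ADDR[r["addr"]]
        if cidrs is None:
            lines.append(f"local   {r['db']:<12} {user:<18} {method}  # {r['title']}")
            continue
        for cidr in cidrs:
            lines.append(f"{ctype:<7} {r['db']:<12} {user:<18} {cidr:<18} {method}  # {r['title']}")
    return lines


def lint(rules: List[dict]) -> List[str]:
    """Flag rules that weaken the template's stated policy."""
    findings = []
    for r in rules:
        ctype, method = AUTH[r["auth"]]
        remote = r["addr"] not in ("local", "localhost")
        if remote and ctype == "host" and method != "reject":
            findings.append(f"password accepted without TLS from {r['addr']}: {r['title']}")
        if r["user"] == "${admin}" and r["addr"] == "world" and r["auth"] != "cert":
            findings.append(f"admin reachable from anywhere without client cert: {r['title']}")
    return findings


# pg_default_hba_rules as listed in the template on this page.
PG_DEFAULT_HBA_RULES = [
    {"user": "${dbsu}", "db": "all", "addr": "local", "auth": "ident", "title": "dbsu access via local os user ident"},
    {"user": "${dbsu}", "db": "replication", "addr": "local", "auth": "ident", "title": "dbsu replication from local os ident"},
    {"user": "${repl}", "db": "replication", "addr": "localhost", "auth": "ssl", "title": "replicator replication from localhost"},
    {"user": "${repl}", "db": "replication", "addr": "intra", "auth": "ssl", "title": "replicator replication from intranet"},
    {"user": "${repl}", "db": "postgres", "addr": "intra", "auth": "ssl", "title": "replicator postgres db from intranet"},
    {"user": "${monitor}", "db": "all", "addr": "localhost", "auth": "pwd", "title": "monitor from localhost with password"},
    {"user": "${monitor}", "db": "all", "addr": "infra", "auth": "ssl", "title": "monitor from infra host with password"},
    {"user": "${admin}", "db": "all", "addr": "infra", "auth": "ssl", "title": "admin @ infra nodes with pwd & ssl"},
    {"user": "${admin}", "db": "all", "addr": "world", "auth": "cert", "title": "admin @ everywhere with ssl & cert"},
    {"user": "+dbrole_readonly", "db": "all", "addr": "localhost", "auth": "ssl", "title": "pgbouncer read/write via local socket"},
    {"user": "+dbrole_readonly", "db": "all", "addr": "intra", "auth": "ssl", "title": "read/write biz user via password"},
    {"user": "+dbrole_offline", "db": "all", "addr": "intra", "auth": "ssl", "title": "allow etl offline tasks from intranet"},
]

# Constructed weakened variant: the world-facing admin rule downgraded to a plain password.
WEAK_RULES = [dict(r, auth="pwd") if r["addr"] == "world" else r for r in PG_DEFAULT_HBA_RULES]

if __name__ == "__main__":
    print("\n".join(render(PG_DEFAULT_HBA_RULES)))
    print("template findings:", lint(PG_DEFAULT_HBA_RULES))
    print("weakened findings:", lint(WEAK_RULES))
```

The template's own list lints clean: the only `pwd` rule is the monitor user on localhost, and the single rule that reaches `world` is certificate-only. Downgrading that one rule produces two findings, which is the kind of drift a pre-commit check on `pg_default_hba_rules` should catch.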
Configuration notes
The safe template is Pigsty's security-hardened configuration, designed for production environments with elevated security requirements.
Summary of security features:
| Measure | Description |
|---|---|
| SSL encryption | End-to-end SSL for PostgreSQL, PgBouncer and Patroni |
| Strong password policy | The passwordcheck extension enforces password complexity |
| User expiry | All users expire after 20 years (expire_in: 7300) |
| Strict HBA | Remote administrator access requires certificate authentication |
| Backup encryption | MinIO backups are encrypted with AES-256-CBC |
| Audit logging | The pgaudit extension is installed for SQL audit logging (it must also be preloaded; see the notes below) |
| Delayed replica | A one-hour delayed replica for recovery from operator mistakes |
Applicable scenarios:
- Industries with high security requirements, such as finance, healthcare and government
- Environments that must satisfy compliance audit requirements
- Critical workloads with very high data-security requirements
Notes:
- Some of the security extensions are not available on ARM64; enable them selectively
- Every default password in the template must be replaced with a strong one. This includes the MinIO secret keys and the pgbackrest cipher_pass, which is derived from the cluster name and is therefore predictable
- pgaudit appears in pg_extensions but not in pg_libs, so it is installed but not loaded; add it to pg_libs (shared_preload_libraries) before expecting SQL audit logs
- passwordcheck only evaluates passwords that reach the server in plaintext; a password hashed on the client side is stored without being checked
- Combine with periodic security audits