Background
Grafana service access needs hardening through configuration: stronger security checks, XSS prevention, lower memory usage, no anonymous operations, and so on.
The following are performance and security requirements; decide according to your own business needs whether to apply them.
Practice
Optimizations that should be enforced
[server]
protocol = https
read_timeout = 15s # connection timeout; the default 0 means no timeout at all
[security]
content_security_policy = true # default is false; enable it to mitigate XSS
cookie_secure = true # requires Grafana to be served over https
# certificate and key files
cert_file = /${path}/server.crt # use an absolute path
cert_key = /${path}/server.key # use an absolute path
[auth]
login_maximum_inactive_lifetime_duration = 10m # reduces memory waste; the default is 7d
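As an added example (not code from the original post or from Grafana itself), a small Python audit that parses a grafana.ini and reports which of the settings listed above are missing, still at their defaults, or not absolute paths; it assumes the section and key names shown above and runs against two constructed sample configs, one weak and one hardened.

```python
import configparser
import re
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(value):
    """Grafana duration ('15s', '10m', '7d', '1h30m') to seconds; '' or '0' means no limit -> 0."""
    return sum(int(n) * _UNITS[u or "s"] for n, u in re.findall(r"(\d+)([smhd]?)", value))

def _truthy(value):
    return value.lower() in ("true", "1", "yes", "on")
# (section, key, predicate on the raw value, finding) for each setting listed in the post.
RULES = [
    ("server", "protocol", lambda v: v.lower() == "https", "not https"),
    ("server", "read_timeout", lambda v: parse_duration(v) > 0, "unset or 0 (no connection timeout)"),
    ("security", "content_security_policy", _truthy, "disabled (XSS mitigation)"),
    ("security", "cookie_secure", _truthy, "disabled (requires https)"),
    ("security", "cert_file", lambda v: v.startswith("/"), "missing or not an absolute path"),
    ("security", "cert_key", lambda v: v.startswith("/"), "missing or not an absolute path"),
    ("auth", "login_maximum_inactive_lifetime_duration",
     lambda v: 0 < parse_duration(v) < 7 * 86400, "unset or still the 7d default"),
]
def audit_grafana_ini(ini_text):
    """Return findings as 'section.key: problem'; an empty list means every rule is met."""
    cfg = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#", ";"))
    cfg.read_string(ini_text)  # missing sections/keys fall back to "" and fail their rule
    return [f"{s}.{k}: {why}" for s, k, ok, why in RULES
            if not ok(cfg.get(s, k, fallback="").strip())]

# Constructed sample: a grafana.ini still at the defaults the post warns about.
WEAK_INI = """[server]
protocol = http
read_timeout = 0
[security]
content_security_policy = false
[auth]
login_maximum_inactive_lifetime_duration = 7d
"""
# Constructed sample: the same file after applying the post's settings (inline comments are tolerated).
HARDENED_INI = """[server]
protocol = https
read_timeout = 15s  # default 0 means no timeout
[security]
content_security_policy = true
cookie_secure = true
cert_file = /etc/grafana/server.crt
cert_key = /etc/grafana/server.key
[auth]
login_maximum_inactive_lifetime_duration = 10m
"""
```

Call `audit_grafana_ini(open("/etc/grafana/grafana.ini").read())` to check a live file; cookie_secure is reported as missing in the weak sample because an absent key fails its rule just like a wrong value.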
Create the certificate
[root@Huawei /etc/grafana]# openssl req -x509 -out server.crt -keyout server.key -newkey rsa:2048 -nodes -sha256 -days 10000
Generating a 2048 bit RSA private key
..............+++
.........+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN ## CN stands for China
State or Province Name (full name) []:beijing ## state or province name
Locality Name (eg, city) [Default City]:beijing ## locality name
Organization Name (eg, company) [Default Company Ltd]:xx.xx.xx.xx ## IP of the deployment host
Organizational Unit Name (eg, section) []:xx.xx.xx.xx ## IP of the deployment host
Common Name (eg, your name or your server's hostname) []:xx.xx.xx.xx ## IP of the deployment host
Email Address []:18611111111@126.com ## e-mail address
[root@Huawei /etc/grafana]# ls
grafana.ini ldap.toml provisioning server.crt server.key
Reference: https://www.cnblogs.com/security-guard/p/15620206.html