Security Configuration
This document describes Croupier's security configuration and the practices recommended for production deployments.
Contents
Security Architecture
TLS/mTLS Configuration
Certificate Structure
                 Root CA (ca.crt)
                        |
        +---------------+---------------+
        |                               |
    Server CA                       Agent CA
        |                               |
   +----+-----+                   +-----+-----+
   |          |                   |           |
Server.crt  Edge.crt          Agent1.crt  Agent2.crt

The openssl steps below sign the server and agent certificates directly with the root CA, which is the simplest setup. With the two-tier layout shown here, sign each leaf with its intermediate instead, ship the intermediate alongside the leaf, and point the server's client_auth at the Agent CA only, so that a server or edge certificate can never be used to authenticate as an agent.
Generating the CA
# Generate the root CA; keep ca.key offline, it is only needed when signing new certificates
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 \
  -key ca.key -out ca.crt \
  -subj "/CN=Croupier Root CA/O=Croupier/C=CN"
Generating the Server Certificate
# Generate the private key
openssl genrsa -out server.key 4096
# Generate the CSR
openssl req -new -key server.key -out server.csr \
  -subj "/CN=server.example.com/O=Croupier/C=CN"
# Sign the certificate. Clients match server_name against the SAN, not the CN, so the SAN is mandatory;
# extendedKeyUsage=serverAuth marks this as a server certificate
openssl x509 -req -days 365 \
  -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out server.crt \
  -extfile <(printf "subjectAltName=DNS:server.example.com,DNS:*.server.example.com\nextendedKeyUsage=serverAuth\n")
Generating an Agent Certificate
# Generate the private key
openssl genrsa -out agent.key 4096
# Generate the CSR; the CN is the agent's identity
openssl req -new -key agent.key -out agent.csr \
  -subj "/CN=agent-1/O=Croupier/C=CN"
# Sign the certificate with extendedKeyUsage=clientAuth so it is accepted for client authentication.
# -CAcreateserial lets this step run on its own; it reuses ca.srl if the server step already created it
openssl x509 -req -days 365 \
  -in agent.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out agent.crt \
  -extfile <(printf "extendedKeyUsage=clientAuth\n")
Server Configuration
server:
  tls:
    enabled: true
    cert_file: "data/server.crt"
    key_file: "data/server.key"
    ca_file: "data/ca.crt"          # trust anchor used when verifying peer certificates
    min_version: "TLS1.2"
    max_version: "TLS1.3"
    cipher_suites:                  # TLS 1.2 suites only; TLS 1.3 negotiates its own fixed AEAD suites regardless of this list
      - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    client_auth:
      mode: "require_and_verify"    # require a client certificate and verify it against ca_files
      ca_files:
        - "data/agent-ca.crt"
ca_file and client_auth.ca_files both name trust anchors. List only the Agent CA under client_auth.ca_files so that the set of certificates accepted for agent authentication stays as small as possible; an agent that presents a certificate from any other issuer is then refused at the handshake.
Agent Configuration
agent:
  tls:
    ca_file: "data/ca.crt"
    cert_file: "data/agent.crt"
    key_file: "data/agent.key"
    server_name: "server.example.com"   # must match a SAN in server.crt
    min_version: "TLS1.2"
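To make the two configuration blocks above concrete, here is an added example (not Croupier's own code) that builds the same PKI in memory with Go's standard library and runs a mutual-TLS handshake over loopback TCP: a root CA, a server certificate carrying the server.example.com SAN, an agent certificate with the clientAuth extended key usage, a server config equivalent to client_auth.mode: require_and_verify, and an agent config that pins server_name. It uses P-256 keys instead of the RSA-4096 keys generated above, signs both leaves directly with the root as the openssl steps do, and the names PKI, NewPKI, Configs and Handshake are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue generates a P-256 key for tmpl and signs it with parentKey; a nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// PKI is the in-memory equivalent of ca.crt, server.crt/server.key and agent.crt/agent.key.
type PKI struct {
	Roots         *x509.CertPool
	Server, Agent tls.Certificate
}

// NewPKI builds the root CA and issues the server and agent leaves directly under it.
func NewPKI() (*PKI, error) {
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca, caKey, err := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Croupier Root CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return nil, err
	}
	srv, srvKey, err := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "server.example.com"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		DNSNames:    []string{"server.example.com"}, // the SAN the agent matches against server_name
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	if err != nil {
		return nil, err
	}
	ag, agKey, err := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "agent-1"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey) // clientAuth EKU is required
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &PKI{Roots: roots, Server: tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		Agent: tls.Certificate{Certificate: [][]byte{ag.Raw}, PrivateKey: agKey}}, nil
}

// Configs maps server.tls and agent.tls onto tls.Config: client cert required and verified, server_name pinned, TLS 1.2 floor.
func (p *PKI) Configs() (server, agent *tls.Config) {
	server = &tls.Config{Certificates: []tls.Certificate{p.Server}, ClientCAs: p.Roots,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	agent = &tls.Config{Certificates: []tls.Certificate{p.Agent}, RootCAs: p.Roots,
		ServerName: "server.example.com", MinVersion: tls.VersionTLS12}
	return server, agent
}

// Handshake runs one handshake over loopback TCP; the server's verdict wins because under TLS 1.3 the client finishes first.
func Handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			err = tls.Server(raw, serverCfg).Handshake()
		}
		verdict <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	clientErr := tls.Client(raw, clientCfg).Handshake()
	if serverErr := <-verdict; serverErr != nil {
		return serverErr
	}
	return clientErr
}
```

Handshake reports the server-side result first because with TLS 1.3 the client's handshake completes before the server has examined the client certificate; an agent that presents no certificate therefore only sees the rejection on its first read. Clearing Certificates on the agent config, handing it a certificate from a second NewPKI, or changing ServerName all produce a failed handshake.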
Authentication Configuration
JWT Configuration
server:
  auth:
    jwt_secret: "${JWT_SECRET}"    # at least 32 random bytes; for HS256 the key should be no shorter than the 32-byte HMAC-SHA256 output. Inject it from the environment, never commit it
    jwt_expiry: "24h"
    jwt_refresh_expiry: "168h"     # 7 days
    issuer: "croupier"
JWT Token Example
HS256 is a symmetric scheme: any component that holds jwt_secret can mint tokens as well as verify them, so the secret must stay on the server.
{
  "header": {
    "alg": "HS256",
    "typ": "JWT"
  },
  "payload": {
    "user_id": "user_123",
    "username": "admin",
    "roles": ["admin"],
    "exp": 1733140800,
    "iat": 1733054400,
    "iss": "croupier"
  }
}
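As an added illustration (not Croupier's implementation) of what the server does with jwt_secret and issuer, the following Go code signs and verifies an HS256 token of the shape shown above using only the standard library. The checks are the ones that matter in practice: the alg header is pinned to HS256 so a token claiming alg none or a different algorithm is rejected before the signature is examined, the MAC is compared in constant time, and exp and iss are enforced. The Claims type and the Sign and Verify functions are this example's own names; the secret in the usage is a constructed test value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the payload shape of the token example above.
type Claims struct {
	UserID   string   `json:"user_id"`
	Username string   `json:"username"`
	Roles    []string `json:"roles"`
	Exp      int64    `json:"exp"`
	Iat      int64    `json:"iat"`
	Iss      string   `json:"iss"`
}

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Sign produces header.payload.signature with HMAC-SHA256 over the first two segments.
func Sign(c Claims, secret []byte) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// Verify checks structure, pins the algorithm, checks the MAC in constant time, and only
// then parses the claims and enforces iss and exp against the supplied clock.
func Verify(token string, secret []byte, issuer string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("unexpected alg") // rejects "none" and algorithm confusion
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, errors.New("wrong issuer")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```

When rotating jwt_secret, accept both the old and the new secret for one jwt_expiry window and sign only with the new one, otherwise every session is invalidated at once.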
OIDC Configuration
The redirect_url must match, character for character, the redirect URI registered with the identity provider; providers reject the login otherwise.
server:
  auth:
    oidc:
      enabled: true
      issuer: "https://accounts.example.com"
      client_id: "${OIDC_CLIENT_ID}"
      client_secret: "${OIDC_CLIENT_SECRET}"
      redirect_url: "https://croupier.example.com/auth/callback"
      scopes:
        - "openid"
        - "profile"
        - "email"
TOTP Two-Factor Authentication
server:
  auth:
    totp:
      enabled: true
      issuer: "Croupier"
      period: 30
      digits: 6
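The following is an added example (not Croupier's code) of the RFC 6238 computation behind period: 30 and digits: 6, written with the Go standard library. Code produces the value an authenticator app shows for a given Unix time; Verify accepts the current step and one step on either side to tolerate clock drift, compares in constant time, and returns the step it matched so the caller can persist it and refuse a replay of the same code. The TOTP type and SecretFromBase32 are this example's names, and the RFC 6238 test secret 12345678901234567890 is used as sample input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
)

// TOTP holds the shared secret and the period/digits parameters from the config above.
type TOTP struct {
	Secret []byte
	Period int64
	Digits int
}

// Code returns the code for Unix time t: counter = t / period, then HOTP dynamic
// truncation (RFC 4226) of HMAC-SHA1(secret, counter).
func (o TOTP) Code(t int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t/o.Period))
	mac := hmac.New(sha1.New, o.Secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < o.Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", o.Digits, bin%mod)
}

// Verify accepts the current step or its neighbours, never a step at or below the last
// one accepted for this user (replay), and returns the step the caller should store.
func (o TOTP) Verify(code string, t int64, lastUsedStep int64) (int64, bool) {
	for _, delta := range []int64{0, -1, 1} {
		step := t/o.Period + delta
		if step <= lastUsedStep {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(o.Code(step*o.Period)), []byte(code)) == 1 {
			return step, true
		}
	}
	return lastUsedStep, false
}

// SecretFromBase32 parses the secret as shown to the user in an otpauth URI (base32, no padding).
func SecretFromBase32(s string) ([]byte, error) {
	clean := strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(clean)
}
```

Store lastUsedStep per user alongside the secret; without it a code captured within its 30-second window can be replayed against a server that only checks the drift window.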
Authorization Configuration
RBAC Roles
Permissions are written resource.action; * matches any resource or any action, so *.* is unrestricted.
{
  "role_id": "admin",
  "name": "Administrator",
  "permissions": ["*.*"]
}
{
  "role_id": "gm",
  "name": "Game Master",
  "permissions": [
    "player.*",
    "item.*",
    "guild.*"
  ]
}
{
  "role_id": "viewer",
  "name": "Viewer",
  "permissions": [
    "player.view",
    "item.view",
    "guild.view"
  ]
}
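Here is an added example (not Croupier's authorization code) of how the permission strings above can be evaluated: Match implements the resource.action pattern with * as a per-segment wildcard, Allowed is the RBAC decision across a user's roles, and Effective expands a role set over a catalog of concrete permissions, which is the query to run for the periodic permission review in the checklist further down. The role table is taken from the JSON above; the Go names and the catalog entries are this example's own.

```go
package main

import "strings"

// Role mirrors the role objects above. A permission is "resource.action";
// "*" in either position matches anything.
type Role struct {
	ID          string
	Permissions []string
}

// Roles is the role table from the JSON above.
var Roles = map[string]Role{
	"admin":  {ID: "admin", Permissions: []string{"*.*"}},
	"gm":     {ID: "gm", Permissions: []string{"player.*", "item.*", "guild.*"}},
	"viewer": {ID: "viewer", Permissions: []string{"player.view", "item.view", "guild.view"}},
}

// Match reports whether pattern covers perm, segment by segment: "*.*" matches
// everything, "player.*" every action on player, "player.view" only itself.
// Segment counts must agree, so "player.*" does not cover "player.ban.all".
func Match(pattern, perm string) bool {
	p, q := strings.Split(pattern, "."), strings.Split(perm, ".")
	if len(p) != len(q) {
		return false
	}
	for i := range p {
		if p[i] != "*" && p[i] != q[i] {
			return false
		}
	}
	return true
}

// Allowed is the RBAC decision: some role of the user has a pattern covering perm.
// Role names absent from the table grant nothing.
func Allowed(roles map[string]Role, userRoles []string, perm string) bool {
	for _, name := range userRoles {
		for _, pattern := range roles[name].Permissions {
			if Match(pattern, perm) {
				return true
			}
		}
	}
	return false
}

// Effective lists which permissions from a catalog of concrete permissions a role
// combination really grants; run it during a permission review or before adding a wildcard.
func Effective(roles map[string]Role, userRoles []string, catalog []string) []string {
	var granted []string
	for _, perm := range catalog {
		if Allowed(roles, userRoles, perm) {
			granted = append(granted, perm)
		}
	}
	return granted
}
```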
ABAC Policies
An allow_if expression refines the permission check with attributes of the caller and the environment. The rule below grants player.ban to admins everywhere, but to game masters only in the dev environment.
{
  "id": "player.ban",
  "auth": {
    "permission": "player.ban",
    "allow_if": "has_role('admin') || (has_role('gm') && env == 'dev')"
  }
}
Approval Configuration
Two-Person Rule
With two_person_rule enabled, the person who requests the operation can never count as one of its approvers. threshold is the number of distinct approvals required from holders of the listed roles, and timeout is how long a request stays open before it lapses.
{
  "id": "player.ban",
  "auth": {
    "two_person_rule": true,
    "approval": {
      "enabled": true,
      "threshold": 2,
      "approvers": ["admin", "senior_gm"],
      "timeout": "24h"
    }
  }
}
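As an added example (not Croupier's workflow engine), the following Go code implements the semantics the player.ban policy above describes: a request opened by one person, approvals only from distinct users holding one of the approver roles, rejection of self-approval (the two-person rule), one vote per approver, a threshold of two, and a 24-hour timeout after which the request can be neither approved nor executed. Policy, Request and the error values are this example's names.

```go
package main

import (
	"errors"
	"time"
)

// Policy is the approval block of one function: whether the requester is barred from
// approving, how many distinct approvals are needed, which roles may approve, and how
// long a request stays open.
type Policy struct {
	TwoPersonRule bool
	Threshold     int
	ApproverRoles []string
	Timeout       time.Duration
}

// PlayerBanPolicy is the player.ban policy from the JSON above.
var PlayerBanPolicy = Policy{TwoPersonRule: true, Threshold: 2,
	ApproverRoles: []string{"admin", "senior_gm"}, Timeout: 24 * time.Hour}

var (
	ErrSelfApproval = errors.New("requester may not approve their own request")
	ErrDuplicate    = errors.New("approver has already approved this request")
	ErrNotApprover  = errors.New("approver holds none of the approving roles")
	ErrExpired      = errors.New("request has timed out")
)

// Request is one pending invocation of a guarded function.
type Request struct {
	Requester string
	CreatedAt time.Time
	Approvals map[string]bool // approver -> has approved
	Policy    Policy
}

func NewRequest(requester string, now time.Time, p Policy) *Request {
	return &Request{Requester: requester, CreatedAt: now, Approvals: map[string]bool{}, Policy: p}
}

func (r *Request) expired(now time.Time) bool {
	return now.After(r.CreatedAt.Add(r.Policy.Timeout))
}

// Approve records one approval after checking the timeout, the two-person rule,
// double voting and role membership, in that order.
func (r *Request) Approve(approver string, roles []string, now time.Time) error {
	switch {
	case r.expired(now):
		return ErrExpired
	case r.Policy.TwoPersonRule && approver == r.Requester:
		return ErrSelfApproval
	case r.Approvals[approver]:
		return ErrDuplicate
	case !hasAny(roles, r.Policy.ApproverRoles):
		return ErrNotApprover
	}
	r.Approvals[approver] = true
	return nil
}

// Approved is true once the threshold of distinct approvers is reached and the
// request has not timed out; the guarded function runs only if this holds.
func (r *Request) Approved(now time.Time) bool {
	return !r.expired(now) && len(r.Approvals) >= r.Policy.Threshold
}

func hasAny(have, want []string) bool {
	for _, h := range have {
		for _, w := range want {
			if h == w {
				return true
			}
		}
	}
	return false
}
```

Approvals are keyed by user identity, not by role, so two approvals from the same admin count once; the role check only decides who is eligible to vote.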
Approval Storage
server:
  audit:
    approval_storage: "postgres"   # memory | postgres | sqlite; "memory" loses pending requests on restart, use it for tests only
    approval_db:
      dsn: "postgres://user:pass@localhost:5432/croupier"
Audit Logs
Audit Configuration
server:
  audit:
    enabled: true
    # Field names whose values are redacted before the record is written
    sensitive_fields:
      - "password"
      - "token"
      - "secret"
      - "api_key"
    # Retention period in days
    retention_days: 365
    # Backup configuration
    backup_enabled: true
    backup_location: "s3://audit-logs/"
Tamper-Evident Audit Chain
Every audit record stores the hash of the record before it, so altering or deleting an earlier entry breaks every link that follows. A chain on its own only proves integrity relative to its latest hash, though: whoever can rewrite the whole log can rebuild a consistent chain, so the head hash must be anchored where the log host cannot change it (signed, or written to a separate append-only store).
package audit

import (
	"crypto/sha256"
	"encoding/hex"
)

// AuditLog is one record of the hash chain.
type AuditLog struct {
	AuditID  string
	Previous string // hash of the preceding record ("" for the first one)
	Hash     string // hash of this record: SHA-256(Previous || Content)
	Content  []byte
}

// ComputeHash derives the record hash from the previous hash and this record's content.
func (a *AuditLog) ComputeHash() string {
	h := sha256.New()
	h.Write([]byte(a.Previous))
	h.Write(a.Content)
	return hex.EncodeToString(h.Sum(nil))
}
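Building on ComputeHash above, here is an added example (not Croupier's audit store) that appends records, verifies every link, and demonstrates the limitation just described: a rewritten chain is internally consistent, so Seal anchors the head hash with a key held elsewhere (an HMAC here; a signature or write-once storage serves the same purpose). Entry, Chain, Seal and CheckSeal are this example's names, and the log lines are constructed sample events.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry mirrors AuditLog: each record commits to the hash of its predecessor.
type Entry struct {
	AuditID  string
	Previous string
	Hash     string
	Content  []byte
}

// computeHash is the same construction as ComputeHash above: SHA-256(previous || content).
func computeHash(previous string, content []byte) string {
	h := sha256.New()
	h.Write([]byte(previous))
	h.Write(content)
	return hex.EncodeToString(h.Sum(nil))
}

// Chain is an append-only list; Head is the hash of the last entry ("" when empty).
type Chain struct {
	Entries []Entry
	Head    string
}

// Append links a new record to the current head.
func (c *Chain) Append(id string, content []byte) {
	e := Entry{AuditID: id, Previous: c.Head, Content: content}
	e.Hash = computeHash(e.Previous, e.Content)
	c.Entries = append(c.Entries, e)
	c.Head = e.Hash
}

// Verify recomputes every link and returns the index of the first entry whose stored
// hash or previous pointer does not match, or -1 when the chain is intact.
func (c *Chain) Verify() int {
	prev := ""
	for i, e := range c.Entries {
		if e.Previous != prev || computeHash(e.Previous, e.Content) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Seal binds a head hash to a key kept off the log host. Without such an anchor an
// attacker who can rewrite the log simply rebuilds a consistent chain.
func Seal(head string, key []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(head))
	return hex.EncodeToString(m.Sum(nil))
}

// CheckSeal verifies both the links and that the chain still ends at the sealed head,
// which catches rewrites and truncation alike.
func (c *Chain) CheckSeal(seal string, key []byte) error {
	if c.Verify() != -1 {
		return errors.New("chain links broken")
	}
	if !hmac.Equal([]byte(Seal(c.Head, key)), []byte(seal)) {
		return errors.New("head does not match seal: entries truncated or rewritten")
	}
	return nil
}

func main() {
	var c Chain
	for i, ev := range []string{"login user_123", "player.ban 4711 by admin", "approval granted"} {
		c.Append(fmt.Sprintf("a%d", i), []byte(ev)) // constructed sample events
	}
	key := []byte("constructed-seal-key") // in practice held by a separate service
	seal := Seal(c.Head, key)
	fmt.Println("intact:", c.Verify(), c.CheckSeal(seal, key))
	c.Entries[1].Content = []byte("player.ban 4711 by nobody") // tamper with one record
	fmt.Println("first broken link:", c.Verify())
}
```

Publish a fresh seal on a schedule (for example with every backup to backup_location); the audit integrity check in the checklist below is then Verify plus CheckSeal against the most recent seal.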
Network Security
Firewall Configuration
# Server
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp    # SSH
ufw allow 443/tcp   # HTTPS
ufw allow 8443/tcp  # gRPC (mTLS)
ufw allow 8080/tcp  # plain HTTP; restrict this to trusted networks, or leave it closed if every client can use 443/8443
ufw enable
DDoS Protection
server:
  http:
    rate_limit:
      enabled: true
      requests_per_second: 100
      burst: 200
      ip_whitelist:
        - "10.0.0.0/8"
        - "192.168.0.0/16"
Data Encryption
Database Encryption
server:
  db:
    # sslmode=require only encrypts the connection; verify-full additionally checks the server
    # certificate and host name against ca_file, which is what defeats a man-in-the-middle
    dsn: "postgres://user:pass@localhost:5432/croupier?sslmode=verify-full"
    ssl:
      enabled: true
      cert_file: "data/client.crt"
      key_file: "data/client.key"
      ca_file: "data/ca.crt"
Sensitive Field Encryption
Fields tagged encrypt:"true" are encrypted before they are stored.
type User struct {
	UserID   string
	Username string
	Password string `encrypt:"true"` // see the note below
	APIKey   string `encrypt:"true"` // must be recoverable, so reversible encryption fits
}
A password never needs to be decrypted: store it as a salted password hash (bcrypt, scrypt or Argon2id) rather than reversibly encrypting it, and reserve field encryption for secrets the server must present again later, such as API keys.
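The struct tag above only marks which fields are sensitive; how they are protected is up to the storage layer. The following added example (not Croupier's implementation) shows one sound way to do it in Go: AES-256-GCM with a fresh random nonce per value, the field name bound as associated data so a ciphertext cannot be copied into a different column unnoticed, and reflection over the encrypt:"true" tag so the caller just passes a pointer to the record. The User type here keeps a PasswordHash field untagged on purpose, following the note above; FieldCipher and its methods are this example's names, and the key must come from a secret manager rather than the source code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
	"reflect"
)

// FieldCipher encrypts string fields tagged `encrypt:"true"` with AES-256-GCM.
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher expects a 32-byte key, which should come from a secret manager or KMS.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// SealField encrypts one value; the field name is bound as associated data so a
// ciphertext copied into a different column fails to decrypt.
func (f *FieldCipher) SealField(field, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	out := f.aead.Seal(nonce, nonce, []byte(plaintext), []byte(field)) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(out), nil
}

// OpenField reverses SealField and fails on any change to nonce, ciphertext, tag or field name.
func (f *FieldCipher) OpenField(field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := f.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := f.aead.Open(nil, raw[:n], raw[n:], []byte(field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// apply walks the struct behind v and rewrites every string field tagged encrypt:"true".
func (f *FieldCipher) apply(v interface{}, op func(field, value string) (string, error)) error {
	rv := reflect.ValueOf(v)
	if rv.Kind() != reflect.Ptr || rv.Elem().Kind() != reflect.Struct {
		return errors.New("need a pointer to a struct")
	}
	rv = rv.Elem()
	for i := 0; i < rv.NumField(); i++ {
		sf := rv.Type().Field(i)
		if sf.Tag.Get("encrypt") != "true" || sf.Type.Kind() != reflect.String || !rv.Field(i).CanSet() {
			continue
		}
		out, err := op(sf.Name, rv.Field(i).String())
		if err != nil {
			return err
		}
		rv.Field(i).SetString(out)
	}
	return nil
}

// Encrypt and Decrypt transform a record in place, before it is stored and after it is loaded.
func (f *FieldCipher) Encrypt(record interface{}) error { return f.apply(record, f.SealField) }
func (f *FieldCipher) Decrypt(record interface{}) error { return f.apply(record, f.OpenField) }

// User follows the struct above, except that the password is kept as a salted hash
// and therefore carries no encrypt tag.
type User struct {
	UserID       string
	Username     string
	PasswordHash string
	APIKey       string `encrypt:"true"`
}
```

Because every SealField call draws a fresh nonce, encrypting the same API key twice yields different ciphertexts, so encrypted columns cannot be used for equality lookups; keep a separate keyed hash (HMAC) of the value if you need to search by it.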
Security Checklist
Pre-Deployment Checks
- [ ] All components use mTLS
- [ ] JWT secret is long and random (at least 32 bytes) and not stored in the repository
- [ ] Two-factor authentication is enabled
- [ ] Two-person rule is configured for sensitive functions
- [ ] Audit logging is enabled
- [ ] Sensitive fields are redacted in audit logs
- [ ] Database connections are encrypted and verify the server certificate
- [ ] Firewall is configured
- [ ] Rate limiting is enabled
Periodic Checks
- [ ] Certificate expiry dates
- [ ] Audit log chain integrity
- [ ] Permission review
- [ ] Vulnerability scanning
Troubleshooting
TLS Handshake Failures
# Test the mTLS connection the way an agent would; -servername sends the SNI that server_name is matched against
openssl s_client -connect server:8443 -servername server.example.com \
  -cert agent.crt -key agent.key -CAfile ca.crt
# Inspect a certificate: check Validity, Subject Alternative Name and Extended Key Usage
openssl x509 -in server.crt -text -noout
Authentication Failures
# Decode the JWT payload. Segments are base64url, so map - and _ first; this only reads the claims and does not verify the signature
echo "eyJhbGci..." | jq -R 'split(".") | .[1] | gsub("-"; "+") | gsub("_"; "/") | @base64d | fromjson'
