From ae3e3a5586e73072449f4e3c74d3ac92d4ba0e29 Mon Sep 17 00:00:00 2001 From: Junxiang Huang Date: Tue, 19 Nov 2024 14:35:23 +0800 Subject: [PATCH] opt: es issues --- .../download_and_setup_seafile_professional_server.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/manual/deploy_pro/download_and_setup_seafile_professional_server.md b/manual/deploy_pro/download_and_setup_seafile_professional_server.md index 6e953217..85d60223 100644 --- a/manual/deploy_pro/download_and_setup_seafile_professional_server.md +++ b/manual/deploy_pro/download_and_setup_seafile_professional_server.md @@ -471,6 +471,14 @@ sudo docker run -d \ -d elasticsearch:7.16.2 ``` +**Note**: By default, Elasticsearch will only listen on `127.0.0.1`, but this rule may **become invalid** after Docker exposes the service port, ***which will make your Elasticsearch service vulnerable to attackers accessing and extracting sensitive data due to exposure to the external network***. We recommend that you manually configure the Docker firewall, such as + +```sh +sudo iptables -A INPUT -p tcp -s --dport 9200 -j ACCEPT +sudo iptables -A INPUT -p tcp --dport 9200 -j DROP +``` + +The above command will only allow the host where your Seafile service is located to connect to Elasticsearch, and other addresses will be blocked. If you deploy Elasticsearch based on binary packages, you need to refer to the [official document](https://www.elastic.co/guide/en/elasticsearch/reference/7.17/important-settings.html#network.host) to set the address that Elasticsearch binds to. ### Modifying seafevents
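Review bot: In the added `sh` block, the first rule reads `-s --dport 9200` with no source address after `-s`, so iptables will reject it as written. Put an explicit placeholder there (for example `-s <seafile-host-ip>`, a hypothetical name) and tell the reader to substitute the address of the Seafile host. Both rules are also appended to the `INPUT` chain, but traffic to a port that Docker publishes is DNAT'ed and passes through `FORWARD` rather than `INPUT`, so these rules will not restrict access to the container. Docker's documented place for user filtering of published ports is the `DOCKER-USER` chain. Alternatively, the note could recommend publishing the port on a specific host address (such as `-p 127.0.0.1:9200:9200`) when Seafile runs on the same host. Since `-A` appends after any existing rules, it is also worth saying that rule order matters and that the rules need to be persisted to survive a reboot.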