# Security configuration section of the Docker Deployment Guide
[Free download link] n8n-mcp project address: https://gitcode.com/GitHub_Trending/n8/n8n-mcp
## 🔒 Security Features (v2.16.3+)
### Rate Limiting
Protects against brute force authentication attacks:
```bash
# Configure in .env or docker-compose.yml
AUTH_RATE_LIMIT_WINDOW=900000   # 15 minutes in milliseconds
AUTH_RATE_LIMIT_MAX=20          # 20 attempts per IP per window
```
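As an added example (not code from the n8n-mcp project), the following JavaScript shows the per-IP, fixed-window counter that these two settings describe, read from the same environment variables. The Express-style `req`/`res`/`next` middleware shape, the use of `req.ip` as the bucket key, and taking the page's values as defaults are assumptions of this example, not the project's API.

```javascript
// Added example, not n8n-mcp's implementation. Fixed-window counter per client
// IP with the semantics of AUTH_RATE_LIMIT_WINDOW (ms) and AUTH_RATE_LIMIT_MAX.
// The defaults below are the values from the page, assumed for this example.

class AuthRateLimiter {
  constructor({ windowMs = 900000, max = 20, now = () => Date.now() } = {}) {
    this.windowMs = windowMs;
    this.max = max;
    this.now = now;            // injectable clock, so the behaviour is testable offline
    this.buckets = new Map();  // ip -> { windowStart, count }
  }

  // Record one authentication attempt from `ip` and decide whether it may proceed.
  // Returns { allowed, remaining, retryAfterMs }.
  check(ip) {
    const t = this.now();
    let b = this.buckets.get(ip);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { windowStart: t, count: 0 };   // first attempt, or the old window has expired
      this.buckets.set(ip, b);
    }
    if (b.count >= this.max) {
      return { allowed: false, remaining: 0, retryAfterMs: b.windowStart + this.windowMs - t };
    }
    b.count += 1;
    return { allowed: true, remaining: this.max - b.count, retryAfterMs: 0 };
  }

  // Drop expired buckets; without this a client cycling through many source
  // addresses makes the map grow without bound. Call it periodically.
  prune() {
    const t = this.now();
    for (const [ip, b] of this.buckets) {
      if (t - b.windowStart >= this.windowMs) this.buckets.delete(ip);
    }
  }
}

// Build a limiter from the environment, falling back to the page's values.
function limiterFromEnv(env = process.env) {
  return new AuthRateLimiter({
    windowMs: Number(env.AUTH_RATE_LIMIT_WINDOW ?? 900000),
    max: Number(env.AUTH_RATE_LIMIT_MAX ?? 20),
  });
}

// Middleware shape (assumed Express-style req/res/next; not n8n-mcp's actual API).
// Mount it in front of the authentication handler only, so that it is the
// unauthenticated attempts that get counted.
function authRateLimitMiddleware(limiter) {
  return (req, res, next) => {
    const r = limiter.check(req.ip);
    if (!r.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      res.status(429).end('Too many authentication attempts');
      return;
    }
    next();
  };
}
```

Behind the nginx configuration shown further down this page, `req.ip` is the proxy's own address unless the application is configured to trust `X-Forwarded-For`/`X-Real-IP` from that proxy; without that, every client shares one bucket and the first 20 failed attempts from anyone lock everyone out. Trusting those headers from any source other than your own proxy has the opposite problem: a client can then pick its own bucket.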
### SSRF Protection
Prevents Server-Side Request Forgery when using webhook triggers:
```bash
# For production (blocks localhost + private IPs + cloud metadata)
WEBHOOK_SECURITY_MODE=strict
# For local development with local n8n instance
WEBHOOK_SECURITY_MODE=moderate
# For internal testing only (allows private IPs)
WEBHOOK_SECURITY_MODE=permissive
```
Note: Cloud metadata endpoints (169.254.169.254, etc.) are ALWAYS blocked in all modes.
### Reverse proxy and HTTPS configuration
In production, always encrypt traffic with HTTPS and put a reverse proxy in front of the service as an additional hardening layer:
```nginx
# Example nginx security configuration
server {
    listen 443 ssl http2;
    server_name mcp.yourdomain.com;

    # TLS configuration
    ssl_certificate     /etc/letsencrypt/live/mcp.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mcp.yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    # Security headers ("always" so they are also sent on error responses)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;

    # Reverse proxy to n8n-mcp
    location / {
        proxy_pass http://n8n-mcp:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Limit request body size
        client_max_body_size 1M;

        # Timeouts (if clients rely on long-lived streamed responses such as SSE,
        # raise proxy_read_timeout and set proxy_buffering off here)
        proxy_connect_timeout 10s;
        proxy_send_timeout 15s;
        proxy_read_timeout 30s;
    }

    # Health-check endpoint, no authentication required
    location /health {
        proxy_pass http://n8n-mcp:3000/health;
        allow all;
    }
}
```
### Network access control
Restrict n8n-mcp so that it only accepts connections from trusted sources:
```bash
# Restrict port access with ufw (rules are matched in order: the allow must come before the deny)
ufw allow from 192.168.1.0/24 to any port 3000
ufw deny 3000/tcp

# Docker network isolation: a network created with --internal has no route to the outside
docker network create --internal internal-network
docker network create --driver bridge public-network

# Only specific containers may reach n8n-mcp
docker run -d --name n8n-mcp --network internal-network ...
# nginx joins both networks: reachable from outside, and able to forward to n8n-mcp.
# Passing --network more than once needs a recent Docker CLI; on older versions start
# the container on one network and attach the other with `docker network connect`.
docker run -d --name nginx --network public-network --network internal-network ...
```
Note that ports published with `docker run -p` are inserted into iptables by Docker itself and bypass ufw's INPUT rules, so the ufw rules above only protect a port that nginx or n8n-mcp exposes directly on the host. Either keep n8n-mcp unpublished on the internal network, as above, or bind a published port to a specific address (for example `-p 127.0.0.1:3000:3000`).
## Security audits and compliance checks
Regular security audits are the key to maintaining n8n-mcp's security posture; they surface potential vulnerabilities and configuration problems.
### Dependency vulnerability scanning
Check dependencies regularly and update them to fix known vulnerabilities:
```bash
# Check dependencies for known vulnerabilities
npm audit
# Apply fixes that stay within the current semver ranges
npm audit fix
# List outdated dependencies
npm outdated
# Bump dependencies to their latest versions (this rewrites package.json, including
# major-version bumps; review the diff and run the test suite before committing)
npx npm-check-updates -u
npm install
```
n8n-mcp's dependency update policy is described in detail in SECURITY.md:
```markdown
## Dependencies
- Regularly update dependencies: `npm audit`
- Review dependency changes carefully
- Use lock files (`package-lock.json`)
- Monitor for security advisories
```
### Security checklist
Before deploying or updating n8n-mcp, run through the following checklist:
```markdown
## Security Checklist
Before each release or deployment:
- [ ] No hardcoded credentials in source code
- [ ] All sensitive configuration uses environment variables
- [ ] `.env` files are not tracked in git
- [ ] Dependencies are up to date
- [ ] No sensitive data in logs
- [ ] API endpoints use proper authentication
- [ ] Docker images don't contain secrets
```
Automated security checks:
```bash
# Run the security check script
./scripts/security-audit.sh
# Look for hardcoded credentials in the source (case-insensitive, so API_KEY=... is caught too)
grep -riE "(api[_-]?key|secret|token|password)[[:space:]]*=[[:space:]]*['\"][A-Za-z0-9]+['\"]" src/
# Verify that the Docker image does not ship sensitive files. Test for presence instead of
# printing the file, so that a secret never ends up in the terminal or the CI log.
docker run --rm --entrypoint sh ghcr.io/czlonkowski/n8n-mcp:latest \
  -c 'ls -la /app; if [ -e /app/.env ]; then echo "WARNING: /app/.env present in image"; exit 1; else echo "OK: no /app/.env in image"; fi'
```
### Security testing in continuous integration
n8n-mcp's CI/CD pipeline includes comprehensive security testing, so every commit is verified before it lands:
```yaml
# .github/workflows/security.yml
name: Security Scan
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 0 * * 0'   # every Sunday at 00:00 UTC
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      - name: Run npm audit
        run: npm audit --omit=dev   # --production is the deprecated spelling of the same option
      - name: Run ESLint security rules
        run: npx eslint --plugin security src/
      - name: Run dependency check
        uses: snyk/actions/node@master
        with:
          args: --severity-threshold=high
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```
## Security incident response
Even with thorough preventive measures, security incidents can still happen. Establish a clear response process to minimise their impact.
### Reporting security vulnerabilities
When you discover a security vulnerability, report it through the secure channel:
```markdown
## Reporting Security Vulnerabilities
If you discover a security vulnerability in n8n-mcp, please report it by creating a private security advisory on GitHub or emailing the maintainer directly. Please do not create public issues for security vulnerabilities.
```
### Incident response process
The basic steps of security incident response:
- Detection and analysis: confirm the incident and determine its scope and severity
- Containment and isolation: isolate the affected systems to stop the attack from spreading
- Eradication and recovery: remove malicious code or the attacker's access, and restore normal operation
- Post-incident review: record the incident details, analyse the attack vector, and improve defences
```bash
#!/bin/bash
# security-incident-response.sh -- example incident response script
set -u

TS=$(date +%Y%m%d_%H%M%S)
BACKUP_DIR=/backup
mkdir -p "$BACKUP_DIR"

# 1. Isolate the affected system at the network level.
#    Keep already-established sessions (your own SSH connection) before dropping new inbound
#    traffic, otherwise the script locks you out of the host.
iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP

# 2. Collect volatile forensic data while the processes still exist (stopping the service
#    first would lose its process and socket state). ss replaces the deprecated netstat.
dmesg > "$BACKUP_DIR/incident_${TS}_dmesg.log"
ss -tulpn > "$BACKUP_DIR/incident_${TS}_ss.log"
ps aux > "$BACKUP_DIR/incident_${TS}_ps.log"
systemctl stop n8n-mcp

# 3. Snapshot logs and application data before anything is changed
tar -czf "$BACKUP_DIR/incident_${TS}.tar.gz" /var/log /app/data

# 4. Restore to a known-good state
rm -rf /app/data
tar -xzf "$BACKUP_DIR/clean_backup.tar.gz" -C /app/

# 5. Rotate all credentials
./scripts/rotate-credentials.sh

# 6. Bring the service back up and watch it closely
systemctl start n8n-mcp
tail -f /var/log/n8n-mcp.log
```
Authoring statement: parts of this article were generated with AI assistance (AIGC) and are provided for reference only.