13 changes: 7 additions & 6 deletions best-practices-for-security-configuration.md
Expand Up @@ -64,7 +64,7 @@ TiDB Dashboard 的账号体系与 TiDB SQL 用户一致,并基于 TiDB SQL 用

TiDB 的默认安装中存在许多用于组件间通信的特权接口。这些端口通常不需要向用户端开放,因为它们主要用于内部通信。当这些端口直接暴露在公共网络上时,会增加潜在的攻击面,违反了安全最小化原则,增加了安全风险的产生。下表列出了 TiDB 集群默认监听端口的详细情况:

| 组件 | 默认监听端口 | 协议 |
| 组件 | 默认监听端口 | 协议 |
|-------------------|--------------|------------|
| TiDB | 4000 | MySQL |
| TiDB | 10080 | HTTP |
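Review bot: the table header row at the top of this hunk appears in both its removed and added form with identical visible content (`| 组件 | 默认监听端口 | 协议 |`), so the change here is apparently whitespace-only (trailing spaces or full-width/half-width spacing); that is fine if intended, but please confirm the separator row `|-------------------|--------------|------------|` still lines up with the new header so the table renders, and mention the whitespace-only nature in the PR description so reviewers do not hunt for a content change. While touching this table, the `| TiDB | 10080 | HTTP |` row carries no hint of what the port is for; since the paragraph above argues that these component-internal ports should not be exposed, a short role note in the row (this is the TiDB status/debug HTTP API, as opposed to the client-facing `4000` MySQL port) would make the table's point concrete.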
Expand All @@ -76,13 +76,14 @@ TiDB 的默认安装中存在许多用于组件间通信的特权接口。这些
| TiFlash | 20170 | Protocol |
| TiFlash | 20292 | HTTP |
| TiFlash | 8234 | HTTP |
| TiFlow | 8261/8291 | HTTP |
| TiFlow | 8262 | HTTP |
| TiFlow | 8300 | HTTP |
| DM master | 8261 | HTTP |
| DM master | 8291 | HTTP |
| DM worker | 8262 | HTTP |
| TiCDC | 8300 | HTTP |
| TiDB Lightning | 8289 | HTTP |
| TiDB Operator | 6060 | HTTP |
| TiDB Dashboard | 2379 | HTTP |
| TiDB Binlog | 8250 | HTTP |
| TiDB Binlog | 8250 | HTTP |
| TiDB Binlog | 8249 | HTTP |
| TMS | 8082 | HTTP |
| TEM | 8080 | HTTP |
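Review bot: replacing the three generic `TiFlow` rows with `DM master` (8261, 8291), `DM worker` (8262) and `TiCDC` (8300) is the right fix, since the old `| TiFlow | 8261/8291 | HTTP |` row packed two ports into one cell and gave the reader no way to tell DM and TiCDC apart when writing firewall rules; splitting 8261 and 8291 onto separate rows also matches the one-port-per-row layout used everywhere else in the table. Two follow-ups: the `| TiDB Binlog | 8250 | HTTP |` row appears in both removed and added form with no visible difference, so that part of the hunk is whitespace-only and worth confirming; and `| TiFlash | 20170 | Protocol |` uses `Protocol` as if it were a protocol name, where the column otherwise holds `MySQL` or `HTTP`, so name the actual transport (gRPC, or at least `TCP`) so the row is as useful as the others.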
Expand All @@ -97,7 +98,7 @@ TiDB 的默认安装中存在许多用于组件间通信的特权接口。这些
| AlertManager | 9093 | HTTP |
| AlertManager | 9094 | Protocol |
| Node Exporter | 9100 | HTTP |
| Blackbox Exporter | 9115 | HTTP |
| Blackbox Exporter | 9115 | HTTP |
| NG Monitoring | 12020 | HTTP |

建议向普通用户只公开数据库的 `4000` 端口和 Grafana 面板的 `9000` 端口,并通过网络安全策略组或防火墙限制其他端口。以下是使用 `iptables` 限制端口访问的示例:
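Review bot: the `| Blackbox Exporter | 9115 | HTTP |` row is unchanged between the removed and added versions, so this hunk is whitespace-only; fine, but say so in the PR description. The more important point is the unchanged closing paragraph, which recommends exposing only the database's `4000` port and "Grafana 面板的 `9000` 端口": the Grafana row is not within this hunk's context, so please check that `9000` matches the Grafana entry in the same table (Grafana's default listen port in TiUP deployments is 3000, so `9000` reads like a typo unless the table says otherwise); a mismatch between the table and the recommendation sends readers to open the wrong port. Also, `| AlertManager | 9094 | Protocol |` has the same placeholder `Protocol` problem as the TiFlash row and should name the transport.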