Security Configuration

Security configuration is critical for deploying Geode in production environments. This comprehensive guide covers all aspects of security configuration, from authentication and authorization to encryption and audit logging, ensuring your graph database meets enterprise security requirements. <h3 id="configuration-file-structure" class="position-relative d-flex align-items-center group"> Configuration File Structure <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="configuration-file-structure" aria-haspopup="dialog" aria-label="Share link: Configuration File Structure"> Share link </button> </h3><div id="headingShareModal" class="heading-share-modal" role="dialog" aria-modal="true" aria-labelledby="headingShareTitle" hidden> <div class="hsm-dialog" role="document"> <div class="hsm-header"> <h2 id="headingShareTitle" class="h6 mb-0 fw-bold">Share this section</h2> <button type="button" class="hsm-close" aria-label="Close"> </button> </div> <div class="hsm-body"> <label for="headingShareInput" class="form-label small text-muted mb-1 text-uppercase fw-bold" style="font-size: 0.7rem; letter-spacing: 0.5px;">Permalink</label> <div class="input-group mb-4 hsm-url-group"> <input id="headingShareInput" type="text" class="form-control font-monospace" readonly aria-readonly="true" style="font-size: 0.85rem;" /> <button class="btn btn-primary hsm-copy" type="button" aria-label="Copy" title="Copy"> </button> </div> <div class="small fw-bold mb-2 text-muted text-uppercase" style="font-size: 0.7rem; letter-spacing: 0.5px;">Share via</div> <div class="hsm-share-grid"> <a id="share-twitter" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Twitter </a> <a id="share-linkedin" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> LinkedIn </a> <a id="share-facebook" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Facebook </a> </div> </div> </div> </div> <style> .heading-share-modal { position: fixed; inset: 0; display: flex; justify-content: center; align-items: center; background: rgba(0, 0, 0, 0.6); z-index: 1050; padding: 1rem; backdrop-filter: blur(4px); -webkit-backdrop-filter: blur(4px); } .heading-share-modal[hidden] { display: none !important; } .hsm-dialog { max-width: 420px; width: 100%; background: var(--bs-body-bg, #fff); color: var(--bs-body-color, #212529); border: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); border-radius: 1rem; box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25); overflow: hidden; animation: hsm-fade-in 0.2s ease-out; } @keyframes hsm-fade-in { from { opacity: 0; transform: scale(0.95); } to { opacity: 1; transform: scale(1); } } [data-bs-theme="dark"] .hsm-dialog { background: #1e293b; border-color: rgba(255,255,255,0.1); color: #f8f9fa; } .hsm-header { display: flex; justify-content: space-between; align-items: center; padding: 1rem 1.5rem; border-bottom: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); background: rgba(0,0,0,0.02); } [data-bs-theme="dark"] .hsm-header { background: rgba(255,255,255,0.02); border-color: rgba(255,255,255,0.1); } .hsm-close { background: transparent; border: none; color: inherit; opacity: 0.5; padding: 0.25rem 0.5rem; border-radius: 0.25rem; font-size: 1.2rem; line-height: 1; transition: opacity 0.2s; } .hsm-close:hover { opacity: 1; } .hsm-body { padding: 1.5rem; } .hsm-url-group { display: flex !important; align-items: stretch; } .hsm-url-group .form-control { flex: 1; min-width: 0; margin: 0; background: var(--bs-secondary-bg, #f8f9fa); border-color: var(--bs-border-color, #dee2e6); border-top-right-radius: 0; border-bottom-right-radius: 0; height: 42px; } .hsm-url-group .btn { flex: 0 0 auto; margin: 0; margin-left: -1px; border-top-left-radius: 0; border-bottom-left-radius: 0; height: 42px; display: flex; align-items: center; justify-content: center; padding: 0 1.25rem; z-index: 2; } [data-bs-theme="dark"] .hsm-url-group .form-control { background: #0f172a; border-color: #334155; color: #e2e8f0; } .hsm-share-grid { display: flex; flex-direction: column; gap: 0.5rem; } .hsm-share-grid .btn { display: flex; align-items: center; justify-content: center; font-size: 0.9rem; padding: 0.6rem; border-color: var(--bs-border-color); width: 100%; } [data-bs-theme="dark"] .hsm-share-grid .btn { color: #e2e8f0; border-color: #475569; } [data-bs-theme="dark"] .hsm-share-grid .btn:hover { background: #334155; border-color: #cbd5e1; } </style> <script> (function(){ const modal = document.getElementById('headingShareModal'); if(!modal) return; const input = modal.querySelector('#headingShareInput'); const copyBtn = modal.querySelector('.hsm-copy'); const twitter = modal.querySelector('#share-twitter'); const linkedin = modal.querySelector('#share-linkedin'); const facebook = modal.querySelector('#share-facebook'); const closeBtn = modal.querySelector('.hsm-close'); let lastFocus=null; let trapBound=false; function buildUrl(id){ return window.location.origin + window.location.pathname + '#' + id; } function isOpen(){ return !modal.hasAttribute('hidden'); } function hydrate(id){ const url=buildUrl(id); input.value=url; const enc=encodeURIComponent(url); const text=encodeURIComponent(document.title); if(twitter) twitter.href=`https://twitter.com/intent/tweet?url=${enc}&text=${text}`; if(linkedin) linkedin.href=`https://www.linkedin.com/sharing/share-offsite/?url=${enc}`; if(facebook) facebook.href=`https://www.facebook.com/sharer/sharer.php?u=${enc}`; } function openModal(id){ lastFocus=document.activeElement; hydrate(id); if(!isOpen()){ modal.removeAttribute('hidden'); } requestAnimationFrame(()=>{ input.focus(); }); trapFocus(); } function closeModal(){ if(!isOpen()) return; modal.setAttribute('hidden',''); if(lastFocus && typeof lastFocus.focus==='function') lastFocus.focus(); } function copyCurrent(){ try{ navigator.clipboard.writeText(input.value).then(()=>feedback(true),()=>fallback()); } catch(e){ fallback(); } } function fallback(){ input.select(); try{ document.execCommand('copy'); feedback(true);}catch(e){ feedback(false);} } function feedback(ok){ if(!copyBtn) return; const icon=copyBtn.querySelector('i'); if(!icon) return; const prev=copyBtn.getAttribute('data-prev')||icon.className; if(!copyBtn.getAttribute('data-prev')) copyBtn.setAttribute('data-prev',prev); icon.className= ok ? 'fa-duotone fa-clipboard-check':'fa-duotone fa-circle-exclamation'; setTimeout(()=>{ icon.className=prev; },1800); } function handleShareClick(e){ e.preventDefault(); const btn=e.currentTarget; const id=btn.getAttribute('data-share-target'); if(id) openModal(id); } function bindShareButtons(){ document.querySelectorAll('.h-share').forEach(btn=>{ if(!btn.dataset.hShareBound){ btn.addEventListener('click', handleShareClick); btn.dataset.hShareBound='1'; } }); } bindShareButtons(); if(document.readyState==='loading'){ document.addEventListener('DOMContentLoaded', bindShareButtons); } else { requestAnimationFrame(bindShareButtons); } document.addEventListener('click', function(e){ const shareBtn=e.target.closest && e.target.closest('.h-share'); if(shareBtn && !shareBtn.dataset.hShareBound){ handleShareClick.call(shareBtn, e); } }, true); document.addEventListener('click', e=>{ if(e.target===modal) closeModal(); if(e.target.closest && e.target.closest('.hsm-close')){ e.preventDefault(); closeModal(); } if(copyBtn && (e.target===copyBtn || (e.target.closest && e.target.closest('.hsm-copy')))) { e.preventDefault(); copyCurrent(); } }); document.addEventListener('keydown', e=>{ if(e.key==='Escape' && isOpen()) closeModal(); }); function trapFocus(){ if(trapBound) return; trapBound=true; modal.addEventListener('keydown', f=>{ if(f.key==='Tab' && isOpen()){ const focusable=[...modal.querySelectorAll('a[href],button,input,textarea,select,[tabindex]:not([tabindex="-1"])')].filter(el=>!el.hasAttribute('disabled')); if(!focusable.length) return; const first=focusable[0]; const last=focusable[focusable.length-1]; if(f.shiftKey && document.activeElement===first){ f.preventDefault(); last.focus(); } else if(!f.shiftKey && document.activeElement===last){ f.preventDefault(); first.focus(); } } }); } if(closeBtn) closeBtn.addEventListener('click', e=>{ e.preventDefault(); closeModal(); }); })(); </script>Geode supports multiple configuration methods: <h4 id="configuration-file-recommended" class="position-relative d-flex align-items-center group"> Configuration File (Recommended) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="configuration-file-recommended" aria-haspopup="dialog" aria-label="Share link: Configuration File (Recommended)"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># /etc/geode/geode.yml server: listen: "0.0.0.0:3141" max_connections: 10000 security: authentication: method: ldap ldap: server: "ldap://ldap.example.com:389" base_dn: "dc=example,dc=com" bind_dn: "cn=geode,ou=services,dc=example,dc=com" bind_password_file: "/etc/geode/secrets/ldap-password.txt" authorization: enabled: true default_role: "viewer" encryption: at_rest: enabled: true algorithm: "aes-256-gcm" key_source: "hsm" in_transit: tls_cert: "/etc/geode/certs/server.crt" tls_key: "/etc/geode/certs/server.key" tls_min_version: "1.3" audit: enabled: true level: "comprehensive" output: "/var/log/geode/audit.log" retention_days: 2555 </code></pre></div>Start with configuration file: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">geode serve --config=/etc/geode/geode.yml </code></pre></div> <h4 id="environment-variables" class="position-relative d-flex align-items-center group"> Environment Variables <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="environment-variables" aria-haspopup="dialog" aria-label="Share link: Environment Variables"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Security settings via environment variables export GEODE_AUTH_METHOD=ldap export GEODE_LDAP_SERVER=ldap://ldap.example.com:389 export GEODE_TLS_CERT=/etc/geode/certs/server.crt export GEODE_TLS_KEY=/etc/geode/certs/server.key export GEODE_AUDIT_ENABLED=true geode serve </code></pre></div> <h4 id="command-line-arguments" class="position-relative d-flex align-items-center group"> Command-Line Arguments <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="command-line-arguments" aria-haspopup="dialog" aria-label="Share link: Command-Line Arguments"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">geode serve \ --auth-method=ldap \ --ldap-server=ldap://ldap.example.com:389 \ --tls-cert=/etc/geode/certs/server.crt \ --tls-key=/etc/geode/certs/server.key \ --audit-enabled=true </code></pre></div> <h3 id="authentication-configuration" class="position-relative d-flex align-items-center group"> Authentication Configuration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authentication-configuration" aria-haspopup="dialog" aria-label="Share link: Authentication Configuration"> Share link </button> </h3> <h4 id="password-authentication" class="position-relative d-flex align-items-center group"> Password Authentication <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="password-authentication" aria-haspopup="dialog" aria-label="Share link: Password Authentication"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: authentication: method: password password: min_length: 14 require_uppercase: true require_lowercase: true require_digits: true require_special_chars: true max_age_days: 90 history_count: 12 lockout_threshold: 5 lockout_duration: 1800 </code></pre></div> <h4 id="ldapactive-directory" class="position-relative d-flex align-items-center group"> LDAP/Active Directory <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="ldapactive-directory" aria-haspopup="dialog" aria-label="Share link: LDAP/Active Directory"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: authentication: method: ldap ldap: server: "ldaps://ad.example.com:636" base_dn: "dc=example,dc=com" bind_dn: "cn=geode,ou=services,dc=example,dc=com" bind_password_file: "/etc/geode/secrets/ldap-password.txt" user_search_filter: "(sAMAccountName={0})" group_search_base: "ou=groups,dc=example,dc=com" group_search_filter: "(member={0})" connection_timeout: 30 read_timeout: 30 pool_size: 10 </code></pre></div> <h4 id="oauth-20--openid-connect" class="position-relative d-flex align-items-center group"> OAuth 2.0 / OpenID Connect <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="oauth-20--openid-connect" aria-haspopup="dialog" aria-label="Share link: OAuth 2.0 / OpenID Connect"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: authentication: method: oauth2 oauth2: provider: "https://auth.example.com" client_id: "geode-server" client_secret_file: "/etc/geode/secrets/oauth-secret.txt" scopes: ["openid", "profile", "email"] jwks_uri: "https://auth.example.com/.well-known/jwks.json" issuer: "https://auth.example.com" audience: "geode-api" token_validation: validate_signature: true validate_expiry: true validate_issuer: true clock_skew_seconds: 60 </code></pre></div> <h4 id="jwt-token-authentication" class="position-relative d-flex align-items-center group"> JWT Token Authentication <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="jwt-token-authentication" aria-haspopup="dialog" aria-label="Share link: JWT Token Authentication"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: authentication: method: jwt jwt: secret_key_file: "/etc/geode/secrets/jwt-secret.key" algorithm: "HS256" issuer: "geode.example.com" audience: "geode-api" expiry_seconds: 3600 refresh_enabled: true refresh_expiry_seconds: 86400 </code></pre></div> <h4 id="multi-factor-authentication" class="position-relative d-flex align-items-center group"> Multi-Factor Authentication <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="multi-factor-authentication" aria-haspopup="dialog" aria-label="Share link: Multi-Factor Authentication"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: authentication: mfa: enabled: true required_for_roles: ["admin", "dba"] providers: ["totp", "webauthn"] grace_period_seconds: 0 remember_device_days: 30 backup_codes: 10 </code></pre></div> <h3 id="authorization-configuration" class="position-relative d-flex align-items-center group"> Authorization Configuration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authorization-configuration" aria-haspopup="dialog" aria-label="Share link: Authorization Configuration"> Share link </button> </h3> <h4 id="role-based-access-control" class="position-relative d-flex align-items-center group"> Role-Based Access Control <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="role-based-access-control" aria-haspopup="dialog" aria-label="Share link: Role-Based Access Control"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: authorization: enabled: true default_role: "viewer" roles: - name: "viewer" permissions: - "read:*" - name: "analyst" permissions: - "read:*" - "write:temporary_data" - name: "developer" permissions: - "read:*" - "write:*" - "create:index" - name: "admin" permissions: - "*:*" role_mapping: ldap_groups: "CN=Geode-Admins,OU=Security,DC=example,DC=com": "admin" "CN=Geode-Developers,OU=Engineering,DC=example,DC=com": "developer" "CN=Geode-Analysts,OU=Business,DC=example,DC=com": "analyst" </code></pre></div> <h4 id="row-level-security-policies" class="position-relative d-flex align-items-center group"> Row-Level Security Policies <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="row-level-security-policies" aria-haspopup="dialog" aria-label="Share link: Row-Level Security Policies"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: authorization: row_level_security: enabled: true default_policy: "deny_all" policies: - name: "tenant_isolation" target: "all_labels" condition: "node.tenant_id = current_tenant_id()" priority: 100 - name: "department_access" target: ["Employee", "Project"] condition: "node.department IN get_user_departments(current_user())" priority: 50 </code></pre></div> <h3 id="encryption-configuration" class="position-relative d-flex align-items-center group"> Encryption Configuration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="encryption-configuration" aria-haspopup="dialog" aria-label="Share link: Encryption Configuration"> Share link </button> </h3> <h4 id="encryption-at-rest" class="position-relative d-flex align-items-center group"> Encryption at Rest <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="encryption-at-rest" aria-haspopup="dialog" aria-label="Share link: Encryption at Rest"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: encryption: at_rest: enabled: true algorithm: "aes-256-gcm" key_source: "hsm" hsm: provider: "pkcs11" library: "/usr/lib/softhsm/libsofthsm2.so" slot: 0 pin_file: "/etc/geode/secrets/hsm-pin.txt" key_rotation: enabled: true master_key_days: 90 data_key_days: 365 rotation_window: "02:00-06:00" fips_mode: true </code></pre></div> <h4 id="cloud-kms-integration" class="position-relative d-flex align-items-center group"> Cloud KMS Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="cloud-kms-integration" aria-haspopup="dialog" aria-label="Share link: Cloud KMS Integration"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: encryption: at_rest: enabled: true # AWS KMS key_source: "aws-kms" aws_kms: key_id: "arn:aws:kms:us-east-1:123456789012:key/abc123" region: "us-east-1" endpoint: "https://kms.us-east-1.amazonaws.com" # Google Cloud KMS # key_source: "gcp-kms" # gcp_kms: # key_name: "projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY" # credentials_file: "/etc/geode/secrets/gcp-credentials.json" # Azure Key Vault # key_source: "azure-keyvault" # azure_keyvault: # vault_name: "mygeodekeys" # key_name: "master-key" # tenant_id: "tenant-id" # client_id: "client-id" # client_secret_file: "/etc/geode/secrets/azure-secret.txt" </code></pre></div> <h4 id="encryption-in-transit" class="position-relative d-flex align-items-center group"> Encryption in Transit <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="encryption-in-transit" aria-haspopup="dialog" aria-label="Share link: Encryption in Transit"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: encryption: in_transit: tls_cert: "/etc/geode/certs/server.crt" tls_key: "/etc/geode/certs/server.key" tls_ca: "/etc/geode/certs/ca-bundle.crt" tls_min_version: "1.3" tls_max_version: "1.3" cipher_suites: - "TLS_AES_256_GCM_SHA384" - "TLS_CHACHA20_POLY1305_SHA256" client_certificates: required: true verify: "strict" ca: "/etc/geode/certs/client-ca.crt" allowlist: "/etc/geode/allowed-clients.txt" certificate_rotation: auto_reload: true check_interval: 3600 graceful_overlap: 86400 </code></pre></div> <h3 id="audit-logging-configuration" class="position-relative d-flex align-items-center group"> Audit Logging Configuration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-logging-configuration" aria-haspopup="dialog" aria-label="Share link: Audit Logging Configuration"> Share link </button> </h3> <h4 id="comprehensive-audit-logging" class="position-relative d-flex align-items-center group"> Comprehensive Audit Logging <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="comprehensive-audit-logging" aria-haspopup="dialog" aria-label="Share link: Comprehensive Audit Logging"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: audit: enabled: true level: "comprehensive" # minimal, security, compliance, comprehensive output: file: path: "/var/log/geode/audit.log" format: "json" rotation: max_size: "100MB" max_files: 100 compress: true permissions: "0400" syslog: enabled: true server: "syslog.example.com:514" protocol: "tcp" facility: "local0" elasticsearch: enabled: false url: "https://elasticsearch.example.com:9200" index_prefix: "geode-audit" username: "geode" password_file: "/etc/geode/secrets/es-password.txt" events: authentication: true authorization: true data_access: true data_modification: true schema_changes: true configuration_changes: true administrative_actions: true retention: days: 2555 # 7 years archive_path: "/var/archive/geode/audit" compress_after_days: 90 encryption: enabled: true key_file: "/etc/geode/secrets/audit-key.pem" signing: true </code></pre></div> <h3 id="network-security-configuration" class="position-relative d-flex align-items-center group"> Network Security Configuration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="network-security-configuration" aria-haspopup="dialog" aria-label="Share link: Network Security Configuration"> Share link </button> </h3> <h4 id="firewall-and-access-control" class="position-relative d-flex align-items-center group"> Firewall and Access Control <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="firewall-and-access-control" aria-haspopup="dialog" aria-label="Share link: Firewall and Access Control"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: network: listen: address: "0.0.0.0" port: 3141 interface: "eth0" ip_allowlist: enabled: true file: "/etc/geode/allowed-ips.txt" # Format: CIDR notation, one per line ip_blocklist: enabled: true file: "/etc/geode/blocked-ips.txt" rate_limiting: enabled: true connections_per_ip: 100 connections_per_minute: 100 queries_per_minute: 1000 bandwidth_mbps: 100 auto_blocking: enabled: true failed_auth_threshold: 5 failed_auth_window: 300 block_duration: 3600 </code></pre></div> <h4 id="ddos-protection" class="position-relative d-flex align-items-center group"> DDoS Protection <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="ddos-protection" aria-haspopup="dialog" aria-label="Share link: DDoS Protection"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: network: ddos_protection: enabled: true syn_cookie: true connection_rate_limit: 1000 max_connections_per_ip: 100 challenge_on_spike: true </code></pre></div> <h3 id="session-security-configuration" class="position-relative d-flex align-items-center group"> Session Security Configuration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="session-security-configuration" aria-haspopup="dialog" aria-label="Share link: Session Security Configuration"> Share link </button> </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: sessions: timeout: 1800 # 30 minutes max_idle: 900 # 15 minutes max_lifetime: 86400 # 24 hours cookie: secure: true http_only: true same_site: "strict" domain: ".example.com" persistence: enabled: true store: "redis" redis: url: "redis://redis.example.com:6379/0" password_file: "/etc/geode/secrets/redis-password.txt" tls: true concurrent_sessions: max_per_user: 5 policy: "terminate_oldest" # terminate_oldest, deny_new, allow_all </code></pre></div> <h3 id="security-hardening" class="position-relative d-flex align-items-center group"> Security Hardening <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="security-hardening" aria-haspopup="dialog" aria-label="Share link: Security Hardening"> Share link </button> </h3> <h4 id="production-security-baseline" class="position-relative d-flex align-items-center group"> Production Security Baseline <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="production-security-baseline" aria-haspopup="dialog" aria-label="Share link: Production Security Baseline"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: hardening: # Disable unnecessary features disable_shell: false # Set to true in production disable_metrics_endpoint: false disable_debug_endpoints: true # Strict security policies strict_mode: true paranoid_mode: false # Maximum security, may impact performance # Resource limits max_query_complexity: 1000 max_query_execution_time: 300 max_result_size: 100000 # Input validation sanitize_input: true reject_suspicious_queries: true # Security headers http_security_headers: x_frame_options: "DENY" x_content_type_options: "nosniff" x_xss_protection: "1; mode=block" strict_transport_security: "max-age=31536000; includeSubDomains" </code></pre></div> <h3 id="secrets-management" class="position-relative d-flex align-items-center group"> Secrets Management <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="secrets-management" aria-haspopup="dialog" aria-label="Share link: Secrets Management"> Share link </button> </h3> <h4 id="external-secrets" class="position-relative d-flex align-items-center group"> External Secrets <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="external-secrets" aria-haspopup="dialog" aria-label="Share link: External Secrets"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: secrets: provider: "vault" # vault, aws-secrets-manager, azure-keyvault vault: address: "https://vault.example.com:8200" token_file: "/etc/geode/secrets/vault-token.txt" namespace: "geode" mount_path: "secret" secrets: database_password: "secret/geode/db-password" jwt_secret: "secret/geode/jwt-secret" encryption_key: "secret/geode/encryption-key" rotation: enabled: true check_interval: 3600 </code></pre></div> <h3 id="compliance-configuration" class="position-relative d-flex align-items-center group"> Compliance Configuration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="compliance-configuration" aria-haspopup="dialog" aria-label="Share link: Compliance Configuration"> Share link </button> </h3> <h4 id="gdpr-compliance" class="position-relative d-flex align-items-center group"> GDPR Compliance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="gdpr-compliance" aria-haspopup="dialog" aria-label="Share link: GDPR Compliance"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: compliance: gdpr: enabled: true data_retention: default_days: 2555 # 7 years personal_data_days: 1095 # 3 years anonymization_enabled: true right_to_access: enabled: true export_format: "json" right_to_erasure: enabled: true secure_deletion: true audit_deletion: true </code></pre></div> <h4 id="hipaa-compliance" class="position-relative d-flex align-items-center group"> HIPAA Compliance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="hipaa-compliance" aria-haspopup="dialog" aria-label="Share link: HIPAA Compliance"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: compliance: hipaa: enabled: true audit_level: "comprehensive" encryption_required: true minimum_necessary: true access_controls: unique_user_ids: true emergency_access: true automatic_logoff: true logoff_timeout: 900 </code></pre></div> <h3 id="monitoring-and-alerting" class="position-relative d-flex align-items-center group"> Monitoring and Alerting <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="monitoring-and-alerting" aria-haspopup="dialog" aria-label="Share link: Monitoring and Alerting"> Share link </button> </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: monitoring: enabled: true metrics: prometheus: enabled: true port: 9090 path: "/metrics" auth_required: true alerts: channels: - type: "email" recipients: ["[email protected]"] - type: "pagerduty" api_key_file: "/etc/geode/secrets/pagerduty-key.txt" - type: "slack" webhook_url_file: "/etc/geode/secrets/slack-webhook.txt" rules: - name: "multiple_failed_logins" condition: "failed_auth_count > 10" window: "5m" severity: "high" - name: "unauthorized_access" condition: "authorization_failures > 5" window: "5m" severity: "critical" </code></pre></div> <h3 id="configuration-validation" class="position-relative d-flex align-items-center group"> Configuration Validation <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="configuration-validation" aria-haspopup="dialog" aria-label="Share link: Configuration Validation"> Share link </button> </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Validate configuration file geode config validate --config=/etc/geode/geode.yml # Output: # ✓ Configuration syntax valid # ✓ All required fields present # ✓ TLS certificates valid and not expired # ✓ LDAP connection successful # ⚠ Warning: audit log directory not writable # ✗ Error: HSM connection failed # Test security configuration geode config test-security --config=/etc/geode/geode.yml # Generate secure configuration template geode config generate --template=production-secure \ --output=/etc/geode/geode-secure.yml </code></pre></div> <h3 id="best-practices" class="position-relative d-flex align-items-center group"> Best Practices <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="best-practices" aria-haspopup="dialog" aria-label="Share link: Best Practices"> Share link </button> </h3><ol> <li>Use Configuration Files: Prefer YAML configuration over command-line arguments</li> <li>Store Secrets Securely: Never commit secrets to version control</li> <li>Enable Audit Logging: Always enable comprehensive audit logging in production</li> <li>Require TLS 1.3: Enforce latest TLS version for all connections</li> <li>Implement MFA: Require multi-factor authentication for administrative access</li> <li>Regular Key Rotation: Automate encryption key rotation</li> <li>Principle of Least Privilege: Grant minimum necessary permissions</li> <li>Monitor Security Events: Set up real-time alerting for security events</li> <li>Regular Security Audits: Periodically review and update security configuration</li> <li>Document Changes: Maintain change log for security configuration modifications</li> </ol> <h3 id="related-topics" class="position-relative d-flex align-items-center group"> Related Topics <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="related-topics" aria-haspopup="dialog" aria-label="Share link: Related Topics"> Share link </button> </h3><ul> <li><a href="/docs/security/authentication/" >Authentication</a> - User authentication systems</li> <li><a href="/docs/security/authorization/" >Authorization</a> - Access control and permissions</li> <li><a href="/tags/encryption/" >Encryption</a> - Data encryption configuration</li> <li><a href="/tags/audit-logging/" >Audit Logging</a> - Comprehensive audit trails</li> <li><a href="/tags/compliance/" >Compliance</a> - Regulatory compliance requirements</li> <li><a href="/tags/row-level-security/" >Row-Level Security</a> - Fine-grained access control</li> <li><a href="/tags/connections/" >Connections</a> - Connection security and management</li> <li><a href="/docs/deployment/" >Deployment</a> - Production deployment guides</li> </ul>

Popular

Related Articles

Server Configuration Reference

Session Management Guide