Improve security documentation based on Context7 review

aws-ses-setup.md: - Add SPF records for email authentication - Add DMARC policy configuration - Add bounce/complaint handling with SNS - Add DNS verification commands n8n-setup-guide.md: - Use official Docker registry (docker.n8n.io) - Add N8N_ENCRYPTION_KEY requirement - Add N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS - Add N8N_PUBLIC_API_DISABLED option - Add security headers to nginx config - Add healthcheck configuration gitea-setup.md: - Add password policy (MIN_PASSWORD_LENGTH, PASSWORD_COMPLEXITY) - Add argon2 password hashing - Add DISABLE_GIT_HOOKS for security - Add Docker Secrets configuration - Add file-based secret management (SECRET_KEY_URI) - Add REVERSE_PROXY_TRUSTED_PROXIES setting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-16 00:45:40 +09:00
parent 49fe96775a
commit bafc79c81b
3 changed files with 245 additions and 11 deletions
--- a/n8n-setup-guide.md
+++ b/n8n-setup-guide.md
@@ -20,14 +20,16 @@ graph TD

 ### 1. n8n 설치 및 실행
 ```bash
-# Docker Compose로 실행 (권장)
-docker run -it --rm --name n8n -p 5678:5678 n8nio/n8n
+# Docker Compose로 실행 (권장) - 공식 이미지 사용
+docker run -it --rm --name n8n -p 5678:5678 docker.n8n.io/n8nio/n8n

 # 또는 npm으로 설치
 npm install n8n -g
 n8n start
 ```

+> **주의**: `n8nio/n8n` 대신 공식 레지스트리 `docker.n8n.io/n8nio/n8n` 사용 권장
+
 ### 2. Credentials 설정
 n8n에서 다음 Credentials를 생성해야 합니다:

@@ -223,39 +225,93 @@ curl -X POST "http://localhost:5678/webhook/cf-tunnel" \

 ## 🚀 프로덕션 배포

-### 1. Docker Compose 설정
+### 1. Docker Compose 설정 (보안 강화)
 ```yaml
 version: '3.8'
 services:
  n8n:
-    image: n8nio/n8n
+    image: docker.n8n.io/n8nio/n8n
    ports:
-      - "5678:5678"
+      - "127.0.0.1:5678:5678"
    environment:
+      # 기본 설정
      - N8N_HOST=0.0.0.0
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
+      - NODE_ENV=production
+      # 보안 설정 (필수)
+      - N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}  # openssl rand -hex 32 로 생성
+      - N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS=true
+      # 인증 설정
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=admin
-      - N8N_BASIC_AUTH_PASSWORD=secure-password
+      - N8N_BASIC_AUTH_PASSWORD=${N8N_ADMIN_PASSWORD}
+      # 보안 강화 옵션
+      - N8N_PUBLIC_API_DISABLED=true  # Public API 비활성화
+      - N8N_RUNNERS_ENABLED=true      # Task Runner 활성화
+      - N8N_PROXY_HOPS=1              # 리버스 프록시 사용 시
+      # Webhook 설정
+      - WEBHOOK_URL=https://n8n.yourdomain.com/
+      # 타임존
+      - GENERIC_TIMEZONE=Asia/Seoul
+      - TZ=Asia/Seoul
    volumes:
      - n8n_data:/home/node/.n8n
+      - ./local-files:/files
    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "wget", "-q", "--spider", "http://localhost:5678/healthz"]
+      interval: 30s
+      timeout: 10s
+      retries: 3

 volumes:
  n8n_data:
 ```

-### 2. 리버스 프록시 설정
+### 환경변수 파일 (.env)
+```bash
+# 암호화 키 생성 (최초 1회)
+openssl rand -hex 32
+
+# .env 파일 예시
+N8N_ENCRYPTION_KEY=your_generated_key_here
+N8N_ADMIN_PASSWORD=secure_password_here
+```
+
+> **중요**: `N8N_ENCRYPTION_KEY`는 DB에 저장되는 credential을 암호화합니다. 분실 시 모든 credential 재설정 필요.
+
+### 2. 리버스 프록시 설정 (보안 헤더 포함)
 ```nginx
 server {
    listen 80;
    server_name n8n.yourdomain.com;
-    
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name n8n.yourdomain.com;
+
+    ssl_certificate /etc/letsencrypt/live/n8n.yourdomain.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/n8n.yourdomain.com/privkey.pem;
+
+    # 보안 헤더
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
    location / {
-        proxy_pass http://localhost:5678;
+        proxy_pass http://127.0.0.1:5678;
+        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Connection "";
+        proxy_buffering off;
+        proxy_read_timeout 300s;
    }
 }
 ```