9fd4fb1eb4
Phase 5 включает: 1. SECURITY-REVIEW.md - полный аудит системы безопасности - Анализ всех компонентов (SupplyDataFilter, ParticipantIsolation, ThreatDetection) - Security checklist и метрики - Выявление bottlenecks и рекомендации по оптимизации - ROI анализ и business benefits 2. OPTIMIZATION-PLAN.md - план производительности - Redis caching для partnership validation - Database query optimization с индексами - Object pooling и streaming для больших данных - Worker threads для CPU-intensive операций - Target improvements: latency -55%, throughput +150% 3. DEPLOYMENT-GUIDE.md - руководство по развертыванию - Gradual rollout стратегия с feature flags - Comprehensive monitoring и alerting setup - Security hardening и rate limiting - Automated rollback procedures - Health checks и troubleshooting Система готова к production deployment с полным покрытием безопасности, тестирования и мониторинга. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
13 KiB
13 KiB
🚀 SFERA Security System - Deployment Guide
📋 Pre-Deployment Checklist
Environment Requirements
- Node.js >= 18.0.0
- PostgreSQL >= 14.0
- Redis >= 6.2 (for caching)
- RAM >= 4GB
- CPU >= 2 cores
Infrastructure Setup
# 1. Database Setup
psql -U postgres -c "CREATE DATABASE sfera_security;"
# 2. Redis Setup
docker run -d --name sfera-redis \
-p 6379:6379 \
-v redis-data:/data \
redis:6.2-alpine redis-server --appendonly yes
# 3. Environment Variables
cp .env.example .env.production
🔧 Configuration
Environment Variables
# Security System Configuration
ENABLE_SUPPLY_SECURITY=true
ENABLE_SECURITY_AUDIT=true
SECURITY_STRICT_MODE=false
ENABLE_SECURITY_CACHE=true
# Feature Flags
FEATURE_SUPPLY_DATA_FILTERING=true
FEATURE_COMMERCIAL_AUDIT=true
FEATURE_THREAT_DETECTION=true
FEATURE_REAL_TIME_ALERTS=true
FEATURE_EXTERNAL_MONITORING=true
# Database
DATABASE_URL="postgresql://user:password@localhost:5432/sfera_security"
DATABASE_POOL_MIN=2
DATABASE_POOL_MAX=10
# Redis Cache
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_PASSWORD=your_redis_password
REDIS_TLS=false
# Security Settings
JWT_SECRET=your_jwt_secret_here
ENCRYPTION_KEY=your_32_byte_encryption_key
SESSION_TIMEOUT=3600
# Monitoring
SIEM_INTEGRATION_ENABLED=true
SIEM_TYPE=ELASTIC_SIEM
SIEM_ENDPOINT=https://your-siem.example.com
SIEM_API_KEY=your_siem_api_key
# Alerts
SLACK_INTEGRATION_ENABLED=true
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/xxx
EMAIL_ALERTS_ENABLED=true
EMAIL_SMTP_HOST=smtp.example.com
EMAIL_SMTP_PORT=587
# Performance
MAX_CONCURRENT_FILTERS=100
CACHE_TTL_SECONDS=300
BATCH_SIZE_AUDIT_LOGS=100
WORKER_THREADS_ENABLED=true
WORKER_THREADS_COUNT=4
Database Migrations
# Run all migrations
npm run migrate:deploy
# Verify migrations
npm run migrate:status
# Seed initial data (if needed)
npm run seed:security
Security Indexes
-- Run these manually for better performance
CREATE INDEX CONCURRENTLY idx_commercial_audits_lookup
ON commercial_data_audits(user_id, created_at DESC);
CREATE INDEX CONCURRENTLY idx_partnerships_active_lookup
ON partnerships(organization_id, partner_id)
WHERE active = true;
CREATE INDEX CONCURRENTLY idx_supply_orders_security
ON supply_orders(organization_id, status, created_at DESC);
-- Analyze tables for query optimization
ANALYZE commercial_data_audits;
ANALYZE partnerships;
ANALYZE supply_orders;
🚦 Deployment Steps
1. Gradual Rollout with Feature Flags
// config/deployment-stages.ts
export const DEPLOYMENT_STAGES = {
STAGE_1: {
name: 'Basic Security',
duration: '24 hours',
features: {
FEATURE_SUPPLY_DATA_FILTERING: true,
FEATURE_COMMERCIAL_AUDIT: false,
FEATURE_THREAT_DETECTION: false,
FEATURE_REAL_TIME_ALERTS: false,
},
targetUsers: 0.1, // 10% of users
},
STAGE_2: {
name: 'Audit & Monitoring',
duration: '48 hours',
features: {
FEATURE_SUPPLY_DATA_FILTERING: true,
FEATURE_COMMERCIAL_AUDIT: true,
FEATURE_THREAT_DETECTION: false,
FEATURE_REAL_TIME_ALERTS: true,
},
targetUsers: 0.25, // 25% of users
},
STAGE_3: {
name: 'Full Security',
duration: '72 hours',
features: {
FEATURE_SUPPLY_DATA_FILTERING: true,
FEATURE_COMMERCIAL_AUDIT: true,
FEATURE_THREAT_DETECTION: true,
FEATURE_REAL_TIME_ALERTS: true,
},
targetUsers: 0.5, // 50% of users
},
STAGE_4: {
name: 'Complete Rollout',
duration: 'Permanent',
features: {
FEATURE_SUPPLY_DATA_FILTERING: true,
FEATURE_COMMERCIAL_AUDIT: true,
FEATURE_THREAT_DETECTION: true,
FEATURE_REAL_TIME_ALERTS: true,
FEATURE_EXTERNAL_MONITORING: true,
},
targetUsers: 1.0, // 100% of users
},
}
2. Deployment Script
#!/bin/bash
# deploy-security.sh
set -e
echo "🚀 Starting SFERA Security Deployment..."
# Stage 1: Pre-deployment checks
echo "📋 Running pre-deployment checks..."
npm run test:security
npm run lint
# Stage 2: Database backup
echo "💾 Backing up database..."
pg_dump $DATABASE_URL > backup_$(date +%Y%m%d_%H%M%S).sql
# Stage 3: Deploy database changes
echo "🗄️ Applying database migrations..."
npm run migrate:deploy
# Stage 4: Build application
echo "🔨 Building application..."
npm run build
# Stage 5: Deploy with zero downtime
echo "🚀 Deploying application..."
pm2 reload ecosystem.config.js --update-env
# Stage 6: Health check
echo "🏥 Running health checks..."
npm run health:check
# Stage 7: Enable monitoring
echo "📊 Enabling monitoring..."
npm run monitoring:enable
echo "✅ Deployment completed successfully!"
3. PM2 Ecosystem Configuration
// ecosystem.config.js
module.exports = {
apps: [
{
name: 'sfera-security',
script: './dist/index.js',
instances: 'max',
exec_mode: 'cluster',
max_memory_restart: '1G',
env: {
NODE_ENV: 'production',
PORT: 3000,
},
error_file: './logs/err.log',
out_file: './logs/out.log',
log_file: './logs/combined.log',
time: true,
// Graceful shutdown
kill_timeout: 5000,
listen_timeout: 3000,
// Auto-restart
autorestart: true,
watch: false,
max_restarts: 10,
min_uptime: '10s',
},
],
}
📊 Monitoring Setup
1. Health Check Endpoints
// src/graphql/security/health/health-check.ts
export const securityHealthChecks = {
'/health/security': async (req, res) => {
const checks = {
database: await checkDatabase(),
redis: await checkRedis(),
security_filters: await checkSecurityFilters(),
threat_detection: await checkThreatDetection(),
audit_system: await checkAuditSystem(),
}
const allHealthy = Object.values(checks).every((check) => check.status === 'healthy')
res.status(allHealthy ? 200 : 503).json({
status: allHealthy ? 'healthy' : 'unhealthy',
timestamp: new Date().toISOString(),
checks,
})
},
'/health/security/detailed': async (req, res) => {
// Detailed health metrics
const metrics = {
filter_latency_ms: await getFilterLatency(),
cache_hit_rate: await getCacheHitRate(),
active_threats: await getActiveThreatCount(),
audit_backlog: await getAuditBacklog(),
memory_usage_mb: process.memoryUsage().heapUsed / 1024 / 1024,
}
res.json(metrics)
},
}
2. Monitoring Alerts
# prometheus-alerts.yml
groups:
- name: security_alerts
interval: 30s
rules:
- alert: HighFilterLatency
expr: histogram_quantile(0.95, security_filter_latency_ms) > 100
for: 5m
labels:
severity: warning
annotations:
summary: 'High security filter latency'
description: '95th percentile latency is {{ $value }}ms'
- alert: LowCacheHitRate
expr: security_cache_hit_rate < 0.7
for: 10m
labels:
severity: warning
annotations:
summary: 'Low cache hit rate'
description: 'Cache hit rate is {{ $value }}'
- alert: ThreatDetectionSpike
expr: rate(security_threats_detected[5m]) > 10
for: 2m
labels:
severity: critical
annotations:
summary: 'Spike in threat detections'
description: '{{ $value }} threats/second detected'
3. Logging Configuration
// src/config/logging.ts
import winston from 'winston'
import { ElasticsearchTransport } from 'winston-elasticsearch'
export const securityLogger = winston.createLogger({
level: 'info',
format: winston.format.combine(
winston.format.timestamp(),
winston.format.errors({ stack: true }),
winston.format.json(),
),
defaultMeta: { service: 'sfera-security' },
transports: [
// Console logging
new winston.transports.Console({
format: winston.format.simple(),
}),
// File logging
new winston.transports.File({
filename: 'logs/security-error.log',
level: 'error',
maxsize: 10485760, // 10MB
maxFiles: 5,
}),
new winston.transports.File({
filename: 'logs/security-combined.log',
maxsize: 10485760, // 10MB
maxFiles: 10,
}),
// Elasticsearch for centralized logging
new ElasticsearchTransport({
level: 'info',
clientOpts: {
node: process.env.ELASTICSEARCH_URL,
},
index: 'sfera-security-logs',
}),
],
})
🛡️ Security Hardening
1. Rate Limiting
// src/middleware/rate-limit.ts
import rateLimit from 'express-rate-limit'
import RedisStore from 'rate-limit-redis'
export const securityRateLimiter = rateLimit({
store: new RedisStore({
client: redis,
prefix: 'rl:security:',
}),
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // Limit each IP to 100 requests per windowMs
message: 'Too many requests from this IP',
standardHeaders: true,
legacyHeaders: false,
// Custom key generator
keyGenerator: (req) => {
return `${req.ip}:${req.user?.id || 'anonymous'}`
},
// Skip successful requests
skip: (req, res) => {
return res.statusCode < 400
},
})
2. Security Headers
// src/middleware/security-headers.ts
import helmet from 'helmet'
export const securityHeaders = helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
scriptSrc: ["'self'"],
imgSrc: ["'self'", 'data:', 'https:'],
connectSrc: ["'self'"],
fontSrc: ["'self'"],
objectSrc: ["'none'"],
mediaSrc: ["'self'"],
frameSrc: ["'none'"],
},
},
hsts: {
maxAge: 31536000,
includeSubDomains: true,
preload: true,
},
})
🔄 Rollback Plan
Automated Rollback
#!/bin/bash
# rollback-security.sh
set -e
echo "🔄 Starting rollback procedure..."
# Step 1: Disable feature flags
echo "🚫 Disabling security features..."
redis-cli SET "feature:FEATURE_SUPPLY_DATA_FILTERING" "false"
redis-cli SET "feature:FEATURE_THREAT_DETECTION" "false"
# Step 2: Restore previous version
echo "⏮️ Restoring previous version..."
pm2 reload ecosystem.config.js --env previous
# Step 3: Restore database if needed
if [ "$1" == "--restore-db" ]; then
echo "💾 Restoring database..."
psql $DATABASE_URL < $2
fi
# Step 4: Clear cache
echo "🧹 Clearing cache..."
redis-cli FLUSHDB
# Step 5: Health check
echo "🏥 Running health check..."
npm run health:check
echo "✅ Rollback completed!"
Manual Rollback Steps
-
Disable Features
UPDATE feature_flags SET enabled = false WHERE feature_name LIKE 'SECURITY_%'; -
Clear Cache
redis-cli FLUSHALL -
Restore Application
pm2 stop all git checkout previous-release-tag npm install npm run build pm2 start ecosystem.config.js
📈 Post-Deployment Monitoring
Key Metrics to Monitor
| Metric | Alert Threshold | Check Frequency |
|---|---|---|
| Error Rate | > 1% | Every 1 min |
| Response Time (p95) | > 200ms | Every 1 min |
| CPU Usage | > 80% | Every 30 sec |
| Memory Usage | > 3GB | Every 30 sec |
| Cache Hit Rate | < 70% | Every 5 min |
| Active Threats | > 50 | Every 1 min |
Monitoring Dashboard
// monitoring-queries.js
const monitoringQueries = {
// Performance metrics
filterLatency: `
histogram_quantile(0.95,
rate(security_filter_latency_ms_bucket[5m])
)
`,
// Security metrics
threatDetectionRate: `
rate(security_threats_detected_total[5m])
`,
// System health
errorRate: `
rate(http_requests_total{status=~"5.."}[5m])
/ rate(http_requests_total[5m])
`,
// Resource usage
memoryUsage: `
process_resident_memory_bytes / 1024 / 1024
`,
}
✅ Post-Deployment Checklist
Immediate (First Hour)
- All health checks passing
- No error spike in logs
- Performance metrics within limits
- Security filters working correctly
- Audit logs being recorded
Short Term (First 24 Hours)
- Monitor user feedback
- Check cache effectiveness
- Validate threat detection
- Review security alerts
- Performance optimization
Long Term (First Week)
- Analyze security patterns
- Optimize cache strategy
- Fine-tune threat models
- Review resource usage
- Plan next improvements
🆘 Troubleshooting
Common Issues
-
High Memory Usage
# Check memory usage pm2 monit # Force garbage collection pm2 trigger sfera-security gc # Restart if needed pm2 restart sfera-security -
Cache Connection Issues
# Test Redis connection redis-cli ping # Check Redis memory redis-cli info memory # Clear cache if corrupted redis-cli FLUSHDB -
Database Performance
-- Check slow queries SELECT * FROM pg_stat_statements WHERE mean_exec_time > 100 ORDER BY mean_exec_time DESC; -- Update statistics ANALYZE;
📞 Support Contacts
- Security Team: security@sfera.com
- DevOps: devops@sfera.com
- On-Call: +1-XXX-XXX-XXXX
- Slack: #security-incidents
Document Version: 1.0
Last Updated: January 2024
Next Review: Monthly