fix(security): close exposed PostgreSQL and Redis ports (BSI/CERT-Bund report)
Docker inserts its own iptables rules ahead of UFW's, so a bare port mapping like "5432:5432" published the database on every host interface, exposing it to the public internet. Removed the port mappings for PostgreSQL and Redis (they only need Docker-internal networking), and bound the API port to 127.0.0.1 since only Caddy needs to reach it. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -9,8 +9,6 @@ services:
|
||||
POSTGRES_PASSWORD: secure_password
|
||||
volumes:
|
||||
- postgres_data:/var/lib/postgresql/data
|
||||
ports:
|
||||
- "5432:5432"
|
||||
mem_limit: 256m
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U orion_user -d orion_db"]
|
||||
@@ -24,8 +22,6 @@ services:
|
||||
image: redis:7-alpine
|
||||
restart: always
|
||||
command: redis-server --maxmemory 100mb --maxmemory-policy allkeys-lru
|
||||
ports:
|
||||
- "6380:6379" # Use 6380 to avoid conflict with host Redis
|
||||
mem_limit: 128m
|
||||
healthcheck:
|
||||
test: ["CMD", "redis-cli", "ping"]
|
||||
@@ -41,7 +37,7 @@ services:
|
||||
profiles:
|
||||
- full # Only start with: docker compose --profile full up -d
|
||||
ports:
|
||||
- "8001:8000" # Use 8001 to avoid conflict with local dev server
|
||||
- "127.0.0.1:8001:8000" # Localhost only — Caddy reverse proxies to this
|
||||
env_file: .env
|
||||
environment:
|
||||
DATABASE_URL: postgresql://orion_user:secure_password@db:5432/orion_db
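Review bot: The new side still carries the placeholder credential `POSTGRES_PASSWORD: secure_password` and repeats it in `DATABASE_URL: postgresql://orion_user:secure_password@db:5432/orion_db`; removing the port mapping closes the exposure path but does not undo the window in which the database was reachable from the internet with that password, so it should be rotated and, as the API already does via `env_file: .env`, read from the environment (`POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}`) instead of being committed. The Redis command line `redis-server --maxmemory 100mb --maxmemory-policy allkeys-lru` has no `--requirepass`, so while 6380 was published the instance was presumably reachable without authentication and any data it held should be treated as exposed; adding `--requirepass "${REDIS_PASSWORD}"` (with a matching URL on the API side) would limit the blast radius if a mapping is ever reintroduced. The `127.0.0.1:8001:8000` binding is the right shape; a `# no ports: — reachable only on the compose network, do not publish` comment on the db and redis services would stop the next contributor from re-adding a mapping for convenience. The service definitions continue outside the hunks shown.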
|
||||