Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(security): harden production Docker — bind DB/Redis to localhost, add Redis auth

Browse Source 
- Postgres and Redis ports now bind to 127.0.0.1 only, preventing exposure
  to the network even if the host firewall has a gap
- Redis requires a password (REDIS_PASSWORD) via --requirepass; REDIS_URL in
  app and migrator services updated to include the credential
- Redis healthcheck updated to pass -a flag so it still works with auth enabled
- REDIS_PASSWORD added to .env.example with generation hint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Hartmut Nörenberg
2026-04-09 21:41:15 +02:00
parent afabaa0b7a
commit 20fb39fd05
2 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.env.example
+6
View File
@@ -29,6 +29,12 @@ DATABASE_URL=postgresql://capakraken:capakraken_dev@localhost:5433/capakraken
# ─── Redis ───────────────────────────────────────────────────────────────────
# REQUIRED in production — password for the Redis server.
# The Docker Compose prod stack passes this both to the redis-server process
# (--requirepass) and to the application via REDIS_URL.
# Generate one with: openssl rand -hex 32
REDIS_PASSWORD=
# REQUIRED for SSE (real-time updates) and rate limiting.
# When using Docker Compose this is handled automatically inside the container
# (redis://redis:6379). Only needed when running `pnpm dev` directly on the host.