fix(security): harden production Docker — bind DB/Redis to localhost, add Redis auth

- Postgres and Redis ports now bind to 127.0.0.1 only, preventing exposure
  to the network even if the host firewall has a gap
- Redis requires a password (REDIS_PASSWORD) via --requirepass; REDIS_URL in
  app and migrator services updated to include the credential
- Redis healthcheck updated to pass -a flag so it still works with auth enabled
- REDIS_PASSWORD added to .env.example with generation hint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 21:41:15 +02:00
parent afabaa0b7a
commit 20fb39fd05
2 changed files with 12 additions and 6 deletions
+6 -6
@@ -5,7 +5,7 @@ services:
image: postgres:16-alpine
restart: unless-stopped
ports:
- "${POSTGRES_PORT:-5432}:5432"
- "127.0.0.1:${POSTGRES_PORT:-5432}:5432"
environment:
POSTGRES_DB: capakraken
POSTGRES_USER: capakraken
@@ -31,12 +31,12 @@ services:
image: redis:7-alpine
restart: unless-stopped
ports:
- "${REDIS_PORT:-6379}:6379"
command: redis-server --maxmemory 256mb --maxmemory-policy allkeys-lru
- "127.0.0.1:${REDIS_PORT:-6379}:6379"
command: redis-server --maxmemory 256mb --maxmemory-policy allkeys-lru --requirepass ${REDIS_PASSWORD}
volumes:
- capakraken_prod_redis:/data
healthcheck:
test: ["CMD", "redis-cli", "ping"]
test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD}", "--no-auth-warning", "ping"]
interval: 10s
timeout: 5s
retries: 5
@@ -50,7 +50,7 @@ services:
- .env.production
environment:
DATABASE_URL: postgresql://capakraken:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}@postgres:5432/capakraken
REDIS_URL: redis://redis:6379
REDIS_URL: redis://:${REDIS_PASSWORD}@redis:6379
RATE_LIMIT_BACKEND: ${RATE_LIMIT_BACKEND:-redis}
depends_on:
postgres:
@@ -68,7 +68,7 @@ services:
- .env.production
environment:
DATABASE_URL: postgresql://capakraken:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}@postgres:5432/capakraken
REDIS_URL: redis://redis:6379
REDIS_URL: redis://:${REDIS_PASSWORD}@redis:6379
RATE_LIMIT_BACKEND: ${RATE_LIMIT_BACKEND:-redis}
depends_on:
postgres:
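Review bot: The new `--requirepass ${REDIS_PASSWORD}`, the healthcheck `-a "${REDIS_PASSWORD}"` and both `REDIS_URL: redis://:${REDIS_PASSWORD}@redis:6379` values use the bare substitution form, so an unset or empty REDIS_PASSWORD is silently expanded to an empty string and the hardening degrades to an unauthenticated Redis (and a `redis-cli -a ""` healthcheck), whereas DATABASE_URL on the adjacent lines fails fast with `${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}`. Use the same guard in all four places, e.g. `REDIS_URL: redis://:${REDIS_PASSWORD:?set REDIS_PASSWORD}@redis:6379` in the app and migrator services and `command: redis-server --maxmemory 256mb --maxmemory-policy allkeys-lru --requirepass ${REDIS_PASSWORD:?set REDIS_PASSWORD}` in the redis service; the same defect appears in the second, third and fourth hunks, so fix it once for all of them. Because the password is embedded in a URL, it must not contain characters such as `/`, `@`, `:` or `%` unless percent-encoded — if the generation hint added to .env.example (not visible here) emits base64, hex output would be the safer recommendation. Passing the secret via `-a` also places it in the healthcheck process's argv and in the compose-rendered container inspect output; redis-cli reads `REDISCLI_AUTH` from the environment, which would keep it out of the command line while still exercising authentication.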