fix: DockerSecretsResolver - don't normalize absolute paths like /var/www/html/...

2025-11-24 21:28:25 +01:00
parent 4eb7134853
commit 77abc65cd7
1327 changed files with 91915 additions and 9909 deletions
--- a/deployment/legacy/docker-compose-archive/docker-compose.security.yml
+++ b/deployment/legacy/docker-compose-archive/docker-compose.security.yml
@@ -0,0 +1,137 @@
+# Secure Docker Compose Configuration
+# This file contains security hardening for the infrastructure
+# Use: docker-compose -f docker-compose.yml -f docker-compose.security.yml up
+
+services:
+  # Hardened Database Configuration
+  db:
+    image: mariadb:11.4-jammy  # Pinned version for security
+    environment:
+      # Use Docker secrets instead of hardcoded passwords
+      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
+      MYSQL_DATABASE: ${DB_DATABASE:-framework}
+      MYSQL_USER: ${DB_USERNAME:-app_user}
+      MYSQL_PASSWORD_FILE: /run/secrets/db_user_password
+      MYSQL_INITDB_SKIP_TZINFO: 1
+    # Remove exposed ports - only internal container access
+    ports: []
+    expose:
+      - "3306"
+    volumes:
+      - ./docker/mysql/conf.d:/etc/mysql/conf.d:ro
+    secrets:
+      - db_root_password
+      - db_user_password
+    security_opt:
+      - no-new-privileges:true
+    user: "999:999"  # mysql user
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - DAC_OVERRIDE
+      - SETGID
+      - SETUID
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+          cpus: '1.0'
+        reservations:
+          memory: 512M
+
+  # Hardened Redis Configuration
+  redis:
+    image: redis:7-alpine  # Stable version
+    volumes:
+      - ./docker/redis/redis-secure.conf:/usr/local/etc/redis/redis.conf:ro
+    secrets:
+      - redis_password
+    healthcheck:
+      test: ["CMD", "redis-cli", "--no-auth-warning", "-a", "$(cat /run/secrets/redis_password)", "ping"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+    security_opt:
+      - no-new-privileges:true
+    user: "999:1000"
+    cap_drop:
+      - ALL
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+          cpus: '0.5'
+
+  # Hardened Queue Worker
+  queue-worker:
+    user: "1000:1000"
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    deploy:
+      resources:
+        limits:
+          memory: 512M
+          cpus: '0.5'
+        reservations:
+          memory: 256M
+
+  # Hardened PHP Container
+  php:
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - DAC_OVERRIDE
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+          cpus: '1.0'
+
+  # Hardened Web Container
+  web:
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - DAC_OVERRIDE
+      - NET_BIND_SERVICE
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+          cpus: '0.5'
+
+# Docker Secrets Configuration
+secrets:
+  db_root_password:
+    file: ./secrets/db_root_password.txt
+  db_user_password:
+    file: ./secrets/db_user_password.txt
+  redis_password:
+    file: ./secrets/redis_password.txt
+
+# Secure Networks
+networks:
+  frontend:
+    driver: bridge
+    driver_opts:
+      com.docker.network.enable_ipv6: "false"
+    internal: false
+  backend:
+    driver: bridge
+    driver_opts:
+      com.docker.network.enable_ipv6: "false"
+    internal: true
+  cache:
+    driver: bridge
+    driver_opts:
+      com.docker.network.enable_ipv6: "false" 
+    internal: true