michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cf0ad6e905610731d26904caff7d7f1ead4a1fa2
michaelschiemer/docker-compose.security.yml
Michael Schiemer 55a330b223 Enable Discovery debug logging for production troubleshooting 
- Add DISCOVERY_LOG_LEVEL=debug
- Add DISCOVERY_SHOW_PROGRESS=true
- Temporary changes for debugging InitializerProcessor fixes on production
2025-08-11 20:13:26 +02:00

137 lines
3.0 KiB
YAML
Raw Blame History

# Secure Docker Compose Configuration
# This file contains security hardening for the infrastructure
# Use: docker-compose -f docker-compose.yml -f docker-compose.security.yml up
services:
# Hardened Database Configuration
db:
image: mariadb:11.4-jammy # Pinned version for security
environment:
# Use Docker secrets instead of hardcoded passwords
MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
MYSQL_DATABASE: ${DB_DATABASE:-framework}
MYSQL_USER: ${DB_USERNAME:-app_user}
MYSQL_PASSWORD_FILE: /run/secrets/db_user_password
MYSQL_INITDB_SKIP_TZINFO: 1
# Remove exposed ports - only internal container access
ports: []
expose:
- "3306"
volumes:
- ./docker/mysql/conf.d:/etc/mysql/conf.d:ro
secrets:
- db_root_password
- db_user_password
security_opt:
- no-new-privileges:true
user: "999:999" # mysql user
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
deploy:
resources:
limits:
memory: 1G
cpus: '1.0'
reservations:
memory: 512M
# Hardened Redis Configuration
redis:
image: redis:7-alpine # Stable version
volumes:
- ./docker/redis/redis-secure.conf:/usr/local/etc/redis/redis.conf:ro
secrets:
- redis_password
healthcheck:
test: ["CMD", "redis-cli", "--no-auth-warning", "-a", "$(cat /run/secrets/redis_password)", "ping"]
interval: 30s
timeout: 5s
retries: 3
security_opt:
- no-new-privileges:true
user: "999:1000"
cap_drop:
- ALL
deploy:
resources:
limits:
memory: 256M
cpus: '0.5'
# Hardened Queue Worker
queue-worker:
user: "1000:1000"
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
deploy:
resources:
limits:
memory: 512M
cpus: '0.5'
reservations:
memory: 256M
# Hardened PHP Container
php:
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
deploy:
resources:
limits:
memory: 1G
cpus: '1.0'
# Hardened Web Container
web:
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
- NET_BIND_SERVICE
deploy:
resources:
limits:
memory: 256M
cpus: '0.5'
# Docker Secrets Configuration
secrets:
db_root_password:
file: ./secrets/db_root_password.txt
db_user_password:
file: ./secrets/db_user_password.txt
redis_password:
file: ./secrets/redis_password.txt
# Secure Networks
networks:
frontend:
driver: bridge
driver_opts:
com.docker.network.enable_ipv6: "false"
internal: false
backend:
driver: bridge
driver_opts:
com.docker.network.enable_ipv6: "false"
internal: true
cache:
driver: bridge
driver_opts:
com.docker.network.enable_ipv6: "false"
internal: true
Reference in New Issue View Git Blame Copy Permalink