LinumIQ/linumiq_net-docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3b3f589d646a30c19e8e794100698764535b0eec
linumiq_net-docker/redis/docker-compose.yml
T
gerhards 50ab46dbe1 security: harden remote-access stack (pentest remediation R1-R4) 
App layer (R1): bind frps NewProxy to token-owned subdomain (anti-hijack),
default-deny unknown webhook ops, HMAC-verify stripe-stub billing webhook,
enforce bandwidth quota kill-switch (Ping op), least-privilege table grants
(migrations 0002/0003), GOTRUE_PASSWORD_MIN_LENGTH=12.

Infra/net (R2): unpublish internal host ports (kong/pooler/analytics/frps-dash),
read-only docker-socket-proxy for vector (no host breakout), on-demand-TLS
allow-list authorizer, edge-block machine-only webhooks, no-new-privileges on
custom containers.

Secrets (R3): rotate Postgres password (all roles) + frps dashboard; replace
predictable supavisor defaults; secrets externalized to gitignored .env.

Med/Low (R4): security response headers (HSTS/XCTO/XFO/Referrer/Permissions/COOP),
restrict frp proxy_type to http (no open relay), disable destructive redis
commands, tighten frps.toml perms.

No secrets committed; rotated values live only in gitignored .env files.
2026-05-30 10:45:07 +02:00

47 lines
1.1 KiB
YAML
Raw Blame History

services:
redis:
image: redis:7.2-alpine
container_name: redis
restart: unless-stopped
# SECURITY (R4/I7): drop privileges and disable destructive admin commands.
# The only Redis consumers (auth-webhook, bandwidth-worker) use GET/SET/DEL
# exclusively, so disabling FLUSHALL/FLUSHDB/KEYS/DEBUG is safe and limits
# blast radius if the edge network is ever abused.
security_opt:
- no-new-privileges:true
environment:
REDIS_PASSWORD: ${REDIS_PASSWORD}
command:
- redis-server
- --requirepass
- ${REDIS_PASSWORD}
- --appendonly
- "yes"
- --appendfsync
- everysec
- --rename-command
- FLUSHALL
- ""
- --rename-command
- FLUSHDB
- ""
- --rename-command
- KEYS
- ""
- --rename-command
- DEBUG
- ""
volumes:
- ./data:/data
healthcheck:
test: ["CMD-SHELL", "redis-cli -a \"$$REDIS_PASSWORD\" PING | grep -q PONG"]
interval: 10s
timeout: 3s
retries: 5
networks:
- edge
networks:
edge:
external: true
Reference in New Issue View Git Blame Copy Permalink