gerhards
50ab46dbe1
App layer (R1): bind frps NewProxy to token-owned subdomain (anti-hijack), default-deny unknown webhook ops, HMAC-verify stripe-stub billing webhook, enforce bandwidth quota kill-switch (Ping op), least-privilege table grants (migrations 0002/0003), GOTRUE_PASSWORD_MIN_LENGTH=12. Infra/net (R2): unpublish internal host ports (kong/pooler/analytics/frps-dash), read-only docker-socket-proxy for vector (no host breakout), on-demand-TLS allow-list authorizer, edge-block machine-only webhooks, no-new-privileges on custom containers. Secrets (R3): rotate Postgres password (all roles) + frps dashboard; replace predictable supavisor defaults; secrets externalized to gitignored .env. Med/Low (R4): security response headers (HSTS/XCTO/XFO/Referrer/Permissions/COOP), restrict frp proxy_type to http (no open relay), disable destructive redis commands, tighten frps.toml perms. No secrets committed; rotated values live only in gitignored .env files.
21 lines
569 B
YAML
21 lines
569 B
YAML
services:
|
|
frps:
|
|
image: snowdreamtech/frps:0.65.0
|
|
container_name: frps
|
|
restart: unless-stopped
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
ports:
|
|
# Tunnel ingress (frpc clients connect here). Must stay public.
|
|
- "7000:7000"
|
|
# SECURITY (R2): dashboard/API port 7500 unpublished. bandwidth-worker
|
|
# reaches it internally via frps:7500 on the edge network.
|
|
volumes:
|
|
- ./frps.toml:/etc/frp/frps.toml:ro
|
|
command: ["frps", "-c", "/etc/frp/frps.toml"]
|
|
networks:
|
|
- edge
|
|
networks:
|
|
edge:
|
|
external: true
|