security: bind all ports to 127.0.0.1

Docker bypasses ufw and exposes 0.0.0.0-bound ports directly via
iptables DNAT rules, even when ufw's default policy is deny. Bind
every service port to 127.0.0.1 so only nginx (and SSH tunnels for
wizard) can reach them from outside.
2026-04-16 08:54:19 +00:00
parent 87e1aae3f6
commit 4ca9e588b5


@@ -2,7 +2,7 @@ services:
backend: backend:
image: git.hangman-lab.top/hzhang/hangmanlab-backend:latest image: git.hangman-lab.top/hzhang/hangmanlab-backend:latest
ports: ports:
- "$BACKEND_PORT:$BACKEND_PORT" - "127.0.0.1:$BACKEND_PORT:$BACKEND_PORT"
env_file: env_file:
- .env - .env
depends_on: depends_on:
@@ -15,7 +15,7 @@ services:
frontend: frontend:
image: git.hangman-lab.top/hzhang/hangmanlab-frontend:latest image: git.hangman-lab.top/hzhang/hangmanlab-frontend:latest
ports: ports:
- "$FRONTEND_PORT:80" - "127.0.0.1:$FRONTEND_PORT:80"
env_file: env_file:
- .env - .env
depends_on: depends_on:
@@ -27,7 +27,7 @@ services:
image: mysql:8.0 image: mysql:8.0
container_name: mysql container_name: mysql
ports: ports:
- "$DB_PORT:$DB_PORT" - "127.0.0.1:$DB_PORT:$DB_PORT"
environment: environment:
MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD} MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
MYSQL_DATABASE: ${DB_NAME} MYSQL_DATABASE: ${DB_NAME}
@@ -65,7 +65,7 @@ services:
image: git.hangman-lab.top/zhi/harborforge-backend:multi-stage image: git.hangman-lab.top/zhi/harborforge-backend:multi-stage
restart: "no" restart: "no"
ports: ports:
- "$HF_BACKEND_PORT:8000" - "127.0.0.1:$HF_BACKEND_PORT:8000"
volumes: volumes:
- wizard_config:/config:ro - wizard_config:/config:ro
environment: environment:
@@ -80,10 +80,18 @@ services:
networks: networks:
- app-network - app-network
wizard_init:
image: busybox:1.36
restart: "no"
user: "0:0"
volumes:
- wizard_config:/config
command: ["sh", "-c", "chown -R 65532:65532 /config"]
wizard: wizard:
image: git.hangman-lab.top/nav/abstract-wizard:latest image: git.hangman-lab.top/nav/abstract-wizard:latest
ports: ports:
- "$WIZARD_PORT:8080" - "127.0.0.1:$WIZARD_PORT:8080"
volumes: volumes:
- wizard_config:/config - wizard_config:/config
environment: environment:
@@ -91,13 +99,16 @@ services:
LISTEN_ADDR: "0.0.0.0:8080" LISTEN_ADDR: "0.0.0.0:8080"
MAX_BACKUPS: "5" MAX_BACKUPS: "5"
CORS_ORIGINS: ${HF_FRONTEND_HOST} CORS_ORIGINS: ${HF_FRONTEND_HOST}
depends_on:
wizard_init:
condition: service_completed_successfully
networks: networks:
- app-network - app-network
hf_frontend: hf_frontend:
image: git.hangman-lab.top/zhi/harborforge-frontend:latest image: git.hangman-lab.top/zhi/harborforge-frontend:latest
ports: ports:
- "$HF_FRONTEND_PORT:3000" - "127.0.0.1:$HF_FRONTEND_PORT:3000"
environment: environment:
FRONTEND_DEV_MODE: ${HF_FRONTEND_DEV_MODE:-0} FRONTEND_DEV_MODE: ${HF_FRONTEND_DEV_MODE:-0}
NODE_ENV: production NODE_ENV: production
@@ -112,7 +123,7 @@ services:
container_name: harborforge-monitor container_name: harborforge-monitor
restart: unless-stopped restart: unless-stopped
environment: environment:
HF_MONITER_BACKEND_URL: ${HF_MONITOR_BACKEND_URL:-https://hf.hangman-lab.top} HF_MONITER_BACKEND_URL: ${HF_MONITOR_BACKEND_URL:-https://hf-api.hangman-lab.top}
HF_MONITER_IDENTIFIER: ${HF_MONITOR_IDENTIFIER} HF_MONITER_IDENTIFIER: ${HF_MONITOR_IDENTIFIER}
HF_MONITER_API_KEY: ${HF_MONITOR_API_KEY} HF_MONITER_API_KEY: ${HF_MONITOR_API_KEY}
HF_MONITER_REPORT_INTERVAL: "30" HF_MONITER_REPORT_INTERVAL: "30"
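Review bot: In the mysql hunk (`@@ -27,7 +27,7 @@`) the database port is still published on the host, only narrowed to loopback; presumably the backend reaches mysql over the compose network by service name, in which case the `ports:` stanza can be dropped entirely (or replaced with `expose: ["$DB_PORT"]`) so the database is reachable from no host process at all, and a loopback bind is kept only if a host-side client genuinely needs it. The same question applies to `$HF_BACKEND_PORT:8000` in the hf_backend hunk if nginx is the only consumer and could proxy over the compose network instead. Older Docker Engine releases installed DNAT rules for loopback-published ports that could still be matched by routed traffic from the same L2 segment, so the engine version on the host is worth confirming before relying on the loopback bind alone as the ufw workaround. The last hunk (`@@ -112,7 +123,7 @@`) changes the `HF_MONITOR_BACKEND_URL` default from `https://hf.hangman-lab.top` to `https://hf-api.hangman-lab.top`, which is unrelated to the port binding and would be easier to bisect as its own commit or at least mentioned in the description.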