security: bind all ports to 127.0.0.1

Docker bypasses ufw and exposes 0.0.0.0-bound ports directly via iptables DNAT rules, even when ufw default policy is deny. Bind every service port to 127.0.0.1 so only nginx (and SSH tunnels for wizard) can reach them from outside.
2026-04-16 08:54:19 +00:00
parent 87e1aae3f6
commit 4ca9e588b5
1 changed files with 18 additions and 7 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@ services:
  backend:
    image: git.hangman-lab.top/hzhang/hangmanlab-backend:latest
    ports:
-      - "$BACKEND_PORT:$BACKEND_PORT"
+      - "127.0.0.1:$BACKEND_PORT:$BACKEND_PORT"
    env_file:
      - .env
    depends_on:
@@ -15,7 +15,7 @@ services:
  frontend:
    image: git.hangman-lab.top/hzhang/hangmanlab-frontend:latest
    ports:
-      - "$FRONTEND_PORT:80"
+      - "127.0.0.1:$FRONTEND_PORT:80"
    env_file:
      - .env
    depends_on:
@@ -27,7 +27,7 @@ services:
    image: mysql:8.0
    container_name: mysql
    ports:
-      - "$DB_PORT:$DB_PORT"
+      - "127.0.0.1:$DB_PORT:$DB_PORT"
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE: ${DB_NAME}
@@ -65,7 +65,7 @@ services:
    image: git.hangman-lab.top/zhi/harborforge-backend:multi-stage
    restart: "no"
    ports:
-      - "$HF_BACKEND_PORT:8000"
+      - "127.0.0.1:$HF_BACKEND_PORT:8000"
    volumes:
      - wizard_config:/config:ro
    environment:
@@ -80,10 +80,18 @@ services:
    networks:
      - app-network

+  wizard_init:
+    image: busybox:1.36
+    restart: "no"
+    user: "0:0"
+    volumes:
+      - wizard_config:/config
+    command: ["sh", "-c", "chown -R 65532:65532 /config"]
+
  wizard:
    image: git.hangman-lab.top/nav/abstract-wizard:latest
    ports:
-      - "$WIZARD_PORT:8080"
+      - "127.0.0.1:$WIZARD_PORT:8080"
    volumes:
      - wizard_config:/config
    environment:
@@ -91,13 +99,16 @@ services:
      LISTEN_ADDR: "0.0.0.0:8080"
      MAX_BACKUPS: "5"
      CORS_ORIGINS: ${HF_FRONTEND_HOST}
+    depends_on:
+      wizard_init:
+        condition: service_completed_successfully
    networks:
      - app-network

  hf_frontend:
    image: git.hangman-lab.top/zhi/harborforge-frontend:latest
    ports:
-      - "$HF_FRONTEND_PORT:3000"
+      - "127.0.0.1:$HF_FRONTEND_PORT:3000"
    environment:
      FRONTEND_DEV_MODE: ${HF_FRONTEND_DEV_MODE:-0}
      NODE_ENV: production
@@ -112,7 +123,7 @@ services:
    container_name: harborforge-monitor
    restart: unless-stopped
    environment:
-      HF_MONITER_BACKEND_URL: ${HF_MONITOR_BACKEND_URL:-https://hf.hangman-lab.top}
+      HF_MONITER_BACKEND_URL: ${HF_MONITOR_BACKEND_URL:-https://hf-api.hangman-lab.top}
      HF_MONITER_IDENTIFIER: ${HF_MONITOR_IDENTIFIER}
      HF_MONITER_API_KEY: ${HF_MONITOR_API_KEY}
      HF_MONITER_REPORT_INTERVAL: "30"