From 1dfa173b3a4f25e4f5577354d5d7c14eb570a27a Mon Sep 17 00:00:00 2001 From: Jakob Date: Thu, 11 Nov 2021 10:13:25 +0100 Subject: [PATCH] fix: Limit rails, postgres and redis container access to localhost (#3354) This change limits the rails, redis and postgres container on `docker-compose.production.yaml` file to localhost only. The default docker-compose configuration will expose redis, postgres and rails directly to the internet when the service is started on a virtual machine. In most cases that is not what you want, and especially for redis and postgres exposing the services could be a potential security risk. By adding 127.0.0.1 access is limited to localhost and access is only possible after nginx oder another web server is configured as reverse proxy. Note: Moving forward, anyone using docker-compose.production.yaml need to have something like Nginxto proxy the requests to the container. If you want to verify whether the installation is working, try curl -I localhost:3000 to see if it returns 200. Also, you could temporarily drop the 127:0.0.1:3000:3000 for rails to 3000:3000 to access your instance at http://:3000. It's recommended to revert this change back and use Nginx in front. Approved-by: Vishnu Narayanan
---
 docker-compose.production.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docker-compose.production.yaml b/docker-compose.production.yaml
index a910c5c44..d2f5b435c 100644
--- a/docker-compose.production.yaml
+++ b/docker-compose.production.yaml
@@ -13,7 +13,7 @@ services:
 - postgres
 - redis
 ports:
- - 3000:3000
+ - '127.0.0.1:3000:3000'
 environment:
 - NODE_ENV=production
 - RAILS_ENV=production
@@ -36,7 +36,7 @@ services:
 image: postgres:12
 restart: always
 ports:
- - '5432:5432'
+ - '127.0.0.1:5432:5432'
 volumes:
 - /data/postgres:/var/lib/postgresql/data
 environment:
@@ -53,4 +53,4 @@ services:
 volumes:
 - /data/redis:/data
 ports:
- - '6379:6379'
+ - '127.0.0.1:6379:6379'
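Review bot: The loopback bind on the rails `ports:` entry carries no comment saying why it is there, and the commit message itself suggests temporarily switching back to `3000:3000`, so a later edit could re-expose the app without anyone noticing. I would add above the entry `# Loopback only: a reverse proxy on the host (e.g. Nginx) must front this port; do not publish on all interfaces.` Docker publishes ports through its own iptables rules, so a host firewall such as ufw typically does not block a port published on all interfaces, which makes this bind the actual control. The service definition starts before and continues after this hunk.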
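Review bot: The postgres `ports:` entry (and the redis one in the last hunk) still publishes the datastore on the host, where any local user or process can connect to 127.0.0.1:5432 and 127.0.0.1:6379. The rails service lists `postgres` and `redis` just above its own `ports:` in the first hunk, so it presumably reaches both over the compose network by service name; if nothing on the host needs direct access, removing the two `ports:` blocks entirely is the tighter setting. If they stay for backups or debugging, confirm that redis requires a password, since no auth setting is visible in these hunks. Both service definitions extend outside their hunks.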