🔧 UPDATE: Add CREDENTIAL_ENCRYPTION_KEY to .env for enhanced security configuration.

.env

@@ -2,7 +2,6 @@
 NODE_ENV=production
 # ====== Database Configuration ======
 POSTGRES_PASSWORD="8*6&Ti3TJxN^"
-PGADMIN_DEFAULT_PASSWORD="8*6&Ti3TJxN^"
 DB_NAME="phoenix"
 DB_HOST="phoenixDB"
 DB_PORT=5432
@@ -23,3 +22,4 @@ REDIS_PASSWORD="8*6&Ti3TJxN^"
 # ====== PHX-SYSTEM Configuration ======
 PHOENIX_SYSTEM_REPLICAS=1
 PHX_HOST_NAME=
+CREDENTIAL_ENCRYPTION_KEY=

README.md

@@ -84,5 +84,5 @@ You can access log services like pgAdmin, Postgres, Phoenix ERP, and others afte
 # 🌐 Accessing the System
 | **Service**     | **URL**                        | **Credentials**                                    |
 |------------------|----------------------------------|----------------------------------------------------|
-| **Phoenix ERP**  | [http://localhost:4200](http://localhost:4200) | login: superadmin and password as configured in `.env`           |
-| **pgAdmin**      | [http://localhost:5050](http://localhost:5050) | Email: `info@phx-erp.de`  <br> Password: from `.env` |
+| **Phoenix ERP**  | [http://HOST_IP](http://HOST_IP) | login: superadmin and password as configured in `.env` -> `SUPER_ADMIN_USER_PASSWORD`           |
+| **pgAdmin**      | [http://HOST_IP/pgadmin4/](http://HOST_IP/pgadmin4/) | Email: `info@phx-erp.de`  <br> Password: from `SUPER_ADMIN_USER_PASSWORD` |

docker-compose.yaml

@@ -44,6 +44,11 @@ services:
     restart: always
     image: "postgres:17.5-alpine"
     container_name: phoenixDB # Hostname
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "100m"
+        max-file: "5"
     # logging:
     #   driver: loki
     #   options:
@@ -79,9 +84,14 @@ services:
       retries: 5  # Grace period before health checks start
   pgadmin:
     restart: always
-    image: dpage/pgadmin4:9.6.0
+    image: dpage/pgadmin4:9.8.0
     container_name: pgadmin4-ui
     user: "5050:5050"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "100m"
+        max-file: "5"
     # logging:
     #   driver: loki
     #   options:
@@ -151,15 +161,20 @@ services:
       postgres:
         condition: service_healthy
     healthcheck:
-      test: ["CMD", "wget", "-O", "-", "http://localhost:80/misc/ping"]
+      test: ["CMD-SHELL", "wget -qO- http://localhost:80/misc/ping && wget -qO- http://localhost:80/browser/"]
       interval: 15s
       timeout: 10s
       retries: 5
-      start_period: 120s
+      start_period: 150s
   phoenix-app:
     restart: always
     image: "phxerp/phoenix-app:alpha"
     container_name: phoenix-app
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "100m"
+        max-file: "5"
     ports:
       - '80:80'
       - '443:443'
@@ -201,6 +216,11 @@ services:
   phoenix-system:
     restart: always
     image: "phxerp/phoenix-system:alpha"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "100m"
+        max-file: "5"
     # logging:
     #   driver: loki
     #   options:
@@ -217,6 +237,7 @@ services:
       - "REDIS_PASSWORD=${REDIS_PASSWORD}"
       - NODE_ENV=${NODE_ENV}
       - PHX_HOST_NAME=${PHX_HOST_NAME}
+      - CREDENTIAL_ENCRYPTION_KEY=${CREDENTIAL_ENCRYPTION_KEY}
       - PERFORMANCE_STRUCTURED_LOGGING=${PERFORMANCE_STRUCTURED_LOGGING}
       - PERFORMANCE_WARNING_THRESHOLD=${PERFORMANCE_WARNING_THRESHOLD}
       - PERFORMANCE_DETAILED_MEMORY=${PERFORMANCE_DETAILED_MEMORY}
@@ -250,7 +271,7 @@ services:
       start_period: 60s  # Grace period before health checks start
     volumes:
       - "./assets:/usr/src/app/packages/dev-server/assets"
-      
+      - "./server_custom:/usr/src/app/packages/dev-server/custom"
       # - "./logs:/usr/src/app/packages/dev-server/logs"
   phoenix-worker:
     restart: always
@@ -258,6 +279,11 @@ services:
     container_name: "phoenix-worker"
     ports:
       - "3001:3001" # Restrict to only allow access from Grafana Server IP
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "100m"
+        max-file: "5"
     # logging:
     #   driver: loki
     #   options:
@@ -276,6 +302,7 @@ services:
       - REDIS_PASSWORD=${REDIS_PASSWORD}
       - NODE_ENV=${NODE_ENV}
       - PHX_HOST_NAME=${PHX_HOST_NAME}
+      - CREDENTIAL_ENCRYPTION_KEY=${CREDENTIAL_ENCRYPTION_KEY}
       - PERFORMANCE_STRUCTURED_LOGGING=${PERFORMANCE_STRUCTURED_LOGGING}
       - PERFORMANCE_WARNING_THRESHOLD=${PERFORMANCE_WARNING_THRESHOLD}
       - PERFORMANCE_DETAILED_MEMORY=${PERFORMANCE_DETAILED_MEMORY}
@@ -306,13 +333,16 @@ services:
       start_period: 30s  # Grace period before health checks start
     volumes:
       - "./assets:/usr/src/app/packages/dev-server/assets"
-      
+      - "./server_custom:/usr/src/app/packages/dev-server/custom"
       # - "./logs:/usr/src/app/packages/dev-server/logs"
   phoenix-redis:
-    image: 'bitnami/redis:latest'
+    image: redis:7.2-alpine
     container_name: redis
-    command: /opt/bitnami/scripts/redis/run.sh # Not good, but as agreed. At some point i can start using this: --maxmemory + add eviction policy
-    user: root
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "100m"
+        max-file: "5"
     # logging:
     #   driver: loki
     #   options:
@@ -324,8 +354,7 @@ services:
       - backend
     restart: always
     environment:
-      ALLOW_EMPTY_PASSWORD: "no"
-      REDIS_PASSWORD: ${REDIS_PASSWORD}
+      TZ: Europe/Berlin
     # deploy:
     #   restart_policy: # Define how the service should restart when it fails
     #     condition: on-failure # Only restart if the container exits with a non-zero code
@@ -339,11 +368,22 @@ services:
     #     reservations: # Guaranteed minimum resources for the container
     #       cpus: "0.05" # Reserved CPU cores (5% of one core)
     #       memory: 32M # Reserved memory (32 megabytes)
+    command: >
+      redis-server
+      --requirepass ${REDIS_PASSWORD}
+    healthcheck:
+      test: [
+        "CMD-SHELL",
+        "redis-cli -a ${REDIS_PASSWORD} ping | grep PONG && test -w /data"
+      ]
+      interval: 5s
+      retries: 10
+      timeout: 5s
     depends_on:
       postgres:
         condition: service_healthy
     volumes:
-      - "./redis/data:/bitnami/redis/data"
+      - ./redis/data:/data
 
 networks:
   backend:

fail2ban/filter.d/nginx-4xx.conf

@@ -1,6 +1,11 @@
 [Definition]
-# Match either x_forwarded_for (preferred) or remote_addr
+
+# ✅ Match any 4xx status (including 401, 499) for all paths
 failregex = ^.*"x_forwarded_for":"<HOST>".*"status":4\d\d.*$
             ^.*"remote_addr":"<HOST>".*"status":4\d\d.*$
 
-ignoreregex = ^.*"request_uri":"\/(?:stub_status|health\/system|health\/worker|pgadmin4(?:\/|$)|\.well-known\/acme-challenge\/|.*\.(?:css|js|png|jpg|jpeg|gif|svg|ico|webp|woff2?))".*$
+# ❌ Ignore:
+# - ALL status codes under /pgadmin4 (including 401, 499, 404, etc.)
+# - Static files and known safe URIs
+ignoreregex = ^.*"request_uri":"\/pgadmin4(?:\/[^"]*)?".*$
+              ^.*"request_uri":"\/(?:stub_status|health\/system|health\/worker|\.well-known\/acme-challenge\/[^"]*|[^"]*\.(?:css|js|png|jpg|jpeg|gif|svg|ico|webp|woff2?))".*$

fail2ban/jail.d/nginx-phoenix.local

@@ -47,7 +47,7 @@ filter    = nginx-4xx
 logpath   = /data/nginx-logs/access_json.log
 port      = 80,443,3000
 findtime  = 5m
-maxretry  = 20
+maxretry  = 50
 bantime   = 15m
 
 # -----------------------------