Refactor Docker Compose for PostgreSQL and Redis services

2025-02-17 09:09:51 +00:00
parent 56756d7c85
commit 709362b1c0
5 changed files with 91 additions and 24 deletions
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -16,6 +16,8 @@ services:
      - "POSTGRES_PASSWORD=${POSTGRES_PASSWORD}"
    volumes:
      - "./database:/var/lib/postgresql/data"
+      - "./database/pg_hba.conf:/etc/postgresql/pg_hba.conf"  # Correct location
+    command: ["postgres", "-c", "hba_file=/etc/postgresql/pg_hba.conf"]  # ✅ Tell PostgreSQL where to find it
    healthcheck:
      test:
        - CMD-SHELL
@@ -128,8 +130,8 @@ services:
  phoenix-redis:
    image: 'bitnami/redis:latest'
    container_name: redis
-    command: /opt/bitnami/scripts/redis/run.sh --maxmemory 100mb
-    user: root
+    command: /opt/bitnami/scripts/redis/run.sh --maxmemory 100mb --dir /bitnami/redis/data
+    user: 1001:1001  # Non-root user in Bitnami images The /bitnami/redis/data directory inside the container is already owned by 1001, avoiding permission issues.
    networks:
      - backend
    restart: always
@@ -139,13 +141,22 @@ services:
      REDIS_PASSWORD: ${REDIS_PASSWORD}
    healthcheck:
      test: [ "CMD", "redis-cli", "--raw", "incr", "ping" ]
+      interval: 5s
+      retries: 10  # Increase retries if Redis takes a while to start
+      timeout: 5s  # Increase timeout if needed
    volumes:
      - "./redis/data:/bitnami/redis/data"
+      - /opt/phx/redis/tmp:/opt/bitnami/redis/tmp  # ✅ Fix permission issue
+      - /opt/phx/redis/logs:/opt/bitnami/redis/logs  # ✅ Fix logs permission issue
+      - ./redis.conf:/opt/bitnami/redis/etc/redis.conf  # ✅ Use a writable redis.conf
+    depends_on:
+      postgres:
+        condition: service_healthy
  node_exporter:
    image: quay.io/prometheus/node-exporter:latest
    container_name: node_exporter
-    network_mode: host
-    pid: host
+    networks:
+      - metrics
    restart: unless-stopped
    ports:
      - "9100:9100"
@@ -162,7 +173,6 @@ services:
    container_name: https_portal
    image: "steveltn/https-portal:1.21"
    restart: unless-stopped
-    user: "root"
    networks:
      - frontend # [ PgAdmin, Phoenix-App ]
      - external # [ Outside of the World]
@@ -181,25 +191,50 @@ services:
    volumes:
      - ./https_portal/data:/var/lib/https-portal # ssl_certs, vhost.d, htdocs
      - ./https_portal/log:/var/log/nginx # nginx logs
+      - ./https_portal/config/custom_nginx.conf:/opt/custom_nginx.conf:ro  # ✅ Mount file in a safe path
    depends_on:
      - phoenix-app
      - phoenix-system
      - pgadmin
      - phoenix-redis
      - postgres
-
+  fail2ban:
+    image: crazymax/fail2ban:latest
+    container_name: fail2ban
+    network_mode: 'host'
+    cap_add:
+        - NET_ADMIN
+        - NET_RAW
+    volumes:
+        - ./fail2ban/data:/data
+        - ./fail2ban/jail.d:/etc/fail2ban/jail.d
+        - /var/log:/var/log:ro
+    restart: always
 networks:
  backend:
    driver: bridge
    external: false
+    ipam:
+      config:
+        - subnet: 172.19.0.0/16

  frontend:
    driver: bridge
    external: false
+    ipam:
+      config:
+        - subnet: 172.20.0.0/16

  external:
    driver: bridge
-    external: true
+    external: false
+
+  metrics:
+    driver: bridge
+    external: false
+    ipam:
+      config:
+        - subnet: 172.22.0.0/16

 volumes:
  pgadmin: null
--- a/fail2ban/data/db/fail2ban.sqlite3
+++ b/fail2ban/data/db/fail2ban.sqlite3
--- a/https_portal/config/custom_nginx.conf
+++ b/https_portal/config/custom_nginx.conf
@@ -0,0 +1,41 @@
+# /https_portal/config/custom_nginx.conf
+server {
+    listen 80;
+    server_name yuri.phx-erp.de;
+
+    # Rate limiting
+    limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
+
+    # Global security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "no-referrer-when-downgrade" always;
+    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+
+    # Enable DDoS protection
+    client_body_timeout 10s;
+    client_header_timeout 10s;
+    keepalive_timeout 5s 5s;
+    send_timeout 10s;
+
+    # IP blocking for repeated failed attempts
+    geo $bad_user {
+        default 0;
+        include /etc/nginx/conf.d/blocked_ips.conf;
+    }
+
+    # Block suspicious requests
+    map $http_user_agent $bad_bot {
+        default 0;
+        ~*(curl|wget|python|nikto|sqlmap) 1;
+    }
+
+    location / {
+        proxy_pass http://phoenix-app;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
--- a/redis.conf
+++ b/redis.conf
@@ -0,0 +1,4 @@
+
+rename-command FLUSHDB ""
+rename-command FLUSHALL ""
+rename-command CONFIG ""
--- a/server_custom/config.ts
+++ b/server_custom/config.ts
@@ -9,8 +9,6 @@ import { EmailPlugin, FileBasedTemplateLoader, defaultEmailHandlers } from '@pho
 import { BillBeePlugin } from "@phoenix/bill-bee-plugin";
 import { ChannelPilotProPlugin } from "@phoenix/channel-pilot-pro-plugin";
 import { ShopifyPlugin } from '@phoenix/shopify-plugin';
-//import { BonnAPIPlugin } from '../plugins/bonn-api-plugin/bonn-api-plugin.module';
-// import { DefaultJobQueuePlugin } from '@phoenix/system_service';

 /**
 * Config settings used during development
@@ -89,7 +87,9 @@ export const customConfig: SystemConfig = {
            port: 5002,
            assetUrlPrefix: "\\remote-assets\\" //  to make it relative for client
        }),
-        DefaultJobQueuePlugin.init({}),
+        DefaultJobQueuePlugin.init({
+            useDatabaseForBuffer: true
+        }),
        EmailPlugin.init({
            sendRealEmails: true,
            route: 'mailbox',
@@ -128,20 +128,7 @@ export const customConfig: SystemConfig = {
            }
        }),
        ShopifyPlugin.init({
-            active: process.env.SHOPIFY_ACTIVE === 'true',
-            connectionInfo: {
-                url: process.env.SHOPIFY_HOST_NAME,
-                apiKey: process.env.SHOPIFY_API_KEY,
-                apiSecretKey: process.env.SHOPIFY_API_SECRET,
-                token: process.env.SHOPIFY_TOKEN,
-                // scopes: process.env.SHOPIFY_SCOPES.split(','),
-                hostName: process.env.SHOPIFY_HOST_NAME,
-                hostScheme: process.env.SHOPIFY_HOST_SCHEME === 'https' ? 'https' : 'http',
-                isEmbeddedApp: process.env.SHOPIFY_IS_EMBEDDED_APP === 'true',
-                header: {
-                    'X-Shopify-Access-Token': process.env.SHOPIFY_TOKEN,
-                }
-            }
+            active: process.env.SHOPIFY_ACTIVE === 'true'
        }),
        // DefaultStoragePlaceRankPlugin.init({})
        // new DefaultSearchPlugin(),