tarzzan/queue-med
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
queue-med/docker-compose.yml
Hermes 81c6bccf8a security: Phase 1 hardening - rate limit, helmet, CORS, JWT, session persistence 
- express-rate-limit: 100/15min global, 5/15min on auth.login + auth.register,
  3/hour reserved for password-reset endpoints; trust proxy enabled.
- helmet: enabled with contentSecurityPolicy + crossOriginEmbedderPolicy off
  to keep Vite dev and the SPA bundle working.
- CORS: explicit allowlist (https://attente.cosmolan.fr in prod, localhost in
  dev), credentials true, restricted methods/headers; same allowlist applied
  to socket.io.
- JWT_SECRET: must be set and >= 32 chars; assertAuthEnv() called from the
  server bootstrap so the process refuses to start without one. The insecure
  "changeme-in-production" fallback in docker-compose.yml is removed.
- qm_auth cookie: maxAge reduced from 30d to 7d, JWT expiry matches.
- WhatsApp sessions: path now driven by WHATSAPP_SESSION_DIR and defaults to
  /app/data/whatsapp-sessions; docker-compose.yml mounts a named app_data
  volume so credentials survive container restarts.
- scripts/backup-db.sh: timestamped, gzipped mysqldump into /app/data/backups
  with rotation (keeps last 7); Dockerfile installs mysql-client and bundles
  the script.
- .env.example refreshed with documented placeholders for every required var
  (DATABASE_URL, JWT_SECRET, WHATSAPP_SESSION_DIR, MYSQL_*, BACKUP_*).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 13:06:51 +00:00

60 lines
1.7 KiB
YAML
Raw Blame History

services:
db:
image: mysql:8.4
restart: unless-stopped
environment:
MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:-rootpassword}
MYSQL_DATABASE: ${MYSQL_DATABASE:-queuemed}
MYSQL_USER: ${MYSQL_USER:-queuemed}
MYSQL_PASSWORD: ${MYSQL_PASSWORD:-queuemed}
volumes:
- mysql_data:/var/lib/mysql
command:
- --character-set-server=utf8mb4
- --collation-server=utf8mb4_unicode_ci
healthcheck:
test:
["CMD", "mysqladmin", "ping", "-h", "127.0.0.1", "-u", "root", "-p${MYSQL_ROOT_PASSWORD:-rootpassword}"]
interval: 10s
timeout: 5s
retries: 10
networks:
- queuemed
app:
build:
context: .
dockerfile: Dockerfile
restart: unless-stopped
depends_on:
db:
condition: service_healthy
environment:
NODE_ENV: production
PORT: 5000
DATABASE_URL: mysql://${MYSQL_USER:-queuemed}:${MYSQL_PASSWORD:-queuemed}@db:3306/${MYSQL_DATABASE:-queuemed}
# JWT_SECRET MUST be provided via .env.docker — there is no insecure fallback.
JWT_SECRET: ${JWT_SECRET:?JWT_SECRET must be set in .env.docker}
PUBLIC_BASE_URL: ${PUBLIC_BASE_URL:-}
WHATSAPP_SESSION_DIR: ${WHATSAPP_SESSION_DIR:-/app/data/whatsapp-sessions}
# MySQL credentials available to scripts/backup-db.sh inside the container
MYSQL_HOST: db
MYSQL_DATABASE: ${MYSQL_DATABASE:-queuemed}
MYSQL_USER: ${MYSQL_USER:-queuemed}
MYSQL_PASSWORD: ${MYSQL_PASSWORD:-queuemed}
volumes:
- app_data:/app/data
ports:
- "5100:5000"
networks:
- queuemed
networks:
queuemed:
driver: bridge
volumes:
mysql_data:
driver: local
app_data:
driver: local
Reference in a new issue View git blame Copy permalink