diff --git a/.docker/compose/docker-compose.local.yml b/.docker/compose/docker-compose.local.yml
index a7c0f73d..162cca22 100644
--- a/.docker/compose/docker-compose.local.yml
+++ b/.docker/compose/docker-compose.local.yml
@@ -47,7 +47,7 @@ services:
 # - :/import/Caddyfile:ro
 # - :/import/sites:ro # If your Caddyfile imports other files
 healthcheck:
- test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
+ test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
 interval: 30s
 timeout: 10s
 retries: 3
diff --git a/.docker/compose/docker-compose.playwright-ci.yml b/.docker/compose/docker-compose.playwright-ci.yml
index 94e7d5a3..bc3f80b7 100644
--- a/.docker/compose/docker-compose.playwright-ci.yml
+++ b/.docker/compose/docker-compose.playwright-ci.yml
@@ -87,7 +87,7 @@ services:
 - playwright_caddy_config:/config
 - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
 healthcheck:
- test: ["CMD", "curl", "-sf", "http://localhost:8080/api/v1/health"]
+ test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
 interval: 5s
 timeout: 3s
 retries: 12
diff --git a/.docker/compose/docker-compose.playwright-local.yml b/.docker/compose/docker-compose.playwright-local.yml
index 735fe6b6..de98e202 100644
--- a/.docker/compose/docker-compose.playwright-local.yml
+++ b/.docker/compose/docker-compose.playwright-local.yml
@@ -52,7 +52,7 @@ services:
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
 healthcheck:
- test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
+ test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
 interval: 5s
 timeout: 5s
 retries: 10
diff --git a/.docker/compose/docker-compose.yml b/.docker/compose/docker-compose.yml
index 852e83a5..e7d9d3fa 100644
--- a/.docker/compose/docker-compose.yml
+++ b/.docker/compose/docker-compose.yml
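Review bot: The new `wget -q` probe discards the failure reason that `curl -fsS` used to emit, so when the container flips to unhealthy the `.State.Health.Log` entries that `docker inspect` keeps for each probe are empty instead of holding the HTTP status or connection error; the same applies to the playwright-ci and playwright-local hunks on this line and to the docker-compose.yml hunk that follows. That captured output is frequently the only evidence left when triaging a failed deployment, so it is worth preserving. Dropping `-q` or adding `-S` keeps it without changing the exit-status semantics: `test: ["CMD-SHELL", "wget -S -O /dev/null http://localhost:8080/api/v1/health || exit 1"]`. Keep the trailing `|| exit 1` under `CMD-SHELL`: GNU wget reports server errors with exit codes other than 1, and Docker documents only 0 and 1 as valid healthcheck statuses.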
@@ -52,7 +52,7 @@ services:
 # - ./my-existing-Caddyfile:/import/Caddyfile:ro
 # - ./sites:/import/sites:ro # If your Caddyfile imports other files
 healthcheck:
- test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
+ test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
 interval: 30s
 timeout: 10s
 retries: 3
diff --git a/.docker/docker-entrypoint.sh b/.docker/docker-entrypoint.sh
index a5e74e7e..cf794707 100755
--- a/.docker/docker-entrypoint.sh
+++ b/.docker/docker-entrypoint.sh
@@ -365,7 +365,7 @@ echo "Caddy started (PID: $CADDY_PID)"
 echo "Waiting for Caddy admin API..."
 i=1
 while [ "$i" -le 30 ]; do
- if curl -sf http://127.0.0.1:2019/config/ > /dev/null 2>&1; then
+ if wget -qO /dev/null http://127.0.0.1:2019/config/ 2>/dev/null; then
 echo "Caddy is ready!"
 break
 fi
diff --git a/Dockerfile b/Dockerfile
index 768431cf..e2e23615 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -408,11 +408,10 @@ WORKDIR /app
 # Install runtime dependencies for Charon, including bash for maintenance scripts
 # Note: gosu is now built from source (see gosu-builder stage) to avoid CVEs from Debian's pre-compiled version
 # Explicitly upgrade packages to fix security vulnerabilities
-# binutils provides objdump for debug symbol detection in docker-entrypoint.sh
 # hadolint ignore=DL3018
 RUN apk add --no-cache \
- bash ca-certificates sqlite-libs sqlite tzdata curl gettext libcap libcap-utils \
- c-ares binutils libc-utils busybox-extras \
+ bash ca-certificates sqlite-libs sqlite tzdata gettext libcap libcap-utils \
+ c-ares busybox-extras \
 && apk upgrade --no-cache zlib
 
 # Copy gosu binary from gosu-builder (built with Go 1.26+ to avoid stdlib CVEs)
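Review bot: The wget probe in the Caddy readiness loop has no `-T`, so if port 2019 accepts a connection but never answers, one iteration blocks for wget's default read timeout rather than the per-iteration cadence set by the sleep that sits outside this hunk (the `while` body continues past the last line shown). `curl -sf` had the same gap, but this rewrite is the natural moment to close it with a bounded probe: `if wget -qO /dev/null -T 2 http://127.0.0.1:2019/config/ 2>/dev/null; then`. Note that `/config/` returns the full running Caddy configuration, which may contain credentials; sending it to `/dev/null` is correct, so please keep that target if the line is ever changed to log the response.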
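Review bot: Dropping `binutils` and `libc-utils` from the `apk add` line removes `objdump` (and possibly `getent`/`iconv`, if nothing else pulls in musl-utils), yet the deleted comment on the removed line says `docker-entrypoint.sh` uses `objdump` for debug-symbol detection, and the entrypoint hunk in this same commit only touches the curl call. Unless that detection was removed in an earlier commit, the entrypoint will now hit a missing binary at runtime — please grep the entrypoint for `objdump` and `getent` before merging. Removing `curl` is a welcome reduction of living-off-the-land tooling in the runtime image, though busybox `wget` remains, so the gain is modest. I would record the new dependency in a comment so nobody re-adds curl for the probes: `# HTTP probes (healthcheck, entrypoint readiness wait, GeoIP fetch) rely on busybox wget; do not add curl back`.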
@@ -434,8 +433,9 @@ ARG GEOLITE2_COUNTRY_SHA256=b79afc28a0a52f89c15e8d92b05c173f314dd4f687719f96cf92 RUN mkdir -p /app/data/geoip && \ if [ -n "$CI" ]; then \ echo "⏱️ CI detected - quick download (10s timeout, no retries)"; \ - if curl -fSL -m 10 "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \ - -o /app/data/geoip/GeoLite2-Country.mmdb 2>/dev/null; then \ + if wget -qO /app/data/geoip/GeoLite2-Country.mmdb \ + -T 10 "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" 2>/dev/null \ + && [ -s /app/data/geoip/GeoLite2-Country.mmdb ]; then \ echo "✅ GeoIP downloaded"; \ else \ echo "⚠️ GeoIP skipped"; \ @@ -443,9 +443,10 @@ RUN mkdir -p /app/data/geoip && \ fi; \ else \ echo "Local - full download (30s timeout, 3 retries)"; \ - if curl -fSL -m 30 --retry 3 "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \ - -o /app/data/geoip/GeoLite2-Country.mmdb; then \ - if echo "${GEOLITE2_COUNTRY_SHA256} /app/data/geoip/GeoLite2-Country.mmdb" | sha256sum -c -; then \ + if wget -qO /app/data/geoip/GeoLite2-Country.mmdb \ + -T 30 -t 4 "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb"; then \ + if [ -s /app/data/geoip/GeoLite2-Country.mmdb ] && \ + echo "${GEOLITE2_COUNTRY_SHA256} /app/data/geoip/GeoLite2-Country.mmdb" | sha256sum -c -; then \ echo "✅ GeoIP checksum verified"; \ else \ echo "⚠️ Checksum failed"; \ 
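Review bot: The CI branch still bakes the GeoLite2 database into the image without checking it against `GEOLITE2_COUNTRY_SHA256`, even though the ARG is already in scope and the non-CI branch right below verifies it; the new `[ -s ... ]` guard catches only an empty file, not a download truncated by `-T 10` or a swapped artifact from the third-party `P3TERX/GeoLite.mmdb` release. CI is the path that produces published images, so it is exactly where an unverified download matters most, and the failure branch already exists. I would extend the condition to `&& [ -s /app/data/geoip/GeoLite2-Country.mmdb ] \` followed by `&& echo "${GEOLITE2_COUNTRY_SHA256}  /app/data/geoip/GeoLite2-Country.mmdb" | sha256sum -c -; then \`, keeping the CI/local distinction to timeout and retries only. If line 442, which falls between the two hunks, does not already remove the target, add `rm -f /app/data/geoip/GeoLite2-Country.mmdb; \` ahead of the "GeoIP skipped" echo so a partial file does not ship.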
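Review bot: `wget -t 4` on the new local-build line is passed to whatever `wget` the image provides, and since the runtime `apk add` list in this commit never installs the `wget` package that is Alpine's busybox applet, which as far as I recall does not implement `-t`/`--tries`; if so, busybox prints its usage text, the `if wget ...; then` test fails on every local build, and the build silently proceeds without a GeoIP database through the failure branch outside the hunk. Please confirm with `docker run --rm <image> wget -t 4 http://127.0.0.1/`; if unsupported, drop `-t 4` and retry in shell instead, e.g. `for n in 1 2 3 4; do wget -qO /app/data/geoip/GeoLite2-Country.mmdb -T 30 "$URL" && break; done`. Separately, the re-added `sha256sum -c` line shows a single space between the hash and the path; busybox's `-c` parser accepts only the `hash  file` (two-space) or `hash *file` form, and this page's whitespace is collapsed so I cannot tell which the file has — worth checking that the verification step actually passes rather than always printing "Checksum failed". Busybox wget does support `-T`, so the timeout part of the change is fine.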
@@ -578,8 +579,8 @@ EXPOSE 80 443 443/udp 2019 8080 # Security: Add healthcheck to monitor container health # Verifies the Charon API is responding correctly -HEALTHCHECK --interval=30s --timeout=3s --start-period=40s --retries=3 \ - CMD curl -f http://localhost:8080/api/v1/health || exit 1 +HEALTHCHECK --interval=30s --timeout=10s --start-period=15s --retries=3 \ + CMD wget -q -O /dev/null http://localhost:8080/api/v1/health || exit 1 # Create CrowdSec symlink as root before switching to non-root user # This symlink allows CrowdSec to use persistent storage at /app/data/crowdsec/config
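Review bot: This HEALTHCHECK hunk changes more than the probe tool — `--start-period` drops from 40s to 15s and `--timeout` rises from 3s to 10s — but neither the commit nor the two comment lines above explain why, and `# Verifies the Charon API is responding correctly` says nothing about the grace period. A shorter start period means any failure after 15s counts toward the 3 retries, so if startup on a slow host (Caddy, the entrypoint's readiness wait, the CrowdSec setup mentioned just below) takes longer than that, the container can be flagged unhealthy and restart-looped by an orchestrator acting on health. I would state the rationale next to the directive, e.g. `# start-period 15s: the entrypoint already waits for Caddy before the API is exposed; timeout 10s absorbs a slow first response` — adjusted to the real reason. As in the compose files, `-q` also hides the failure reason from `docker inspect`'s health log; `wget -S -O /dev/null ...` keeps it at no cost.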