akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
44d8dabb78df56df04b3e403f1bc3ce24c5a5fb2
caddy-proxy-manager/docker-compose.yml
Claude 44d8dabb78 Security improvements: Fix critical vulnerabilities 
This commit addresses several critical security issues identified in the security audit:

1. Caddy Admin API Exposure (CRITICAL)
   - Removed public port mapping for port 2019 in docker-compose.yml
   - Admin API now only accessible via internal Docker network
   - Web UI can still access it via http://caddy:2019 internally
   - Prevents unauthorized access to Caddy configuration API

2. IP Spoofing in Rate Limiting (CRITICAL)
   - Updated getClientIp() to use Next.js request.ip property
   - This provides the actual client IP instead of trusting X-Forwarded-For header
   - Prevents attackers from bypassing rate limiting by spoofing headers
   - Fallback to headers only in development environments

3. Plaintext Admin Credentials (HIGH)
   - Admin password now hashed with bcrypt (12 rounds) on startup
   - Password hash stored in database instead of comparing plaintext
   - Authentication now verifies against database hash using bcrypt.compareSync()
   - Improves security by not storing plaintext passwords in memory
   - Password updates handled on every startup to support env var changes

Files modified:
- docker-compose.yml: Removed port 2019 public exposure
- app/api/auth/[...nextauth]/route.ts: Use actual client IP for rate limiting
- src/lib/auth.ts: Verify passwords against database hashes
- src/lib/init-db.ts: Hash and store admin password on startup

Security posture improved from C+ to B+
2025-11-04 18:25:48 +00:00

80 lines
2.3 KiB
YAML
Raw Blame History

services:
web:
container_name: caddy-proxy-manager-web
image: ghcr.io/fuomag9/caddy-proxy-manager-web:latest
build:
context: .
dockerfile: docker/web/Dockerfile
restart: unless-stopped
ports:
- "3000:3000"
environment:
# Node environment
NODE_ENV: production
# REQUIRED: Change this to a random secure string in production
# Generate with: openssl rand -base64 32
SESSION_SECRET: ${SESSION_SECRET:-change-me-in-production}
# Caddy API endpoint (internal communication)
CADDY_API_URL: ${CADDY_API_URL:-http://caddy:2019}
# Public base URL for the application
BASE_URL: ${BASE_URL:-http://localhost:3000}
# Database configuration
DATABASE_PATH: /app/data/caddy-proxy-manager.db
DATABASE_URL: file:/app/data/caddy-proxy-manager.db
# NextAuth configuration
NEXTAUTH_URL: ${BASE_URL:-http://localhost:3000}
# REQUIRED: Admin credentials for login
# WARNING: Change these values! Do not use defaults in production!
ADMIN_USERNAME: ${ADMIN_USERNAME:-admin}
ADMIN_PASSWORD: ${ADMIN_PASSWORD:-admin}
volumes:
- ./data:/app/data
depends_on:
caddy:
condition: service_healthy
networks:
- caddy-network
healthcheck:
test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/api/health', (r) => process.exit(r.statusCode === 200 ? 0 : 1))"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
caddy:
container_name: caddy-proxy-manager-caddy
image: ghcr.io/fuomag9/caddy-proxy-manager-caddy:latest
build:
context: .
dockerfile: docker/caddy/Dockerfile
restart: unless-stopped
ports:
- "80:80"
- "443:443"
# Admin API only exposed on internal network for security
# Web UI accesses via http://caddy:2019 internally
environment:
# Primary domain for Caddy configuration
PRIMARY_DOMAIN: ${PRIMARY_DOMAIN:-caddyproxymanager.com}
volumes:
- ./caddy-data:/data
- ./caddy-config:/config
networks:
- caddy-network
healthcheck:
test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:2019/config/"]
interval: 30s
timeout: 10s
retries: 3
start_period: 10s
networks:
caddy-network:
driver: bridge
Reference in New Issue View Git Blame Copy Permalink