Isolate backend and db from host: two Docker networks

- backend-net (internal: true): db ↔ backend ↔ frontend reverse proxy - frontend-net: frontend only; single host port binding (80 prod / 5173 dev) - Remove ports: from db (5432) and backend (8000) — unreachable from host - Security auditor: hard rule to never add host ports to db or backend Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-14 00:06:38 +02:00
parent 03fcc6e117
commit d423bea134
5 changed files with 53 additions and 15 deletions
@@ -9,8 +9,6 @@ services:
      POSTGRES_USER: ${POSTGRES_USER:-postgres}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password}
      POSTGRES_DB: ${POSTGRES_DB:-destroying_sap}
-    ports:
-      - "5432:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
@@ -18,6 +16,8 @@ services:
      interval: 5s
      timeout: 5s
      retries: 10
+    networks:
+      - backend-net

  # ── Backend (management) ────────────────────────────────────────────────────
  backend:
@@ -30,11 +30,11 @@ services:
    env_file: ./backend/.env
    environment:
      DATABASE_URL: postgresql+asyncpg://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-password}@db:5432/${POSTGRES_DB:-destroying_sap}
-    ports:
-      - "8000:8000"
    depends_on:
      db:
        condition: service_healthy
+    networks:
+      - backend-net

  # ── Frontend (UI) ────────────────────────────────────────────────────────────
  frontend:
@@ -48,6 +48,16 @@ services:
      - "80:8080"
    depends_on:
      - backend
+    networks:
+      - backend-net
+      - frontend-net

 volumes:
  postgres_data:
+
+networks:
+  # Internal-only: db ↔ backend ↔ frontend reverse proxy. No host routing.
+  backend-net:
+    internal: true
+  # External-facing: only the frontend binds a host port through this network.
+  frontend-net: