veza/veza-backend-api/Dockerfile.production
senke 2d664f9177 fix(security): add SSRF protection, real track access validation, and pagination bounds
- Add IsURLSafe() function to webhook service blocking private IPs,
  localhost, and cloud metadata endpoints (SSRF protection)
- Implement real validate_track_access() in stream server querying DB
  for track visibility, ownership, and purchase status
- Remove dangerous JWT fallback user in chat server that allowed
  deleted users to maintain access with forged credentials
- Add upper limit (100) on pagination in profile, track, and room handlers
- Fix Dockerfile.production healthcheck path to /api/v1/health

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 22:44:03 +01:00


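# syntax=docker/dockerfile:1
# Production Dockerfile for Backend API
# Optimized for smaller size and security.
#
# Two stages: the Go toolchain stage compiles a static binary; a minimal Alpine
# stage runs it as an unprivileged user. Only the binary (plus the optional
# migrations directory) reaches the final image.

# Base-image versions are build args so CI can bump or override them without
# editing this file. `alpine:latest` was replaced with a pinned tag: an
# unpinned base makes the production image non-reproducible and lets an
# upstream major bump change the runtime under a release. For full
# reproducibility pin both by digest (`alpine:3.20@sha256:...`) at release time.
ARG GO_VERSION=1.23
ARG ALPINE_VERSION=3.20

# ---------------------------------------------------------------------------
# Build stage
# ---------------------------------------------------------------------------
FROM golang:${GO_VERSION}-alpine AS builder

# Target platform from BuildKit (`docker build --platform=...`). The shell
# defaults below keep the historical linux/amd64 output when it is not set.
ARG TARGETOS
ARG TARGETARCH

WORKDIR /app

# git: `go mod download` needs it for VCS-backed modules.
# ca-certificates: TLS to the module proxy.
# (tzdata is not needed here; the runtime stage installs its own copy.)
RUN apk add --no-cache git ca-certificates

# Dependency manifests first so this layer is reused when only source changes.
COPY go.mod go.sum ./
RUN go mod download

# Application source. Everything in the build context lands in this layer, so
# a .dockerignore excluding .git, .env and local keys/certs is required to keep
# secrets out of the build cache — confirm one exists next to this Dockerfile.
COPY . .

# Build a static, stripped binary:
# - CGO_ENABLED=0: pure-Go static binary, no libc dependency (so the
#   `-extldflags '-static'` the old build passed was a no-op and is dropped;
#   `-a -installsuffix cgo` is likewise unnecessary on modern Go).
# - -ldflags="-w -s": strip DWARF and the symbol table.
# - -trimpath: remove build-host file system paths from the binary.
# - Build the package (./cmd/api) rather than a single .go file so additional
#   files in that package are not silently skipped.
RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} go build \
    -trimpath \
    -ldflags="-w -s" \
    -o /app/veza-api \
    ./cmd/api

# ---------------------------------------------------------------------------
# Runtime stage - minimal alpine
# ---------------------------------------------------------------------------
FROM alpine:${ALPINE_VERSION}

# Runtime needs only TLS roots, zoneinfo and a small HTTP client for the
# HEALTHCHECK. `--no-cache` never populates /var/cache/apk, so no separate
# cleanup step is needed.
RUN apk add --no-cache ca-certificates tzdata wget

# Unprivileged service account with a fixed UID/GID so orchestrator policies
# (e.g. Kubernetes runAsNonRoot / runAsUser) can verify it numerically.
RUN addgroup -g 1001 -S app && \
    adduser -S app -u 1001 -G app -h /app -s /bin/sh

WORKDIR /app

# Binary owned by the service user; --chown avoids a second chown layer.
COPY --from=builder --chown=app:app /app/veza-api /app/veza-api

# Optional migrations directory. The builder stage is bind-mounted instead of
# using COPY --from because COPY fails the build when the path does not exist.
RUN --mount=type=bind,from=builder,source=/app,target=/tmp/builder \
    if [ -d /tmp/builder/migrations ] && [ -n "$(ls -A /tmp/builder/migrations 2>/dev/null)" ]; then \
        cp -r /tmp/builder/migrations /app/migrations && \
        chown -R app:app /app/migrations; \
    fi

# Drop privileges for everything that runs in the container.
USER app

# Documentation only; the port is published at run time. 8080 is unprivileged,
# so binding works without extra capabilities as the non-root user.
EXPOSE 8080

# Probe the API's own health endpoint. `--spider` avoids downloading a body
# and exits non-zero on an HTTP error status; it normally issues a HEAD
# request, so confirm the /api/v1/health handler accepts HEAD (otherwise use
# `-O /dev/null` instead of `--spider`).
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider http://localhost:8080/api/v1/health || exit 1

# Absolute path so the entrypoint does not depend on WORKDIR; exec form keeps
# the binary as PID 1 so it receives SIGTERM from `docker stop`.
ENTRYPOINT ["/app/veza-api"]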