2d3cb18b7c
- Change default ALLOWED_ORIGINS from wildcard (*) to localhost:5173 in veza-stream-server/docker-compose.yml - Also fixed local .env (untracked) to use specific dev domains Previously, the stream-server docker-compose defaulted to ALLOWED_ORIGINS=* which would allow any origin to access the streaming API. Addresses audit finding: A05 (Security Misconfiguration) — HIGH. Co-authored-by: Cursor <cursoragent@cursor.com>
148 lines
No EOL
3.6 KiB
YAML
148 lines
No EOL
3.6 KiB
YAML
version: '3.8'
|
|
|
|
services:
|
|
stream-server:
|
|
build:
|
|
context: .
|
|
dockerfile: Dockerfile
|
|
args:
|
|
BUILD_TIME: ${BUILD_TIME:-$(date -u +"%Y-%m-%dT%H:%M:%SZ")}
|
|
RUST_VERSION: ${RUST_VERSION:-$(rustc --version)}
|
|
container_name: stream-server
|
|
restart: unless-stopped
|
|
|
|
# Configuration réseau
|
|
ports:
|
|
- "${HOST_PORT:-8082}:8082"
|
|
|
|
# Variables d'environnement
|
|
environment:
|
|
- SECRET_KEY=${SECRET_KEY}
|
|
- STREAM_SERVER_PORT=8082
|
|
- AUDIO_DIR=/app/audio
|
|
- ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-http://localhost:5173}
|
|
- MAX_FILE_SIZE=${MAX_FILE_SIZE:-104857600}
|
|
- MAX_RANGE_SIZE=${MAX_RANGE_SIZE:-10485760}
|
|
- SIGNATURE_TOLERANCE=${SIGNATURE_TOLERANCE:-60}
|
|
- RUST_LOG=${RUST_LOG:-stream_server=info}
|
|
- ADMIN_TOKEN=${ADMIN_TOKEN:-}
|
|
|
|
# Montage des volumes
|
|
volumes:
|
|
- ./audio:/app/audio:ro
|
|
- ./logs:/app/logs:rw
|
|
- stream_server_cache:/tmp
|
|
|
|
# Limitations de ressources
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
memory: 512M
|
|
cpus: '1.0'
|
|
reservations:
|
|
memory: 128M
|
|
cpus: '0.25'
|
|
|
|
# Configuration de sécurité
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- CHOWN
|
|
- SETGID
|
|
- SETUID
|
|
read_only: true
|
|
tmpfs:
|
|
- /tmp:rw,noexec,nosuid,size=100m
|
|
|
|
# Health check
|
|
healthcheck:
|
|
test: ["CMD", "/usr/local/bin/healthcheck.sh"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 10s
|
|
|
|
# Réseau
|
|
networks:
|
|
- stream_network
|
|
|
|
# Proxy inverse (optionnel)
|
|
nginx:
|
|
image: nginx:alpine
|
|
container_name: stream-nginx
|
|
restart: unless-stopped
|
|
depends_on:
|
|
- stream-server
|
|
ports:
|
|
- "${NGINX_PORT:-80}:80"
|
|
- "${NGINX_SSL_PORT:-443}:443"
|
|
volumes:
|
|
- ./nginx.conf:/etc/nginx/nginx.conf:ro
|
|
- ./ssl:/etc/nginx/ssl:ro
|
|
- nginx_cache:/var/cache/nginx
|
|
networks:
|
|
- stream_network
|
|
profiles:
|
|
- with-proxy
|
|
|
|
# Monitoring avec Prometheus (optionnel)
|
|
prometheus:
|
|
image: prom/prometheus:latest
|
|
container_name: stream-prometheus
|
|
restart: unless-stopped
|
|
ports:
|
|
- "${PROMETHEUS_PORT:-9090}:9090"
|
|
volumes:
|
|
- ./monitoring/prometheus.yml:/etc/prometheus/prometheus.yml:ro
|
|
- prometheus_data:/prometheus
|
|
command:
|
|
- '--config.file=/etc/prometheus/prometheus.yml'
|
|
- '--storage.tsdb.path=/prometheus'
|
|
- '--web.console.libraries=/etc/prometheus/console_libraries'
|
|
- '--web.console.templates=/etc/prometheus/consoles'
|
|
- '--storage.tsdb.retention.time=200h'
|
|
- '--web.enable-lifecycle'
|
|
networks:
|
|
- stream_network
|
|
profiles:
|
|
- monitoring
|
|
|
|
# Grafana pour la visualisation (optionnel)
|
|
grafana:
|
|
image: grafana/grafana:latest
|
|
container_name: stream-grafana
|
|
restart: unless-stopped
|
|
depends_on:
|
|
- prometheus
|
|
ports:
|
|
- "${GRAFANA_PORT:-3000}:3000"
|
|
environment:
|
|
- GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PASSWORD:-admin}
|
|
- GF_USERS_ALLOW_SIGN_UP=false
|
|
volumes:
|
|
- grafana_data:/var/lib/grafana
|
|
- ./monitoring/grafana/dashboards:/etc/grafana/provisioning/dashboards:ro
|
|
- ./monitoring/grafana/datasources:/etc/grafana/provisioning/datasources:ro
|
|
networks:
|
|
- stream_network
|
|
profiles:
|
|
- monitoring
|
|
|
|
networks:
|
|
stream_network:
|
|
driver: bridge
|
|
ipam:
|
|
config:
|
|
- subnet: 172.20.0.0/16
|
|
|
|
volumes:
|
|
stream_server_cache:
|
|
driver: local
|
|
nginx_cache:
|
|
driver: local
|
|
prometheus_data:
|
|
driver: local
|
|
grafana_data:
|
|
driver: local |