Isolate internal services from external networks in Docker configuration (#6369)

The database and Redis do not need external connections, so isolate them
and prevent unauthorized access.
Akihiko Odaki 2018-02-04 02:44:22 +09:00 committed by Eugen Rochko
parent d75d2a9f99
commit 9da81a1639


@ -4,6 +4,8 @@ services:
db: db:
restart: always restart: always
image: postgres:9.6-alpine image: postgres:9.6-alpine
networks:
- internal_network
### Uncomment to enable DB persistance ### Uncomment to enable DB persistance
# volumes: # volumes:
# - ./postgres:/var/lib/postgresql/data # - ./postgres:/var/lib/postgresql/data
@ -11,6 +13,8 @@ services:
redis: redis:
restart: always restart: always
image: redis:4.0-alpine image: redis:4.0-alpine
networks:
- internal_network
### Uncomment to enable REDIS persistance ### Uncomment to enable REDIS persistance
# volumes: # volumes:
# - ./redis:/data # - ./redis:/data
@ -21,6 +25,9 @@ services:
restart: always restart: always
env_file: .env.production env_file: .env.production
command: bundle exec rails s -p 3000 -b '0.0.0.0' command: bundle exec rails s -p 3000 -b '0.0.0.0'
networks:
- external_network
- internal_network
ports: ports:
- "3000:3000" - "3000:3000"
depends_on: depends_on:
@ -37,6 +44,9 @@ services:
restart: always restart: always
env_file: .env.production env_file: .env.production
command: npm run start command: npm run start
networks:
- external_network
- internal_network
ports: ports:
- "4000:4000" - "4000:4000"
depends_on: depends_on:
@ -52,6 +62,14 @@ services:
depends_on: depends_on:
- db - db
- redis - redis
networks:
- external_network
- internal_network
volumes: volumes:
- ./public/packs:/mastodon/public/packs - ./public/packs:/mastodon/public/packs
- ./public/system:/mastodon/public/system - ./public/system:/mastodon/public/system
networks:
external_network:
internal_network:
internal: true
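Review bot: The two services that publish ports (`"3000:3000"` on the `rails s` service and `"4000:4000"` on the `npm run start` service) still bind them on every host interface, so the application servers stay directly reachable from outside even though db and redis now sit only on `internal_network`. If the deployment fronts these services with a reverse proxy on the same host (not shown on this page), publishing on loopback only would match the commit's stated goal: `- "127.0.0.1:3000:3000"` and `- "127.0.0.1:4000:4000"`. A one-line comment above the top-level `networks:` block, such as `# internal_network has no outside connectivity; db and redis attach only to it`, would record why the split exists. The service definitions begin and end outside the hunks shown, so other keys on them could not be checked.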