72747668f9
#7 Transport Security: - Removed legacy _ssl_ctx alias from config.py - proxy.py now uses _internal_ssl_ctx directly (explicitly scoped) - No global TLS bypass remains #10 Deployment Hardening: - Inventory Dockerfile: non-root (node user), health check, production deps - Budget Dockerfile: non-root (node user), health check, npm ci, multi-stage ready - Frontend-v2 Dockerfile: multi-stage build, non-root (node user), health check - Added /health endpoints to inventory and budget (before auth middleware) - All 6 containers now run as non-root with health checks All services verified: gateway, trips, fitness, inventory, budget, frontend
19 lines
353 B
Docker
19 lines
353 B
Docker
FROM node:20-alpine
|
|
|
|
WORKDIR /app
|
|
|
|
COPY package.json package-lock.json ./
|
|
RUN npm ci --production
|
|
|
|
COPY server.js ./
|
|
|
|
RUN mkdir -p /app/data && chown -R node:node /app/data
|
|
|
|
EXPOSE 3001
|
|
ENV NODE_ENV=production
|
|
|
|
HEALTHCHECK --interval=30s --timeout=5s --retries=3 CMD wget -qO- http://localhost:3001/health || exit 1
|
|
|
|
USER node
|
|
CMD ["node", "server.js"]
|