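# Security-focused Docker Compose Override
# Use with: docker-compose -f docker-compose.prod.yml -f docker-compose.security.yml up -d
#
# This file only ADDS hardening to services declared in the base file.
# Images, volumes and published ports live in docker-compose.prod.yml and
# are not visible here, so several settings below carry NOTE(review)
# remarks about assumptions that must be checked against that file.
#
# `version:` is ignored (with a warning) by the `docker compose` plugin;
# it is kept for the legacy `docker-compose` 1.x binary named above.
# NOTE(review): older docker-compose 1.x releases (< 1.27) may reject
# `mem_limit` / `cpus` / `pids_limit` in a v3 file unless run with
# `--compatibility`; current releases accept them.
version: '3.8'

services:
  mongodb:
    # Security hardening
    security_opt:
      # Prevent privilege escalation through setuid/setgid binaries and
      # file capabilities inside the container.
      - no-new-privileges:true
    # The data directory and the log path used in `command` must stay
    # writable. NOTE(review): this can become `true` if the base file
    # mounts /data/db, /data/configdb and /var/log/mongodb as volumes
    # (or tmpfs) — confirm and tighten.
    read_only: false
    tmpfs:
      # noexec/nosuid: nothing dropped into /tmp can be executed.
      # CAUTION: tmpfs pages are charged to the container's memory cgroup,
      # so a 2g /tmp can by itself exhaust the 2g mem_limit below and get
      # mongod OOM-killed. Size it to what mongod actually needs.
      - /tmp:noexec,nosuid,size=2g
    cap_drop:
      - ALL
    # Minimal set left in place for the image entrypoint to chown the data
    # directory and drop from root to the mongodb user.
    # NOTE(review): DAC_OVERRIDE bypasses all file permission checks; verify
    # the entrypoint of the image version in use really needs it.
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    # Resource limits for DoS protection
    mem_limit: 2g
    # Equal to mem_limit => the container gets no swap.
    memswap_limit: 2g
    cpus: 1.0
    pids_limit: 1000
    ulimits:
      # MongoDB recommends >= 64000 open files.
      nofile:
        soft: 65536
        hard: 65536
    # Network security
    networks:
      payment-later-network:
        aliases:
          - mongodb-secure
    # Additional MongoDB security configuration
    command:
      - "mongod"
      # Require authentication for every client connection.
      - "--auth"
      # Needed so other containers can reach mongod (the default binds to
      # localhost only). Acceptable only because published ports default to
      # the loopback address (see host_binding_ipv4 below); never combine
      # this with a `ports:` entry bound to 0.0.0.0.
      - "--bind_ip_all"
      # NOTE(review): a log written inside the container is not visible to
      # the fail2ban service (it reads the HOST's /var/log) unless the base
      # file bind-mounts this directory onto the host.
      - "--logpath"
      - "/var/log/mongodb/mongod.log"
      - "--logappend"
      # TODO: TLS is OFF — credentials and payment data cross the bridge in
      # clear text. For production use `--tlsMode requireTLS` together with
      # `--tlsCertificateKeyFile` (and `--tlsCAFile` for client certs).
      # `--sslMode` is the pre-4.2 spelling of `--tlsMode`.
      - "--sslMode"
      - "disabled"
      # Only SCRAM-SHA-256 is offered; SCRAM-SHA-1 (and MONGODB-CR) are
      # refused.
      - "--setParameter"
      - "authenticationMechanisms=SCRAM-SHA-256"
      # Iteration count for SCRAM-SHA-256 password storage. This must be
      # `scramSHA256IterationCount`; the similarly named
      # `scramIterationCount` governs SCRAM-SHA-1 only and would have no
      # effect given the mechanism list above. 15000 is the server default
      # (min 5000); raise it if the auth latency budget allows.
      - "--setParameter"
      - "scramSHA256IterationCount=15000"

  payment-later-api:
    # Security hardening
    security_opt:
      - no-new-privileges:true
    # Root filesystem is immutable; only the tmpfs mounts below are writable.
    read_only: true
    tmpfs:
      # NOTE(review): noexec on /tmp breaks libraries that unpack native
      # code there (e.g. JNA, some compression/crypto providers). If the app
      # uses one, give it a separate exec-allowed tmpfs via -Djava.io.tmpdir.
      - /tmp:noexec,nosuid,size=100m
      # Also the heap-dump target (see JAVA_OPTS). tmpfs usage counts toward
      # mem_limit, and a dump of a 1024m heap cannot fit in 500m.
      - /app/logs:noexec,nosuid,size=500m
    cap_drop:
      - ALL
    cap_add:
      # Only required if the listener binds a port < 1024 as non-root;
      # drop it if the app listens on a high port.
      - NET_BIND_SERVICE
    # Resource limits for DoS protection
    mem_limit: 1.5g
    # Equal to mem_limit => no swap.
    memswap_limit: 1.5g
    cpus: 1.0
    pids_limit: 500
    ulimits:
      nofile:
        soft: 8192
        hard: 8192
    # Additional JVM security flags
    #
    # Budget: 1.5g limit - 1024m max heap leaves ~500m for metaspace, thread
    # stacks, code cache, direct buffers AND the 600m of tmpfs charged to the
    # same cgroup. That is tight; an OOM heap dump into /app/logs is likely to
    # push the container over the limit.
    #
    # - The heap is pinned with -Xms/-Xmx. -XX:MaxRAMPercentage is not set
    #   because the JVM ignores it whenever -Xmx is given.
    # - -XX:+UseContainerSupport is the default since JDK 10; kept for clarity
    #   on older runtimes.
    # - HeapDumpOnOutOfMemoryError writes a full copy of the heap, which for a
    #   payment API can contain card/customer data, tokens and credentials.
    #   NOTE(review): consider disabling it in this override, or direct it at
    #   an access-controlled persistent volume rather than a tmpfs.
    # - java.security.egd avoids blocking on /dev/random on older JDKs;
    #   harmless on current ones.
    # - java.security.policy is only consulted when a SecurityManager is
    #   installed (-Djava.security.manager); on its own the flag is inert.
    #   NOTE(review): the SecurityManager is deprecated for removal (JEP 411)
    #   and disallowed by default from JDK 18 — confirm the JDK in use and
    #   whether this flag is still meant to enforce anything.
    # - jmxremote=false keeps the remote JMX agent off explicitly.
    # - log4j2.formatMsgNoLookups is only a partial mitigation for
    #   CVE-2021-44228 (Log4j 2.10–2.14.1) and is bypassed in some
    #   configurations (CVE-2021-45046); the real fix is Log4j >= 2.17.1 or
    #   removing it from the classpath. Harmless if Log4j is absent.
    #
    # `>-` folds the lines into one space-separated value with no trailing
    # newline. Do not put `#` comments inside the scalar — they would become
    # part of JAVA_OPTS.
    environment:
      JAVA_OPTS: >-
        -Xms512m
        -Xmx1024m
        -XX:+UseG1GC
        -XX:+UseContainerSupport
        -XX:+HeapDumpOnOutOfMemoryError
        -XX:HeapDumpPath=/app/logs/
        -Dspring.profiles.active=prod
        -Djava.security.egd=file:/dev/./urandom
        -Djava.security.policy=/app/security.policy
        -Dcom.sun.management.jmxremote=false
        -Dlog4j2.formatMsgNoLookups=true
    # Network security
    networks:
      payment-later-network:
        aliases:
          - payment-api-secure

  # Security monitoring with Fail2ban (optional; enable with
  # `--profile security-tools`)
  fail2ban:
    # NOTE(review): pin to a release tag or an @sha256 digest. A floating
    # `latest` tag on a host-networked container holding NET_ADMIN is a
    # supply-chain exposure on every pull.
    image: crazymax/fail2ban:latest
    container_name: payment-later-fail2ban
    restart: always
    # Host networking is required to manage the host's firewall rules; it
    # also means this container is NOT isolated by payment-later-network.
    network_mode: host
    security_opt:
      # Same escalation guard as the application services.
      - no-new-privileges:true
    # NOTE(review): consider `cap_drop: [ALL]` ahead of cap_add so only the
    # two capabilities below remain; verify first that the entrypoint still
    # starts and can read host log files that are not root-owned.
    cap_add:
      # iptables / nftables manipulation.
      - NET_ADMIN
      - NET_RAW
    volumes:
      # Jail, filter and action configuration plus the ban database.
      - ./docker/fail2ban:/data
      # HOST logs only. The api writes to a container tmpfs (/app/logs) and
      # mongod to its own /var/log/mongodb, so neither is seen here unless
      # the base file bind-mounts them onto the host.
      - /var/log:/var/log:ro
    environment:
      TZ: UTC
      F2B_LOG_LEVEL: INFO
    profiles:
      - security-tools

networks:
  payment-later-network:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: payment-later-br
      # CAUTION: with ICC disabled, containers on this bridge cannot reach
      # each other at all — the api cannot talk to mongodb — unless the base
      # file connects them with legacy `links:`. If that is not the case,
      # set this back to "true" and isolate the database with a dedicated
      # `internal: true` network instead.
      com.docker.network.bridge.enable_icc: "false"
      # Published ports bind to loopback by default, so nothing on this
      # network is reachable from outside the host unless a `ports:` entry
      # names an explicit host IP.
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1"
    ipam:
      config:
        - subnet: 172.20.0.0/16
          gateway: 172.20.0.1
    # Labels are metadata only — the bridge driver enforces no network
    # policy from them. NOTE(review): `com.docker.compose.*` keys are managed
    # by Compose itself and a user-supplied value may be overwritten; prefer
    # a project-specific key for tagging.
    labels:
      com.docker.compose.network: "payment-later-secure"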