fietensen / wafflemap

Educational Repository showcasing a Fullstack application including CI/CD pipeline
MIT License

make docker-compose.yml production ready #41

Closed fietensen closed 3 months ago

fietensen commented 3 months ago

There are currently some security concerns regarding the services started by the default docker-compose.yml:

Postgres Service

The postgres service is unnecessarily exposed. Both PgAdmin4 and Wafflemap will be in the same network as Postgres. Thus, exposing the postgres service to the outside is in the best case completely redundant, and in the worst case a security risk in case the hosting server allows requests to be made from the outside. (In the docker-compose.dev.yml the port should stay exposed due to the non-containerized wafflemap requiring access.)

Configuration management

Docker Compose automatically loads the .env file if it is found in the directory. This has already introduced bugs where a production environment named .env has messed with some configurations, leading to a failure in application startup.

A way to prevent this is to have a .env file specifying the source for the configuration that should be selected and to migrate server configurations into another directory like configurations/{identifier}.env

This .env file could also be used to configure the exposed service ports.
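
A sketch of the layout proposed in this issue, added here as an illustration and not taken from the repository or written by the issue author. Service names, image tags, container ports and the variable names `CONFIG_ID`, `WAFFLEMAP_PORT` and `PGADMIN_PORT` are assumptions.

```yaml
# docker-compose.yml (production) - constructed example, not the project's file.
#
# .env (the only file Compose loads automatically) carries just the selector
# and the host ports, for example:
#   CONFIG_ID=production
#   WAFFLEMAP_PORT=8080
#   PGADMIN_PORT=5050
# The actual settings live in configurations/production.env.

services:
  postgres:
    image: postgres:16            # assumed tag
    env_file:
      # ":?" aborts startup with this message if CONFIG_ID is unset,
      # instead of silently loading the wrong configuration.
      - configurations/${CONFIG_ID:?set CONFIG_ID in .env}.env
    # No "ports:" entry, so nothing is published on the host.
    # The mapping the issue calls redundant would look like:
    #   ports:
    #     - "5432:5432"
    expose:
      - "5432"                    # informational; only reachable on "backend"
    networks:
      - backend

  wafflemap:
    image: wafflemap:latest       # placeholder image name
    env_file:
      - configurations/${CONFIG_ID:?set CONFIG_ID in .env}.env
    ports:
      - "${WAFFLEMAP_PORT:-8080}:8080"   # host port comes from .env
    depends_on:
      - postgres
    networks:
      - backend

  pgadmin:
    image: dpage/pgadmin4
    env_file:
      - configurations/${CONFIG_ID:?set CONFIG_ID in .env}.env
    ports:
      - "${PGADMIN_PORT:-5050}:80"
    networks:
      - backend

networks:
  backend:
```

Running `docker compose config` prints the fully resolved file, which makes it easy to confirm that the selected configuration was loaded and that the postgres service has no published ports.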