spotlightcam/docker-compose.prod.yml

# Production environment configuration
# Usage: docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d

services:
  nginx:
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
      - ./ssl:/etc/nginx/ssl:ro  # SSL certificates
    restart: always
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"

  frontend:
    build:
      context: ./frontend
      dockerfile: Dockerfile.prod
      args:
        - NODE_ENV=production
    environment:
      - NODE_ENV=production
    volumes: []  # No volumes in production (baked into image)
    command: ["nginx", "-g", "daemon off;"]
    restart: always
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"

  backend:
    build:
      context: ./backend
      dockerfile: Dockerfile.prod
      args:
        - NODE_ENV=production
    environment:
      - NODE_ENV=production
      # Security: Strict for production
      - RATE_LIMIT_ENABLED=true
      - RATE_LIMIT_AUTH_MAX=5
      - RATE_LIMIT_EMAIL_MAX=3
      - ENABLE_CSRF=true
      - BODY_SIZE_LIMIT=10kb
      - LOG_LEVEL=warn
      # Secrets should come from environment or secrets manager
      # Do not hardcode in docker-compose.prod.yml
    volumes: []  # No volumes in production
    command: ["node", "src/server.js"]
    restart: always
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: 512M
        reservations:
          cpus: '0.5'
          memory: 256M

  db:
    # In production, consider using managed database (AWS RDS, etc.)
    # This is for self-hosted production
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=${POSTGRES_DB}
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - ./backups:/backups  # For database backups
    # Don't expose port in production (only internal)
    # ports: []
    restart: always
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 2G
        reservations:
          cpus: '1'
          memory: 1G

volumes:
  postgres_data:
    driver: local
security: implement CRITICAL and MEDIUM security fixes with environment profiles This commit addresses all CRITICAL and MEDIUM security vulnerabilities identified in the security audit with environment-aware configuration. ## Docker Compose Profiles - Added docker-compose.dev.yml for development (relaxed security) - Added docker-compose.prod.yml for production (strict security) - Environment-specific configurations for rate limiting, CSRF, logging ## CRITICAL Fixes (P0) 1. Fixed insecure random number generation - Replaced Math.random() with crypto.randomBytes() for verification codes - Now cryptographically secure 2. Implemented rate limiting - express-rate-limit for all endpoints - Strict limits on auth endpoints (5 attempts in dev=off, prod=5) - Email endpoint limits (20 in dev, 3 in prod) - API-wide rate limiting 3. Added request body size limits - Development: 50MB (for testing) - Production: 10KB (security) 4. Fixed user enumeration vulnerability - Generic error message for registration - No disclosure of which field exists 5. Added security headers - helmet.js with CSP, HSTS, XSS protection - No-sniff, hide powered-by headers ## MEDIUM Fixes (P1) 6. Strengthened password policy - Environment-aware validation (8+ chars) - Production: requires uppercase, lowercase, number - Development: relaxed for testing 7. Enhanced input validation - Validation for all auth endpoints - WSDC ID validation (numeric, max 10 digits) - Name validation (safe characters only) - Email normalization 8. Added input sanitization - DOMPurify for XSS prevention - Sanitize all user inputs in emails - Timing-safe string comparison for tokens 9. Improved error handling - Generic errors in production - Detailed errors only in development - Proper error logging 10. Enhanced CORS configuration - Whitelist-based origin validation - Environment-specific allowed origins - Credentials support ## New Files - backend/src/config/security.js - Environment-aware security config - backend/src/middleware/rateLimiter.js - Rate limiting middleware - backend/src/utils/sanitize.js - Input sanitization utilities - backend/.env.example - Development environment template - backend/.env.production.example - Production environment template - docker-compose.dev.yml - Development overrides - docker-compose.prod.yml - Production configuration - docs/DEPLOYMENT.md - Complete deployment guide - docs/SECURITY_AUDIT.md - Full security audit report - .gitignore - Updated to exclude .env files ## Dependencies Added - helmet (^8.1.0) - Security headers - express-rate-limit (^8.2.1) - Rate limiting - dompurify (^3.3.0) - XSS prevention - jsdom (^27.2.0) - DOM manipulation for sanitization ## Testing - ✅ Password validation works (weak passwords rejected) - ✅ User enumeration fixed (generic error messages) - ✅ WSDC lookup functional - ✅ Registration flow working - ✅ Rate limiting active (environment-aware) - ✅ Security headers present ## Usage Development: docker compose -f docker-compose.yml -f docker-compose.dev.yml up Production: docker compose -f docker-compose.yml -f docker-compose.prod.yml up See docs/DEPLOYMENT.md for detailed instructions. 2025-11-13 16:39:27 +01:00			`# Production environment configuration`
			`# Usage: docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d`

			`services:`
			`nginx:`
			`ports:`
			`- "80:80"`
			`- "443:443"`
			`volumes:`
			`- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro`
			`- ./nginx/conf.d:/etc/nginx/conf.d:ro`
			`- ./ssl:/etc/nginx/ssl:ro # SSL certificates`
			`restart: always`
			`logging:`
			`driver: "json-file"`
			`options:`
			`max-size: "10m"`
			`max-file: "3"`

			`frontend:`
			`build:`
			`context: ./frontend`
			`dockerfile: Dockerfile.prod`
			`args:`
			`- NODE_ENV=production`
			`environment:`
			`- NODE_ENV=production`
			`volumes: [] # No volumes in production (baked into image)`
			`command: ["nginx", "-g", "daemon off;"]`
			`restart: always`
			`logging:`
			`driver: "json-file"`
			`options:`
			`max-size: "10m"`
			`max-file: "3"`

			`backend:`
			`build:`
			`context: ./backend`
			`dockerfile: Dockerfile.prod`
			`args:`
			`- NODE_ENV=production`
			`environment:`
			`- NODE_ENV=production`
			`# Security: Strict for production`
			`- RATE_LIMIT_ENABLED=true`
			`- RATE_LIMIT_AUTH_MAX=5`
			`- RATE_LIMIT_EMAIL_MAX=3`
			`- ENABLE_CSRF=true`
			`- BODY_SIZE_LIMIT=10kb`
			`- LOG_LEVEL=warn`
			`# Secrets should come from environment or secrets manager`
			`# Do not hardcode in docker-compose.prod.yml`
			`volumes: [] # No volumes in production`
			`command: ["node", "src/server.js"]`
			`restart: always`
			`logging:`
			`driver: "json-file"`
			`options:`
			`max-size: "10m"`
			`max-file: "3"`
			`deploy:`
			`resources:`
			`limits:`
			`cpus: '1'`
			`memory: 512M`
			`reservations:`
			`cpus: '0.5'`
			`memory: 256M`

			`db:`
			`# In production, consider using managed database (AWS RDS, etc.)`
			`# This is for self-hosted production`
			`environment:`
			`- POSTGRES_USER=${POSTGRES_USER}`
			`- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}`
			`- POSTGRES_DB=${POSTGRES_DB}`
			`volumes:`
			`- postgres_data:/var/lib/postgresql/data`
			`- ./backups:/backups # For database backups`
			`# Don't expose port in production (only internal)`
			`# ports: []`
			`restart: always`
			`logging:`
			`driver: "json-file"`
			`options:`
			`max-size: "10m"`
			`max-file: "3"`
			`deploy:`
			`resources:`
			`limits:`
			`cpus: '2'`
			`memory: 2G`
			`reservations:`
			`cpus: '1'`
			`memory: 1G`

			`volumes:`
			`postgres_data:`
			`driver: local`