security: hardening docker compose example

.env.example

@@ -4,6 +4,10 @@ TAG=latest
 # set timezone to get correct log timestamp
 TZ=ETC/UTC
 
+# container uid and gid (must match the owner of mounted directories)
+GODOXY_UID=1000
+GODOXY_GID=1000
+
 # API JWT Configuration (common)
 # generate secret with `openssl rand -base64 32`
 GODOXY_API_JWT_SECRET=

compose.example.yml

@@ -1,17 +1,46 @@
 ---
 services:
+  socket-proxy:
+    container_name: socket-proxy
+    image: lscr.io/linuxserver/socket-proxy:latest
+    environment:
+      - ALLOW_START=1
+      - ALLOW_STOP=1
+      - ALLOW_RESTARTS=1
+      - CONTAINERS=1
+      - EVENTS=1
+      - PING=1
+      - POST=1
+      - VERSION=1
+    volumes:
+      - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
+    restart: unless-stopped
+    tmpfs:
+      - /run
+    ports:
+      - 127.0.0.1:2375:2375
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:2375"]
+      interval: 1m30s
+      timeout: 30s
+      retries: 5
+      start_period: 30s
   frontend:
     image: ghcr.io/yusing/godoxy-frontend:${TAG:-latest}
     container_name: godoxy-frontend
     restart: unless-stopped
     network_mode: host # do not change this
     env_file: .env
+    user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - all
     depends_on:
       - app
     environment:
+      HOSTNAME: 127.0.0.1
       PORT: ${GODOXY_FRONTEND_PORT:-3000}
-
-    # modify below to fit your needs
     labels:
       proxy.aliases: ${GODOXY_FRONTEND_ALIASES:-godoxy}
       proxy.godoxy.port: ${GODOXY_FRONTEND_PORT:-3000}
@@ -29,11 +58,19 @@ services:
     restart: always
     network_mode: host # do not change this
     env_file: .env
+    user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - all
+    cap_add:
+      - NET_BIND_SERVICE
+    environment:
+      - DOCKER_HOST=127.0.0.1:2375
     volumes:
-      - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
       - ./config:/app/config
       - ./logs:/app/logs
-      - ./error_pages:/app/error_pages
+      - ./error_pages:/app/error_pages:ro
       - ./data:/app/data
 
       # To use autocert, certs will be stored in "./certs".

scripts/setup.sh

@@ -36,6 +36,7 @@ COMPOSE_FILE_NAME="compose.yml"
 COMPOSE_EXAMPLE_FILE_NAME="compose.example.yml"
 CONFIG_FILE_NAME="config.yml"
 CONFIG_EXAMPLE_FILE_NAME="config.example.yml"
+REQUIRED_DIRECTORIES=("config" "logs" "error_pages" "data" "certs")
 
 echo "Setting up GoDoxy"
 echo "Branch: ${BRANCH}"
@@ -149,12 +150,20 @@ get_timezone() {
 	fi
 }
 
+# check if running user is root
+if [ "$EUID" -ne 0 ]; then
+	echo "Error: Please run this script as root"
+	exit 1
+fi
+
 check_pkg "openssl" "openssl"
 check_pkg "docker" "docker-ce"
 
 # Setup required configurations
-# 1. Config base directory
+# 1. Setup required directories
-mkdir_if_not_exists "$CONFIG_BASE_PATH"
+for dir in "${REQUIRED_DIRECTORIES[@]}"; do
+	mkdir_if_not_exists "$dir"
+done
 
 # 2. .env file
 fetch_file "$DOT_ENV_EXAMPLE_PATH" "$DOT_ENV_PATH"
@@ -222,4 +231,10 @@ EOF
 	fi
 fi
 
+# 7. setup permission
+
+echo "Setting up permissions"
+chown -R 1000:1000 .
+chmod -R 644 .
+
 echo "Setup finished"