gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 12:21:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(deploy): SEC-014 — loopback-bind Postgres host port in compose files

Browse Source 
Acquisition-audit SEC-014 closure (Sprint 2 ACQ, 2026-05-16).

Both deploy/docker-compose.yml and deploy/docker-compose.test.yml
published Postgres on `5432:5432` — the short Docker port-mapping
form, which binds to 0.0.0.0 by default. On any host with a
public-facing NIC, that quietly exposed the Postgres TCP listener to
the internet. The certctl-server-to-postgres traffic itself goes over
the `certctl-network` Docker bridge, not the host port; the host
port mapping is a convenience for operator psql access and for the
integration-test runner that lives on the host.

Switch both mappings to `127.0.0.1:5432:5432` (loopback-only).
Operator psql via `localhost` keeps working; the integration-test
runner keeps working; cross-host exposure goes away.

Audit trail: docs/operator/security.md (Postgres transport encryption
subsection, SEC-014 paragraph).
This commit is contained in:
shankar0123
2026-05-16 17:12:42 +00:00
parent 2e9262cfb7
commit 7e2481b225
2 changed files with 15 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy/docker-compose.test.yml
+4 -1
View File
@@ -116,8 +116,11 @@ services:
networks: networks:
certctl-test: certctl-test:
ipv4_address: 10.30.50.2 ipv4_address: 10.30.50.2
# Acquisition-audit SEC-014 closure (Sprint 2, 2026-05-16).
# Loopback-only host-port bind — the integration-test runner on
# the host needs reachability, no other interface does.
ports: ports:
- "5432:5432" - "127.0.0.1:5432:5432"
healthcheck: healthcheck:
test: ["CMD-SHELL", "pg_isready -U certctl -d certctl"] test: ["CMD-SHELL", "pg_isready -U certctl -d certctl"]
interval: 5s interval: 5s
deploy/docker-compose.yml
+11 -1
View File
@@ -145,8 +145,18 @@ services:
# default for screenshot/demo use; production deploys never # default for screenshot/demo use; production deploys never
# depend on that fallback. # depend on that fallback.
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
# Acquisition-audit SEC-014 closure (Sprint 2, 2026-05-16). Bind
# the published port to 127.0.0.1 ONLY — the certctl-server
# connection comes in via the `certctl-network` Docker network
# (the host-port mapping is operator convenience for psql / DB
# inspection only). Pre-fix, the "5432:5432" form bound on
# 0.0.0.0, exposing the Postgres TCP listener on every interface
# of any host that happened to be on a public IP. The loopback
# bind keeps host-side psql access working while preventing the
# cross-network exposure landmine for compose deploys that aren't
# behind a firewall.
ports: ports:
- "5432:5432" - "127.0.0.1:5432:5432"
volumes: volumes:
- postgres_data:/var/lib/postgresql/data - postgres_data:/var/lib/postgresql/data
networks: networks: