fix(selfhost): harden database and redis security for production depl…#14813
LeonardoJaques wants to merge 2 commits into toeverything:canary from
…oyments Remove POSTGRES_HOST_AUTH_METHOD: trust, add Redis password authentication, isolate services on internal Docker network, bind app to 127.0.0.1 only, and add security checklist to README.
📝 Walkthrough
Updates to self-hosted Docker configs and docs to enforce credentials (DB/Redis), bind the app to loopback, enable Redis authentication, segment internal/external networks in Compose, and add a Security Checklist in README with deployment hardening steps.
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks: ✅ Passed checks (3 passed)
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.docker/selfhost/compose.yml:
- Around line 22-23: The Compose file uses unchecked variable interpolation
(e.g., REDIS_SERVER_PASSWORD=${REDIS_PASSWORD} and
DATABASE_URL=postgresql://${DB_USERNAME}:${DB_PASSWORD}@postgres:5432/${DB_DATABASE:-affine}),
which can expand to empty strings; update these to require the secrets at parse
time using the ${VAR:?message} form for REDIS_PASSWORD and DB_PASSWORD (and
similarly for DB_USERNAME/DB_DATABASE where appropriate) so interpolation fails
fast—replace REDIS_SERVER_PASSWORD=${REDIS_PASSWORD} with
REDIS_SERVER_PASSWORD=${REDIS_PASSWORD:?REDIS_PASSWORD not set} and change the
DATABASE_URL to use ${DB_USERNAME:?DB_USERNAME not
set}:${DB_PASSWORD:?DB_PASSWORD not set} (and apply the same ${VAR:?msg} pattern
to the other occurrences noted at lines 41-42, 55-57, 71-72).
- Line 57: The healthcheck currently uses "incr ping" which mutates Redis state;
change the command in the compose healthcheck from the redis-cli invocation that
contains ['CMD', 'redis-cli', '-a', '${REDIS_PASSWORD}', '--no-auth-warning',
'--raw', 'incr', 'ping'] to use a read-only PING probe instead (e.g., replace
'incr' with 'ping' so it runs redis-cli ... '--raw' 'ping'), preserving
authentication flags and '--no-auth-warning'. Ensure the healthcheck still
returns success on a proper PONG response and does not perform any writes.
In `@README.md`:
- Line 189: Replace the current sentence that says "Schedule regular `pg_dump`
backups of the `DB_DATA_LOCATION` volume" with a clarified statement that
`pg_dump` performs logical backups of the database (connects to the server and
exports SQL/data) and does not back up the `DB_DATA_LOCATION`/PGDATA filesystem;
explicitly instruct operators to use `pg_basebackup` or WAL archiving (or a
filesystem-level backup) for physical/PGDATA backups and keep `pg_dump` guidance
limited to logical backups of the database.
📒 Files selected for processing (3)
- .docker/selfhost/.env.example
- .docker/selfhost/compose.yml
- README.md
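The hardening points raised in this review, combined in one Compose fragment with each weak setting noted in a comment beside its replacement. This is an added example, not the PR's `compose.yml`; the service layout, image tags, container port 3000 and the `APP_PORT` variable are assumptions.

```yaml
# Constructed fragment for illustration; not the project's compose.yml.
services:
  app:
    image: example/app:latest            # placeholder image
    ports:
      # Weak: "3000:3000" publishes the port on every host interface.
      - "127.0.0.1:${APP_PORT:-3000}:3000"
    environment:
      # Weak: ${DB_PASSWORD} expands to an empty string when the variable is unset.
      # ${VAR:?msg} makes `docker compose config` / `up` abort with msg instead.
      - "DATABASE_URL=postgresql://${DB_USERNAME:?DB_USERNAME not set}:${DB_PASSWORD:?DB_PASSWORD not set}@postgres:5432/${DB_DATABASE:-affine}"
      - "REDIS_SERVER_PASSWORD=${REDIS_PASSWORD:?REDIS_PASSWORD not set}"
    networks: [internal, external]       # only the app reaches the outside
    depends_on:
      redis:
        condition: service_healthy
      postgres:
        condition: service_healthy

  redis:
    image: redis:7                       # placeholder tag
    command: ["redis-server", "--requirepass", "${REDIS_PASSWORD:?REDIS_PASSWORD not set}"]
    healthcheck:
      # Weak: 'incr', 'ping' increments a key named "ping" on every probe.
      test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD:?REDIS_PASSWORD not set}", "--no-auth-warning", "--raw", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks: [internal]

  postgres:
    image: postgres:16                   # placeholder tag
    environment:
      # Weak: POSTGRES_HOST_AUTH_METHOD: trust accepts any client without a password.
      POSTGRES_USER: "${DB_USERNAME:?DB_USERNAME not set}"
      POSTGRES_PASSWORD: "${DB_PASSWORD:?DB_PASSWORD not set}"
      POSTGRES_DB: "${DB_DATABASE:-affine}"
    healthcheck:
      # $$ escapes Compose interpolation so the container's shell expands the variable.
      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"]
    networks: [internal]

networks:
  internal:
    internal: true                       # no external connectivity for this network
  external: {}
```

Running `docker compose config` with `REDIS_PASSWORD` unset should stop with the `REDIS_PASSWORD not set` message before any container is created.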
…healthcheck, backup docs
- Use \${VAR:?msg} for REDIS_PASSWORD, DB_PASSWORD, DB_USERNAME in compose so
docker compose fails immediately if secrets are unset instead of silently
passing empty strings to the app/database/redis.
- Fix Redis healthcheck: replace 'incr ping' (mutating) with 'ping' (read-only).
- Clarify backup item in README: pg_dump is for logical backups; pg_basebackup
or WAL archiving should be used for physical PGDATA backups.
♻️ Duplicate comments (1)
.docker/selfhost/compose.yml (1)
57-57: ⚠️ Potential issue | 🔴 Critical
Critical: Redis healthcheck password not interpolated due to single quotes.
On Line 57, `${REDIS_PASSWORD}` is wrapped in single quotes within the YAML sequence. Docker Compose does not interpolate variables inside single quotes, causing the literal string `${REDIS_PASSWORD}` to be passed to `redis-cli`. This fails to authenticate against the actual password set on Line 55 (`redis-server --requirepass ${REDIS_PASSWORD:?...}`), causing the healthcheck to fail and blocking dependent services from starting.
Switch to double quotes to enable interpolation:
Fix
- test: ['CMD', 'redis-cli', '-a', '${REDIS_PASSWORD}', '--no-auth-warning', '--raw', 'ping'] + test: ['CMD', 'redis-cli', '-a', "${REDIS_PASSWORD:?REDIS_PASSWORD not set}", '--no-auth-warning', '--raw', 'ping']🤖 Prompt for AI Agents
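Review bot: the `+ test:` line still hands the Redis password to `redis-cli` through `-a`, so after interpolation the secret is part of the probe's argument list, where it shows up in the stored healthcheck definition and in the container's process list each time the check runs. Consider setting `REDISCLI_AUTH` in the redis service's environment and dropping `-a` and `--no-auth-warning` from the array, which leaves the test as a plain `redis-cli --raw ping` with no secret in argv.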
Verify each finding against the current code and only fix it if needed. In @.docker/selfhost/compose.yml at line 57, The healthcheck command entry "test: ['CMD', 'redis-cli', '-a', '${REDIS_PASSWORD}', '--no-auth-warning', '--raw', 'ping']" uses single quotes so ${REDIS_PASSWORD} is not interpolated; update that YAML sequence to use double quotes around the ${REDIS_PASSWORD} element (e.g., " ${REDIS_PASSWORD} ") so Docker Compose substitutes the actual REDIS_PASSWORD value and the redis-cli authentication succeeds.
📒 Files selected for processing (2)
- .docker/selfhost/compose.yml
- README.md
✅ Files skipped from review due to trivial changes (1)
- README.md