From bd5b04eeaeb549e7f3592e38252431331d1d2811 Mon Sep 17 00:00:00 2001
From: finn
Date: Tue, 6 Aug 2024 09:01:04 -0700
Subject: [PATCH] db user restrict access to container

---
 compose.yaml | 4 ++++
 db/init/01-databases.sql | 8 ++++----
 other/dbbu.sh | 16 ++++++++++++++++
 other/sqlpass.sh | 4 ++--
 proxy/giteaconf | 17 +++++++++++++++++
 5 files changed, 43 insertions(+), 6 deletions(-)
 create mode 100755 other/dbbu.sh
 create mode 100644 proxy/giteaconf

diff --git a/compose.yaml b/compose.yaml
index 6dc2be2..afd9cc9 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -1,6 +1,7 @@
 services:
 db:
 image: mariadb:lts
+ command: "--skip-name-resolve=OFF"
 restart: always
 healthcheck:
 test: ['CMD', 'healthcheck.sh', '--connect', '--innodb_initialized']
@@ -30,6 +31,7 @@ services:
 restart: always
 # Comment following line to use flask (1worker, dev), uncomment to use uwsgi (wsgi)
 #command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"]
+ container_name: backend
 environment:
 - MYSQL_USER=flasku
 #- MYSQL_PASSWORD=flaskp
@@ -127,4 +129,6 @@ volumes: networks: backnet: + name: backnet frontnet: + name: frontnet
diff --git a/db/init/01-databases.sql b/db/init/01-databases.sql
index 116c682..a3cbbfc 100644
--- a/db/init/01-databases.sql
+++ b/db/init/01-databases.sql
@@ -3,10 +3,10 @@
 CREATE DATABASE IF NOT EXISTS `gitea`;
 CREATE DATABASE IF NOT EXISTS `flask`;
 -- create root user and grant rights
-CREATE USER 'gitea' IDENTIFIED BY 'giteap';
-CREATE USER 'flasku' IDENTIFIED BY 'flaskp';
+CREATE USER 'gitea'@'gitea.backnet' IDENTIFIED BY 'giteap';
+CREATE USER 'flasku'@'backend.backnet' IDENTIFIED BY 'flaskp';
 --CREATE USER 'gitea'@'localhost' IDENTIFIED BY 'gitea';
 --GRANT ALL ON `gitea` TO 'gitea'@'localhost';
-GRANT ALL ON gitea.* TO 'gitea';
-GRANT ALL ON flask.* TO 'flasku';
+GRANT ALL ON gitea.* TO 'gitea'@'gitea.backnet';
+GRANT ALL ON flask.* TO 'flasku'@'backend.backnet';
 
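Review bot: The grants in db/init/01-databases.sql now key on `gitea.backnet` and `backend.backnet`, so the `name: backnet` and `container_name: backend` lines in this section (and whatever names the gitea container, outside these hunks) are load-bearing for database access, yet nothing in compose.yaml records that coupling; renaming a network or container will silently lock the apps out of the database. Suggest a comment next to `name: backnet` such as `# referenced by the user@host grants in db/init/01-databases.sql; do not rename`. The `command: "--skip-name-resolve=OFF"` line re-enables the reverse-then-forward DNS check MariaDB performs on every connection (the official image ships a config snippet that disables it and turns off the host cache), which appears to rely on Docker's embedded DNS answering PTR queries with `container.network` names — worth confirming against the running stack and stating in the comment, since the restriction is exactly as trustworthy as that resolver. Each connection also now costs an uncached lookup, so a slow or failing resolver refuses otherwise valid clients instead of falling back.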
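Review bot: This init script only runs when the data directory is first created, so on an existing deployment the old `'gitea'@'%'` and `'flasku'@'%'` accounts (which is what the removed host-less `CREATE USER` lines produced) keep their full grants after this change, and the `ALTER USER ... @'backend.backnet'` statements in other/sqlpass.sh fail there because the new accounts do not exist. A migration step is needed for such volumes, e.g. `RENAME USER 'gitea'@'%' TO 'gitea'@'gitea.backnet'; RENAME USER 'flasku'@'%' TO 'flasku'@'backend.backnet';`, or a `DROP USER` of the wildcard accounts once the restricted ones are created. The comment above the block still reads `-- create root user and grant rights` although it creates the two application users; `-- create app users, each reachable only from its own container` would match the new intent. The bootstrap passwords `giteap`/`flaskp` remain hard-coded here; that is pre-existing and presumably rotated by sqlpass.sh, but the comment should say so.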
diff --git a/other/dbbu.sh b/other/dbbu.sh
new file mode 100755
index 0000000..6061633
--- /dev/null
+++ b/other/dbbu.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# copy do db mount, use as helper
+
+if [[ -z $1 ]] ; then
+ echo "dbbu.sh "
+ exit 0
+fi
+
+if [[ $1 == "gitea" ]] ; then
+ mariadb-dump -uroot -p$2 gitea > gitea_bu_$(date +%s).sql
+fi
+
+if [[ $1 == "flask" ]] ; then
+ mariadb-dump -uroot -p$2 flask > flask_bu_$(date +%s).sql
+fi
+
diff --git a/other/sqlpass.sh b/other/sqlpass.sh
index e0d7fa0..b930a65 100755
--- a/other/sqlpass.sh
+++ b/other/sqlpass.sh
@@ -19,10 +19,10 @@ echo "Changing app db passwords in 5 seconds..." sleep 6 # Flask -docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "ALTER USER 'flasku' IDENTIFIED BY '"$DOTENV_MYSQL_FLASK_PASSWORD"';" +docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "ALTER USER 'flasku'@'backend.backnet' IDENTIFIED BY '"$DOTENV_MYSQL_FLASK_PASSWORD"';" # Gitea -docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "ALTER USER 'gitea' IDENTIFIED BY '"$DOTENV_MYSQL_GITEA_PASSWORD"';" +docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "ALTER USER 'gitea'@'gitea.backnet' IDENTIFIED BY '"$DOTENV_MYSQL_GITEA_PASSWORD"';" docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "FLUSH PRIVILEGES;"
diff --git a/proxy/giteaconf b/proxy/giteaconf
new file mode 100644
index 0000000..6291d31
--- /dev/null
+++ b/proxy/giteaconf
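Review bot: `mariadb-dump -uroot -p$2 ...` passes the database root password as an argv element, so it is readable by every process on the host through `ps`/`/proc` and is recorded in shell history whenever the script is invoked; other/sqlpass.sh in this same commit has the same pattern with `-p$DOTENV_MYSQL_ROOT_PASSWORD_OLD`. Handing it to the client through `MYSQL_PWD` (or a `--defaults-extra-file`) keeps it out of the process list. Smaller issues alongside: the usage branch exits 0, its message `echo "dbbu.sh "` appears to have lost its argument placeholders, `$1`/`$2` are unquoted, and an unrecognised first argument silently does nothing. A rewrite that folds the two dump branches into one case is below.
```shell
#!/bin/bash
# helper: dump one application database; run inside the db container (or from its mount)
set -euo pipefail

if [[ -z "${1:-}" || -z "${2:-}" ]] ; then
    echo "usage: dbbu.sh <gitea|flask> <root-password>" >&2
    exit 1
fi

# give the client the password via the environment so it never appears in the process list
export MYSQL_PWD="$2"

case "$1" in
    gitea|flask) mariadb-dump -uroot "$1" > "${1}_bu_$(date +%s).sql" ;;
    *) echo "dbbu.sh: unknown database '$1'" >&2; exit 1 ;;
esac
```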
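Review bot: In the two rewritten `ALTER USER` lines the new password is spliced into the SQL text as `'"$DOTENV_MYSQL_FLASK_PASSWORD"'`, which leaves the expansion outside the double quotes: a value containing whitespace or glob characters is word-split into extra arguments to `mariadb`, and a `'` inside it terminates the SQL string literal and alters the statement that runs as root. Keeping the expansion inside the quoted string, `-e "ALTER USER 'flasku'@'backend.backnet' IDENTIFIED BY '${DOTENV_MYSQL_FLASK_PASSWORD}';"` (and the same for the gitea line), fixes the splitting; a single quote in the value still has to be rejected or doubled before use, which belongs where the script loads its .env values, outside this hunk. The script continues before and after the hunk.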
@@ -0,0 +1,17 @@
+server {
+
+ listen 80;
+ server_name localhost;
+
+ location / {
+ client_max_body_size 512M;
+ #proxy_pass http://localhost:3000;
+ proxy_pass http://gitea:3000;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
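Review bot: The `location /` block forwards the `Upgrade` and `Connection` headers but never sets `proxy_http_version 1.1;`, and nginx talks HTTP/1.0 to the upstream by default, so WebSocket upgrades to Gitea will not complete; add `proxy_http_version 1.1;` next to the `proxy_set_header Upgrade $http_upgrade;` line. Because the server injects `X-Real-IP` and `X-Forwarded-For`, Gitea should be configured to trust those headers only from this proxy's address (`REVERSE_PROXY_TRUSTED_PROXIES` in the `[security]` section of app.ini); otherwise any client that can reach port 3000 directly can present arbitrary values, and whether that port is exposed is not visible in this hunk. A comment at the top of the file stating that this server is intended to be the only path to `gitea:3000` would record that assumption for whoever edits the compose file.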