daarion-admin/microdao-daarion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d77a4769c681024b2997b954f87f5f04019d4e72
microdao-daarion/apps/web/Dockerfile.secure
Apple d77a4769c6 🔒 security(daarion-web): Hardening after crypto-mining incidents 
## Root Cause Analysis
- Found CRITICAL RCE vulnerability in Next.js 15.0.3 (GHSA-9qr9-h5gf-34mp)
- 10 vulnerabilities total including SSRF, DoS, Auth Bypass
- Attack vector: exposed port 3000 + vulnerable Next.js → remote code execution

## Security Fixes
- Upgraded Next.js: 15.0.3 → 15.5.9 (0 vulnerabilities)
- Upgraded eslint-config-next: 15.0.3 → 15.5.9

## Hardening (New Files)
- apps/web/Dockerfile.secure: Multi-stage build, read-only FS, no shell
- docker-compose.web.secure.yml: Resource limits, cap_drop ALL, localhost bind
- scripts/rebuild-daarion-web-secure.sh: Local secure rebuild with Trivy scan
- scripts/deploy-daarion-web-node1.sh: Production deployment to NODE1
- SECURITY-REBUILD-REPORT.md: Full incident analysis and remediation report

## Key Security Measures
- restart: "no" (until verified)
- ports: 127.0.0.1:3000 (localhost only, use Nginx reverse proxy)
- read_only: true
- cap_drop: ALL
- resources.limits: 1 CPU, 512M RAM
- no-new-privileges: true

## Related Incidents
- Incident #1 (Jan 8): catcal, G4NQXBp miners
- Incident #2 (Jan 9): softirq, vrarhpb miners
- Hetzner AbuseID: 10F3971:2A

Co-authored-by: Cursor Agent <agent@cursor.sh>
2026-01-09 02:08:13 -08:00

96 lines
2.5 KiB
Docker
Raw Blame History

# DAARION Web Frontend - SECURE Dockerfile
# Multi-stage build with security hardening
# Version: 2.0.0 (Post-Incident Hardening)
# Created: 2026-01-09
# ============================================
# Stage 1: Dependencies (isolated build)
# ============================================
FROM node:20-alpine AS deps
# Security: Remove unnecessary packages
RUN apk add --no-cache libc6-compat \
&& rm -rf /var/cache/apk/*
WORKDIR /app
# Copy only package files for caching
COPY package.json package-lock.json* ./
# Clean install with audit
RUN npm ci --only=production --ignore-scripts \
&& npm cache clean --force
# ============================================
# Stage 2: Builder (compile application)
# ============================================
FROM node:20-alpine AS builder
WORKDIR /app
# Copy dependencies from previous stage
COPY --from=deps /app/node_modules ./node_modules
# Copy source code
COPY . .
# Build-time environment
ENV NEXT_TELEMETRY_DISABLED=1
ENV NODE_ENV=production
# Build the application
RUN npm run build
# Remove dev dependencies and clean
RUN npm prune --production \
&& rm -rf .git .github .next/cache
# ============================================
# Stage 3: Runner (minimal production image)
# ============================================
FROM node:20-alpine AS runner
LABEL maintainer="DAARION Security Team"
LABEL version="2.0.0-secure"
LABEL description="Hardened DAARION Web Frontend"
WORKDIR /app
# Environment
ENV NODE_ENV=production
ENV NEXT_TELEMETRY_DISABLED=1
ENV PORT=3000
ENV HOSTNAME="0.0.0.0"
# Create non-root user with specific UID/GID
RUN addgroup --system --gid 1001 nodejs \
&& adduser --system --uid 1001 --ingroup nodejs nextjs
# Security: Remove unnecessary tools
RUN apk del --purge wget curl \
&& rm -rf /var/cache/apk/* /tmp/* /var/tmp/* \
&& rm -f /bin/sh /bin/ash 2>/dev/null || true
# Copy only necessary production files
COPY --from=builder /app/public ./public
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
# Security: Set restrictive permissions
RUN chmod -R 500 /app \
&& chmod -R 400 /app/public \
&& chmod 500 /app/server.js
# Switch to non-root user
USER nextjs
# Expose port (internal only)
EXPOSE 3000
# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
CMD node -e "require('http').get('http://localhost:3000/api/health', (r) => process.exit(r.statusCode === 200 ? 0 : 1))" || exit 1
# Run application
CMD ["node", "server.js"]
Reference in New Issue View Git Blame Copy Permalink