feat: add nginx reverse proxy

This commit is contained in:
bisco
2026-06-24 08:59:35 +02:00
parent 8155d94fee
commit b36cd2a754
14 changed files with 228 additions and 37 deletions
+5 -1
View File
@@ -4,7 +4,8 @@
and password hashing. The public site does not add accounts or write endpoints.
- The aggregate API is intentionally unauthenticated and returns published editorial
content only; secrets and unpublished drafts must never be serialized.
- PostgreSQL has no host-published port. Web ports bind to loopback for local use.
- PostgreSQL has no host-published port. NGINX and diagnostic application ports bind to
loopback for local use. Unknown NGINX virtual hosts are rejected with 404.
- Containers are unprivileged at the Compose level: no privileged mode, host network,
Docker socket, or added capabilities are used. `no-new-privileges` is enabled and
the application images run as non-root users.
@@ -18,6 +19,9 @@
legitimately exposes only contact details approved for publication.
- Dependency and image versions are explicit. Operators remain responsible for patch
upgrades, vulnerability scans, and production digest pinning.
- NGINX forwards the original host and standard client/protocol headers. The local
configuration is HTTP-only; production must add TLS and ensure application ports are
not externally reachable.
Manual production hardening remains required for reverse proxy headers, TLS, media
storage, backup retention, monitoring, and admin network policy.