From 708bbf0496400abe707bccf5f3b4a79a500421f6 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Sun, 11 Sep 2022 11:03:17 -0400
Subject: [PATCH] Drop capabilities

Signed-off-by: Tommy
---
 docker-compose.yml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index bb915a5..4317828 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,11 +10,22 @@ services:
       - ./data/certbot/www:/var/www/certbot:Z
     ports:
       - "443:443"
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CAP_NET_BIND_SERVICE
+      - CHOWN
   nginx-relay:
     image: nginx:alpine
     restart: unless-stopped
     volumes:
       - ./data/nginx-relay/nginx.conf:/etc/nginx/nginx.conf:Z
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
   certbot:
     image: certbot/certbot
     restart: unless-stopped
@@ -23,4 +34,10 @@ services:
       - ./data/certbot/www:/var/www/certbot:Z
     ports:
       - "80:80"
-    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
\ No newline at end of file
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CAP_NET_BIND_SERVICE
\ No newline at end of file
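Review bot: The nginx service's `cap_add` (CAP_NET_BIND_SERVICE, CHOWN) is very likely too small for the stock `nginx` image, whose master process runs as root and drops each worker to the `nginx` user with setgid()/setuid(); after `cap_drop: ALL` those calls fail (`setgid(101) failed (1: Operation not permitted)`) and the workers exit, something Docker's default capability set masked before this commit. CHOWN is evidently added for the log-file ownership change the master performs for the `user` directive, so SETGID and SETUID belong next to it, unless the image is the unprivileged variant, which the compose file does not show. `nginx-relay` drops ALL and adds nothing back, so the same applies to it, and it will additionally fail to bind if its mounted nginx.conf listens below 1024 (that file is not visible here). I would also spell the capability names in one form, since compose accepts both `CAP_NET_BIND_SERVICE` and `NET_BIND_SERVICE` but mixing them in one list reads as if they were different things. Proposed capability blocks for both services:
```yaml
    cap_add:
      - NET_BIND_SERVICE
      - CHOWN
      - SETGID
      - SETUID
  nginx-relay:
    # … unchanged: image, restart, volumes, security_opt, cap_drop …
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
```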
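Review bot: The renewal loop `while :; do certbot renew; sleep 12h & wait $${!}; done` ignores certbot's exit status, so if the reduced capability set (everything dropped except CAP_NET_BIND_SERVICE, including DAC_OVERRIDE and FOWNER) prevents certbot from writing to its bind-mounted config directory — plausible if host files there are not owned by the container's uid 0; that mount is outside this hunk — renewals will fail silently every 12h until the certificate expires. Verify with `docker compose run --rm certbot renew --dry-run` under the new settings before merging, and consider making the failure visible, e.g. `certbot renew || echo 'certbot renew failed' >&2` in the loop or a healthcheck. Separately, the `entrypoint` line is removed and re-added only because the old file lacked a trailing newline, yet the new side still ends with `\ No newline at end of file` after `- CAP_NET_BIND_SERVICE`, so the next append will churn the same way; end the file with a newline.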