From a8e7911514172566d50b905d3264717cfb61a9e4 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Sun, 11 Sep 2022 14:21:12 -0400
Subject: [PATCH] Drop privileges

---
 docker-compose.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index a3b3635..ab42d52 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,12 +11,23 @@ services:
 ports:
 - "443:443"
 command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; /opt/nginx/sbin/nginx -s reload; done & /opt/nginx/sbin/nginx -c /etc/nginx/conf.d/nginx.conf -g \"daemon off;\"'"
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - CAP_NET_BIND_SERVICE
+ - CHOWN
 nginx-relay:
 build: ./nginx-relay/
 restart: unless-stopped
 volumes:
 - ./data/nginx-relay:/etc/nginx/conf.d
 command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; /opt/nginx/sbin/nginx -s reload; done & /opt/nginx/sbin/nginx -c /etc/nginx/conf.d/nginx.conf -g \"daemon off;\"'"
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
 certbot:
 image: certbot/certbot
 restart: unless-stopped
@@ -24,3 +35,9 @@ services:
 - ./data/certbot/conf:/etc/letsencrypt
 - ./data/certbot/www:/var/www/certbot
 entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - CAP_NET_BIND_SERVICE
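Review bot: Dropping `ALL` capabilities on nginx-relay with no `cap_add`, and keeping only NET_BIND_SERVICE/CHOWN on the first service, is likely to break nginx start-up if the master process still runs as root: switching workers to the unprivileged user requires CAP_SETUID and CAP_SETGID, and once capabilities are dropped even root cannot bind a port below 1024 without CAP_NET_BIND_SERVICE. No `user:` key is visible in the hunk, so whether the images already run as non-root cannot be confirmed from here; check the container logs after `docker compose up` and either add `- SETUID` and `- SETGID` under `cap_add`, or add a `user:` key so the master never needs them. The new lines also mix capability spellings (`CAP_NET_BIND_SERVICE` next to `CHOWN`); Docker accepts both forms, but one form should be used file-wide. The first service's header and the enclosing `services:` mapping start above the hunk.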
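Review bot: certbot is granted `CAP_NET_BIND_SERVICE`, but a `certbot renew` loop only binds a port when it uses the standalone authenticator; the `./data/certbot/www:/var/www/certbot` volume in the context lines suggests webroot mode, where the capability is never exercised and the whole `cap_add` stanza could be removed to keep the container at the minimum privilege the commit is aiming for. If standalone renewal is actually configured, record the reason next to the line, e.g. `- CAP_NET_BIND_SERVICE  # standalone authenticator binds :80 during renewal`, so the grant is not silently removed later. This is inferred from the mounted paths only; confirm against the renewal configuration under `/etc/letsencrypt`.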