security: fix docker-compose security vulnerabilities - Remove exposed PostgreSQL/Qdrant/Ollama ports - Use env vars for DB credentials

2026-03-12 12:47:40 +08:00 · 2026-03-12 12:47:40 +08:00 · b8b27cef21
parent dd1c6aba14
commit b8b27cef21
2 changed files with 8 additions and 11 deletions
--- a/.env.example
+++ b/.env.example
@ -1,6 +1,10 @@
 # AI Service Environment Variables
 # Copy this file to .env and modify as needed

+# Database Configuration (IMPORTANT: Use strong passwords!)
+DB_USER=postgres
+DB_PASSWORD=your-strong-password-here
+
 # LLM Configuration (OpenAI)
 AI_SERVICE_LLM_PROVIDER=openai
 AI_SERVICE_LLM_API_KEY=your-api-key-here
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -10,7 +10,7 @@ services:
    environment:
      - AI_SERVICE_DEBUG=false
      - AI_SERVICE_LOG_LEVEL=INFO
-      - AI_SERVICE_DATABASE_URL=postgresql+asyncpg://postgres:postgres@postgres:5432/ai_service
+      - AI_SERVICE_DATABASE_URL=postgresql+asyncpg://${DB_USER:-postgres}:${DB_PASSWORD}@postgres:5432/ai_service
      - AI_SERVICE_QDRANT_URL=http://qdrant:6333
      - AI_SERVICE_LLM_PROVIDER=${AI_SERVICE_LLM_PROVIDER:-openai}
      - AI_SERVICE_LLM_API_KEY=${AI_SERVICE_LLM_API_KEY:-}
@ -54,18 +54,16 @@ services:
    container_name: ai-postgres
    restart: unless-stopped
    environment:
-      - POSTGRES_USER=postgres
-      - POSTGRES_PASSWORD=postgres
+      - POSTGRES_USER=${DB_USER:-postgres}
+      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_DB=ai_service
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - ./ai-service/scripts/init_db.sql:/docker-entrypoint-initdb.d/init_db.sql:ro
-    ports:
-      - "5432:5432"
    networks:
      - ai-network
    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U postgres -d ai_service"]
+      test: ["CMD-SHELL", "pg_isready -U ${DB_USER:-postgres} -d ai_service"]
      interval: 10s
      timeout: 5s
      retries: 5
@ -74,9 +72,6 @@ services:
    image: qdrant/qdrant:latest
    container_name: ai-qdrant
    restart: unless-stopped
-    ports:
-      - "6333:6333"
-      - "6334:6334"
    volumes:
      - qdrant_data:/qdrant/storage
    networks:
@ -86,8 +81,6 @@ services:
    image: ollama/ollama:latest
    container_name: ai-ollama
    restart: unless-stopped
-    ports:
-      - "11434:11434"
    volumes:
      - ollama_data:/root/.ollama
    networks: