diff --git a/Dockerfile b/Dockerfile
index edcf602..5c529a8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,43 +1,54 @@
-FROM python:3.11-slim-bookworm
+FROM python:3.11-alpine
-ENV PYTHONDONTWRITEBYTECODE 1
-ENV PYTHONUNBUFFERED 1
-ENV VIRTUAL_ENV=/opt/venv
-ENV PATH="$VIRTUAL_ENV/bin:$PATH"
-ENV DEBUG=False
-
-RUN apt-get update && \
- apt-get install -y --no-install-recommends nginx python3-venv && \
- rm -rf /var/lib/apt/lists/*
-
-RUN python -m venv $VIRTUAL_ENV
-
-RUN groupadd -r nginxgroup && \
- useradd -r -g nginxgroup -s /bin/false nginxuser
-
-RUN mkdir -p /run/nginx && \
- chown -R nginxuser:nginxgroup /run/nginx /var/log/nginx /var/lib/nginx
+ENV PYTHONDONTWRITEBYTECODE=1 \
+ PYTHONUNBUFFERED=1 \
+ VIRTUAL_ENV=/opt/venv \
+ PATH="/opt/venv/bin:$PATH" \
+ DEBUG=False
+
+RUN apk add --no-cache \
+ nginx \
+ bash \
+ ca-certificates \
+ libffi \
+ libffi-dev \
+ openssl \
+ openssl-dev \
+ libsodium \
+ linux-headers \
+ gcc \
+ musl-dev \
+ cargo \
+ && python -m venv /opt/venv \
+ && addgroup -S nginxgroup \
+ && adduser -S nginxuser -G nginxgroup \
+ && mkdir -p \
+ /run/nginx \
+ /var/log/nginx \
+ /var/lib/nginx \
+ && chown -R nginxuser:nginxgroup \
+ /run/nginx \
+ /var/log/nginx \
+ /var/lib/nginx
 WORKDIR /app
 COPY requirements.txt .
-RUN /opt/venv/bin/pip install --no-cache-dir -r requirements.txt
+RUN pip install --upgrade pip wheel \
+ && pip install --no-cache-dir -r requirements.txt
 COPY . .
-RUN /opt/venv/bin/python manage.py collectstatic --noinput && \
- find . -type f -name '*.env' -delete && \
- find . -type f -name '*.secret' -delete
+RUN python manage.py collectstatic --noinput \
+ && find . -type f \( -name '*.env' -o -name '*.secret' \) -delete
-RUN rm -f /etc/nginx/sites-enabled/default
+RUN rm -f /etc/nginx/http.d/default.conf
 COPY nginx.conf /etc/nginx/nginx.conf
 COPY entrypoint.sh /app/entrypoint.sh
-
-RUN chmod 755 /app/entrypoint.sh && \
- chmod a-w /app/entrypoint.sh
-
-RUN chown -R nginxuser:nginxgroup /app
+RUN chown nginxuser:nginxgroup /app/entrypoint.sh \
+ && chmod 550 /app/entrypoint.sh \
+ && chown -R nginxuser:nginxgroup /app
 EXPOSE 8080
diff --git a/README.md b/README.md
index bc2ccf4..16f92d5 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ You can visit my portfolio online at [My Portfolio](https://myportfolio-kn09.onr
 #### Prerequisites
-- Python 3.11 or 3.12
+- Python 3.11+
 - python3-virtualenv or python3-venv
 - Redis (for caching)
 - Docker (optional)
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..54b4a26
--- /dev/null
+++ b/SECURITY.md
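Review bot: The `find … -delete` of `*.env`/`*.secret` runs in a later layer than `COPY . .`, so any such file present in the build context is already committed to the COPY layer and remains extractable from the image history; the delete only hides it from the final filesystem. The only reliable control is a `.dockerignore` that excludes those patterns (the `find` can stay as a belt-and-braces check, or become `test -z "$(find …)"` so the build fails instead of silently deleting). Separately, the `RUN apk add` leaves `gcc`, `musl-dev`, `cargo`, `linux-headers` and the `-dev` headers in the runtime image, and there is still no `USER` instruction, so the entrypoint starts gunicorn and nginx as root with a full toolchain beside them; a two-stage build that compiles wheels into `/opt/venv` and copies it into a lean stage ending in `USER nginxuser` addresses both, and pinning `apk` package versions or the base image by digest would make the rebuild reproducible. Whether nginx starts cleanly as non-root depends on the `pid`/`user` directives in nginx.conf, which are outside this hunk, and `cargo` is presumably there to build `cryptography` from source — musllinux wheels may make it unnecessary, worth confirming against requirements.txt.
```dockerfile
FROM python:3.11-alpine AS build
RUN apk add --no-cache cargo gcc libffi-dev linux-headers musl-dev openssl-dev \
    && python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --upgrade pip wheel \
    && pip install --no-cache-dir -r requirements.txt

FROM python:3.11-alpine
# … unchanged: ENV block (PYTHONDONTWRITEBYTECODE, PYTHONUNBUFFERED, VIRTUAL_ENV, PATH, DEBUG) …
RUN apk add --no-cache bash ca-certificates libffi libsodium nginx openssl \
    && addgroup -S nginxgroup && adduser -S nginxuser -G nginxgroup \
    && mkdir -p /run/nginx /var/log/nginx /var/lib/nginx \
    && chown -R nginxuser:nginxgroup /run/nginx /var/log/nginx /var/lib/nginx
COPY --from=build /opt/venv /opt/venv
WORKDIR /app
# .env / *.secret must be excluded via .dockerignore; the find below cannot remove them from this layer
COPY --chown=nginxuser:nginxgroup . .
# … unchanged: collectstatic + find, default.conf removal, nginx.conf / entrypoint.sh copies …
USER nginxuser
EXPOSE 8080
```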
@@ -0,0 +1,45 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you believe you have found a security issue in this project, please **do not open a public issue**.
+
+Instead, report it privately using one of the contacts below:
+
+- **Email:** brunoriansouza@gmail.com
+
+Please include:
+
+* A brief description of the issue
+* Steps to reproduce (if possible)
+* Potential impact
+
+This is a **hobby project**. I will respond **as soon as possible**, but **no response time is guaranteed**.
+
+## Supported Versions
+
+Only the **latest version** of this project is supported.
+
+Older versions do not receive security updates.
+
+## Scope and Disclaimer
+
+This project is provided **as-is**, without any warranty or guarantee of security.
+
+The following are generally out of scope:
+
+- Issues caused by misconfiguration or improper deployment
+- Vulnerabilities in third-party services or dependencies
+- Denial-of-service attacks
+
+Users are responsible for deploying and running this software securely.
+
+## Responsible Disclosure
+
+Please:
+
+- Act in good faith
+- Avoid publicly disclosing vulnerabilities before a fix is available
+- Do not exploit issues beyond a proof of concept
+
+Thank you for helping keep this project safer.
diff --git a/docs/LICENSE.md b/docs/LICENSE.md
index fcd8c23..00ed468 100644
--- a/docs/LICENSE.md
+++ b/docs/LICENSE.md
@@ -1,6 +1,6 @@
 # GNU GENERAL PUBLIC LICENSE
-![Icon](./icon.png)
+![Icon](docs/icon.png)
 Version 3, 29 June 2007
@@ -674,4 +674,4 @@ program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first,
-please read .
\ No newline at end of file
+please read .
diff --git a/entrypoint.sh b/entrypoint.sh
index 0224bd2..7dfbecb 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,20 +1,10 @@
-#!/bin/bash
+#!/bin/sh
+set -e
-PORT=${PORT:-8080}
-
-sed -i "s/listen 8080;/listen $PORT;/" /etc/nginx/nginx.conf
-
-mkdir -p /run/nginx
-chown nginxuser:nginxgroup /run/nginx
-
-/opt/venv/bin/gunicorn \
+ /opt/venv/bin/gunicorn \
+ server.asgi:application \
 --bind 0.0.0.0:8000 \
- --workers 3 \
- --worker-class gthread \
- --threads 2 \
- --timeout 30 \
- server.wsgi &
-
-sleep 5
+ --workers 2 \
+ --worker-class uvicorn.workers.UvicornWorker &
 exec nginx -g "daemon off;"
diff --git a/nginx.conf b/nginx.conf
index 7158541..fa3dee5 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -24,27 +24,35 @@ http {
 server {
 listen 8080;
 server_name _;
-
+
 location ~* ^/(\.env|__debug__|debug|env|secrets) {
 deny all;
 return 403;
 }
 location / {
-proxy_pass http://localhost:8000;
+proxy_pass http://127.0.0.1:8000;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
-
+
 proxy_connect_timeout 15s;
 proxy_read_timeout 30s;
 proxy_send_timeout 30s;
 }
 server_tokens off;
+
 add_header X-Content-Type-Options "nosniff";
 add_header X-Frame-Options "DENY";
 add_header Referrer-Policy "same-origin";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Permissions-Policy "geolocation=()";
 }
 }
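Review bot: `--bind 0.0.0.0:8000` exposes gunicorn on every container interface although nginx only proxies to `127.0.0.1:8000`, so anything else on the container network can reach the app directly and bypass the `deny` location and response headers nginx adds; `--bind 127.0.0.1:8000` closes that path. `set -e` does not cover the backgrounded gunicorn: if it fails to start (wrong module path, `uvicorn` missing from requirements) the script still `exec`s nginx and the container stays up serving 502s, and because `exec` replaces the shell a SIGTERM delivered to nginx is never forwarded to gunicorn. Keeping the shell as the parent, trapping TERM/INT to signal both children and `wait`ing on them gives both processes a lifecycle; failing fast when one of them dies needs `wait -n` or an init/supervisor, which plain POSIX `sh` cannot do portably. The removed `$PORT` substitution also means nginx now always listens on 8080; if the hosting platform injects `PORT`, it has to be reflected in nginx.conf or reintroduced here.
```sh
/opt/venv/bin/gunicorn \
    server.asgi:application \
    --bind 127.0.0.1:8000 \
    --workers 2 \
    --worker-class uvicorn.workers.UvicornWorker &
GUNICORN_PID=$!

nginx -g "daemon off;" &
NGINX_PID=$!

# forward the container's stop signal to both children instead of only to nginx
trap 'kill -TERM "$GUNICORN_PID" "$NGINX_PID" 2>/dev/null' TERM INT
wait "$GUNICORN_PID" "$NGINX_PID"
```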
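Review bot: `proxy_set_header Connection "upgrade"` is sent on every proxied request, not only on WebSocket handshakes, so ordinary HTTP/1.1 requests reach uvicorn carrying `Connection: upgrade` with no `Upgrade` header; the standard form is a `map $http_upgrade $connection_upgrade` in the `http {}` block (which starts outside this hunk) plus `proxy_set_header Connection $connection_upgrade;`. The `add_header` lines only apply to 2xx/3xx responses unless `always` is given, so the 403 from the deny location and any 5xx from the upstream go out without `X-Frame-Options` and friends; append `always` to each. `X-XSS-Protection "1; mode=block"` is deprecated and the filter it enables has been abused to introduce cross-site leaks, so current guidance is `X-XSS-Protection "0"` (or dropping the header) rather than enabling it. Note also that nginx does not inherit server-level `add_header` into a `location` that sets its own `add_header`, so if a location-level header is ever added here the whole server-level set must be repeated in that location.
```nginx
# in the http {} block, before server {} (outside this hunk)
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
# … unchanged: server {, listen, server_name, deny location, proxy_pass, Upgrade header …
        proxy_set_header Connection $connection_upgrade;
# … unchanged: remaining proxy_set_header lines, timeouts, server_tokens …
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "same-origin" always;
    add_header X-XSS-Protection "0" always;
    add_header Permissions-Policy "geolocation=()" always;
```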