fix(web): trust XFF for real client IP and correct port to 23081
All checks were successful
CVE Scan & Docker Build / security-scan (push) Successful in 3m41s
Build & Deploy Docs / build-and-deploy (push) Successful in 1m9s
CVE Scan & Docker Build / build-and-push (push) Successful in 3m29s

- Configure nginx `set_real_ip_from` for RFC1918 ranges and enable
  `real_ip_recursive` so allowlists evaluate the true client IP
  instead of Docker's NAT gateway, preventing public exposure of
  `/metrics` and `/nginx_status`
- Update published port from 23181 to 23081 in docker-compose
2026-06-17 06:58:36 -04:00
parent ec4f12d601
commit 4dde063299
2 changed files with 15 additions and 2 deletions

@@ -377,7 +377,7 @@ services:
retries: 3
start_period: 60s
# ── Web: nginx reverse proxy, public port 23181 ────────────────────────────
# ── Web: nginx reverse proxy, public port 23081 ────────────────────────────
# No Django env — nginx only knows how to route. Public listener is
# templated into the conf file by Ansible if the port ever needs to change.
web:
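Review bot: The banner comment for `web` carries the published port as a literal, so it has to be kept in step by hand with the `ports:` entry further down, and the next comment line says the public listener is templated into the conf file by Ansible. Please confirm that the template (not visible in this diff) also carries 23081. Consider either dropping the number from the banner or driving both places from one Compose variable substitution (for example a `WEB_PORT` variable, name hypothetical), so the next port change is a single edit and the comment cannot go stale.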
@@ -390,7 +390,7 @@ services:
mcp:
condition: service_healthy
ports:
- "23181:80"
- "23081:80"
volumes:
- ./nginx/mnemosyne.conf:/etc/nginx/conf.d/default.conf:ro
- static:/var/www/static:ro
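Review bot: `- "23081:80"` has no host address, so Docker publishes it on every host interface, while the commit message says nginx was seeing Docker's NAT gateway as the peer. With `set_real_ip_from` covering the RFC1918 ranges, that gateway address would normally fall inside the trusted set, so the `/metrics` and `/nginx_status` allowlists now depend on an X-Forwarded-For header that is client-supplied unless a proxy in front of this port overwrites it. Suggest binding the mapping to the address the fronting proxy actually connects on (for example `127.0.0.1:23081:80` if that proxy runs on the same host), narrowing `set_real_ip_from` to that proxy's address rather than whole private ranges, and noting in the comment above which proxy is responsible for setting the header.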