From 4523e890234c0539a918ad5b246693c535408391 Mon Sep 17 00:00:00 2001
From: kamjin3086
Date: Thu, 2 Apr 2026 16:55:38 +0800
Subject: [PATCH] fix: bind Redis to 127.0.0.1 to prevent exposure in host network mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When running with network_mode: host (common for transparent proxy setups like daed), the bundled Redis server listens on 0.0.0.0 by default, exposing it to the entire network without authentication.

This change adds --bind 127.0.0.1 to the redis-server command, ensuring Redis is only accessible from localhost. The application already connects to Redis via localhost:6379, so this has zero impact on functionality.

Security impact:
- Prevents unauthenticated Redis access from external networks
- Critical for users deploying with network_mode: host
- No breaking changes — app connects to localhost regardless
---
 deploy/docker/supervisord.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/docker/supervisord.conf b/deploy/docker/supervisord.conf
index a1b994aa2..fe0975f89 100644
--- a/deploy/docker/supervisord.conf
+++ b/deploy/docker/supervisord.conf
@@ -4,7 +4,7 @@ logfile=/dev/null ; Log supervisord output to stdout/stderr
 logfile_maxbytes=0
 
 [program:redis]
-command=/usr/bin/redis-server --loglevel notice ; Path to redis-server on Alpine
+command=/usr/bin/redis-server --bind 127.0.0.1 --loglevel notice ; Bind to localhost only — prevents exposure when using network_mode: host
 user=appuser ; Run redis as our non-root user
 autorestart=true
 priority=10
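Review bot: `--bind 127.0.0.1` on the new command= line listens on the IPv4 loopback only, so the application's connection to `localhost:6379` now depends on that name resolving to 127.0.0.1 rather than ::1 inside the container; confirm that, or bind both loopbacks with `command=/usr/bin/redis-server --bind 127.0.0.1 -::1 --loglevel notice` if the bundled Redis supports the optional-address `-` prefix (a bare `::1` would abort startup where IPv6 is disabled on lo). Binding to loopback is the right fix but it is not isolation: under network_mode: host any process on the host, and any other host-network container, can still reach 127.0.0.1:6379 unauthenticated, so the inline comment's "prevents exposure" overstates it and a wording such as `; Loopback only - still reachable by other host-network processes; add --requirepass if that matters` is more accurate. The new comment also introduces a non-ASCII em dash into a file supervisord parses at startup; keeping it ASCII (`-`) avoids a decode failure under a non-UTF-8 locale.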