From af2a01b16987101bc87b82591b43c92d2406ca47 Mon Sep 17 00:00:00 2001
From: Olivier
Date: Sun, 17 May 2026 09:35:30 +0200
Subject: [PATCH] =?UTF-8?q?Ajout=20de=20BIND=5FADDRESS=20pour=20le=20d?= =?UTF-8?q?=C3=A9ploiement=20derri=C3=A8re=20un=20reverse-proxy=20distant?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Permet de restreindre l'écoute à l'interface réseau exposée au reverse-proxy, sans toucher aux interfaces non concernées (ex. loopback, interfaces LAN).

Co-Authored-By: Claude Sonnet 4.6
---
 .env.example | 12 ++++++++++++
 README.md | 1 +
 docker-compose.yml | 2 +-
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/.env.example b/.env.example
index fa58bbb..6ae9fec 100644
--- a/.env.example
+++ b/.env.example
@@ -34,6 +34,18 @@ INITIAL_ADMIN_PASSWORD=
 # ALLOWED_ORIGINS= (empty — disables CORS headers)
 ALLOWED_ORIGINS=*
 
+# ── Bind address ─────────────────────────────────────────────────────────────
+# IP address the application listens on (port 8080).
+# Default: 0.0.0.0 (all interfaces).
+# Set to the IP of the interface facing the reverse proxy when the reverse proxy
+# runs on a separate machine — avoids exposing the app on unintended interfaces.
+#
+# Examples:
+# BIND_ADDRESS=0.0.0.0 (default — all interfaces)
+# BIND_ADDRESS=192.168.1.10 (LAN interface only)
+# BIND_ADDRESS=127.0.0.1 (loopback — reverse proxy on the same host)
+BIND_ADDRESS=0.0.0.0
+
 # ── Container user IDs ───────────────────────────────────────────────────────
 # UID and GID used to run the backend process inside the container.
 # Must match the host user owning ./db_data/ to allow read/write on the
diff --git a/README.md b/README.md
index e59eee4..3caa4de 100644
--- a/README.md
+++ b/README.md
@@ -70,6 +70,7 @@ All configuration is via environment variables. See `.env.example` for the full
 | `SECRET_KEY` | auto-generated | JWT signing key. Set explicitly in production. |
 | `INITIAL_ADMIN_PASSWORD` | _(empty)_ | Bootstrap admin password. If unset, `admin/admin` is used with forced change. |
 | `ALLOWED_ORIGINS` | `*` | CORS allowed origins (comma-separated). Set to your domain in production. |
+| `BIND_ADDRESS` | `0.0.0.0` | IP address to listen on. Set to the interface facing the reverse proxy. |
 | `DOCKER_UID` / `DOCKER_GID` | `1000` | UID/GID for the backend process. Must match the host user owning `./db_data/`. |
 
 ### Using .env with Docker Compose
diff --git a/docker-compose.yml b/docker-compose.yml
index 29e72ac..babb03e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -43,7 +43,7 @@ services:
 frontend:
 build: ./frontend
 ports:
- - "8080:8080"
+ - "${BIND_ADDRESS:-0.0.0.0}:8080:8080"
 cap_drop:
 - ALL
 security_opt:
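Review bot: The fallback in the new `ports:` entry, `${BIND_ADDRESS:-0.0.0.0}`, keeps port 8080 published on every host interface whenever the variable is unset, so the restriction is opt-in and an existing deployment gains nothing until `.env` is edited. Docker normally installs its own packet-filter rules for published ports, and these commonly take effect ahead of host firewall front-ends such as ufw, so the bind address is likely the only control keeping the frontend off unintended interfaces. I would add a comment above the entry: `# Host IP for the published port; defaults to all interfaces. Set BIND_ADDRESS when a reverse proxy fronts this service.` The `.env.example` hunk describes the variable as the address "the application listens on", but it only selects the host-side address Docker publishes on and the process inside the container is unaffected; `# Host IP address on which Docker publishes port 8080.` would be accurate. Its examples should also mention that an IPv6 value has to be bracketed in this short port syntax (for example `[::1]`); the `frontend` service definition continues past the end of the hunk.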