Ajout de BIND_ADDRESS pour le déploiement derrière un reverse-proxy distant
Permet de restreindre l'écoute à l'interface réseau exposée au reverse-proxy, sans toucher aux interfaces non concernées (ex. loopback, interfaces LAN). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -34,6 +34,18 @@ INITIAL_ADMIN_PASSWORD=
|
|||||||
# ALLOWED_ORIGINS= (empty — disables CORS headers)
|
# ALLOWED_ORIGINS= (empty — disables CORS headers)
|
||||||
ALLOWED_ORIGINS=*
|
ALLOWED_ORIGINS=*
|
||||||
|
|
||||||
|
# ── Bind address ─────────────────────────────────────────────────────────────
|
||||||
|
# IP address the application listens on (port 8080).
|
||||||
|
# Default: 0.0.0.0 (all interfaces).
|
||||||
|
# Set to the IP of the interface facing the reverse proxy when the reverse proxy
|
||||||
|
# runs on a separate machine — avoids exposing the app on unintended interfaces.
|
||||||
|
#
|
||||||
|
# Examples:
|
||||||
|
# BIND_ADDRESS=0.0.0.0 (default — all interfaces)
|
||||||
|
# BIND_ADDRESS=192.168.1.10 (LAN interface only)
|
||||||
|
# BIND_ADDRESS=127.0.0.1 (loopback — reverse proxy on the same host)
|
||||||
|
BIND_ADDRESS=0.0.0.0
|
||||||
|
|
||||||
# ── Container user IDs ───────────────────────────────────────────────────────
|
# ── Container user IDs ───────────────────────────────────────────────────────
|
||||||
# UID and GID used to run the backend process inside the container.
|
# UID and GID used to run the backend process inside the container.
|
||||||
# Must match the host user owning ./db_data/ to allow read/write on the
|
# Must match the host user owning ./db_data/ to allow read/write on the
|
||||||
|
|||||||
@@ -70,6 +70,7 @@ All configuration is via environment variables. See `.env.example` for the full
|
|||||||
| `SECRET_KEY` | auto-generated | JWT signing key. Set explicitly in production. |
|
| `SECRET_KEY` | auto-generated | JWT signing key. Set explicitly in production. |
|
||||||
| `INITIAL_ADMIN_PASSWORD` | _(empty)_ | Bootstrap admin password. If unset, `admin/admin` is used with forced change. |
|
| `INITIAL_ADMIN_PASSWORD` | _(empty)_ | Bootstrap admin password. If unset, `admin/admin` is used with forced change. |
|
||||||
| `ALLOWED_ORIGINS` | `*` | CORS allowed origins (comma-separated). Set to your domain in production. |
|
| `ALLOWED_ORIGINS` | `*` | CORS allowed origins (comma-separated). Set to your domain in production. |
|
||||||
|
| `BIND_ADDRESS` | `0.0.0.0` | IP address to listen on. Set to the interface facing the reverse proxy. |
|
||||||
| `DOCKER_UID` / `DOCKER_GID` | `1000` | UID/GID for the backend process. Must match the host user owning `./db_data/`. |
|
| `DOCKER_UID` / `DOCKER_GID` | `1000` | UID/GID for the backend process. Must match the host user owning `./db_data/`. |
|
||||||
|
|
||||||
### Using .env with Docker Compose
|
### Using .env with Docker Compose
|
||||||
|
|||||||
+1
-1
@@ -43,7 +43,7 @@ services:
|
|||||||
frontend:
|
frontend:
|
||||||
build: ./frontend
|
build: ./frontend
|
||||||
ports:
|
ports:
|
||||||
- "8080:8080"
|
- "${BIND_ADDRESS:-0.0.0.0}:8080:8080"
|
||||||
cap_drop:
|
cap_drop:
|
||||||
- ALL
|
- ALL
|
||||||
security_opt:
|
security_opt:
|
||||||
|
|||||||
Reference in New Issue
Block a user