Harden Uptime Kuma Docker configuration with security best practices

- Switch to rootless image (2.0.2-rootless) for non-root execution
- Add security hardening: no-new-privileges and drop all capabilities
- Fix router name bug (traefik-dashboardraefik-dashboard → uptime-kuma)
- Add security headers middleware (XSS, frame options, content-type)
- Implement healthcheck for container monitoring
- Configure log rotation (10M max, 3 files)
- Set resource limits (512M RAM, 0.5 CPU)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
BeauTroll
2025-12-22 19:45:09 +01:00
parent 8c7e99fa64
commit fe981e05bc


@@ -1,18 +1,46 @@
services: services:
uptime-kuma: uptime-kuma:
image: louislam/uptime-kuma:latest image: louislam/uptime-kuma:2.0.2-rootless
container_name: uptime-kuma container_name: uptime-kuma
restart: unless-stopped restart: unless-stopped
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
networks: networks:
- traefik-net - traefik-net
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.traefik-dashboardraefik-dashboard.rule=Host(`${DOMAIN}`)" - "traefik.http.routers.uptime-kuma.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.traefik-dashboardraefik-dashboard.entrypoints=websecure" - "traefik.http.routers.uptime-kuma.entrypoints=websecure"
- "traefik.http.routers.traefik-dashboardraefik-dashboard.tls.certresolver=letsencrypt" - "traefik.http.routers.uptime-kuma.tls.certresolver=letsencrypt"
- "traefik.http.services.uptime-backend.loadbalancer.server.port=3001" - "traefik.http.services.uptime-backend.loadbalancer.server.port=3001"
- "traefik.http.middlewares.uptime-security.headers.customFrameOptionsValue=SAMEORIGIN"
- "traefik.http.middlewares.uptime-security.headers.contentTypeNosniff=true"
- "traefik.http.middlewares.uptime-security.headers.browserXssFilter=true"
- "traefik.http.middlewares.uptime-security.headers.referrerPolicy=strict-origin-when-cross-origin"
- "traefik.http.routers.uptime-kuma.middlewares=uptime-security"
volumes: volumes:
- ./data:/app/data - ./data:/app/data
healthcheck:
test: ["CMD-SHELL", "curl -f http://localhost:3001 || exit 1"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
deploy:
resources:
limits:
cpus: "0.5"
memory: 512M
reservations:
cpus: "0.25"
memory: 256M
networks: networks:
traefik-net: traefik-net:
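Review bot: Switching to the rootless image while keeping the `./data:/app/data` bind mount is the line most likely to break at first start: the container now runs as a non-root uid, so a data directory created by the previous root-running `latest` image (or freshly created by Docker as root) will not be writable and the app will fail to open its database. I would add `# ./data must be owned by the uid the rootless image runs as; chown it before first start when migrating from the root image` above the volume entry so the requirement is visible in the file. The custom `healthcheck` also replaces the image's built-in one with a 40s `start_period`, which is presumably shorter than upstream's and may mark the container unhealthy during the 2.x database migration on first boot; if `curl` is not present in this image variant the check fails unconditionally, so verify both against the image. Since the router is only exposed on `websecure`, the `uptime-security` middleware could additionally send HSTS, e.g. `- "traefik.http.middlewares.uptime-security.headers.stsSeconds=31536000"`, whereas `browserXssFilter` sets a header modern browsers ignore and adds little.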