feat: 添加 frontend 容器安全配置

2026-06-15 00:44:30 +08:00 · 2026-02-01 20:18:20 +08:00
parent 336a586679
commit 2acc8e99f7
1 changed files with 18 additions and 2 deletions
@@ -1,5 +1,3 @@
-
-
 services:
  # MySQL 数据库
  mysql:
@@ -65,6 +63,24 @@ services:
    networks:
      - ai-cs-network
    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_BIND_SERVICE
+    read_only: true  # 只读文件系统（防止写入恶意文件）
+    tmpfs:
+      - /tmp
+      - /var/tmp
+      - /app/.next/cache  # Next.js 需要缓存目录
+    resources:
+      limits:
+        cpus: '2.0'
+        memory: 2G
+      reservations:
+        cpus: '0.5'
+        memory: 512M

 volumes:
  mysql_data: