admin/meijiaka-zy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
154b259c829bc4a1f42d80d375b3a09c43d90adf
meijiaka-zy/python-api/docker-compose.test.yml
T
小鱼开发 95e55293c6 security: 全面生产安全加固与部署修复 
后端安全:
- DEBUG 默认 True → False
- 彻底移除 AUTH_BYPASS 认证绕过
- 验证码不再明文打印到日志
- 上传接口增加大小限制(500MB/20MB/100MB)与魔数校验
- python-jose → PyJWT, 更新 requirements.lock/uv.lock
- Bandit 恢复关键规则(B104/B301/B305/B314/B324/B603/B607)
- 修复 5 处 try_except_pass, 15 处加 nosec 注释
- 启用 Bandit pre-commit 钩子

前端安全:
- 配置完整 CSP 策略
- 收紧 Capabilities(fs:allow-read-file → $RESOURCE/**)
- 移除硬编码 devToken
- 清理前端 TODO(美家卡智影命名统一)

部署修复:
- docker-compose.prod 增加 alembic 迁移步骤
- api + scheduler 增加 Redis 心跳健康检查
- Nginx 添加安全响应头
- Nginx client_max_body_size 100M → 500M
- .env.example 补充 UPLOAD_MAX_* 配置与安全注释

其他:
- /voice/upload 合并到 /upload/audio
- Rust 上传增加文件大小检查
- 清理 Rust 19 处 println! + 前端 21 处 console.info
- 修复 VideoCompose.tsx toast 未导入(已有bug)
2026-05-10 23:31:34 +08:00

98 lines
2.4 KiB
YAML
Raw Blame History

# 美家卡智影 - 测试服部署配置
# ==============================
# 用法:
# docker-compose -f docker-compose.test.yml up -d --build
#
# 包含: PostgreSQL + Redis + API + Scheduler
# 独立运行,不依赖外部网络或服务
services:
db:
image: postgres:15-alpine
container_name: meijiaka-zy-db
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: meijiaka_zy
volumes:
- /opt/meijiaka-zy/data/postgres:/var/lib/postgresql/data
ports:
- "127.0.0.1:5432:5432"
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres"]
interval: 5s
timeout: 5s
retries: 5
networks:
- meijiaka-zy
redis:
image: redis:7-alpine
container_name: meijiaka-zy-redis
volumes:
- /opt/meijiaka-zy/data/redis:/data
ports:
- "127.0.0.1:6379:6379"
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 5s
timeout: 5s
retries: 5
networks:
- meijiaka-zy
api:
build:
context: .
dockerfile: Dockerfile
container_name: meijiaka-zy-api
env_file: .env
environment:
TZ: Asia/Shanghai
ports:
- "8081:8000"
depends_on:
db:
condition: service_healthy
redis:
condition: service_healthy
command: >
sh -c "alembic upgrade head && uvicorn app.main:app --host 0.0.0.0 --port 8000"
networks:
- meijiaka-zy
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "python -c \"import urllib.request; urllib.request.urlopen('http://localhost:8000/health')\""]
interval: 30s
timeout: 10s
retries: 3
start_period: 10s
scheduler:
build:
context: .
dockerfile: Dockerfile
container_name: meijiaka-zy-scheduler
env_file: .env
environment:
TZ: Asia/Shanghai
depends_on:
db:
condition: service_healthy
redis:
condition: service_healthy
command: python -m app.scheduler.main
networks:
- meijiaka-zy
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "python -c \"import asyncio, time; from app.core.redis_client import get_redis_client; r=get_redis_client(); t=asyncio.run(r.get('scheduler:heartbeat')); t=float(t) if t else 0; assert t>0 and time.time()-t<30, 'scheduler heartbeat stale'\""]
interval: 30s
timeout: 10s
retries: 3
start_period: 30s
networks:
meijiaka-zy:
driver: bridge
Reference in New Issue View Git Blame Copy Permalink