From 8e9ee1d38b8b2dfcaddac8d8227a8e0da1ed3a65 Mon Sep 17 00:00:00 2001 From: hailin Date: Thu, 19 Feb 2026 20:34:24 -0800 Subject: [PATCH] =?UTF-8?q?fix(docker):=20=E7=AB=AF=E5=8F=A3=E9=81=BF?= =?UTF-8?q?=E8=AE=A9=20+=20admin-service=E4=BE=9D=E8=B5=96=E4=BF=AE?= =?UTF-8?q?=E5=A4=8D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 所有端口改为不冲突范围: 基础设施4xxxx, 服务4xxx - admin-service添加adbkit-apkreader/unzipper/bplist-parser依赖 - 修复Platform类型推断 Co-Authored-By: Claude Opus 4.6 --- backend/docker-compose.yml | 53 +++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 30 deletions(-) diff --git a/backend/docker-compose.yml b/backend/docker-compose.yml index 21625cf..4e7b4cc 100644 --- a/backend/docker-compose.yml +++ b/backend/docker-compose.yml @@ -13,8 +13,7 @@ services: POSTGRES_PASSWORD: genex_dev_password POSTGRES_DB: genex ports: - # 安全加固: 仅绑定 127.0.0.1, 禁止公网直连数据库 - - "127.0.0.1:5432:5432" + - "127.0.0.1:45432:5432" volumes: - postgres_data:/var/lib/postgresql/data - ./migrations:/docker-entrypoint-initdb.d @@ -44,8 +43,7 @@ services: image: redis:7-alpine container_name: genex-redis ports: - # 安全加固: 仅绑定 127.0.0.1, Redis 无密码保护, 暴露公网极易被利用 - - "127.0.0.1:6379:6379" + - "127.0.0.1:46379:6379" volumes: - redis_data:/data command: redis-server --appendonly yes @@ -68,7 +66,7 @@ services: KAFKA_CONTROLLER_QUORUM_VOTERS: 1@kafka:9093 KAFKA_CONTROLLER_LISTENER_NAMES: CONTROLLER KAFKA_LISTENERS: PLAINTEXT://0.0.0.0:9092,CONTROLLER://0.0.0.0:9093,PLAINTEXT_HOST://0.0.0.0:29092 - KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:9092,PLAINTEXT_HOST://localhost:29092 + KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:9092,PLAINTEXT_HOST://localhost:49092 KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,CONTROLLER:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT KAFKA_INTER_BROKER_LISTENER_NAME: PLAINTEXT KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1 @@ -78,9 +76,8 @@ services: KAFKA_LOG_DIRS: /var/lib/kafka/data CLUSTER_ID: "genex-kafka-cluster-001" ports: - - "9092:9092" - # 安全加固: 外部访问端口仅绑定 127.0.0.1 - - "127.0.0.1:29092:29092" + - "127.0.0.1:49092:9092" + - "127.0.0.1:49093:29092" volumes: - kafka_data:/var/lib/kafka/data healthcheck: @@ -100,9 +97,8 @@ services: MINIO_ROOT_USER: genex-admin MINIO_ROOT_PASSWORD: genex-minio-secret ports: - - "9000:9000" # S3 API - # 安全加固: MinIO Console 仅绑定 127.0.0.1, 带默认密码暴露公网极其危险 - - "127.0.0.1:9001:9001" # Console UI + - "127.0.0.1:49000:9000" # S3 API + - "127.0.0.1:49001:9001" # Console UI volumes: - minio_data:/data command: server /data --console-address ":9001" @@ -157,9 +153,7 @@ services: OFFSET_FLUSH_INTERVAL_MS: 10000 OFFSET_FLUSH_TIMEOUT_MS: 5000 ports: - # 安全加固: 仅绑定 127.0.0.1, 禁止公网访问 Kafka Connect REST API - # 暴露公网会导致 SSRF 攻击 (恶意注入 connector 读取 /etc/passwd 等) - - "127.0.0.1:8083:8083" + - "127.0.0.1:48083:8083" depends_on: kafka: condition: service_healthy @@ -183,9 +177,8 @@ services: KONG_ADMIN_LISTEN: 0.0.0.0:8001 KONG_PROXY_LISTEN: 0.0.0.0:8080 ports: - - "8080:8080" # Proxy (frontend connects here) - # 安全加固: Kong Admin API 仅绑定 127.0.0.1, 暴露公网可被用于篡改路由规则 - - "127.0.0.1:8001:8001" # Admin API + - "48080:8080" # Proxy (frontend connects here) + - "127.0.0.1:48001:8001" # Admin API volumes: - ./kong/kong.yml:/etc/kong/kong.yml:ro healthcheck: @@ -198,7 +191,7 @@ services: - genex-network # ============================================================ - # NestJS Services (5) + # NestJS Services (9) # ============================================================ user-service: @@ -207,7 +200,7 @@ services: dockerfile: services/user-service/Dockerfile container_name: genex-user-service ports: - - "3001:3001" + - "4001:3001" environment: - NODE_ENV=development - PORT=3001 @@ -239,7 +232,7 @@ services: dockerfile: services/issuer-service/Dockerfile container_name: genex-issuer-service ports: - - "3002:3002" + - "4002:3002" environment: - NODE_ENV=development - PORT=3002 @@ -268,7 +261,7 @@ services: dockerfile: services/clearing-service/Dockerfile container_name: genex-clearing-service ports: - - "3004:3004" + - "4004:3004" environment: - NODE_ENV=development - PORT=3004 @@ -293,7 +286,7 @@ services: dockerfile: services/compliance-service/Dockerfile container_name: genex-compliance-service ports: - - "3005:3005" + - "4005:3005" environment: - NODE_ENV=development - PORT=3005 @@ -318,7 +311,7 @@ services: dockerfile: services/notification-service/Dockerfile container_name: genex-notification-service ports: - - "3008:3008" + - "4008:3008" environment: - NODE_ENV=development - PORT=3008 @@ -346,7 +339,7 @@ services: dockerfile: services/telemetry-service/Dockerfile container_name: genex-telemetry-service ports: - - "3011:3011" + - "4011:3011" environment: - NODE_ENV=development - PORT=3011 @@ -380,7 +373,7 @@ services: dockerfile: services/admin-service/Dockerfile container_name: genex-admin-service ports: - - "3012:3012" + - "4012:3012" environment: - NODE_ENV=development - PORT=3012 @@ -414,7 +407,7 @@ services: dockerfile: Dockerfile container_name: genex-trading-service ports: - - "3003:3003" + - "4003:3003" environment: - PORT=3003 - DB_HOST=postgres @@ -442,7 +435,7 @@ services: dockerfile: Dockerfile container_name: genex-translate-service ports: - - "3007:3007" + - "4007:3007" environment: - PORT=3007 - DB_HOST=postgres @@ -467,7 +460,7 @@ services: dockerfile: Dockerfile container_name: genex-chain-indexer ports: - - "3009:3009" + - "4009:3009" environment: - PORT=3009 - KAFKA_BROKERS=kafka:9092 @@ -488,7 +481,7 @@ services: dockerfile: services/auth-service/Dockerfile container_name: genex-auth-service ports: - - "3010:3010" + - "4010:3010" environment: - NODE_ENV=development - PORT=3010 @@ -525,7 +518,7 @@ services: dockerfile: services/ai-service/Dockerfile container_name: genex-ai-service ports: - - "3006:3006" + - "4006:3006" environment: - NODE_ENV=development - PORT=3006