From 0a07c61ca32e997e0478decf993811154b31c63e Mon Sep 17 00:00:00 2001
From: olsch01
Date: Tue, 3 Mar 2026 14:52:09 -0500
Subject: [PATCH] perf: remove unnecessary postgres/redis host port mappings in production
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Backend reaches postgres and redis over the Docker network (hoanet), so host port mappings are unnecessary. Removing them eliminates 4 docker-proxy processes and closes 0.0.0.0:5432 and 0.0.0.0:6379 which were publicly reachable — a security and performance fix.
Co-Authored-By: Claude Opus 4.6
---
 docker-compose.prod.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 1550a01..2fb62c0 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -77,6 +77,9 @@ services:
 -c checkpoint_completion_target=0.9
 -c wal_buffers=16MB
 -c random_page_cost=1.1
+ # No host port mapping — backend reaches postgres via the Docker network.
+ # Removes 2 docker-proxy processes and closes 0.0.0.0:5432 to the internet.
+ ports: []
 deploy:
 resources:
 limits:
@@ -86,4 +89,7 @@ services:
 restart: unless-stopped
 redis:
+ # No host port mapping — backend reaches redis via the Docker network.
+ # Removes 2 docker-proxy processes and closes 0.0.0.0:6379 to the internet.
+ ports: []
 restart: unless-stopped
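Review bot: `ports: []` under postgres (and the identical line in the redis hunk) probably does not unpublish anything if this file is layered over a base compose file, which the 6-insertions/0-deletions shape of the patch suggests. Compose merges sequence fields such as `ports` by appending, so an empty list in the override leaves the base file's mappings in place and 5432/6379 would stay bound on the host. To drop the inherited entries, write `ports: !reset []` on a Compose version that supports the tag, or delete the mappings from the base file itself. Before relying on the commit message's claim, confirm with `docker compose -f <base-file> -f docker-compose.prod.yml config` that neither service renders a `ports` entry and that nothing is listening on those ports on the host after redeploy.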