Skip to content

fix(docker): fix docker-compose startup failures for fresh installs #2422

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
enginer wants to merge 1 commit into
base: main
Choose a base branch
from
+61 −9
Open

fix(docker): fix docker-compose startup failures for fresh installs #2422

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion .env.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,13 @@ DEL_INSTANCE=false

# Provider: postgresql | mysql | psql_bouncer
DATABASE_PROVIDER=postgresql
DATABASE_CONNECTION_URI='postgresql://user:pass@postgres:5432/evolution_db?schema=evolution_api'
DATABASE_CONNECTION_URI='postgresql://user:pass@evolution-postgres:5432/evolution_db?schema=evolution_api'

# Postgres container settings (used by docker-compose)
POSTGRES_DATABASE=evolution_db
POSTGRES_USERNAME=user
POSTGRES_PASSWORD=pass

# Client name for the database connection
# It is used to separate an API installation from another that uses the same database.
DATABASE_CONNECTION_CLIENT_NAME=evolution_exchange
Expand Down
11 changes: 3 additions & 8 deletions docker-compose.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,6 @@ services:
- evolution_instances:/evolution/instances
networks:
- evolution-net
- dokploy-network
env_file:
- .env
expose:
Expand All @@ -26,6 +25,8 @@ services:
restart: always
ports:
- "3000:80"
volumes:
- ./nginx.conf:/etc/nginx/conf.d/nginx.conf:ro
networks:
- evolution-net

Expand All @@ -41,9 +42,6 @@ services:
evolution-net:
aliases:
- evolution-redis
dokploy-network:
aliases:
- evolution-redis
expose:
- "6379"

Expand All @@ -67,7 +65,6 @@ services:
- postgres_data:/var/lib/postgresql/data
networks:
- evolution-net
- dokploy-network
expose:
- "5432"

Expand All @@ -79,6 +76,4 @@ volumes:
networks:
evolution-net:
name: evolution-net
driver: bridge
dokploy-network:
external: true
driver: bridge
51 changes: 51 additions & 0 deletions nginx.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
server {
listen 80;
server_name localhost;
root /usr/share/nginx/html;
index index.html;

# Gzip compression
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_proxied expired no-cache no-store private auth;
gzip_types
text/plain
text/css
text/xml
text/javascript
application/javascript
application/xml+rss
application/json;

# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
Copy link
Contributor

@sourcery-ai sourcery-ai bot Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 issue (security): CSP includes unsafe-inline, which largely defeats the protection CSP is meant to provide.

In default-src, this effectively disables CSP protections and leaves any injection point exploitable. Please tighten this by using nonces or hashes for required inline scripts/styles and removing unsafe-inline, or at minimum restrict it to script-src/style-src with a documented justification.

Comment on lines +21 to +26
Copy link
Contributor

@sourcery-ai sourcery-ai bot Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 suggestion (security): X-XSS-Protection is deprecated and can be removed in favor of relying on CSP.

Since most browsers now ignore this header and it can behave unpredictably in older ones, relying on your existing CSP is preferable and keeps the security configuration clearer and more accurate.

Suggested change
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;


# Handle client routing
location / {
try_files $uri $uri/ /index.html;
}

# Cache static assets
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}

# Cache HTML files for a shorter period
location ~* \.html$ {
expires 1h;
add_header Cache-Control "public";
}

# Health check endpoint
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
}