forked from username/flaskpaste
8f9868f0d9
Features: - REST API for text/binary pastes with MIME detection - Client certificate auth via X-SSL-Client-SHA1 header - SQLite with WAL mode for concurrent access - Automatic paste expiry with LRU cleanup Security: - HSTS, CSP, X-Frame-Options, X-Content-Type-Options - Cache-Control: no-store for sensitive responses - X-Request-ID tracing for log correlation - X-Proxy-Secret validation for defense-in-depth - Parameterized queries, input validation - Size limits (3 MiB anon, 50 MiB auth) Includes /health endpoint, container support, and 70 tests.
44 lines
1.1 KiB
Docker
44 lines
1.1 KiB
Docker
# FlaskPaste Container Image
|
|
# Build: podman build -t flaskpaste .
|
|
# Run: podman run -d -p 5000:5000 -v flaskpaste-data:/app/data flaskpaste
|
|
|
|
FROM python:3.11-slim
|
|
|
|
LABEL maintainer="FlaskPaste"
|
|
LABEL description="Lightweight secure pastebin REST API"
|
|
|
|
# Create non-root user
|
|
RUN groupadd -r flaskpaste && useradd -r -g flaskpaste flaskpaste
|
|
|
|
# Set working directory
|
|
WORKDIR /app
|
|
|
|
# Install dependencies first (cache layer)
|
|
COPY requirements.txt .
|
|
RUN pip install --no-cache-dir -r requirements.txt gunicorn
|
|
|
|
# Copy application code
|
|
COPY app/ ./app/
|
|
COPY wsgi.py .
|
|
|
|
# Create data directory
|
|
RUN mkdir -p /app/data && chown -R flaskpaste:flaskpaste /app
|
|
|
|
# Switch to non-root user
|
|
USER flaskpaste
|
|
|
|
# Environment defaults
|
|
ENV FLASK_ENV=production
|
|
ENV FLASKPASTE_DB=/app/data/pastes.db
|
|
ENV PYTHONUNBUFFERED=1
|
|
|
|
# Expose port
|
|
EXPOSE 5000
|
|
|
|
# Health check
|
|
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
|
|
CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:5000/health')" || exit 1
|
|
|
|
# Run with gunicorn
|
|
CMD ["gunicorn", "--bind", "0.0.0.0:5000", "--workers", "2", "--access-logfile", "-", "wsgi:application"]
|