From e13724a8be0b23374293430ea3e203c3e1680275 Mon Sep 17 00:00:00 2001 From: y9938 Date: Sat, 21 Mar 2026 03:39:34 +0300 Subject: [PATCH] build(docker): optimize image size and security - add mysql client binaries for database operations - reduce php extensions to production essentials - bind mysql and phpmyadmin to localhost only - replace php-fpm.conf with php.ini for upload limits --- .dockerignore | 2 +- compose.yaml | 7 ++++--- docker/Dockerfile | 16 +++++++++++----- docker/php.ini | 2 ++ 4 files changed, 18 insertions(+), 9 deletions(-) create mode 100644 docker/php.ini diff --git a/.dockerignore b/.dockerignore index 32ce416..c063c5a 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,3 +1,3 @@ * !docker/entrypoint.sh -!docker/php-fpm.conf +!docker/php.ini diff --git a/compose.yaml b/compose.yaml index 9802b0f..e0ccb00 100644 --- a/compose.yaml +++ b/compose.yaml @@ -26,11 +26,10 @@ services: volumes: - ./:/var/www - mysql: image: mysql:8.0 ports: - - "${DB_PORT:-3306}:3306" + - "127.0.0.1:${DB_PORT:-3306}:3306" environment: - MYSQL_DATABASE=${DB_DATABASE} - MYSQL_USER=${DB_USERNAME} @@ -44,9 +43,11 @@ services: image: phpmyadmin:latest restart: unless-stopped ports: - - "8080:80" + - "127.0.0.1:8080:80" environment: - PMA_HOST=mysql + - PMA_USER=root + - PMA_PASSWORD=${DB_ROOT_PASSWORD} - PMA_PORT=${DB_PORT:-3306} - UPLOAD_LIMIT=100M depends_on: diff --git a/docker/Dockerfile b/docker/Dockerfile index 9612359..0311dd7 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
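Review bot: In the phpmyadmin hunk of compose.yaml, the added `PMA_USER=root` and `PMA_PASSWORD=${DB_ROOT_PASSWORD}` switch phpMyAdmin to its config authentication mode, so the UI opens an already-authenticated root session with no login prompt. The `127.0.0.1:8080:80` bind keeps the port off external interfaces, but any local user or process on the host that can reach it then has full control of the database, and the root password becomes readable from the container environment. I would drop both lines so the login form stays. If auto-login is wanted for development, use the application account instead, e.g. `PMA_USER=${DB_USERNAME}` with its matching password variable. Separately, the context line `PMA_PORT=${DB_PORT:-3306}` reuses the host-published port for the in-network connection to `mysql`, whose container port is 3306 per the `ports` mapping, so a non-default DB_PORT would likely break that connection.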
@@ -1,11 +1,15 @@ +FROM mysql:8.0 AS mysql + FROM php:8.3-fpm +COPY --from=mysql /usr/bin/mysql /usr/bin/mysql +COPY --from=mysql /usr/bin/mysqldump /usr/bin/mysqldump + RUN apt-get update && apt-get install -y --no-install-recommends \ - libpng-dev libonig-dev libxml2-dev libzip-dev \ - zip unzip git gosu \ - netcat-traditional \ -&& docker-php-ext-install pdo_mysql mbstring exif pcntl bcmath gd zip \ -&& apt-get clean && rm -rf /var/lib/apt/lists/* + libonig-dev libicu-dev \ + gosu netcat-traditional \ + && docker-php-ext-install pdo_mysql mbstring intl \ + && apt-get clean && rm -rf /var/lib/apt/lists/* COPY --from=composer:latest /usr/bin/composer /usr/bin/composer @@ -26,6 +30,8 @@ RUN if getent group ${GID}; then \ RUN sed -i "s/user = www-data/user = www/g" /usr/local/etc/php-fpm.d/www.conf && \ sed -i "s/group = www-data/group = $group_name/g" /usr/local/etc/php-fpm.d/www.conf +COPY --chmod=644 ./docker/php.ini /usr/local/etc/php/conf.d/laravel.ini + COPY ./docker/entrypoint.sh /usr/local/bin/ RUN chmod +x /usr/local/bin/entrypoint.sh diff --git a/docker/php.ini b/docker/php.ini new file mode 100644 index 0000000..4b370d1 --- /dev/null +++ b/docker/php.ini @@ -0,0 +1,2 @@ +post_max_size = 20M +upload_max_filesize = 20M
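Review bot: The two `COPY --from=mysql` lines in the first Dockerfile hunk bring `mysql` and `mysqldump` from `mysql:8.0` into `php:8.3-fpm` without checking that the binaries load there. As far as I know the two images are not built on the same base distribution, so the shared libraries the client links against may be missing or at a different version. A check right after the copies, `RUN mysql --version && mysqldump --version`, would make the build fail rather than the first database operation at runtime. Both `FROM` lines and the `composer:latest` context line use floating tags, so the copied binaries change with every upstream push; pinning by digest (`FROM mysql:8.0@sha256:<digest>`) would make them reproducible. The same RUN drops `unzip`, `git` and the `zip` extension while Composer is still copied in, so if `composer install` runs in this image (not visible in this hunk) it will probably be unable to unpack dist archives.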
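Review bot: The `laravel.ini` drop-in added in the second Dockerfile hunk only sets upload limits, and nothing in the visible hunks installs a base php.ini. Unless the Dockerfile does that outside this hunk, the image runs with PHP's built-in defaults rather than the production settings the official image ships as `php.ini-production`. For a commit titled as a security improvement I would add `RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"` before this COPY, which turns off `display_errors` among other things. As a style point, the new line uses `COPY --chmod=644` while the entrypoint below is still copied and then made executable in a separate RUN; `COPY --chmod=755 ./docker/entrypoint.sh /usr/local/bin/` would be consistent and save a layer.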