Production Hardening

The default TracePcap configuration is optimised for quick local testing. Before exposing the application to a wider audience, follow these steps.

Change Default Credentials

MinIO:

In docker-compose.yml, change:

MINIO_ROOT_USER: minioadmin
MINIO_ROOT_PASSWORD: minioadmin

to strong, unique credentials. Update any references in the backend service environment as well.

PostgreSQL:

Change POSTGRES_PASSWORD to a strong password and update the backend’s SPRING_DATASOURCE_PASSWORD to match.

Add an Authentication Layer

TracePcap has no built-in user authentication. For multi-user or internet-facing deployments, place an authentication layer in front of nginx:

  • OAuth2 / OIDC proxy — e.g. oauth2-proxy in front of nginx.

  • Basic auth — configure nginx auth_basic with an .htpasswd file.

  • VPN / firewall — restrict access to trusted IP ranges at the network level.

Configure SSL/TLS

By default nginx serves HTTP. For production, terminate TLS at the nginx layer:

  1. Obtain a certificate (e.g. from your internal CA or Let’s Encrypt on an internet-connected machine).

  2. Mount the certificate and key into the nginx container.

  3. Update nginx/nginx.conf to add an HTTPS server block and redirect HTTP to HTTPS.

Adjust Upload Limits

Set MAX_UPLOAD_SIZE_BYTES in .env to a value appropriate for your storage capacity and user needs:

MAX_UPLOAD_SIZE_BYTES=1073741824  # 1 GB

Configure LLM Privacy

If you use AI features, ensure LLM_API_BASE_URL points to a locally-hosted model. Do not configure a cloud API endpoint if your PCAP data is sensitive.

Restrict MinIO Console Access

The MinIO console is exposed on port 9001 by default. Remove or restrict this port in docker-compose.yml for production:

# Comment out or remove:
# ports:
#   - "9001:9001"
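
A pre-deployment check for the settings covered in "Change Default Credentials", "Configure LLM Privacy" and "Restrict MinIO Console Access". This is an added example, not part of TracePcap: the sample file contents are constructed, and it assumes SPRING_DATASOURCE_PASSWORD is set as a literal value in docker-compose.yml and that a local model is reached via a loopback address.

```python
import re
from urllib.parse import urlparse

# Constructed sample inputs (not TracePcap's shipped files); only keys named on this page are used.
SAMPLE_COMPOSE = """\
services:
  minio:
    environment:
      MINIO_ROOT_USER: minioadmin
      MINIO_ROOT_PASSWORD: minioadmin
    ports:
      - "9001:9001"
  postgres:
    environment:
      POSTGRES_PASSWORD: pg-Constructed-Value-1
  backend:
    environment:
      SPRING_DATASOURCE_PASSWORD: stale-Constructed-Value-2
"""
SAMPLE_ENV = "LLM_API_BASE_URL=https://llm.example.com/v1\n"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumption: add your internal model host


def _value(text, key):
    """Return the value of an uncommented `KEY: v` or `KEY=v` line, or None if absent."""
    pat = rf"^[ \t]*-?[ \t]*{re.escape(key)}[ \t]*[:=][ \t]*(.*?)[ \t]*(?:[ \t]#.*)?$"
    m = re.search(pat, text, re.M)
    return m.group(1).strip("\"'") if m else None


def audit(compose_text, env_text):
    """Return findings for the weak defaults this hardening page calls out."""
    findings = []
    for key in ("MINIO_ROOT_USER", "MINIO_ROOT_PASSWORD"):
        if _value(compose_text, key) == "minioadmin":
            findings.append(f"{key} is still the default 'minioadmin'")
    pg = _value(compose_text, "POSTGRES_PASSWORD")
    ds = _value(compose_text, "SPRING_DATASOURCE_PASSWORD")
    if pg != ds:
        findings.append("POSTGRES_PASSWORD and SPRING_DATASOURCE_PASSWORD do not match")
    # An uncommented HOST:9001 mapping without a bind address publishes the console on all interfaces.
    if re.search(r"^[ \t]*-[ \t]*[\"']?\d+:9001[\"']?[ \t]*$", compose_text, re.M):
        findings.append("MinIO console port 9001 is published")
    url = _value(env_text, "LLM_API_BASE_URL")
    host = urlparse(url).hostname if url else None
    if url and host not in LOCAL_HOSTS:
        findings.append(f"LLM_API_BASE_URL points to non-local host {host}")
    return findings
```

Call `audit()` with the contents of your own docker-compose.yml and .env; an empty list means none of these defaults remain. Password strength is not evaluated.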