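# TokenShield demo stack: MySQL, the unified tokenizer (HTTP + ICAP), HAProxy
# for incoming traffic, Squid for outgoing traffic, three dummy services, and
# two GUI dashboards. All services share the tokenshield-net bridge network.
#
# Credentials are read from the environment (or a .env file next to this
# file); the fallbacks after ":-" are the demo values and are public by virtue
# of being committed here. Every "HOST:CONTAINER" port mapping below publishes
# on all host interfaces; use "127.0.0.1:HOST:CONTAINER" to keep a port local.
version: '3.8'

services:
  # MySQL Database
  mysql:
    # Tags are mutable; pin by digest where reproducible deployments matter.
    image: mysql:8.0
    container_name: tokenshield-mysql
    environment:
      # Demo defaults only. The mysql image applies these on first
      # initialisation of the data directory, so changing them later requires
      # recreating the mysql_data volume or altering the accounts in SQL.
      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD:-rootpassword123}"
      MYSQL_DATABASE: tokenshield
      MYSQL_USER: pciproxy
      # Shares DB_PASSWORD with unified-tokenizer so the two cannot drift.
      MYSQL_PASSWORD: "${DB_PASSWORD:-pciproxy123}"
    volumes:
      - mysql_data:/var/lib/mysql
      # Init script is only read by the entrypoint, so mount it read-only.
      - ./database/schema.sql:/docker-entrypoint-initdb.d/01-schema.sql:ro
    ports:
      # unified-tokenizer reaches the database as mysql:3306 over
      # tokenshield-net; this mapping is only needed for host-side access.
      - "3306:3306"
    networks:
      - tokenshield-net
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
      timeout: 20s
      retries: 10

  # Unified Tokenizer Service (HTTP + ICAP)
  unified-tokenizer:
    build: ./unified-tokenizer
    container_name: tokenshield-unified
    environment:
      DB_HOST: mysql
      DB_PORT: "3306"
      DB_USER: pciproxy
      DB_PASSWORD: "${DB_PASSWORD:-pciproxy123}"
      DB_NAME: tokenshield
      # The fallback is a placeholder literal, not a key. Set ENCRYPTION_KEY
      # explicitly; outside a demo, "${ENCRYPTION_KEY:?must be set}" makes
      # compose refuse to start without one.
      # NOTE(review): how the service treats the placeholder is not visible
      # here - confirm it rejects it rather than deriving a key from it.
      ENCRYPTION_KEY: "${ENCRYPTION_KEY:-your-256-bit-base64-encoded-key-here}"
      APP_ENDPOINT: "${APP_ENDPOINT:-http://dummy-app:8000}"
      HTTP_PORT: "8080"
      ICAP_PORT: "1344"
      # NOTE(review): what debug mode logs is not visible here - confirm it
      # never writes card numbers or key material before using it outside dev.
      DEBUG_MODE: "${DEBUG_MODE:-1}"
      # "prefix" for tok_ format, "luhn" for Luhn-valid format
      TOKEN_FORMAT: "${TOKEN_FORMAT:-prefix}"
      # "true" to enable KEK/DEK encryption
      USE_KEK_DEK: "${USE_KEK_DEK:-true}"
      # Set to true to disable rate limiting for testing; keep false otherwise.
      TEST_MODE: "${TEST_MODE:-false}"
    depends_on:
      mysql:
        condition: service_healthy
    ports:
      - "8080:8080"  # HTTP tokenization
      - "1344:1344"  # ICAP detokenization
      # NOTE(review): authentication on the management API is not visible
      # here; restrict this mapping until that is confirmed.
      - "8090:8090"  # Management API
    networks:
      - tokenshield-net
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "nc", "-z", "localhost", "1344"]
      timeout: 5s
      retries: 5

  # HAProxy - Incoming traffic interceptor
  haproxy:
    image: haproxy:2.8-alpine
    container_name: tokenshield-haproxy
    volumes:
      - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
      - ./haproxy/tokenize.lua:/etc/haproxy/tokenize.lua:ro
      # Presumably holds TLS private keys - keep ./certs out of version
      # control and readable only by the deploying user.
      - ./certs:/etc/haproxy/certs:ro
    ports:
      - "80:80"
      - "443:443"
      - "8404:8404"  # Stats page
    depends_on:
      - unified-tokenizer
    networks:
      - tokenshield-net
    environment:
      # NOTE(review): this fallback (your-app) differs from the one used by
      # unified-tokenizer (dummy-app), and no service named your-app is
      # defined in this file - confirm which is intended.
      APP_ENDPOINT: "${APP_ENDPOINT:-http://your-app:8000}"
    restart: unless-stopped

  # Squid - Outgoing traffic interceptor
  squid:
    build: ./squid
    container_name: tokenshield-squid
    volumes:
      - ./squid/squid.conf:/etc/squid/squid.conf:ro
      - ./certs:/etc/squid/certs:ro
      - squid_cache:/var/spool/squid
      - squid_logs:/var/log/squid
    ports:
      # dummy-app reaches the proxy as squid:3128 over tokenshield-net.
      # NOTE(review): whether squid.conf limits which clients may use these
      # published ports is not visible here - verify its ACLs.
      - "3128:3128"
      - "3129:3129"  # SSL bump port
    depends_on:
      - unified-tokenizer
    networks:
      - tokenshield-net
    restart: unless-stopped

  # Dummy E-commerce Application
  dummy-app:
    build: ./dummy-app
    container_name: dummy-ecommerce-app
    environment:
      PAYMENT_GATEWAY_URL: http://payment-gateway:9000
      CARD_DISTRIBUTOR_URL: http://card-distributor:5001
      HTTP_PROXY: http://squid:3128
      HTTPS_PROXY: http://squid:3128
    ports:
      - "8000:8000"
    networks:
      - tokenshield-net
    depends_on:
      - squid
      - payment-gateway
      - card-distributor
    restart: unless-stopped

  # Dummy Payment Gateway
  payment-gateway:
    build: ./dummy-gateway
    container_name: dummy-payment-gateway
    ports:
      - "9000:9000"
    networks:
      - tokenshield-net
    restart: unless-stopped

  # Card Distributor - Third-party API that returns raw card data
  card-distributor:
    build: ./card-distributor
    container_name: card-distributor-api
    ports:
      # dummy-app reaches this service as card-distributor:5001 internally.
      - "5001:5001"
    networks:
      - tokenshield-net
    restart: unless-stopped

  # TokenShield GUI Dashboard (Original)
  tokenshield-gui:
    build: ./gui
    container_name: tokenshield-gui
    ports:
      - "8081:80"
    networks:
      - tokenshield-net
    depends_on:
      - unified-tokenizer
    restart: unless-stopped

  # TokenShield React GUI Dashboard
  tokenshield-react-gui:
    build: ./gui-react
    container_name: tokenshield-react-gui
    environment:
      # Optional: Override default API backend (defaults to unified-tokenizer:8090)
      API_BACKEND: "${REACT_API_BACKEND:-unified-tokenizer:8090}"
    ports:
      - "8082:80"
    networks:
      - tokenshield-net
    depends_on:
      - unified-tokenizer
    restart: unless-stopped

networks:
  tokenshield-net:
    driver: bridge

volumes:
  mysql_data: {}
  squid_cache: {}
  squid_logs: {}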