Skip to content

chore(ibkr): harden the CP gateway docker harness (baked ips.allow conf, healthcheck, container-IP capture) #130

Description

@NotAProfDev

Follow-up to the CP gateway harness shipped in #127 and the real-fixture capture in #129/#128.

The docker/cpapi/ gateway currently ships no custom conf.yaml, so a fresh docker compose up uses the distribution's restrictive ips.allow (192.*/131.216.*/127.0.0.1). A browser login forwarded through Docker (source 172.*/10.*) is rejected 403 "not allowed", requiring a manual per-container patch. Make the harness self-sufficient and adopt hardening ideas from a reference oath-ibkr-v2 gateway (harness only — not its reqwest client):

  • Bake a dev conf.yaml with a widened ips.allow (loopback + RFC-1918) into the image.
  • Add a container HEALTHCHECK.
  • Harden docker-compose.yml (cap_drop, no-new-privileges, mem/pids limits, log bound).
  • Resolve the container IP in just ibkr-capture (localhost:5000 isn't routable from a devcontainer).

Scope note: touches only docker/cpapi/*, Justfile, and _typos.toml — no crate/capture.sh changes, so it does not overlap #129.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions