Description
### What is the bug or the crash?

Here is my Dockerfile

```dockerfile
# Start from the official PostGIS image
# Use an ARG to make the version easily configurable from docker-compose.yml
ARG POSTGRES_VERSION=17-3.5
FROM kartoza/postgis:${POSTGRES_VERSION}

# Create directories
RUN mkdir -p /docker-entrypoint-initdb.d

# Copy initialization scripts
COPY ./docker-entrypoint-initdb.d /docker-entrypoint-initdb.d
```
Here is my docker-compose.yml section for this image:

```yaml
postgres:
  restart: unless-stopped
  deploy:
    restart_policy:
      condition: on-failure
      delay: 5s
      max_attempts: 3
      window: 120s
  healthcheck:
    test: ["CMD-SHELL", "pg_isready -h localhost -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
    interval: 10s
    timeout: 5s
    retries: 5
  build:
    context: ./postgres
    args:
      - POSTGRES_VERSION=${POSTGRES_MAJOR_VERSION}-${POSTGIS_MAJOR_VERSION}.${POSTGIS_MINOR_RELEASE}
      - POSTGRES_MAJOR_VERSION=${POSTGRES_MAJOR_VERSION}
  volumes:
    - ${DATA_PATH_HOST}/data/postgres:/var/lib/postgresql/data
    - ./postgres/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
    # - ./postgres/configuration/pg_hba.conf:/etc/postgresql/pg_hba.conf:ro
    # - ./postgres/configuration/pg_hba.conf:/tmp/pg_hba.conf:ro
  ports:
    - "${POSTGRES_PORT}:5432"
  environment:
    - PASSWORD_AUTHENTICATION=md5
    - POSTGRES_DBNAME=${POSTGRES_DB}
    - POSTGRES_DB=${POSTGRES_DB}
    - POSTGRES_USER=${POSTGRES_USER}
    - POSTGRES_PASS=${POSTGRES_PASSWORD}
    - GITLAB_POSTGRES_INIT=${GITLAB_POSTGRES_INIT}
    - GITLAB_POSTGRES_USER=${GITLAB_POSTGRES_USER}
    - GITLAB_POSTGRES_PASSWORD=${GITLAB_POSTGRES_PASSWORD}
    - GITLAB_POSTGRES_DB=${GITLAB_POSTGRES_DB}
    - KEYCLOAK_POSTGRES_INIT=${KEYCLOAK_POSTGRES_INIT}
    - KEYCLOAK_POSTGRES_USER=${KEYCLOAK_POSTGRES_USER}
    - KEYCLOAK_POSTGRES_PASSWORD=${KEYCLOAK_POSTGRES_PASSWORD}
    - KEYCLOAK_POSTGRES_DB=${KEYCLOAK_POSTGRES_DB}
    - JUPYTERHUB_POSTGRES_INIT=${JUPYTERHUB_POSTGRES_INIT}
    - JUPYTERHUB_POSTGRES_USER=${JUPYTERHUB_POSTGRES_USER}
    - JUPYTERHUB_POSTGRES_PASSWORD=${JUPYTERHUB_POSTGRES_PASSWORD}
    - JUPYTERHUB_POSTGRES_DB=${JUPYTERHUB_POSTGRES_DB}
    - SONARQUBE_POSTGRES_INIT=${SONARQUBE_POSTGRES_INIT}
    - SONARQUBE_POSTGRES_DB=${SONARQUBE_POSTGRES_DB}
    - SONARQUBE_POSTGRES_USER=${SONARQUBE_POSTGRES_USER}
    - SONARQUBE_POSTGRES_PASSWORD=${SONARQUBE_POSTGRES_PASSWORD}
    - POSTGRES_CONFLUENCE_INIT=${CONFLUENCE_POSTGRES_INIT}
    - POSTGRES_CONFLUENCE_DB=${CONFLUENCE_POSTGRES_DB}
    - POSTGRES_CONFLUENCE_USER=${CONFLUENCE_POSTGRES_USER}
    - POSTGRES_CONFLUENCE_PASSWORD=${CONFLUENCE_POSTGRES_PASSWORD}
    - PGDATA=/var/lib/postgresql/data/pgdata
    - POSTGRES_MULTIPLE_EXTENSIONS=postgis,hstore,postgis_topology,postgis_raster,pgrouting,pgvector,pg_repack,pg_trgm,pgcrypto,pg_stat_statements
  networks:
    - backend

# Postgres Backups
dbbackups:
  image: kartoza/pg-backup:$POSTGRES_MAJOR_VERSION-$POSTGIS_MAJOR_VERSION.${POSTGIS_MINOR_RELEASE}
  environment:
    - DUMPPREFIX=PG
    - POSTGRES_HOST=postgres
    - POSTGRES_USER=${POSTGRES_USER}
    - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    - POSTGRES_PORT=5432
    - RUN_AS_ROOT=true
    # - STORAGE_BACKEND=S3
    # - ACCESS_KEY_ID=minio_admin
    # - SECRET_ACCESS_KEY=secure_minio_secret
    # - DEFAULT_REGION=us-west-2
    # - BUCKET=backups
    # - HOST_BASE=minio:9000
    # - HOST_BUCKET=backup
    # - SSL_SECURE=False
    - CRON_SCHEDULE="*/5 * * * *"
  restart: on-failure
  networks:
    - backend
  depends_on:
    postgres:
      condition: service_healthy
```
I have an application that is trying to connect to the postgres. I am able to run the command

```
docker exec -i IMAGE_NAME psql -U USER_NAME -h localhost -p 5432 -d DB_NAME
```

I have a FrankenPHP Server that spins up a Laravel application. It throws:

```
2025-07-07 08:44:37.947 UTC [209] a2@a2 FATAL: password authentication failed for user "a2"
2025-07-07 08:44:37.947 UTC [209] a2@a2 DETAIL: Password does not match for user "a2".
Connection matched file "/etc/postgresql/17/main/pg_hba.conf" line 133: "host all all 172.0.0.0/8 md5 "
2025-07-07 08:44:37.950 UTC [210] a2@a2 FATAL: password authentication failed for user "a2"
2025-07-07 08:44:37.950 UTC [210] a2@a2 DETAIL: Password does not match for user "a2".
Connection matched file "/etc/postgresql/17/main/pg_hba.conf" line 133: "host all all 172.0.0.0/8 md5 "
2025-07-07 08:44:37.988 UTC [211] a2@postgres FATAL: password authentication failed for user "a2"
2025-07-07 08:44:37.988 UTC [211] a2@postgres DETAIL: Password does not match for user "a2".
Connection matched file "/etc/postgresql/17/main/pg_hba.conf" line 133: "host all all 172.0.0.0/8 md5 "
2025-07-07 08:44:37.990 UTC [212] a2@postgres FATAL: password authentication failed for user "a2"
2025-07-07 08:44:37.990 UTC [212] a2@postgres DETAIL: Password does not match for user "a2".
Connection matched file "/etc/postgresql/17/main/pg_hba.conf" line 133: "host all all 172.0.0.0/8 md5 "
2025-07-07 08:45:01.165 UTC [231] a2@postgres FATAL: password authentication failed for user "a2"
2025-07-07 08:45:01.165 UTC [231] a2@postgres DETAIL: Password does not match for user "a2".
Connection matched file "/etc/postgresql/17/main/pg_hba.conf" line 133: "host all all 172.0.0.0/8 md5 "
2025-07-07 08:45:01.168 UTC [232] a2@postgres FATAL: password authentication failed for user "a2"
2025-07-07 08:45:01.168 UTC [232] a2@postgres DETAIL: Password does not match for user "a2".
Connection matched file "/etc/postgresql/17/main/pg_hba.conf" line 133: "host all all 172.0.0.0/8 md5 "
2025-07-07 08:45:01.174 UTC [233] a2@template1 FATAL: password authentication failed for user "a2"
2025-07-07 08:45:01.174 UTC [233] a2@template1 DETAIL: Password does not match for user "a2".
Connection matched file "/etc/postgresql/17/main/pg_hba.conf" line 133: "host all all 172.0.0.0/8 md5 "
2025-07-07 08:45:01.176 UTC [234] a2@template1 FATAL: password authentication failed for user "a2"
2025-07-07 08:45:01.176 UTC [234] a2@template1 DETAIL: Password does not match for user "a2".
Connection matched file "/etc/postgresql/17/main/pg_hba.conf" line 133: "host all all 172.0.0.0/8 md5 "
2025-07-07 08:49:31.775 UTC [194] LOG: checkpoint starting: time
2025-07-07 08:49:31.793 UTC [194] LOG: checkpoint complete: wrote 3 buffers (0.0%); 0 WAL file(s) added, 0 removed, 0 recycled; write=0.005 s, sync=0.002 s, total=0.018 s; sync files=2, longest=0.001 s, average=0.001 s; distance=0 kB, estimate=0 kB; lsn=0/35F4A60, redo lsn=0/35F4A08
```
Here is my pg_hba.conf file

```
# Database administrative login by Unix domain socket
local all postgres peer

# TYPE DATABASE USER ADDRESS METHOD

# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 ${PASSWORD_AUTHENTICATION}
# IPv6 local connections:
host all all ::1/128 ${PASSWORD_AUTHENTICATION}
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all peer
host replication all 127.0.0.1/32 ${PASSWORD_AUTHENTICATION}
host replication all ::1/128 ${PASSWORD_AUTHENTICATION}

host all all 172.0.0.0/8 md5
host all all 192.168.0.0/16 md5
host all all 0.0.0.0/0 md5
host replication replicator 0.0.0.0/0 md5
```
Here is my FrankenPHP Dockerfile

```dockerfile
# 1. ARGUMENTS
ARG PHP_VERSION=8.4
ARG FRANKENPHP_VERSION=1.7
ARG TZ=UTC
ARG WWWUSER=1000
ARG WWWGROUP=1000
ARG APP_DIR=/var/www/
ARG APP_ENV=production
ARG APP_HOST=localhost

# 2. UPSTREAM: Build custom FrankenPHP binary
FROM dunglas/frankenphp:${FRANKENPHP_VERSION}-builder-php${PHP_VERSION}-alpine AS upstream
RUN CGO_ENABLED=1 \
    XCADDY_SETCAP=1 \
    XCADDY_GO_BUILD_FLAGS="-ldflags='-w -s' -tags=nobadger,nomysql,nopgx" \
    CGO_CFLAGS=$(php-config --includes) \
    CGO_LDFLAGS="$(php-config --ldflags) $(php-config --libs)" \
    xcaddy build \
    --output /usr/local/bin/frankenphp \
    --with github.com/dunglas/frankenphp=./ \
    --with github.com/dunglas/frankenphp/caddy=./caddy/ \
    --with github.com/dunglas/caddy-cbrotli

# 3. BASE: The main application image
FROM dunglas/frankenphp:${FRANKENPHP_VERSION}-php${PHP_VERSION}-alpine AS base
ARG WWWUSER WWWGROUP TZ APP_DIR APP_ENV APP_HOST
ENV DEBIAN_FRONTEND=noninteractive \
    TERM=xterm-color \
    OCTANE_SERVER=frankenphp \
    TZ=${TZ} \
    USER=sbpuser \
    ROOT=${APP_DIR} \
    APP_ENV=${APP_ENV} \
    SERVER_NAME=${APP_HOST:-:80}
WORKDIR ${ROOT}
SHELL ["/bin/sh", "-eou", "pipefail", "-c"]

# Install system dependencies and PHP extensions
RUN apk update && apk upgrade && apk add --no-cache \
    supervisor tzdata git unzip procps wget curl vim ncdu \
    libsodium-dev brotli \
    && install-php-extensions \
    bz2 pcntl mbstring bcmath sockets pgsql pdo_pgsql opcache exif \
    pdo_mysql zip uv vips intl gd redis rdkafka memcached igbinary ldap \
    && docker-php-source delete \
    && rm -rf /var/cache/apk/* /tmp/* /var/tmp/*

# Install Supercronic for cron jobs
RUN arch="$(apk --print-arch)" \
    && case "$arch" in \
    armhf) _cronic_fname='supercronic-linux-arm' ;; \
    aarch64) _cronic_fname='supercronic-linux-arm64' ;; \
    x86_64) _cronic_fname='supercronic-linux-amd64' ;; \
    *) echo >&2 "error: unsupported architecture: $arch"; exit 1 ;; \
    esac \
    && wget -q "https://github.com/aptible/supercronic/releases/download/v0.2.29/${_cronic_fname}" -O /usr/bin/supercronic \
    && chmod +x /usr/bin/supercronic \
    && mkdir -p /etc/supercronic \
    && echo "*/1 * * * * php ${ROOT}/artisan schedule:run --no-interaction" > /etc/supercronic/laravel

# Install Composer
COPY --from=composer:2.8 /usr/bin/composer /usr/bin/composer

# Create user, group, and necessary directories
RUN addgroup -g ${WWWGROUP} sbpuser \
    && adduser -D -h ${ROOT} -G sbpuser -u ${WWWUSER} -s /bin/sh sbpuser \
    && mkdir -p \
    ${ROOT}/storage/framework/{cache,sessions,views} \
    ${ROOT}/storage/logs \
    ${ROOT}/bootstrap/cache \
    /var/log/supervisor \
    /var/run/supervisor \
    /etc/supervisor/conf.d \
    && setcap -r /usr/local/bin/frankenphp

# Copy application files and install dependencies
COPY --chown=${WWWUSER}:${WWWUSER} sbp/composer.json sbp/composer.lock ./
RUN composer install --no-dev --no-scripts --no-interaction --optimize-autoloader \
    && composer require laravel/octane --no-interaction
COPY --chown=${WWWUSER}:${WWWUSER} sbp/ ${ROOT}/
RUN php artisan octane:install --server=frankenphp --no-interaction \
    && php artisan optimize:clear \
    && php artisan config:cache \
    && php artisan route:cache \
    && php artisan view:cache

# Copy configurations
COPY --chown=${WWWUSER}:${WWWUSER} deployment/frankenphp/configuration/supervisord.conf /etc/supervisor/supervisord.conf
COPY --chown=${WWWUSER}:${WWWUSER} deployment/frankenphp/configuration/supervisord.*.conf /etc/supervisor/conf.d/
COPY --chown=${WWWUSER}:${WWWUSER} deployment/frankenphp/configuration/start-container /usr/local/bin/start-container
COPY --chown=${WWWUSER}:${WWWUSER} deployment/frankenphp/configuration/healthcheck /usr/local/bin/healthcheck
COPY --chown=${WWWUSER}:${WWWUSER} deployment/frankenphp/configuration/php.ini /usr/local/etc/php/conf.d/99-octane.ini

# Set final permissions and user
RUN chmod +x /usr/local/bin/start-container /usr/local/bin/healthcheck \
    && chown -R ${WWWUSER}:${WWWUSER} ${ROOT} /var/log/supervisor /var/run/supervisor /etc/supervisor \
    && chmod -R 775 ${ROOT}/storage ${ROOT}/bootstrap/cache
USER sbpuser

# Expose ports and define entrypoint
EXPOSE 8000 443 443/udp 2019 8080
ENTRYPOINT ["start-container"]
HEALTHCHECK --start-period=5s --interval=2s --timeout=5s --retries=8 CMD healthcheck
```
Here is the FrankenPHP part of my docker-compose.yml

```yaml
# FrankenPHP Server
frankenphp:
  restart: unless-stopped
  container_name: frankenphp
  deploy:
    restart_policy:
      condition: on-failure
      delay: 5s
      max_attempts: 3
      window: 120s
  healthcheck:
    test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
    start_period: 10s
    interval: 30s
    timeout: 10s
    retries: 3
  build:
    context: ../
    dockerfile: deployment/frankenphp/Dockerfile
    args:
      - PHP_VERSION=${PHP_VERSION}
      - FRANKENPHP_VERSION=${FRANKENPHP_VERSION}
      - COMPOSER_VERSION=${FRANKENPHP_COMPOSER_VERSION}
      - BUN_VERSION=${FRANKENPHP_BUN_VERSION}
      - APP_ENV=${FRANKENPHP_APP_ENV}
      - WWWUSER=${FRANKENPHP_USER}
      - WWWGROUP=${FRANKENPHP_GROUP}
      - APP_HOST=${APP_DOMAIN}
      - ROOT=${APP_CODE_PATH_CONTAINER}
      - APP_HOME=${APP_CODE_PATH_CONTAINER}
      - TZ=${WORKSPACE_TIMEZONE}
  volumes:
    - ${APP_CODE_PATH_HOST}:${APP_CODE_PATH_CONTAINER}:cached
    # Mount storage directories as writable volumes
    - ${APP_CODE_PATH_HOST}/storage:${APP_CODE_PATH_CONTAINER}/storage:delegated
    - ${APP_CODE_PATH_HOST}/bootstrap/cache:${APP_CODE_PATH_CONTAINER}/bootstrap/cache:delegated
    - ./logs/frankenphp:/var/log:delegated
    # Mount Laravel's storage and cache directories as writable
    # - ${APP_CODE_PATH_HOST}/storage:${APP_CODE_PATH_CONTAINER}/storage
    # - ${APP_CODE_PATH_HOST}/bootstrap/cache:${APP_CODE_PATH_CONTAINER}/bootstrap/cache
  environment:
    - APP_ENV=${FRANKENPHP_APP_ENV}
    - APP_DEBUG=${APP_DEBUG:-false}
    - APP_KEY=${APP_KEY}
    - APP_URL=${APP_URL}
    - APP_NAME=${APP_NAME:-Swarna Bharat Party}
    - DB_CONNECTION=pgsql
    - DB_HOST=postgres
    - DB_PORT=${POSTGRES_PORT}
    - DB_DATABASE=${POSTGRES_DB}
    - DB_USERNAME=${POSTGRES_USER}
    - DB_PASSWORD=${POSTGRES_PASSWORD}
    - REDIS_HOST=${REDIS_HOST}
    - REDIS_PORT=${REDIS_PORT}
    - CACHE_DRIVER=${FRANKENPHP_CACHE_DRIVER}
    - SESSION_DRIVER=${FRANKENPHP_SESSION_DRIVER}
    - QUEUE_CONNECTION=${FRANKENPHP_QUEUE_DRIVER}
    # Octane specific settings
    - OCTANE_SERVER=${FRANKENPHP_OCTANE_SERVER}
    - OCTANE_WORKERS=${FRANKENPHP_OCTANE_WORKER_COUNT}
    - OCTANE_MAX_REQUESTS=${FRANKENPHP_OCTANE_MAX_REQUESTS}
    - TZ=${WORKSPACE_TIMEZONE:-UTC}
  ports:
    - "8000:8000" # Laravel Octane
    - "2019:2019" # Caddy admin
    - "80:8000" # Map port 8000 in the container to port 80 on the host
  networks:
    - frontend
    - backend
  depends_on:
    postgres:
      condition: service_healthy
    redis:
      condition: service_healthy
    workspace:
      condition: service_started
```
### Steps to reproduce the issue
1. Start the containers with docker-compose up -d
2. The postgres logs show the problem mentioned above.

```
2025-07-07 08:44:28.807 UTC [114] LOG: database system is ready to accept connections
2025-07-07 08:44:28.825 UTC [124] LOG: pg_cron scheduler started
/var/run/postgresql:5432 - accepting connections
postgres ready
Creating user a2
[Entrypoint] Creating/Updating user a2
ALTER ROLE
Creating user replicator
[Entrypoint] Creating/Updating user replicator
ALTER ROLE
[Entrypoint] Database sbp_prod_db already exists
List of databases
Name | Owner | Encoding | Locale Provider | Collate | Ctype | Locale | ICU Rules | Access privileges
-------------+----------+----------+-----------------+-------------+-------------+--------+-----------+-----------------------
postgres | postgres | UTF8 | libc | en_US.UTF-8 | en_US.UTF-8 | | |
sbp_prod_db | a2 | UTF8 | libc | en_US.UTF-8 | en_US.UTF-8 | | |
template0 | postgres | UTF8 | libc | en_US.UTF-8 | en_US.UTF-8 | | | =c/postgres +
| | | | | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | libc | en_US.UTF-8 | en_US.UTF-8 | | | =c/postgres +
| | | | | | | | postgres=CTc/postgres
(4 rows)
2025-07-07 08:44:30.014 UTC [114] LOG: received smart shutdown request
/var/run/postgresql/17-main.pid
2025-07-07 08:44:30.016 UTC [124] LOG: pg_cron scheduler shutting down
2025-07-07 08:44:30.018 UTC [114] LOG: background worker "pg_cron launcher" (PID 124) exited with exit code 1
2025-07-07 08:44:30.018 UTC [114] LOG: background worker "logical replication launcher" (PID 125) exited with exit code 1
2025-07-07 08:44:30.018 UTC [119] LOG: shutting down
2025-07-07 08:44:30.020 UTC [119] LOG: checkpoint starting: shutdown immediate
2025-07-07 08:44:30.037 UTC [119] LOG: checkpoint complete: wrote 4 buffers (0.0%); 0 WAL file(s) added, 0 removed, 0 recycled; write=0.005 s, sync=0.004 s, total=0.019 s; sync files=3, longest=0.002 s, average=0.002 s; distance=4 kB, estimate=4 kB; lsn=0/35F4958, redo lsn=0/35F4958
2025-07-07 08:44:30.040 UTC [114] LOG: database system is shut down
[Entrypoint] Postgres initialisation process completed .... restarting in foreground
2025-07-07 08:44:31.085 UTC [192] LOG: starting PostgreSQL 17.4 (Debian 17.4-1.pgdg120+2) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
2025-07-07 08:44:31.086 UTC [192] LOG: listening on IPv4 address "0.0.0.0", port 5432
2025-07-07 08:44:31.086 UTC [192] LOG: listening on IPv6 address "::", port 5432
2025-07-07 08:44:31.090 UTC [192] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2025-07-07 08:44:31.095 UTC [196] LOG: database system was shut down at 2025-07-07 08:44:30 UTC
2025-07-07 08:44:31.101 UTC [192] LOG: database system is ready to accept connections
2025-07-07 08:44:31.106 UTC [199] LOG: pg_cron scheduler started
2025-07-07 08:44:37.947 UTC [209] a2@a2 FATAL: password authentication failed for user "a2"
2025-07-07 08:44:37.947 UTC [209] a2@a2 DETAIL: Password does not match for user "a2".
Connection matched file "/etc/postgresql/17/main/pg_hba.conf" line 133: "host all all 172.0.0.0/8 md5 "
2025-07-07 08:44:37.950 UTC [210] a2@a2 FATAL: password authentication failed for user "a2"
2025-07-07 08:44:37.950 UTC [210] a2@a2 DETAIL: Password does not match for user "a2".
```

### Versions
17-3.5
### Additional context
_No response_