chore: update Docker configuration with latest versions and best practices

- Upgrade Alpine from 3.22.0 to 3.23.3 (security fixes)
- Add multi-platform build support (ARM64, ARM, x86)
- Add Go module caching for faster builds
- Add non-root user for security
- Add health check configuration
- Add resource limits in docker-compose
- Add logging configuration with rotation
- Add ca-certificates for HTTPS support
- Add volume mount as read-only for config

Author: Assistant

Dockerfile

@@ -1,35 +1,48 @@
-FROM golang:1.26-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS builder
 
 WORKDIR /app
 
+RUN apk add --no-cache git make
+
 COPY go.mod go.sum ./
 
-RUN go mod download
+RUN --mount=type=cache,target=/go/pkg/mod \
+    go mod download
 
 COPY . .
 
 ARG VERSION=dev
 ARG COMMIT=none
 ARG BUILD_DATE=unknown
+TARGETOS=${TARGETOS:-linux}
+TARGETARCH=${TARGETARCH:-amd64}
 
-RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w -X 'main.Version=${VERSION}-plus' -X 'main.Commit=${COMMIT}' -X 'main.BuildDate=${BUILD_DATE}'" -o ./CLIProxyAPIPlus ./cmd/server/
+RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build \
+    -ldflags="-s -w -X 'main.Version=${VERSION}-plus' -X 'main.Commit=${COMMIT}' -X 'main.BuildDate=${BUILD_DATE}'" \
+    -o ./CLIProxyAPIPlus ./cmd/server/
 
-FROM alpine:3.22.0
+FROM alpine:3.23.3
 
-RUN apk add --no-cache tzdata
+RUN addgroup -g 1000 appgroup && \
+    adduser -u 1000 -G appgroup -s /bin/sh -D appuser
 
-RUN mkdir /CLIProxyAPI
+RUN apk add --no-cache tzdata ca-certificates
 
-COPY --from=builder ./app/CLIProxyAPIPlus /CLIProxyAPI/CLIProxyAPIPlus
+RUN mkdir -p /CLIProxyAPI && chown -R appuser:appgroup /CLIProxyAPI
 
-COPY config.example.yaml /CLIProxyAPI/config.example.yaml
+COPY --from=builder --chown=appuser:appgroup /app/CLIProxyAPIPlus /CLIProxyAPI/CLIProxyAPIPlus
+COPY --chown=appuser:appgroup config.example.yaml /CLIProxyAPI/config.example.yaml
 
 WORKDIR /CLIProxyAPI
 
-EXPOSE 8317
+USER appuser
 
-ENV TZ=Asia/Shanghai
+EXPOSE 8317 8085 1455 54545 51121 11451
 
+ENV TZ=Asia/Shanghai
 RUN cp /usr/share/zoneinfo/${TZ} /etc/localtime && echo "${TZ}" > /etc/timezone
 
-CMD ["./CLIProxyAPIPlus"]
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD wget --no-verbose --tries=1 --spider http://localhost:8317/health || exit 1
+
+CMD ["./CLIProxyAPIPlus"]

docker-compose.yml

@@ -10,10 +10,9 @@ services:
         COMMIT: ${COMMIT:-none}
         BUILD_DATE: ${BUILD_DATE:-unknown}
     container_name: cli-proxy-api-plus
-    # env_file:
-    #   - .env
     environment:
       DEPLOY: ${DEPLOY:-}
+      TZ: ${TZ:-Asia/Shanghai}
     ports:
       - "8317:8317"
       - "8085:8085"
@@ -22,7 +21,26 @@ services:
       - "51121:51121"
       - "11451:11451"
     volumes:
-      - ${CLI_PROXY_CONFIG_PATH:-./config.yaml}:/CLIProxyAPI/config.yaml
+      - ${CLI_PROXY_CONFIG_PATH:-./config.yaml}:/CLIProxyAPI/config.yaml:ro
       - ${CLI_PROXY_AUTH_PATH:-./auths}:/root/.cli-proxy-api
       - ${CLI_PROXY_LOG_PATH:-./logs}:/CLIProxyAPI/logs
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8317/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+    deploy:
+      resources:
+        limits:
+          cpus: '${CLI_PROXY_CPU_LIMIT:-1}'
+          memory: ${CLI_PROXY_MEMORY_LIMIT:-512M}
+        reservations:
+          cpus: '${CLI_PROXY_CPU_RESERVE:-0.1}'
+          memory: ${CLI_PROXY_MEMORY_RESERVE:-128M}
     restart: unless-stopped
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"