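---
# Lab stack that pins nginx-ui at a release with two missing-authentication
# flaws, plus two static nginx sites on the same bridge network.
# The `version` key is kept from the original file.
version: '3.8'

services:
  # Vulnerable: nginx-ui v2.3.1
  #   CVE-2026-27944 — GET /api/backup requires no auth, leaks AES key in header
  #   CVE-2026-33032 — POST /mcp_message missing AuthRequired() middleware
  #
  # nginx-ui bundles its own nginx instance. Exposing port 80 here means
  # reload_nginx via MCP reloads the same nginx serving user traffic —
  # no docker exec or host access required.
  #
  # Defender's view: both endpoints answer without credentials in this
  # version, so unauthenticated requests to /api/backup and /mcp_message are
  # the events to alert on. The image tag is pinned on purpose for
  # reproduction; a real deployment needs a release that fixes both CVEs
  # (the fixed version is not stated in this file).
  nginx-ui:
    image: uozi/nginx-ui:v2.3.1
    container_name: nginx_ui
    ports:
      # Published on loopback only. A short "8080:80" mapping binds every
      # host interface, which would put the unauthenticated endpoints on
      # whatever network the Docker host is attached to. Widen the bind
      # address only on an isolated lab segment.
      - "127.0.0.1:8080:80"      # bundled nginx (user-facing traffic)
      # presumably the nginx-ui management/API listener — confirm in app.ini
      - "127.0.0.1:9000:9000"
    environment:
      # No Docker socket is mounted into this container (see volumes below).
      - NGINX_UI_IGNORE_DOCKER_SOCKET=true
    volumes:
      # Mounted read-write: configuration changed inside the container
      # lands in ./nginx/conf.d on the host and survives a restart.
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./nginx-ui/app.ini:/etc/nginx-ui/app.ini
      # Named volume for nginx-ui state; app.ini above is bind-mounted
      # on top of it.
      - nginx_ui_data:/etc/nginx-ui
    networks:
      - lab_net
    # Restarts with the Docker daemon until explicitly stopped; run
    # `docker compose down` when the exercise is finished.
    restart: unless-stopped

  # Static site served from ./webapp (read-only). No host port is published,
  # so it is reachable only from containers on lab_net.
  webapp:
    image: nginx:alpine
    container_name: webapp
    volumes:
      - ./webapp:/usr/share/nginx/html:ro
    networks:
      - lab_net
    restart: unless-stopped

  # Second static site served from ./malicious (read-only), also without a
  # published host port. Going by the name, it stands in for an
  # attacker-controlled origin in the lab scenario.
  malicious:
    image: nginx:alpine
    container_name: malicious_site
    volumes:
      - ./malicious:/usr/share/nginx/html:ro
    networks:
      - lab_net
    restart: unless-stopped

networks:
  # Single user-defined bridge shared by all three containers.
  lab_net:
    driver: bridge

volumes:
  # Declared with default settings (the original leaves the value empty).
  nginx_ui_data: {}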