web UI - init work on using docker-socket-proxy
This commit is contained in:
bunkerity
@@ -294,8 +294,6 @@ docker service create --name anotherapp \
|
||||
|
||||
## Web UI
|
||||
|
||||
**This feature exposes, for now, a security risk because you need to mount the docker socket inside a container exposing a web application. You can test it but you should not use it in servers facing the internet.**
|
||||
|
||||
A dedicated image, *bunkerized-nginx-ui*, lets you manage bunkerized-nginx instances and services configurations through a web user interface. This feature is still in beta, feel free to open a new issue if you find a bug and/or you have an idea to improve it.
|
||||
|
||||
First we need a volume that will store the configurations :
|
||||
@@ -320,6 +318,7 @@ docker run -p 80:8080 \
|
||||
-e AUTO_LETS_ENCRYPT=yes \
|
||||
-e REDIRECT_HTTP_TO_HTTPS=yes \
|
||||
-e DISABLE_DEFAULT_SERVER=yes \
|
||||
-e admin.domain.com_USE_MODSECURITY=no \
|
||||
-e admin.domain.com_SERVE_FILES=no \
|
||||
-e admin.domain.com_USE_AUTH_BASIC=yes \
|
||||
-e admin.domain.com_AUTH_BASIC_USER=admin \
|
||||
@@ -331,7 +330,7 @@ docker run -p 80:8080 \
|
||||
bunkerity/bunkerized-nginx
|
||||
```
|
||||
|
||||
The `AUTH_BASIC` environment variables let you define a login/password that must be provided before accessing to the web UI. At the moment, there is no authentication mechanism integrated into bunkerized-nginx-ui.
|
||||
The `AUTH_BASIC` environment variables let you define a login/password that must be provided before accessing to the web UI. At the moment, there is no authentication mechanism integrated into bunkerized-nginx-ui so **using auth basic with a strong password coupled with a "hard to guess" URI is strongly recommended**.
|
||||
|
||||
We can now create the bunkerized-nginx-ui container that will host the web UI behind bunkerized-nginx :
|
||||
|
||||
|
||||
@@ -211,6 +211,37 @@ Here is the list of related environment variables and their default value :
|
||||
- `USE_BLACKLIST_REVERSE=yes` : enable/disable blacklisting by reverse DNS
|
||||
- `BLACKLIST_REVERSE_LIST=.shodan.io` : the list of reverse DNS suffixes to never trust
|
||||
|
||||
## Web UI
|
||||
|
||||
Mounting the docker socket in a container which is facing the network, like we do with the [web UI](https://bunkerized-nginx.readthedocs.io/en/latest/quickstart_guide.html#web-ui), is not a good security practice. In case of a vulnerability inside the application, attackers can freely use the Docker socket and the whole host can be compromised.
|
||||
|
||||
A possible workaround is to use the [tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) image which acts as a reverse proxy between the application and the Docker socket. It can allow/deny the requests made to the Docker API.
|
||||
|
||||
Before starting the web UI, you need to fire up the docker-socket-proxy (we also need a network because of inter-container communication) :
|
||||
|
||||
```shell
|
||||
docker network create mynet
|
||||
```
|
||||
|
||||
```shell
|
||||
docker run --name mysocketproxy \
|
||||
--network mynet \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
||||
-e POST=1 \
|
||||
-e CONTAINERS=1 \
|
||||
tecnativa/docker-socket-proxy
|
||||
```
|
||||
|
||||
You can now start the web UI container and use the `DOCKER_HOST` environment variable to define the Docker API endpoint :
|
||||
|
||||
```shell
|
||||
docker run --network mynet \
|
||||
-v autoconf:/etc/nginx \
|
||||
-e ABSOLUTE_URI=https://my.webapp.com/admin/ \
|
||||
-e DOCKER_HOST=tcp://mysocketproxy:2375 \
|
||||
bunkerity/bunkerized-nginx-ui
|
||||
```
|
||||
|
||||
## Container hardening
|
||||
|
||||
### Drop capabilities
|
||||
|
||||
Reference in New Issue
Block a user