Ryonez Posted June 8, 2019

Hi there! I'd like some assistance figuring out how to secure my docker network and some of the various services.

So, there are some services I'd like to secure away from my home network, and possibly between other docker images. This includes things like services that only provide non-secure connections (such as http, which instead get run through a reverse proxy to secure them), or services that are just too hard to get secured (such as SSL on Postgres, or LDAP, omg LDAP just fights so much).

For example, I'd like to make something like this:

Network: bro
Image | Access
pihole | IP: LAN IP

Network: Docker Bridge (Default Network)
I probably won't even use this if I can get the other stuff going.

Network: Docker Secure
Image | Access
Postgres | Internal only
MariaDB | Internal only
Keycloak | Internal only
LDAP | Internal only
searx | Internal only
letsencrypt | Ports 80 and 443 exposed

Network: Docker Test
Image | Access
Postgres | Port 5432
searx | Internal only
letsencrypt | Ports 80 and 443 exposed

Network: host
Image | Access
Plex | Host

Sadly I can't really look into VLANs atm. In terms of HW, I have:
FritzBox 7490 (seems to not support VLAN or work as a managed switch)
My server as listed in my sig.

I don't have a spare network card, and I can't really earn money, so saving for hardware takes a really long time. Not complaining mind, but it limits what I can do, sorry.

During tests, I found some weird things I can't explain, like giving the letsencrypt docker its own IP stopped it from serving any site from the server, citing the gateway was bad.

Also I notice linuxserver's images use names to talk to other images a lot, however that doesn't work for me and I have to often replace the names with the server's LAN IP.

Any help would be greatly appreciated!
Ryonez Posted June 17, 2019 (Author)

Got it, learned about docker networks a bit better, and learned that this:

On 6/9/2019 at 11:45 AM, Ryonez said:
Also I notice linuxserver's images use names to talk to other images a lot, however that doesn't work for me and I have to often replace the names with the server's LAN IP.

was just because the default network unRaid makes doesn't have DNS resolution on it.
BRiT Posted June 17, 2019

So what did you end up having to do?
Ryonez Posted June 17, 2019 (Author) (edited)

I found this: https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/#simplehtmlwebpagehosting

And then I noticed the readme file in /nginx/proxy-confs. Both of these were created long after I first started using the container >.<

As for creating the network I used this: `docker network create [networkname]`

That paired with using lowercase characters in the container names and switching the containers into using that network, brought the container name DNS resolution up. Then changed unRAID's web ports and switched letsencrypt's ones to be exposed in their place.

With pihole managing DNS for my network, I set up internal domain names to point at the unRAID's IP. This gave me internal site resolution for sites I wanted internally accessed.

To secure those sites I added the following to the location blocks of internal site confs:

allow [internal IP]/24;
deny all;

Now I have https with a valid cert, that can only be accessed on my internal network. External sites are still accessible as well.

This is a massive improvement over what I had before. While I do control my network, it always sat wrong with me that exposed unsecured traffic could be caught before. Like, I hated it, especially considering the changes I'd have to make to some dockers to secure traffic that should be secured by default. Looking at you LDAP, Postgres and MariaDB.

I feel so much more comfortable now. The only two containers still outside the bridge are pihole and openvpn-as. I'd like to secure the web interface for pihole better than its default later. openvpn-as is a self-signed cert, but I'm okay with it atm.

Edited June 17, 2019 by Ryonez
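The allow/deny fencing from the post above, as an added shell example that is not from the thread or from the linuxserver project: it writes an internal-only location block for a constructed LAN range (192.168.1.0/24, an assumption) and checks that every proxied location block in a conf carries an allow line followed by deny all, since nginx applies the first matching access rule and a deny all placed before the allow would lock out the LAN as well.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an nginx location block that
# is reachable only from the LAN and checks existing confs for the same fence.
# The LAN range below is a constructed assumption; replace it with your own.
LAN_CIDR="192.168.1.0/24"

# Write a location block for an internal-only site.
# $1 = path (e.g. /), $2 = upstream container name on the user-defined docker
# network (resolvable by DNS there), $3 = output file
write_internal_location() {
    cat > "$3" <<EOF
location $1 {
    allow $LAN_CIDR;
    deny all;
    proxy_pass http://$2;
}
EOF
}

# Return 0 when every location block that contains proxy_pass has at least
# one "allow" directive followed by "deny all;", otherwise print the
# offending blocks and return 1. nginx uses the first matching access rule,
# so "deny all;" placed before "allow" blocks everyone, including the LAN;
# that order is reported as unfenced too. Assumes non-nested location blocks.
check_internal_conf() {
    awk '
        /^[[:space:]]*location[[:space:]]/ {
            inloc = 1; name = $0; allow = 0; deny = 0; proxy = 0; next
        }
        inloc && /^[[:space:]]*allow[[:space:]]/        { allow = 1 }
        inloc && /^[[:space:]]*deny[[:space:]]+all;/    { if (allow) deny = 1 }
        inloc && /^[[:space:]]*proxy_pass[[:space:]]/   { proxy = 1 }
        inloc && /^[[:space:]]*}/ {
            inloc = 0
            if (proxy && !(allow && deny)) { print "unfenced: " name; bad++ }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}
```

Run check_internal_conf against each file under proxy-confs that is meant to stay internal; a location block that only returns a static response and never proxies is not flagged.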