How do I Secure Docker Networks?



Hi there!

I'd like some assistance figuring out how to secure my docker network and some of the various services.

So, there are some services I'd like to secure away from my home network, and possibly from other docker images. This includes things like services that only provide non-secure connections (such as http, which instead get run through a reverse proxy to secure them), or services that are just too hard to get secured (such as ssl on postgres, or LDAP, omg LDAP just fights so much).

For example, I'd like to make something like this:

Network: bro
Image        | Access
pihole       | IP: LAN IP

Network: Docker Bridge (Default Network)
I probably won't even use this if I can get the other stuff going.

Network: Docker Secure
Image        | Access
Postgres     | Internal only
MariaDB      | Internal only
Keycloak     | Internal only
LDAP         | Internal only
searx        | Internal only
letsencrypt  | Ports 80 and 443 exposed

Network: Docker Test
Image        | Access
Postgres     | Port 5432
searx        | Internal only
letsencrypt  | Ports 80 and 443 exposed

Network: host
Image        | Access
Plex         | Host


Sadly I can't really look into vlans atm. In terms of HW, I have:
FritzBox 7490 (Seems to not support vlan or work as a managed switch)
My server as listed in my Sig.

I don't have a spare network card, and I can't really earn money, so saving for hardware takes a really long time. Not complaining mind, but it limits what I can do, sorry.
During tests, I found some weird things I can't explain, like giving the letsencrypt docker its own IP stopped it from serving any site from the server, citing the gateway was bad. Also I notice linuxserver's images use names to talk to other images a lot, however that doesn't work for me and I have to often replace the names with the server's LAN IP.

Any help would be greatly appreciated!

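The plan above boils down to one property: only the reverse proxy may publish host ports, everything else stays reachable solely over its docker network. The script below is an added example (not from this thread or from unRAID) that checks that property against `docker inspect` output. The JSON it reads is a constructed sample trimmed to the real field names (`Name`, `NetworkSettings.Ports`, `NetworkSettings.Networks`); the container names mirror the "Docker Secure" and "Docker Test" layouts above.

```python
import json
import sys

# Constructed sample of `docker inspect` output, reduced to the fields this
# audit reads. A port listed with a null value is only EXPOSEd (reachable from
# attached networks); a list of bindings means docker published it on the host.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/postgres",
     "NetworkSettings": {"Ports": {"5432/tcp": None},
                         "Networks": {"docker_secure": {}}}},
    {"Name": "/keycloak",
     "NetworkSettings": {"Ports": {"8080/tcp": None},
                         "Networks": {"docker_secure": {}}}},
    {"Name": "/letsencrypt",
     "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}],
                                   "443/tcp": [{"HostIp": "0.0.0.0", "HostPort": "443"}]},
                         "Networks": {"docker_secure": {}}}},
    {"Name": "/postgres-test",
     "NetworkSettings": {"Ports": {"5432/tcp": [{"HostIp": "0.0.0.0", "HostPort": "5432"}]},
                         "Networks": {"docker_test": {}}}},
])

# Assumed policy for this setup: only the proxy may publish, and only 80/443.
ALLOWED = {"letsencrypt": {"80", "443"}}


def published_ports(container):
    """Return [(host_ip, host_port, container_port)] for every binding docker
    actually created on the host. Null entries are skipped on purpose."""
    ports = container.get("NetworkSettings", {}).get("Ports") or {}
    bindings = []
    for cport, hosts in ports.items():
        for h in hosts or []:
            bindings.append((h.get("HostIp", ""), h["HostPort"], cport))
    return bindings


def audit(inspect_json, allowed):
    """List every published port that the policy does not permit.
    Empty result means the network matches the intended layout."""
    findings = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        nets = ", ".join(sorted(c.get("NetworkSettings", {}).get("Networks", {})))
        for host_ip, host_port, cport in published_ports(c):
            if host_port in allowed.get(name, set()):
                continue
            # "" or 0.0.0.0 means every host interface, i.e. the whole LAN
            scope = "all interfaces" if host_ip in ("", "0.0.0.0") else host_ip
            findings.append(f"{name}: {cport} published on {scope}:{host_port} "
                            f"(networks: {nets})")
    return findings


if __name__ == "__main__":
    # Usage on a real host: docker inspect $(docker ps -q) | python3 audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for line in audit(data, ALLOWED) or ["OK: nothing unexpected is published"]:
        print(line)
```

Run against the sample it reports only the test Postgres, which is exactly the container the "Docker Test" table publishes on 5432; a published DB bound to 0.0.0.0 is reachable from every device on the LAN, not just from the other containers.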
  • 2 weeks later...

Got it, learned about docker networks a bit better, and learned that this

On 6/9/2019 at 11:45 AM, Ryonez said:

Also I notice linuxserver's images use names to talk to other images lot, however that doesn't work for me and I have to often replace the names with the server's lan ip.


was just because the default network unRaid makes doesn't have DNS resolution on it.


I found this: https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/#simplehtmlwebpagehosting
And then I noticed the readme file in /nginx/proxy-confs. Both of these were created long after I first started using the container >.<

As for creating the network I used this:

`docker network create [networkname]`


That, paired with using lowercase characters in the container names and switching the containers to that network, brought the container name DNS resolution up.

Then I changed unRAID's web ports and switched letsencrypt's ones to be exposed in their place. With pihole managing DNS for my network, I set up internal domain names to point at unRAID's IP. This gave me internal site resolution for sites I wanted internally accessed. To secure those sites I added the following to the location blocks of internal site confs:

allow [internal IP]/24;
deny all;

Now I have https with a valid cert, that can only be accessed on my internal network.

External sites are still accessible as well.

This is a massive improvement over what I had before. While I do control my network, it always sat wrong with me that exposed unsecured traffic could be caught before. Like I hated it, especially considering the changes I'd have to make to some dockers to secure traffic that should be secured by default. Looking at you LDAP, postgres and MariaDB. I feel so much more comfortable now.

The only two containers still outside the bridge are pihole and openvpn-as. I'd like to secure the web interface for pihole better than its default later. openvpn-as is a self-signed cert, but I'm okay with it atm.

Edited by Ryonez
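The `allow ... / deny all;` pair in the post relies on two nginx rules worth knowing before copying it around: the access module takes the first rule that matches, and a request matched by no rule is allowed. The evaluator below is an added example (not from this thread or from the linuxserver container) that mimics that logic over a constructed location block, so the effect of rule order, a missing `deny all`, and an IPv6 client can be checked without touching the live proxy. The LAN range and hostname are assumptions; substitute your own.

```python
import ipaddress
import re

# Constructed sample of an internal-site conf. The LAN range is an assumption
# (a Fritz!Box hands out 192.168.178.0/24 by default; adjust to yours).
INTERNAL_SITE_CONF = """
server {
    listen 443 ssl;
    server_name searx.home.example;
    location / {
        allow 192.168.178.0/24;
        deny all;
        proxy_pass http://searx:8080;
    }
}
"""

RULE_RE = re.compile(r"^\s*(allow|deny)\s+(\S+?)\s*;")


def parse_rules(conf_text):
    """Collect (action, target) pairs in file order. Targets are 'all',
    a single address or a CIDR range, the forms ngx_http_access_module takes."""
    rules = []
    for line in conf_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def is_allowed(rules, client_ip):
    """Decide like nginx does: first matching rule wins; no match means the
    request goes through, which is why 'deny all' must come last."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            return action == "allow"
        net = ipaddress.ip_network(target, strict=False)
        # 'in' is False when the families differ, so an IPv4 allow rule
        # never matches an IPv6 client and that client falls through to deny all
        if ip in net:
            return action == "allow"
    return True


if __name__ == "__main__":
    rules = parse_rules(INTERNAL_SITE_CONF)
    for client in ("192.168.178.20", "203.0.113.5", "fd00::1"):
        print(client, "allowed" if is_allowed(rules, client) else "denied")
```

Two consequences fall out of running it: swapping the two lines denies the LAN as well, and dropping `deny all` allows everyone, since an unmatched request is permitted by default. The IPv6 case is the one most likely to bite on a Fritz!Box LAN, where clients may reach the proxy over an IPv6 address that a `/24` allow rule never matches; add an `allow` for the ULA or prefix range if internal clients should use it, or leave it and treat the denial as intended.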
