Securing N-Solid Console in a Docker environment
Any web proxy can sit in front of nsolid-console; this document explains how to do it with nginx.
nginx.Dockerfile
The public nginx Docker images are great but don't go far enough for production-level security. The following file builds a Docker image that locks down file permissions within the image and runs nginx as the unprivileged www-data user.
```Dockerfile
FROM nginx:stable

# Pre-create the pid file and hand it, together with the cache directory, to
# www-data so nginx can run without root. Group root with mode 0770 keeps
# every other user out of both paths.
RUN touch /var/run/nginx.pid \
    && chown -R www-data:root /var/run/nginx.pid \
    && chmod -R 0770 /var/run/nginx.pid \
    && chown -R www-data:root /var/cache/nginx \
    && chmod -R 0770 /var/cache/nginx

# Drop privileges for the nginx master process itself.
USER www-data
CMD ["nginx", "-g", "daemon off;"]
```
Docker Compose
This is an example addition to the docker-compose file. The key aspect is the dependency on the host folder nginx, whose contents are mounted read-only into the container. The files in this folder are described below.
```yaml
nginx:
  container_name: nginx
  image: custom/nginx:build
  ports:
    - "80:80"
    - "443:443"
  # everything nginx needs is mounted read-only from ./nginx on the host
  volumes:
    - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
    - ./nginx/nsolid-nginx.conf:/etc/nginx/nsolid.conf:ro
    - ./nginx/htpasswd:/etc/nginx/htpasswd:ro
    - ./nginx/certs:/etc/nginx/ssl:ro
```
Creating certificates / basic auth
Create nginx SSL certificates
This will be a self-signed certificate. If you want to avoid certificate warnings, consider getting a certificate for a domain at letsencrypt.com or another online provider.
```sh
# -x509 issues a self-signed certificate, -nodes leaves the key unencrypted so
# nginx can read it without a passphrase. Without -days, openssl defaults to a
# 30-day validity period.
openssl req -x509 -nodes -newkey rsa:2048 -keyout ./nginx/certs/nsolid-nginx.key -out ./nginx/certs/nsolid-nginx.crt
```
Basic Auth file
```sh
# -c creates the file, -b reads the password from the command line (it will
# appear in shell history; omit -b to be prompted instead).
htpasswd -cb ./nginx/htpasswd {username} {password}
```
nginx.conf
```nginx
pid /run/nginx.pid;
error_log /dev/stdout;
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    keepalive_timeout 65;
    log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name to:$upstream_addr request:$request upstream_response_time:$upstream_response_time msec:$msec request_time:$request_time upstream_status:$upstream_status upstream_cache_status:$upstream_cache_status';
    add_header X-Backend-Loadbalancer $hostname;
    add_header X-Upstream-Backend $upstream_addr;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##
    access_log /dev/stdout upstreamlog;
    error_log /dev/stdout;

    # Redirect all traffic to SSL
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    # Expose NGINX status endpoint. Port 8080 is not published in
    # docker-compose, so it is reachable only inside the container network.
    server {
        listen 8080;
        server_name health;
        location / {
            stub_status on;
            access_log off;
        }
    }

    include nsolid-nginx.conf;
}
```
Note the include line at the end: it keeps the nsolid-specific configuration in a separate file.
nsolid-nginx.conf
```nginx
upstream console {
    # assumes `nsolid-console` is named `console` in your docker-compose file.
    server console:6753; # the port must match the one nsolid-console listens on
}

# Port 80 server to redirect to a secure connection
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name nsolid;
    return 301 https://$host$request_uri;
}

server {
    # the ssl parameter on listen enables TLS; a separate "ssl on;" directive
    # is deprecated and not needed
    listen 443 ssl;
    server_name nsolid;
    ssl_certificate /etc/nginx/ssl/nsolid-nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nsolid-nginx.key;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 4h;

    location / {
        # every request to the console must present basic-auth credentials
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;
        add_header X-Cache-Status $upstream_cache_status;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # pass websocket upgrades through to the console
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://console;
    }
}
```
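A file like this is easy to get subtly wrong: a directive that lost its `;`, the deprecated `ssl on;`, TLS 1.0/1.1 still listed in `ssl_protocols`, or a `proxy_pass` location with no `auth_basic` in front of the console. The POSIX-sh script below lints a server config for exactly those four mistakes before it ever reaches a container. It is an added example, not part of the N-Solid documentation or of the nginx project; the two configs it checks are constructed samples modelled on this page, and the function names `lint_nginx_tls` and `lint_count` are chosen here.

```shell
#!/bin/sh
# Constructed sample modelled on the nsolid-nginx.conf above: it carries a
# missing semicolon, "ssl on;", legacy protocols and no basic auth.
WEAK_CONF=$(cat <<'EOF'
server {
    listen 443 ssl;
    server_name nsolid
    ssl on;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    location / {
        proxy_pass http://console;
    }
}
EOF
)

# Constructed hardened counterpart: terminated directives, modern TLS only,
# and basic auth guarding the proxied location.
HARDENED_CONF=$(cat <<'EOF'
server {
    listen 443 ssl;
    server_name nsolid;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;
        proxy_pass http://console;
    }
}
EOF
)

# lint_nginx_tls: read an nginx server config on stdin, print one finding per
# line and return the number of findings (0 means clean).
lint_nginx_tls() {
    findings=0
    lineno=0
    saw_auth=0
    saw_proxy=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # trim leading and trailing whitespace
        t=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')

        # 1) every directive line must end with ';' (blank lines, comments and
        #    block braces are exempt)
        case "$t" in
            ''|'#'*|*'{'|'}') ;;
            *';') ;;
            *) echo "line $lineno: directive not terminated with ';': $t"
               findings=$((findings + 1)) ;;
        esac

        case "$t" in
            # 2) "ssl on;" is deprecated; "listen 443 ssl;" already enables TLS
            'ssl on;'|'ssl on')
                echo "line $lineno: 'ssl on;' is deprecated; use the ssl parameter on listen"
                findings=$((findings + 1)) ;;
            # 3) only TLS 1.2 and 1.3 may appear in ssl_protocols
            ssl_protocols*)
                for p in $t; do
                    case "$p" in
                        ssl_protocols|TLSv1.2*|TLSv1.3*) ;;
                        *) echo "line $lineno: weak protocol enabled: ${p%;}"
                           findings=$((findings + 1)) ;;
                    esac
                done ;;
            auth_basic*) saw_auth=1 ;;
            proxy_pass*) saw_proxy=1 ;;
        esac
    done
    # 4) a proxied console with no basic auth anywhere in the file
    if [ "$saw_proxy" -eq 1 ] && [ "$saw_auth" -eq 0 ]; then
        echo "proxy_pass present but no auth_basic: console would be reachable without credentials"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# lint_count: run the linter over a config held in a string and echo the
# number of findings, so callers can compare it without tripping "set -e".
lint_count() {
    n=0
    printf '%s\n' "$1" | lint_nginx_tls >/dev/null || n=$?
    echo "$n"
}

# Demo run over the two constructed samples (5 findings, then 0).
printf '%s\n' "$WEAK_CONF" | lint_nginx_tls || true
printf 'weak config findings: %s\n' "$(lint_count "$WEAK_CONF")"
printf 'hardened config findings: %s\n' "$(lint_count "$HARDENED_CONF")"
```

This is a line-oriented check, so `nginx -t` inside the image remains the authoritative syntax test; the script's value is that it runs anywhere (a pre-commit hook or CI step over `./nginx/*.conf`) and flags the policy problems that `nginx -t` accepts as perfectly valid configuration, such as TLS 1.0 being enabled or a location that forwards to the console with no authentication.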