Docker Webserver - Security Issues - Discussion


bigjme

Recommended Posts

Hi Everyone,

 

I have been reading around with regards to running webservers on unraid and wanted to open a discussion to find issues people see with running webservers in unraid, and recommendations to help security

 

I am one of those people that runs a number of web servers from home due to my job (web developer) - while they are not holding anything important it is important to me that i don't compromise security of other devices. A docker in itself is supposed to be an isolated environment yet i am still seeing posts about them not being secure enough for this and also reports that unraid itself is not secure enough for this

 

I am sure there are many others with web servers in dockers that are unaware of security flaws that may come with it - so can anyone help enlighten me and others as to the security issues with doing this?

 

Below is one of my test environments that is kept to internal access - for now i can use this as a theoretical server for comments - please point out any flaws you see in this as it may give others a ground to start from:


 

My router is set to forward port 80 traffic to a docker within unraid on a random port

The docker is set up using host mode so it has a network accessible ip

This docker has a custom web system which checks all requests going through it, validates them and passes the requests on to other dockers that are running in bridge mode with no ports mapped - accessible only via unraid - apache, nginx etc.

The receiving servers run a custom handler file which alters php properties, sanitize any requests, then loads up the needed files requested

 

Jamie

 

p.s. Sorry if this has been gone over before or this seems like a slight deviation as to this topics use but i think this is an important thing to cover

Link to comment

General rule of security thumb "Dont put anything on the internet you cannot patch".

 

To add some context the current stable unRAID used docker 1.7.1, have a look at this changelog https://github.com/docker/docker/blob/master/CHANGELOG.md and see the highlights of what has been released in the last 11 months of missed patches.

 

unRAID is simply not designed to be internet facing.

 

Can you do it sure. Will you be safe, maybe.

 

I recommend a VPS for web development.

Link to comment

General rule of security thumb "Dont put anything on the internet you cannot patch".

 

To add some context the current stable unRAID used docker 1.7.1, have a look at this changelog https://github.com/docker/docker/blob/master/CHANGELOG.md and see the highlights of what has been released in the last 11 months of missed patches.

 

unRAID is simply not designed to be internet facing.

 

Can you do it sure. Will you be safe, maybe.

 

I recommend a VPS for web development.

 

Question: I am trying to improve my wife's web development processes and am wondering if you have the same issues if say your plan was to use virtual machines (using a OS that is easy to update and was designed to be forward facing) instead of Dockers? 

Link to comment

There is a bridge here between reality and probability.

 

The concept is that because you are not auditing the code you are using you are trusting 100% other people to find, disclose and fix the issues. In general that works really quite well (thank god) IF IF IF you can apply patches.

 

The extra kicker is the more systems you add the more risk you are taking on and on an unRAID system you are betting the house that your VM or docker container contains no exploits that can be abused and if they do that the underlying architecture can keep them contained. Imagine what happens if someone breaks out of your VM.

 

unRAID pays no special attention to keeping exploits contained. It inherits some security from upstream projects like docker etc but as a general rule it is uses a less secure model than pretty much any modern linux distro. This is not a negative point it is by design for convenience and its history of being a LAN only device.

 

Now in this context think of all the security patches that are released that you cannot apply because the appliance model does not let you. Last year a means of getting root was discovered and not made public. I am not even sure it is mentioned in the changelogs.

 

unRAID is just the wrong device for this if you are concerned about security.

 

Saying all that, as with all things, its just a game of risk.

 

 

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.