Consider using "expose:" vs. "ports" in the docker compose yaml. #116

Open
sudoshi opened this issue Nov 28, 2023 · 6 comments
Comments

@sudoshi

sudoshi commented Nov 28, 2023

Consider using the expose parameter for all ports that do not need to be bound to the docker host external environment. This will reduce conflicts between application stacks running on the same docker host (i.e. Perseus and Broadsea). It also increases security by ensuring that key services are only available within the docker network.

In the case of Traefik, this will allow one instance of the container to serve as reverse proxy across multiple networks and manage SSL for all stacks. Explained here: (https://ioflood.com/blog/docker-compose-ports-vs-expose-explained/#:~:text='Expose'%20is%20used%20for%20inter,the%20host%20machine%20and%20beyond.)
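The difference sudoshi describes, as an added example that is not part of the issue or the Broadsea repository: the same database service wired three ways. Service names, the image tag and the network name are assumed for illustration.

```yaml
# Added example (not Broadsea's own compose file). Service and network
# names are assumed; the point is the difference between "ports" and "expose".
services:
  # BEFORE: "ports" publishes 5432 on every host interface (0.0.0.0 and ::),
  # so the database is reachable from wherever the host is reachable.
  db-published:
    image: postgres:15
    environment:
      POSTGRES_PASSWORD: change-me   # placeholder; never ship a default
    ports:
      - "5432:5432"
    networks:
      - app-internal

  # AFTER: "expose" binds nothing on the host. Other containers on
  # app-internal can still reach 5432 (they could even without "expose";
  # on a user-defined network "expose" is documentation, not a firewall).
  db-internal:
    image: postgres:15
    environment:
      POSTGRES_PASSWORD: change-me   # placeholder
    expose:
      - "5432"
    networks:
      - app-internal

  # MIDDLE GROUND for the "remote DBA access" case discussed below: publish
  # only on the host's loopback interface and reach it through an SSH tunnel,
  # so the port never appears on the public interface.
  db-loopback:
    image: postgres:15
    environment:
      POSTGRES_PASSWORD: change-me   # placeholder
    ports:
      - "127.0.0.1:5432:5432"
    networks:
      - app-internal

networks:
  app-internal:
    internal: true   # also blocks egress; drop this if the db needs outbound access
```

A quick way to see the difference on a running host is `docker compose ps` (the PORTS column) or `ss -ltnp`: the published variant shows `0.0.0.0:5432`, the loopback variant `127.0.0.1:5432`, and the expose-only variant nothing at all.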

@alondhe
Collaborator

alondhe commented Jan 4, 2024

Which ports do you think we shouldn't have open to the external environment?

@sudoshi
Author

sudoshi commented Jan 4, 2024

Any/all ports that belong to a db or API. I had a hell of a time with cryptominers and other malware invading my docker environment on GCP. Specifically kdevtmpfsi (kinsing) and a hotfuzz variant.

@alondhe
Collaborator

alondhe commented Jan 4, 2024

Understood. I think we can shift to expose for all services but these:

  1. traefik - needed
  2. atlasdb - it is helpful to have remote access for DBA activities. However, we need to address the password secret issue in the docker image, this is likely where you had the malware issue. For now, I think we need to advise changing the PG password after building.
  3. openldap - if we position this as for debugging only, then sure, we could keep this internal only. The challenge is that there's not a lot of good ldap user management we can do via Docker, just user names and passwords.

Others exist in the experimental Perseus services and have just been adopted from that repo. But we could try limiting those.

@sudoshi
Author

sudoshi commented Jan 5, 2024

Agreed. I think we should either enforce or strongly urge users to use strong passwords and non-standard ports if the ports are bound vs. exposed. For example, instead of postgres/mypass on port 5432 as the default, perhaps we should change those default parameters?

@alondhe
Collaborator

alondhe commented Jan 5, 2024

I just pushed some changes to develop to really scale back the number of external ports:

  1. traefik
  2. atlasdb
  3. openldap

Let's examine the last 2, but thanks @sudoshi for the push towards fewer external ports!

@sudoshi
Author

sudoshi commented Jan 5, 2024

@alondhe - this is the part of docker-compose.yml that I modified from the original Broadsea docker compose yaml:

  traefik:
    image: docker.io/library/traefik:v2.10.5
    container_name: traefik
    restart: unless-stopped
    ipc: none
    read_only: true
    environment:
      BROADSEA_HOST: ${BROADSEA_HOST}
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./traefik/traefik-${HTTP_TYPE}.yml:/etc/traefik/traefik.yml:ro
      - ./traefik/config.yml:/etc/traefik/config.yml:ro
      - ${BROADSEA_CERTS_FOLDER}:/etc/certs:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command:
      - "--api.dashboard=true"
      - "--api.insecure=false"
      - "--log.level=INFO"
      - "--providers.docker=true"
      - "--providers.docker.network=traefik-proxy"
      - "--providers.docker.exposedByDefault=false"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mydashboard.rule=Host(`sandbox.acumenus.net`) && PathPrefix(`/api`, `/dashboard`)"
      - "traefik.http.routers.mydashboard.service=api@internal"
      - "traefik.http.routers.mydashboard.middlewares=myauth"
      - "traefik.http.middlewares.myauth.basicauth.users=acumenus:$$apr1$$aw2RYnxA$$RXTcLZ8KipPUcyeoLGziu0" # <-- change me using htpasswd to create an encrypted user/password combo (note: "$" must be written as "$$" in compose)
    networks:
      - traefik-proxy

This enables the traefik dashboard where you can see ALL the ports being managed by the reverse proxy and the routes and middleware specified in the traefik.yml configuration file. It took me a few days to get it to work, and I don't know how to create a pull request (I'll learn this weekend - now that I have a reason to!), so if you want to incorporate it, please do.

https://sandbox.acumenus.net/dashboard/

results in:

[Screenshot, 2024-01-05: the Traefik dashboard served at the URL above]

https://www.web2generators.com/apache-tools/htpasswd-generator
