How to secure your website? Docker!

Hello,

I have spent the last few days working out how to secure my website and limit the impact of an attack. Linux is secure, but there are always bugs and breaches, generally in the plugins, templates, etc.

I have explored the possibilities under Linux and I chose Docker to secure my website: it takes more memory because you create several instances, but you isolate the website and limit the impact of an attack.

To install Docker under Linux (Ubuntu), follow these steps. First, import the signing key of the Docker package repository:

apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D

Enable the repository corresponding to your Ubuntu version by uncommenting the matching line in your apt sources:

## Debian Wheezy
#deb https://apt.dockerproject.org/repo debian-wheezy main
## Debian Jessie
#deb https://apt.dockerproject.org/repo debian-jessie main
## Debian Stretch/Sid
#deb https://apt.dockerproject.org/repo debian-stretch main
## Ubuntu Precise
#deb https://apt.dockerproject.org/repo ubuntu-precise main
## Ubuntu Trusty
#deb https://apt.dockerproject.org/repo ubuntu-trusty main
## Ubuntu Utopic
#deb https://apt.dockerproject.org/repo ubuntu-utopic main
## Ubuntu Vivid
#deb https://apt.dockerproject.org/repo ubuntu-vivid main
## Ubuntu Wily
#deb https://apt.dockerproject.org/repo ubuntu-wily main

Then install Docker:

# apt-get install docker-engine

You will find below my Dockerfile to run php5-fpm and MySQL (MariaDB):

FROM ubuntu
MAINTAINER Nicolas Portais <...>
# Install MariaDB, php5-fpm with its extensions, and supervisor in a single layer
RUN apt-get update && apt-get install -y \
        mariadb-server-5.5 mariadb-client-5.5 \
        php5-fpm php5-cli php5-mysql php5-imap php5-curl php5-gd php5-imagick php5-mcrypt php5-readline \
        libcurl3 libcurl3-gnutls openssh-client telnet supervisor \
    && apt-get clean
# php5-fpm is started as www-data by supervisord, so its log and pid file must be writable by that user
RUN touch /var/log/php5-fpm.log /var/run/php5-fpm.pid \
    && chown www-data /var/log/php5-fpm.log /var/run/php5-fpm.pid
# Replace the default php-fpm pool configuration with our own
RUN rm /etc/php5/fpm/pool.d/www.conf
COPY www.conf /etc/php5/fpm/pool.d/
# supervisord program definitions and the container start-up script
COPY s_mysqld.conf /etc/supervisor/conf.d/
COPY s_php5-fpm.conf /etc/supervisor/conf.d/
COPY docker_service.sh /
RUN chmod 755 /docker_service.sh
ENV PHP_FPM_USER=www-data
# FastCGI port of php5-fpm; the docker run command publishes it on the host loopback only
EXPOSE 9000
COPY my.cnf /etc/mysql/

Then build the image:

docker build -t ubuntu/wordpress .

I run my WordPress container with this script:

#!/bin/sh
# The MariaDB data directory and the web root are bind-mounted from the host,
# so they survive container rebuilds.
# php5-fpm (port 9000) is published on 127.0.0.1:9001 only, so nothing outside
# the host can reach the FastCGI socket.
docker run -d -it \
    -v /data/mysql:/data/mysql \
    -v /www:/www \
    -p 127.0.0.1:9001:9000 \
    --name mycontainer \
    --restart=always \
    --hostname container1 \
    ubuntu/wordpress /docker_service.sh

Below is the script I use to start the services inside the container:

#!/bin/sh
# Start supervisord (which runs mysqld and php5-fpm) in the background, then
# replace this script with a bash shell that keeps the container alive.
supervisord &
exec /bin/bash

The tip here is to use ‘exec’ for the bash shell 😉

Then modify your Apache or nginx configuration to pass PHP requests to the forwarded port:

127.0.0.1:9001
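As an added example that is not part of the original post, here is an nginx server block that hands PHP requests to the container's php5-fpm through that forwarded port. It assumes the host web root is /www, the same path bind-mounted into the container by the docker run command above, because php-fpm opens SCRIPT_FILENAME from its own filesystem; the server name is a placeholder.

```nginx
server {
    listen 80;
    server_name example.com;   # placeholder, use your own domain

    # Same path on the host and inside the container (-v /www:/www):
    # php-fpm resolves SCRIPT_FILENAME inside the container.
    root /www;
    index index.php index.html;

    # WordPress permalinks
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # Only pass PHP files that really exist on disk to php-fpm, so a URI
        # such as /uploads/image.jpg/x.php is answered with 404 instead of
        # being executed (the classic cgi.fix_pathinfo problem).
        try_files $uri =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # php5-fpm in the container, published on the host loopback by docker run
        fastcgi_pass 127.0.0.1:9001;
    }

    # Keep dotfiles (.htaccess, .git, ...) private
    location ~ /\. {
        deny all;
    }
}
```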

You will find below the supervisord configuration files referenced in my Dockerfile:

# cat s_mysqld.conf
[program:mysqld]
; pidproxy forwards supervisord's signals to the real mysqld process (mysqld_safe is only a wrapper)
command=/usr/bin/pidproxy /var/run/mysqld/mysqld.pid /usr/bin/mysqld_safe

# cat s_php5-fpm.conf
[program:php5-fpm]
command=/usr/bin/pidproxy /var/run/php5-fpm.pid /usr/sbin/php5-fpm --nodaemonize --fpm-config /etc/php5/fpm/php-fpm.conf
; run php5-fpm as the unprivileged www-data user (its log and pid file are chowned to it in the Dockerfile)
user=www-data
autostart=true
autorestart=unexpected
redirect_stderr=true
exitcodes=0

You now have a more secure environment, or at least an isolated one!

If needed, you can check Docker’s documentation.

I have not yet tested this with Magento, but I will update this article when I have!

Et voilà!

Nicolas Portais
Author Photographer
http://www.mystockphoto.fr/
http://photos-art.pro/
