Hello,
I have spent the last few days working out how to secure my website and limit the impact in case of attack. Linux is secure, but there are always bugs and security holes, generally in the plugins, templates, etc.
I have explored all the possibilities under Linux and I chose Docker to secure my website: it takes more memory because you create several instances, but it isolates the site and limits the impact in case of attack.
To install Docker under Linux (Ubuntu), follow these steps. First import the signing key of the Docker apt repository:
apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
Then enable the repository line corresponding to your Debian or Ubuntu version (uncomment only that one; the others stay commented out):
## Debian Wheezy
#deb https://apt.dockerproject.org/repo debian-wheezy main
#
## Debian Jessie
#deb https://apt.dockerproject.org/repo debian-jessie main
#
## Debian Stretch/Sid
#deb https://apt.dockerproject.org/repo debian-stretch main
#
## Ubuntu Precise
#deb https://apt.dockerproject.org/repo ubuntu-precise main
#
## Ubuntu Trusty
#deb https://apt.dockerproject.org/repo ubuntu-trusty main
#
## Ubuntu Utopic
#deb https://apt.dockerproject.org/repo ubuntu-utopic main
#
## Ubuntu Vivid
#deb https://apt.dockerproject.org/repo ubuntu-vivid main
#
## Ubuntu Wily
#deb https://apt.dockerproject.org/repo ubuntu-wily main
Then install Docker:
# apt-get install docker-engine
You will find below my Dockerfile to run php5-fpm and mysql:
FROM ubuntu
MAINTAINER Nicolas Portais <...>

# MariaDB, php5-fpm with the extensions WordPress needs, and supervisor to run both processes
RUN apt-get update && apt-get install -y mariadb-server-5.5 mariadb-client-5.5 php5-fpm php5-imap php5-mysql php5-cli php5-curl libcurl3 libcurl3-gnutls php5-gd php5-imagick php5-mcrypt php5-readline openssh-client telnet supervisor && apt-get clean

# Log and pid files owned by www-data so php5-fpm can run as that user instead of root
RUN touch /var/log/php5-fpm.log
RUN chown www-data /var/log/php5-fpm.log
RUN touch /var/run/php5-fpm.pid
RUN chown www-data /var/run/php5-fpm.pid

# Replace the default pool with our own, and add the supervisor program definitions
RUN rm /etc/php5/fpm/pool.d/www.conf
COPY www.conf /etc/php5/fpm/pool.d/
COPY s_mysqld.conf /etc/supervisor/conf.d/
COPY s_php5-fpm.conf /etc/supervisor/conf.d/

# Startup script run by "docker run" (see below)
COPY docker_service.sh /
RUN chmod 755 /docker_service.sh

ENV PHP_FPM_USER=www-data
# php5-fpm listens on 9000 inside the container; it is published on the host's loopback only
EXPOSE 9000
ADD ./my.cnf /etc/mysql/
Then build the image:
docker build -t ubuntu/wordpress .
Here is how I run my container for WordPress:
#!/bin/sh
# Bind mounts: the MariaDB data directory and the web root live on the host, at the same paths inside the container.
# php5-fpm (port 9000 in the container) is published on the host's loopback address only, as port 9001.
docker run -d -it \
  -v /data/mysql:/data/mysql \
  -v /www:/www \
  -p 127.0.0.1:9001:9000 \
  --name mycontainer \
  --restart=always \
  --hostname container1 \
  ubuntu/wordpress /docker_service.sh
Below is the script the container starts with (docker_service.sh, copied into the image by the Dockerfile):
#!/bin/sh
# Start supervisord (which launches mysqld and php5-fpm) in the background...
supervisord &
# ...then replace this shell with bash, which keeps the container running
exec /bin/bash
The tip here is to use ‘exec’ for a bash shell 😉
Then modify your Apache or nginx configuration so that PHP requests are passed to the forwarded port:
127.0.0.1:9001
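Two things in the run command above carry the security benefit: the port is published on 127.0.0.1 rather than on every interface, and the bind mounts are the only host paths a process in the container can touch. The script below is an added example (mine, not from the original post) that checks a set of docker run flags for exactly those two properties before the container is started; it needs no Docker daemon, so it can run anywhere. The function names and the sample flag list are mine; the paths and port are the ones used in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight check of "docker run" flags.
# check_publish confirms every -p/--publish binding is on the host's loopback address,
# so php5-fpm is reachable only from the local web server; writable_mounts lists the
# bind mounts that are read-write, because those are the host paths an intruder who
# gains code execution inside the container could still modify.

# check_publish: prints one line per published port and returns 1 if any binding
# would listen on all interfaces (Docker's default when no address is given).
check_publish() {
    rc=0
    while [ $# -gt 0 ]; do
        spec=""
        case "$1" in
            -p|--publish)
                spec="${2:-}"
                if [ $# -ge 2 ]; then shift; fi ;;
            --publish=*)
                spec="${1#--publish=}" ;;
        esac
        if [ -n "$spec" ]; then
            case "$spec" in
                127.0.0.1:*|localhost:*|\[::1\]:*)
                    echo "ok       $spec" ;;
                *)
                    echo "EXPOSED  $spec (reachable from every interface)"
                    rc=1 ;;
            esac
        fi
        shift
    done
    return $rc
}

# writable_mounts: prints the host path of every -v/--volume bind mount that is not
# mounted read-only (Docker mounts read-write unless ":ro" is given), one per line.
writable_mounts() {
    while [ $# -gt 0 ]; do
        mount=""
        case "$1" in
            -v|--volume)
                mount="${2:-}"
                if [ $# -ge 2 ]; then shift; fi ;;
            --volume=*)
                mount="${1#--volume=}" ;;
        esac
        if [ -n "$mount" ]; then
            # spec is host:container[:options]; skip it when the options contain "ro"
            case "$mount" in
                *:ro|*:ro,*|*,ro|*,ro,*) ;;
                *) printf '%s\n' "${mount%%:*}" ;;
            esac
        fi
        shift
    done
}

# count_writable_mounts: number of read-write bind mounts in the flag list.
count_writable_mounts() {
    writable_mounts "$@" | wc -l | tr -d ' '
}

# preflight: run both checks; exit status is that of the port check.
preflight() {
    check_publish "$@"
    status=$?
    echo "read-write bind mounts (modifiable from inside the container):"
    writable_mounts "$@"
    return $status
}

# Constructed sample: the flags from the run script in the post.
preflight -v /data/mysql:/data/mysql -v /www:/www -p 127.0.0.1:9001:9000 \
          --name mycontainer --restart=always --hostname container1
```

With the post's flags the port check passes and both /data/mysql and /www are reported as read-write. That is what lets WordPress update itself, but it also means a compromised PHP process can rewrite the web root on the host; if you want to tighten it later, mounting /www with `:ro` and adding a separate read-write mount for wp-content/uploads is the usual compromise, and the count drops accordingly. Note also that /www is mounted at the same path on both sides: the SCRIPT_FILENAME your web server sends to 127.0.0.1:9001 is a host path, and php5-fpm resolves it inside the container, so the two paths must match.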
You will find below the supervisord configuration files that my Dockerfile copies into the image:
# cat s_mysqld.conf
[program:mysqld]
command=/usr/bin/pidproxy /var/run/mysqld/mysqld.pid /usr/bin/mysqld_safe

# cat s_php5-fpm.conf
[program:php5-fpm]
command = /usr/bin/pidproxy /var/run/php5-fpm.pid /usr/sbin/php5-fpm --nodaemonize --fpm-config /etc/php5/fpm/php-fpm.conf
; supervisord's key for the account is "user"; the pid file and log were chowned to www-data in the Dockerfile for this
user=www-data
autostart=true
autorestart=unexpected
redirect_stderr=true
exitcodes=0
You now have a more secure, or at least isolated, environment!
If needed, check the Docker documentation.
I have not yet tested this with Magento, but I will update this article when I have!
And there you have it!
Nicolas Portais
Author Photographer
http://www.mystockphoto.fr/
http://photos-art.pro/