Fix jwt-token
173
DOCKER_SECURITY.md
Normal file
@@ -0,0 +1,173 @@
# Docker Security Configuration

## Overview

The drone detection system uses a multi-layered security approach with different configurations for development and production environments.

## Security Layers

### 🔒 **Internal-Only Services (No External Access)**

#### 1. PostgreSQL Database
- **Risk**: Direct database access from internet
- **Security**: Only accessible via Docker internal network
- **Development**: Port 5433 exposed via override file
- **Production**: No external ports

#### 2. Redis Cache/Sessions
- **Risk**: Session data and cache accessible from internet
- **Security**: Only accessible via Docker internal network
- **Development**: Port 6380 exposed via override file
- **Production**: No external ports, password protected

#### 3. Data Retention Service
- **Risk**: System metrics and cleanup data exposure
- **Security**: Only accessible via management portal with authentication
- **Development**: Port 3004 can be exposed for testing
- **Production**: No external ports

#### 4. Backend API (Production)
- **Risk**: Direct API access bypassing reverse proxy
- **Security**: Only accessible via nginx reverse proxy in production
- **Development**: Port 3002 exposed for direct access
- **Production**: No external ports

### 🌐 **Public-Facing Services (External Access)**

#### 1. Frontend Application
- **Port**: 3001 (development) / 80 via nginx (production)
- **Purpose**: User interface for tenant users
- **Security**: Static files only, no sensitive data

#### 2. Management Portal
- **Port**: 3003 (development) / 80 via nginx (production)
- **Purpose**: Administrative interface
- **Security**: Authentication required, role-based access

#### 3. Nginx Reverse Proxy (Production)
- **Ports**: 8080 (HTTP), 8443 (HTTPS)
- **Purpose**: Single entry point for all services
- **Security**: SSL termination, request filtering

## Configuration Files

### Base Configuration: `docker-compose.yml`
- **Purpose**: Secure baseline configuration
- **Security**: All internal services locked down
- **Database**: No external ports
- **Redis**: No external ports
- **Data Retention**: No external ports

### Development Override: `docker-compose.override.yml`
- **Purpose**: Development convenience
- **Security**: Exposes internal services for debugging
- **Usage**: `docker-compose up` (automatically uses override)
- **Warning**: ⚠️ Never deploy to production with override file

### Production Configuration: `docker-compose.prod.yml`
- **Purpose**: Maximum security for production
- **Security**: All services internal-only except nginx
- **Usage**: `docker-compose -f docker-compose.yml -f docker-compose.prod.yml up`
- **Features**: Password protection, SSL, enhanced logging

## Deployment Commands

### Development (Less Secure, More Convenient)
```bash
# Uses docker-compose.yml + docker-compose.override.yml
docker-compose up -d

# Direct database access available on localhost:5433
# Direct Redis access available on localhost:6380
# Direct backend access available on localhost:3002
```

### Production (Maximum Security)
```bash
# Uses docker-compose.yml + docker-compose.prod.yml
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d

# No direct database access
# No direct Redis access
# No direct backend access
# All access via nginx reverse proxy only
```

### Staging/Testing (Secure but with Monitoring)
```bash
# Uses base configuration only
docker-compose -f docker-compose.yml up -d

# Secure but allows manual inspection if needed
```

## Security Checklist

### ✅ **Applied Security Measures**

- **Database Isolation**: PostgreSQL not externally accessible
- **Cache Security**: Redis internal-only with authentication
- **API Protection**: Backend only accessible via reverse proxy in production
- **Metrics Security**: Data retention metrics require management authentication
- **Network Segmentation**: All services on isolated Docker network
- **Access Control**: Role-based permissions for sensitive endpoints
- **Audit Logging**: All data retention access logged
- **Security Headers**: Applied to all management endpoints

### 🔍 **Additional Security Recommendations**

#### Network Security
- **Firewall**: Configure host firewall to only allow necessary ports
- **VPN**: Consider VPN access for management interfaces
- **IP Allowlisting**: Restrict management portal access by IP

#### Database Security
- **Encryption**: Enable TLS for database connections
- **Backup Encryption**: Encrypt database backups
- **User Permissions**: Use least-privilege database users

#### Application Security
- **JWT Secrets**: Use strong, unique JWT secrets
- **Session Security**: Configure secure session settings
- **Rate Limiting**: Enable rate limiting on all endpoints

#### Container Security
- **Image Scanning**: Scan container images for vulnerabilities
- **User Permissions**: Run containers as non-root users
- **Resource Limits**: Set memory and CPU limits

## Emergency Access

### Development Database Access
```bash
# Connect to development database (when override is active)
psql -h localhost -p 5433 -U postgres -d drone_detection
```

### Production Database Access (Emergency Only)
```bash
# Temporarily expose database for emergency access
docker-compose -f docker-compose.yml -f docker-compose.override.yml up -d postgres

# Connect and then immediately remove override
psql -h localhost -p 5433 -U postgres -d drone_detection

# Restore production security
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
```

## Monitoring & Alerting

### Security Events to Monitor
- **Unauthorized Access**: Failed authentication attempts on management portal
- **Data Retention Access**: All access to system metrics endpoints
- **Database Connections**: Unusual database connection patterns
- **Network Traffic**: Unexpected traffic to internal services

### Log Locations
- **Security Logs**: `/app/logs/data_retention_access.log`
- **Application Logs**: Container logs via `docker-compose logs`
- **Database Logs**: PostgreSQL container logs
- **Nginx Logs**: Reverse proxy access logs

This security configuration ensures that sensitive infrastructure components are isolated while maintaining operational flexibility for different environments.
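Review bot: the "Production Database Access (Emergency Only)" block contradicts the file's own warning a few sections earlier ("Never deploy to production with override file"): `docker-compose -f docker-compose.yml -f docker-compose.override.yml up -d postgres` layers the development override onto the production stack, which recreates the postgres service with the development settings and publishes port 5433 on the host for as long as the session lasts, and the closing `up -d` with the prod file recreates the container a second time. An emergency path that never publishes a port is `docker-compose -f docker-compose.yml -f docker-compose.prod.yml exec postgres psql -U postgres -d drone_detection`, which runs psql inside the already-running container over the internal network; consider replacing the block with that. In the same block, `-U postgres` connects as the superuser, which conflicts with the "least-privilege database users" recommendation; document a restricted break-glass role instead. Two smaller points: the frontend and management portal entries say "80 via nginx (production)" while the nginx entry says "8080 (HTTP), 8443 (HTTPS)", so one of the two is wrong; and the development section says the dev ports are "available on localhost:5433/6380/3002", but nothing states that the override binds them to 127.0.0.1, which is what makes that statement true (a bare `5433:5432` mapping listens on all interfaces). Finally, the commit title "Fix jwt-token" does not describe this change, which adds DOCKER_SECURITY.md.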