# Docker Security Configuration

## Overview

The drone detection system uses a multi-layered security approach with different configurations for development and production environments.

## Security Layers

### 🔒 **Internal-Only Services (No External Access)**

#### 1. PostgreSQL Database
- **Risk**: Direct database access from internet
- **Security**: Only accessible via Docker internal network
- **Development**: Port 5433 exposed via override file
- **Production**: No external ports

#### 2. Redis Cache/Sessions
- **Risk**: Session data and cache accessible from internet
- **Security**: Only accessible via Docker internal network
- **Development**: Port 6380 exposed via override file
- **Production**: No external ports, password protected

#### 3. Data Retention Service
- **Risk**: System metrics and cleanup data exposure
- **Security**: Only accessible via management portal with authentication
- **Development**: Port 3004 can be exposed for testing
- **Production**: No external ports

#### 4. Backend API (Production)
- **Risk**: Direct API access bypassing reverse proxy
- **Security**: Only accessible via nginx reverse proxy in production
- **Development**: Port 3002 exposed for direct access
- **Production**: No external ports

### 🌐 **Public-Facing Services (External Access)**

#### 1. Frontend Application
- **Port**: 3001 (development) / 80 via nginx (production)
- **Purpose**: User interface for tenant users
- **Security**: Static files only, no sensitive data

#### 2. Management Portal
- **Port**: 3003 (development) / 80 via nginx (production)
- **Purpose**: Administrative interface
- **Security**: Authentication required, role-based access

#### 3. Nginx Reverse Proxy (Production)
- **Ports**: 8080 (HTTP), 8443 (HTTPS)
- **Purpose**: Single entry point for all services
- **Security**: SSL termination, request filtering

## Configuration Files

### Base Configuration: `docker-compose.yml`
- **Purpose**: Secure baseline configuration
- **Security**: All internal services locked down
- **Database**: No external ports
- **Redis**: No external ports
- **Data Retention**: No external ports

### Development Override: `docker-compose.override.yml`
- **Purpose**: Development convenience
- **Security**: Exposes internal services for debugging
- **Usage**: `docker-compose up` (automatically uses override)
- **Warning**: ⚠️ Never deploy to production with override file

### Production Configuration: `docker-compose.prod.yml`
- **Purpose**: Maximum security for production
- **Security**: All services internal-only except nginx
- **Usage**: `docker-compose -f docker-compose.yml -f docker-compose.prod.yml up`
- **Features**: Password protection, SSL, enhanced logging

## Deployment Commands

### Development (Less Secure, More Convenient)
```bash
# Uses docker-compose.yml + docker-compose.override.yml
docker-compose up -d

# Direct database access available on localhost:5433
# Direct Redis access available on localhost:6380
# Direct backend access available on localhost:3002
```

### Production (Maximum Security)
```bash
# Uses docker-compose.yml + docker-compose.prod.yml
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d

# No direct database access
# No direct Redis access
# No direct backend access
# All access via nginx reverse proxy only
```

### Staging/Testing (Secure but with Monitoring)
```bash
# Uses base configuration only
docker-compose -f docker-compose.yml up -d

# Secure but allows manual inspection if needed
```

## Security Checklist

### ✅ **Applied Security Measures**
- **Database Isolation**: PostgreSQL not externally accessible
- **Cache Security**: Redis internal-only with authentication
- **API Protection**: Backend only accessible via reverse proxy in production
- **Metrics Security**: Data retention metrics require management authentication
- **Network Segmentation**: All services on isolated Docker network
- **Access Control**: Role-based permissions for sensitive endpoints
- **Audit Logging**: All data retention access logged
- **Security Headers**: Applied to all management endpoints

### 🔍 **Additional Security Recommendations**

#### Network Security
- **Firewall**: Configure host firewall to only allow necessary ports
- **VPN**: Consider VPN access for management interfaces
- **IP Allowlisting**: Restrict management portal access by IP

#### Database Security
- **Encryption**: Enable TLS for database connections
- **Backup Encryption**: Encrypt database backups
- **User Permissions**: Use least-privilege database users

#### Application Security
- **JWT Secrets**: Use strong, unique JWT secrets
- **Session Security**: Configure secure session settings
- **Rate Limiting**: Enable rate limiting on all endpoints

#### Container Security
- **Image Scanning**: Scan container images for vulnerabilities
- **User Permissions**: Run containers as non-root users
- **Resource Limits**: Set memory and CPU limits

## Emergency Access

### Development Database Access
```bash
# Connect to development database (when override is active)
psql -h localhost -p 5433 -U postgres -d drone_detection
```

### Production Database Access (Emergency Only)
```bash
# Temporarily expose database for emergency access
docker-compose -f docker-compose.yml -f docker-compose.override.yml up -d postgres

# Connect and then immediately remove override
psql -h localhost -p 5433 -U postgres -d drone_detection

# Restore production security
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
```

## Monitoring & Alerting

### Security Events to Monitor
- **Unauthorized Access**: Failed authentication attempts on management portal
- **Data Retention Access**: All access to system metrics endpoints
- **Database Connections**: Unusual database connection patterns
- **Network Traffic**: Unexpected traffic to internal services

### Log Locations
- **Security Logs**: `/app/logs/data_retention_access.log`
- **Application Logs**: Container logs via `docker-compose logs`
- **Database Logs**: PostgreSQL container logs
- **Nginx Logs**: Reverse proxy access logs

This security configuration ensures that sensitive infrastructure components are isolated while maintaining operational flexibility for different environments.
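
One way to check the rule that production publishes no host ports except through nginx, and to catch a deployment that still has the development override merged in, is to audit the merged Compose configuration. This is an added example, not part of this project's code; the service names other than `postgres`, the container-side ports, and the `nginx` allowlist entry are assumptions.

```python
# Added example: audit a merged Compose config for host-published ports.
ALLOWED_PUBLISHERS = {"nginx"}  # assumption: service name of the reverse proxy

def host_bindings(service):
    """Yield (host_ip, host_port, container_port) for every published port."""
    for entry in service.get("ports", []):
        if isinstance(entry, dict):  # long syntax: target / published / host_ip
            yield (entry.get("host_ip") or "0.0.0.0",
                   str(entry.get("published") or "ephemeral"),
                   str(entry["target"]))
            continue
        parts = str(entry).split("/")[0].rsplit(":", 2)  # short syntax, drop /tcp
        host_port = parts[-2] if len(parts) >= 2 and parts[-2] else "ephemeral"
        host_ip = parts[0] if len(parts) == 3 else "0.0.0.0"
        yield (host_ip, host_port, parts[-1])

def audit(compose, allowed=ALLOWED_PUBLISHERS):
    """Return one finding per exposure that the production rules forbid."""
    findings = []
    for name, svc in sorted(compose.get("services", {}).items()):
        if svc.get("network_mode") == "host":
            findings.append(f"{name}: network_mode=host bypasses the internal network")
        if name in allowed:
            continue
        for ip, port, target in host_bindings(svc):
            findings.append(f"{name}: container port {target} published on {ip}:{port}")
    return findings

# Constructed samples. Host ports come from the page; service names other than
# postgres and all container-side ports are assumptions.
DEV_MERGED = {"services": {
    "postgres": {"ports": ["5433:5432"]},
    "redis": {"ports": ["127.0.0.1:6380:6379"]},
    "backend": {"ports": [{"target": 3002, "published": "3002", "protocol": "tcp"}]},
}}
PROD_MERGED = {"services": {
    "postgres": {}, "redis": {}, "backend": {},
    "nginx": {"ports": ["8080:80", "8443:443"]},
}}

if __name__ == "__main__":
    for label, cfg in (("dev", DEV_MERGED), ("prod", PROD_MERGED)):
        results = audit(cfg)
        print(label, "OK" if not results else "\n  " + "\n  ".join(results))
```

With Compose v2, the dictionary passed to `audit` can be the parsed output of `docker compose -f docker-compose.yml -f docker-compose.prod.yml config --format json`; a non-empty result in a deployment pipeline means an internal service is reachable from the host.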