drone-detector/DOCKER_SECURITY.md
2025-09-23 15:13:06 +02:00

Docker Security Configuration

Overview

The drone detection system uses a multi-layered security approach with different configurations for development and production environments.

Security Layers

🔒 Internal-Only Services (No External Access)

1. PostgreSQL Database

  • Risk: Direct database access from internet
  • Security: Only accessible via Docker internal network
  • Development: Port 5433 exposed via override file
  • Production: No external ports

2. Redis Cache/Sessions

  • Risk: Session data and cache accessible from internet
  • Security: Only accessible via Docker internal network
  • Development: Port 6380 exposed via override file
  • Production: No external ports, password protected

3. Data Retention Service

  • Risk: System metrics and cleanup data exposure
  • Security: Only accessible via management portal with authentication
  • Development: Port 3004 can be exposed for testing
  • Production: No external ports

4. Backend API (Production)

  • Risk: Direct API access bypassing reverse proxy
  • Security: Only accessible via nginx reverse proxy in production
  • Development: Port 3002 exposed for direct access
  • Production: No external ports

🌐 Public-Facing Services (External Access)

1. Frontend Application

  • Port: 3001 (development) / 80 via nginx (production)
  • Purpose: User interface for tenant users
  • Security: Static files only, no sensitive data

2. Management Portal

  • Port: 3003 (development) / 80 via nginx (production)
  • Purpose: Administrative interface
  • Security: Authentication required, role-based access

3. Nginx Reverse Proxy (Production)

  • Ports: 8080 (HTTP), 8443 (HTTPS)
  • Purpose: Single entry point for all services
  • Security: SSL termination, request filtering

Configuration Files

Base Configuration: docker-compose.yml

  • Purpose: Secure baseline configuration
  • Security: All internal services locked down
  • Database: No external ports
  • Redis: No external ports
  • Data Retention: No external ports

Development Override: docker-compose.override.yml

  • Purpose: Development convenience
  • Security: Exposes internal services for debugging
  • Usage: docker-compose up (automatically uses override)
  • Warning: ⚠️ Never deploy to production with override file

Production Configuration: docker-compose.prod.yml

  • Purpose: Maximum security for production
  • Security: All services internal-only except nginx
  • Usage: docker-compose -f docker-compose.yml -f docker-compose.prod.yml up
  • Features: Password protection, SSL, enhanced logging

Deployment Commands

Development (Less Secure, More Convenient)

```bash
# Uses docker-compose.yml + docker-compose.override.yml
docker-compose up -d

# Direct database access available on localhost:5433
# Direct Redis access available on localhost:6380
# Direct backend access available on localhost:3002
```

Production (Maximum Security)

```bash
# Uses docker-compose.yml + docker-compose.prod.yml
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d

# No direct database access
# No direct Redis access
# No direct backend access
# All access via nginx reverse proxy only
```

Staging/Testing (Secure but with Monitoring)

```bash
# Uses base configuration only
docker-compose -f docker-compose.yml up -d

# Secure but allows manual inspection if needed
```
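The deployment variants above differ only in which host ports the internal services publish, and the failure mode this document warns about is deploying with the override file still in effect. The following is an added example (not part of the project's own code) of a policy check that takes the rendered, merged Compose configuration and reports any internal service that publishes a host port in production, or that publishes one in development without binding it to 127.0.0.1. It assumes Compose v2's `docker compose config --format json` output, where `ports` entries are in the long mapping form, and also accepts the short `host:container` string form; the service names (`postgres`, `redis`, `data-retention`, `backend`) are assumed to match the compose files described here, and both sample configurations are constructed for the example.

```python
"""Check a rendered docker compose config for unintended host port exposure."""
import json
import sys

# Services that must never publish host ports in production (assumed to match
# the service names used in this project's compose files).
INTERNAL_SERVICES = {"postgres", "redis", "data-retention", "backend"}
LOOPBACK = ("127.0.0.1", "::1")


def _parse_port(entry):
    """Normalise one `ports` entry to (host_ip, published, target) strings.

    Accepts the short string form ("5433:5432", "127.0.0.1:5433:5432", "5432")
    and the long mapping form that `docker compose config` emits
    ({"target": 5432, "published": "5433", "host_ip": "127.0.0.1", ...}).
    """
    if isinstance(entry, dict):
        return (entry.get("host_ip", ""),
                str(entry.get("published", "")),
                str(entry.get("target", "")))
    parts = str(entry).split("/")[0].split(":")   # drop an optional "/tcp" suffix
    if len(parts) == 3:
        return (parts[0], parts[1], parts[2])
    if len(parts) == 2:
        return ("", parts[0], parts[1])
    return ("", "", parts[0])


def find_exposures(config, internal_services=INTERNAL_SERVICES, production=True):
    """Return a list of findings for published ports that violate the policy.

    production=True  : an internal service publishing any host port is a finding.
    production=False : internal services may publish ports for debugging, but only
                       on the loopback address; a wildcard (0.0.0.0) bind is a finding.
    Public services (frontend, management portal, nginx) are not checked.
    """
    findings = []
    for name, svc in config.get("services", {}).items():
        if name not in internal_services:
            continue
        for entry in svc.get("ports", []) or []:
            host_ip, published, target = _parse_port(entry)
            if production:
                findings.append(f"{name}: publishes host port {published or target} in production")
            elif host_ip not in LOOPBACK:
                findings.append(f"{name}: port {published} bound to {host_ip or '0.0.0.0'}, "
                                f"expected 127.0.0.1")
    return findings


# Constructed sample of a merged development config (base + override): postgres
# and backend are published on all interfaces, redis is correctly loopback-bound.
DEV_CONFIG = {"services": {
    "postgres": {"ports": [{"mode": "ingress", "target": 5432, "published": "5433", "protocol": "tcp"}]},
    "redis": {"ports": ["127.0.0.1:6380:6379"]},
    "backend": {"ports": ["3002:3002"]},
    "frontend": {"ports": ["3001:3000"]},
}}

# Constructed sample of a merged production config (base + prod): only nginx publishes.
PROD_CONFIG = {"services": {
    "postgres": {},
    "redis": {},
    "backend": {"expose": ["3002"]},
    "nginx": {"ports": ["8080:80", "8443:443"]},
}}


if __name__ == "__main__":
    # Usage: docker compose -f docker-compose.yml -f docker-compose.prod.yml config --format json \
    #            | python check_exposure.py prod
    mode = sys.argv[1] if len(sys.argv) > 1 else "prod"
    problems = find_exposures(json.load(sys.stdin), production=(mode == "prod"))
    for p in problems:
        print("EXPOSURE:", p)
    sys.exit(1 if problems else 0)
```

Run it against the merged production configuration before `up -d`; a non-zero exit means the override file (or a stray `ports:` entry) has leaked a database, cache, retention or backend port to the host. Run it with `dev` against the development merge to confirm that the debugging ports are bound to 127.0.0.1 rather than to every interface on the host.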

Security Checklist

Applied Security Measures

  • Database Isolation: PostgreSQL not externally accessible
  • Cache Security: Redis internal-only with authentication
  • API Protection: Backend only accessible via reverse proxy in production
  • Metrics Security: Data retention metrics require management authentication
  • Network Segmentation: All services on isolated Docker network
  • Access Control: Role-based permissions for sensitive endpoints
  • Audit Logging: All data retention access logged
  • Security Headers: Applied to all management endpoints

🔍 Additional Security Recommendations

Network Security

  • Firewall: Configure host firewall to only allow necessary ports
  • VPN: Consider VPN access for management interfaces
  • IP Allowlisting: Restrict management portal access by IP

Database Security

  • Encryption: Enable TLS for database connections
  • Backup Encryption: Encrypt database backups
  • User Permissions: Use least-privilege database users

Application Security

  • JWT Secrets: Use strong, unique JWT secrets
  • Session Security: Configure secure session settings
  • Rate Limiting: Enable rate limiting on all endpoints

Container Security

  • Image Scanning: Scan container images for vulnerabilities
  • User Permissions: Run containers as non-root users
  • Resource Limits: Set memory and CPU limits

Emergency Access

Development Database Access

```bash
# Connect to development database (when override is active)
psql -h localhost -p 5433 -U postgres -d drone_detection
```

Production Database Access (Emergency Only)

```bash
# Temporarily expose database for emergency access
docker-compose -f docker-compose.yml -f docker-compose.override.yml up -d postgres

# Connect and then immediately remove override
psql -h localhost -p 5433 -U postgres -d drone_detection

# Restore production security
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
```

Monitoring & Alerting

Security Events to Monitor

  • Unauthorized Access: Failed authentication attempts on management portal
  • Data Retention Access: All access to system metrics endpoints
  • Database Connections: Unusual database connection patterns
  • Network Traffic: Unexpected traffic to internal services

Log Locations

  • Security Logs: /app/logs/data_retention_access.log
  • Application Logs: Container logs via docker-compose logs
  • Database Logs: PostgreSQL container logs
  • Nginx Logs: Reverse proxy access logs
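The first event in the list above, failed authentication attempts on the management portal, is visible in the nginx access logs because every production request passes through the reverse proxy. The following is an added example (not part of the project's code) of a detector that reads nginx combined-format access log lines, keeps only 401/403 responses on management portal paths, and flags any client address that exceeds a threshold of failures within a sliding time window. It assumes the management portal is served under a `/management` prefix (a hypothetical path; adjust to the real route) and that nginx uses its default combined log format; the log lines are constructed for the example.

```python
"""Flag clients with repeated failed authentication on the management portal."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" log format: ip - user [time] "method path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def failed_auth_bursts(lines, path_prefix="/management", threshold=5,
                       window=timedelta(minutes=5)):
    """Return {client_ip: peak_failures} for clients whose count of 401/403
    responses on `path_prefix` reached `threshold` within any `window`.

    A per-client deque holds the timestamps of recent failures; entries older
    than the window are evicted before the count is compared to the threshold,
    so a slow trickle of failures spread over hours does not trigger an alert.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] not in (401, 403):
            continue
        if not ev["path"].startswith(path_prefix):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["ip"]] = max(alerts.get(ev["ip"], 0), len(q))
    return alerts


# Constructed sample log (documentation IP ranges): six rapid failures from one
# client, two from another, one success, one malformed line, and one late
# failure from the first client that falls outside the window.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Sep/2025:15:10:01 +0200] "POST /management/login HTTP/1.1" 401 52 "-" "curl/8.4"',
    '203.0.113.7 - - [23/Sep/2025:15:10:05 +0200] "POST /management/login HTTP/1.1" 401 52 "-" "curl/8.4"',
    '203.0.113.7 - - [23/Sep/2025:15:10:09 +0200] "POST /management/login HTTP/1.1" 401 52 "-" "curl/8.4"',
    '203.0.113.7 - - [23/Sep/2025:15:10:14 +0200] "POST /management/login HTTP/1.1" 401 52 "-" "curl/8.4"',
    '203.0.113.7 - - [23/Sep/2025:15:10:20 +0200] "POST /management/login HTTP/1.1" 401 52 "-" "curl/8.4"',
    '203.0.113.7 - - [23/Sep/2025:15:10:31 +0200] "GET /management/metrics HTTP/1.1" 403 31 "-" "curl/8.4"',
    '198.51.100.4 - - [23/Sep/2025:15:11:00 +0200] "POST /management/login HTTP/1.1" 401 52 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Sep/2025:15:11:30 +0200] "POST /management/login HTTP/1.1" 401 52 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Sep/2025:15:11:45 +0200] "POST /management/login HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    'this line is not an access log entry',
    '203.0.113.7 - - [23/Sep/2025:15:20:00 +0200] "POST /management/login HTTP/1.1" 401 52 "-" "curl/8.4"',
]


if __name__ == "__main__":
    # Usage: docker-compose logs --no-color nginx | python failed_auth.py   (reads stdin)
    import sys
    for ip, n in failed_auth_bursts(sys.stdin).items():
        print(f"ALERT {ip}: {n} failed management-portal authentications within 5 minutes")
```

With the defaults, the first client is reported with a peak of six failures while the second stays below the threshold; lowering `threshold` to 2 reports both. The late failure at 15:20 does not raise the first client's count because the earlier timestamps have aged out of the window.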

This security configuration ensures that sensitive infrastructure components are isolated while maintaining operational flexibility for different environments.