borg/drone-detector
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6c28330af32b4e34005d48e37707dcc484a1686d
drone-detector/DOCKER_SECURITY.md
Alexander Borg 57e7353d4f Fix jwt-token
2025-09-23 15:13:06 +02:00

173 lines
6.1 KiB
Markdown
Raw Blame History

# Docker Security Configuration
## Overview
The drone detection system uses a multi-layered security approach with different configurations for development and production environments.
## Security Layers
### 🔒 **Internal-Only Services (No External Access)**
#### 1. PostgreSQL Database
- **Risk**: Direct database access from internet
- **Security**: Only accessible via Docker internal network
- **Development**: Port 5433 exposed via override file
- **Production**: No external ports
#### 2. Redis Cache/Sessions
- **Risk**: Session data and cache accessible from internet
- **Security**: Only accessible via Docker internal network
- **Development**: Port 6380 exposed via override file
- **Production**: No external ports, password protected
#### 3. Data Retention Service
- **Risk**: System metrics and cleanup data exposure
- **Security**: Only accessible via management portal with authentication
- **Development**: Port 3004 can be exposed for testing
- **Production**: No external ports
#### 4. Backend API (Production)
- **Risk**: Direct API access bypassing reverse proxy
- **Security**: Only accessible via nginx reverse proxy in production
- **Development**: Port 3002 exposed for direct access
- **Production**: No external ports
### 🌐 **Public-Facing Services (External Access)**
#### 1. Frontend Application
- **Port**: 3001 (development) / 80 via nginx (production)
- **Purpose**: User interface for tenant users
- **Security**: Static files only, no sensitive data
#### 2. Management Portal
- **Port**: 3003 (development) / 80 via nginx (production)
- **Purpose**: Administrative interface
- **Security**: Authentication required, role-based access
#### 3. Nginx Reverse Proxy (Production)
- **Ports**: 8080 (HTTP), 8443 (HTTPS)
- **Purpose**: Single entry point for all services
- **Security**: SSL termination, request filtering
## Configuration Files
### Base Configuration: `docker-compose.yml`
- **Purpose**: Secure baseline configuration
- **Security**: All internal services locked down
- **Database**: No external ports
- **Redis**: No external ports
- **Data Retention**: No external ports
### Development Override: `docker-compose.override.yml`
- **Purpose**: Development convenience
- **Security**: Exposes internal services for debugging
- **Usage**: `docker-compose up` (automatically uses override)
- **Warning**: ⚠️ Never deploy to production with override file
### Production Configuration: `docker-compose.prod.yml`
- **Purpose**: Maximum security for production
- **Security**: All services internal-only except nginx
- **Usage**: `docker-compose -f docker-compose.yml -f docker-compose.prod.yml up`
- **Features**: Password protection, SSL, enhanced logging
## Deployment Commands
### Development (Less Secure, More Convenient)
```bash
# Uses docker-compose.yml + docker-compose.override.yml
docker-compose up -d
# Direct database access available on localhost:5433
# Direct Redis access available on localhost:6380
# Direct backend access available on localhost:3002
```
### Production (Maximum Security)
```bash
# Uses docker-compose.yml + docker-compose.prod.yml
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
# No direct database access
# No direct Redis access
# No direct backend access
# All access via nginx reverse proxy only
```
### Staging/Testing (Secure but with Monitoring)
```bash
# Uses base configuration only
docker-compose -f docker-compose.yml up -d
# Secure but allows manual inspection if needed
```
## Security Checklist
### ✅ **Applied Security Measures**
- **Database Isolation**: PostgreSQL not externally accessible
- **Cache Security**: Redis internal-only with authentication
- **API Protection**: Backend only accessible via reverse proxy in production
- **Metrics Security**: Data retention metrics require management authentication
- **Network Segmentation**: All services on isolated Docker network
- **Access Control**: Role-based permissions for sensitive endpoints
- **Audit Logging**: All data retention access logged
- **Security Headers**: Applied to all management endpoints
### 🔍 **Additional Security Recommendations**
#### Network Security
- **Firewall**: Configure host firewall to only allow necessary ports
- **VPN**: Consider VPN access for management interfaces
- **IP Allowlisting**: Restrict management portal access by IP
#### Database Security
- **Encryption**: Enable TLS for database connections
- **Backup Encryption**: Encrypt database backups
- **User Permissions**: Use least-privilege database users
#### Application Security
- **JWT Secrets**: Use strong, unique JWT secrets
- **Session Security**: Configure secure session settings
- **Rate Limiting**: Enable rate limiting on all endpoints
#### Container Security
- **Image Scanning**: Scan container images for vulnerabilities
- **User Permissions**: Run containers as non-root users
- **Resource Limits**: Set memory and CPU limits
## Emergency Access
### Development Database Access
```bash
# Connect to development database (when override is active)
psql -h localhost -p 5433 -U postgres -d drone_detection
```
### Production Database Access (Emergency Only)
```bash
# Temporarily expose database for emergency access
docker-compose -f docker-compose.yml -f docker-compose.override.yml up -d postgres
# Connect and then immediately remove override
psql -h localhost -p 5433 -U postgres -d drone_detection
# Restore production security
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
```
## Monitoring & Alerting
### Security Events to Monitor
- **Unauthorized Access**: Failed authentication attempts on management portal
- **Data Retention Access**: All access to system metrics endpoints
- **Database Connections**: Unusual database connection patterns
- **Network Traffic**: Unexpected traffic to internal services
### Log Locations
- **Security Logs**: `/app/logs/data_retention_access.log`
- **Application Logs**: Container logs via `docker-compose logs`
- **Database Logs**: PostgreSQL container logs
- **Nginx Logs**: Reverse proxy access logs
This security configuration ensures that sensitive infrastructure components are isolated while maintaining operational flexibility for different environments.
Reference in New Issue View Git Blame Copy Permalink