Hi Guys, I am quite new to Docker and was wondering if there is any possible way I can find out how Docker would be used to secure a Web Server and a Database Server. I have Apache Web Server and MySQL Database Server up and running and perfectly functioning (I am using XAMPP).
I just want to know if there is any way I can use Docker to secure the data saved in the Database Server (data = Username and password of users who log in to my website).
Docker doesn’t, as far as I know, secure data in any direct sense. That is the job of the database and the app design. For example, if you’re storing passwords in plain text then Docker is not going to help you fix that.
The one area it can help is by layered networks. You can do this without Docker of course, but you’d need separate physical servers and networks. Docker lets you do it all on one machine.
The way I have mine configured is to have an SSL proxy container which is linked to the host's http (80) and https (443) ports. These are the only access points from the host network.
I then create a pair of docker networks using the “docker network create” command, one called “web” and one called “db”.
All of my webserver containers have no ports exposed on the host network but are connected to the “web” docker network (either using --net on the run command or the network option in a docker-compose file).
The mariadb (same as mysql) container runs on the db network.
If a web app needs database access then I simply connect that specific web server container to the db network.
The principle is simply defense in depth. An attacker would need to penetrate the proxy server to get to the web network and then penetrate one of the web servers before even getting the opportunity to look at penetrating the db.
Of course, none of this does anything to protect you from other db threats like sql injection attacks. These are simply the result of bad software design and there’s nothing that Docker can do to help you there.
I understood everything but could you please clarify the part where you said “If a web app needs database access then I simply connect that specific web server container to the db network.”
version: '2'
services:
  myservice:
    image: image-name
    networks:
      - web
networks:
  web:
    external:
      name: web
Becomes this:
version: '2'
services:
  myservice:
    image: image-name
    networks:
      - web
      - db
networks:
  web:
    external:
      name: web
  db:
    external:
      name: db
My DB container is only attached to the db network. My app is configured to use the name of the DB container as the db’s host. Because both the web app and the db are on the db network docker automagically routes data correctly.
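The whole layered layout from the replies above (proxy on the host ports, app on both networks, database only on the db network) in one compose file, as an added example rather than anyone's configuration from this thread; the image names, service names and the db.env file are assumptions, and the db network is additionally marked internal so the database container has no route out of the host.

```yaml
# Added example: three-tier layering in one compose file.
# Image names, service names and db.env are assumptions.
version: '2.1'
services:
  proxy:
    image: nginx:stable            # assumed TLS-terminating reverse proxy image
    ports:
      - "80:80"                    # only the proxy publishes ports on the host
      - "443:443"
    networks:
      - web
  app:
    image: my-app:latest           # assumed app image; no host ports published
    environment:
      DB_HOST: db                  # reach the database by its service name
    networks:
      - web                        # reachable from the proxy
      - db                         # and allowed to talk to the database
  db:
    image: mariadb:10.6            # assumed image
    env_file:
      - db.env                     # assumed file holding MYSQL_ROOT_PASSWORD, kept out of version control
    volumes:
      - db-data:/var/lib/mysql
    networks:
      - db                         # never on "web", so the proxy cannot reach it
networks:
  web: {}
  db:
    internal: true                 # no external route: the database cannot reach the internet
volumes:
  db-data: {}
```

After `docker-compose up -d`, `docker network inspect web` should list only the proxy and app containers, never db.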