Docker Community Forums

Share and learn in the Docker community.

Spoofing licensing container


(Blueridge1) #1

I am new to Docker and have questions regarding the security of the communication between the containers in Docker.
Our application has 3 components. One does the background(Background), second the web interface(Web) and a third one is for the licensing (L) and we are planning to move to Docker with https communication between them.
• If all these components are separate docker containers, how secure is the communication between them? I mean in terms of spoofing. For example, if someone removes the licensing component(L) with another one (L False) then anyone can have unlimited number of licenses.
• Is there any security configuration / API for that?
• I was considering creating 3 pairs of private/public keys for 3 components. Each component holds its own private key and 2 public keys for the other 2 components. Then to use private key to generate JSON Web Token (JWT) and this token will be attached to each JSON request. For example, this request will be send from (Background) to (L). On the other side, the component receiving the request, (L) will use the public key to verify the request and if it is ok, it would create a response, signed with its own private key. The response will be send back from (L) to (Background) and the component (Background) will be verify it the public key belonging to (L). I hope my explanation is clear. Is this overcomplicated? Is it right?
Thank you.