Docker and Running your self-hosted applications in a more secure way behind a reverse proxy.

Captions
It's your open source advocate and I'm back with another video, and today I wanted to do a follow-up on Docker and security. My last video about Docker and firewalls really stirred up a lot of great conversation, and some people gave me some more great tips. Some things just don't click with me until they click with me, and I don't know if you know what I mean by that, but as I was going through college and graduate school sometimes I just would not get a concept initially, but once I got it I really got it. It's kind of the same thing with Docker. I've been doing this the whole time with my mindset that this is the way to do it, and even though the whole time I know some of you out there have been telling me "this is a different way you could do this, a more secure way," it just was not clicking with me what you were saying until now, and I don't know why. So, one, I want to say thank you so much for sticking with me and for just consistently telling me "hey, there's a better way," and for sticking with me while I did it the other way for so long. I'm not saying the way that I've been doing it is wrong, I'm just saying that there's another way to do this, and I want to go through it with you guys today. I think this way, especially on a VPS, is a more secure way, and there are a couple of different aspects to what we're going to talk about when you're talking about Docker and reverse proxies and setting things up.

So I have several different Docker setups. You can see here I've got my local, that's the machine that is the actual Docker for the Portainer install. I've got my Ubuntu Server VM that runs a bunch of my services here in my home. I've got my iMac that we're going to actually be using today, that was the one I was just showing you that only had a couple of containers. And then I've got my one that's out there on the OSIA site, the Open Source Is Awesome site, that runs a bunch of stuff as well. These all run the Portainer agent, and it gives me one interface where I can go and jump into any of them and do something, which is really great. Portainer is a super amazing tool. If you guys haven't checked out my Portainer videos I highly recommend you go check them out. Portainer is a really great company; they make this open source, they make it where you can run it yourself, but they also have some really great stuff that you can pay for, and that supports the open source development, which is amazing. That's the one thing I love about companies that open source their software: sure, they have a model to make money, that totally makes sense, they're a business and they're a company, but they use that money to give back and they try to provide something like this, which is an amazing tool that we can use for free, open source and self-hosted. So I can't say enough good things about Portainer and what it can offer you and what it can do, and I haven't even scratched the surface of what you can really do with Portainer. Just understand that it can do so much more than what I do with it, and it's really a great tool for the little bit that I do with it as well.

I want to say thank you to all my patrons over at Patreon and my subscribers on YouTube. Thank you so much for all of your support. I love doing this channel, I love making this media and this content for you, and I hope you enjoy it as well. I do post all of the videos now over at Patreon after one of my patrons made the suggestion, and I don't know why it didn't dawn on me before that. If you're interested in seeing them through Patreon and getting a notification through Patreon instead of through YouTube, or hoping that YouTube's algorithm happens to show it to you, jump over and become a supporter on Patreon, patreon.com. I've got the links in the description and the show notes. I appreciate your support, thank you so much.

So I have Portainer set up, and we're going to jump over to the iMac here, my iMac machine, and you can see here that I've only got a couple of containers running. One is the Portainer agent and the other one here is Heimdall, which I'm just kind of doing some testing with. I'll be doing a video on Heimdall here in the future as well. It's another nice dashboard, kind of like Homer, which I use; Heimdall is a very similar type of thing, but it has user accounts so the different users can kind of have their own setup, which is pretty nice. That's one thing I feel like Homer's missing a little bit. Homer is a super nice shortcut dashboard, but I definitely think that it could use some user account settings as well.

Okay, beyond that, we're looking here at my setup for my iMac, and I've got a couple of terminals open. What I'm going to do is going to sound a little crazy, but I've got Portainer open twice, for a good reason. Here you can see I've got my Nginx Proxy Manager app running, and I'm going to go shut this one off because I want to set up Nginx Proxy Manager on this other machine. Now, we're going to do this stuff through the CLI. You can definitely do this stuff through Portainer, but I like to show you guys the CLI in case you're not running Portainer for some reason. So I am going to go shut this off: I'm just going to click this box and I'm going to click this box, and it's going to shut down my Nginx Proxy Manager for a little bit. I'm just going to hit the stop button; I'm not going to kill it, I'm just going to stop those containers from running, and then I'll come back and start them back up when I'm ready for everything to be running again. You can see they're stopped down here. I'm going to jump back over to my iMac, and you can see that there's nothing there. So I've got the Nginx Proxy Manager site up, and I'm just going to grab this docker-compose file, and you can see that's really all that there is to it. We're just going to grab that text right off their quick setup here on nginxproxymanager.com. I'm going to copy that, and I'm going to open up a terminal and make this a little bit bigger, and we'll just clear it here. I'm going to make this text a little bit larger for you guys.

I'm going to basically create a folder, so I'm just going to say mkdir nginxpm, that's fine, and then cd into that folder I just created. This is just Docker organization, basically. Inside this folder I need to create a couple of things. I'm going to create a docker-compose file, so I'm just going to say nano (this is just a text editor; you can use vi, you can use vim, you can use whatever you want to use, but I'm going to use nano) docker-compose.yml, and I'm going to paste in that text I just copied from back here on the web page. You can use Ctrl+Shift+V, like Victor, or you can right-click and do paste; it's completely up to you how you paste it in, it doesn't really matter how you do this. You can see here we've got a data volume that we need to have created, and inside of that is our MySQL stuff, so that's for the MySQL volume. We also have a data volume here for the Nginx Proxy Manager itself, so it's the same folder, and then we have this letsencrypt folder that it creates for /etc/letsencrypt. So we're going to create those two folders real quick.

But before we do that, notice that there are several port mappings here for Nginx Proxy Manager on the web interface. You've got 80; 81 is your admin interface; and 443 is your SSL interface. Out of these three, you can feel free to change the left side of this one, that's your web interface, that's how you access the web interface. You can change it to any port that your system is not using, but I would highly recommend not changing 80 or 443. You should leave these because this is how Let's Encrypt communicates with your proxy host to give you certificates for any of the sites that you're using Nginx Proxy Manager for. So I would say don't change these; just 81, if you want to, you can. You should never expose this one to the internet. This is your admin interface. You can use a proxy to actually proxy yourself around to it, so you have a nice SSL-encrypted way to get to it and everything, and I've got videos on that out there.

The next things we need to check here real quick are the MySQL user. You should change these things, so I'm going to change this to brian. And the MySQL password: you should make this a long, strong, complex password, and you're going to type it into this configuration file two times, basically here at the top, and then you're going to type it in again down here where it says MySQL password. You're going to type in the same password and the same user down here. These two you don't need to change. Actually, you can change this one, the root password; make it something really long and complex because you don't need to use it, so you can make it anything you want. Oh, I've got to put my cursor in the right place here. So you can change this password to anything you want. If you do, okay, that's going to be pretty hard for somebody to guess, I imagine. I don't need to know that password, I just need that to be my root password because it's secure, and I can always come look at my config file to see what it is if I happen to need it for some reason. The database name is just going to say npm. I'm going to change my user to brian. So you need to create a nice long, complex, strong password for your MySQL password as well, and you're going to put it in twice, here and up here. We'll kind of look at this real quick and we're just going to do this. I'm going to destroy this after the video is over, so don't worry about it if you get to see it. Okay, once you make that password you can just do this, and then you can do copy, and then you can move your cursor up and just do Ctrl+Shift+V and paste it in. Now they both match. Make sure your user matches, make sure the database name matches, everything like that, and you're really pretty much set.

So we're just going to save this file with Ctrl+O and Enter, and we're going to exit with Ctrl+X. Now I need to create those two folders, so I'm going to do mkdir data, mkdir letsencrypt, spelled correctly. If we do cat docker-compose.yml we can just double-check that I spelled them both the right way, and you can see right here it's data and letsencrypt, so that's good, we're set. We can clear this out and now we can run our docker-compose up. We're just going to do docker-compose up -d. It's going to go out and grab Nginx Proxy Manager and the MariaDB database, put those together, and then we'll have Nginx Proxy Manager ready to run on this system. Now, one thing I have to change on my network is that currently my network is forwarding 80 and 443 to the other machine where that was running, so I need to fix that real quick so from the outside it'll forward that stuff.

All right, everything finished up here, so we're just going to jump over and see if we can reach this by IP address, and you see this takes me to my Nginx Proxy Manager page just by going there. Now if I want to go to the actual admin part I do :81, and the first time out we need to put in admin@example.com and then "changeme" as the password initially. I'm going to say don't save that, and here it wants me to change this, which I do want to do, so let me just type b-r-i-n, fix it, del rio.com, and then the password. We're going to change it: we put in the current password, then we'll make a strong password and save that, and we're done there. You can see now that I've got the administrator account set up.

Over here, if we go look at proxy hosts, there are no proxy hosts yet, but we don't really have anything we need to proxy to. We have Heimdall, but Heimdall is not set up the way that I want it, so we're going to go redo the way that Heimdall is set up. Right here you can see Heimdall is set up and you can see that I'm forwarding ports 8220 and 8443: 8220 to 80 and 8443 to 443. So if I look here I've got Heimdall running, and I believe I installed Heimdall through Portainer using the app templates, so I'm just going to stop this and I'm going to edit it here in just a second. If I go in here to edit, we can go look at what our port forwardings are. Now, like I said, there are a couple of ways to do ports and port forwarding in here, but you see here that it has internal ports of 80 and 443. I don't really need those, but what I do need is a special network. If you look at the networks here through Portainer you can see that I've got the bridge network, the host network and the none network. These are just system networks that get set up automatically with Docker. Here you can see I've got this nginx-proxy-manager network that got created through the compose file. What I want to do, actually, though, is create my own network, and I want to attach this one to it, and I want to attach anything else that I'm running to that network. There are Docker commands to do this, and I'll kind of go through these with you guys, but we're going to do this in the command line here.

I'm just going to clear this out and make this full screen again for you guys. We're going to do docker network create -d, and then I'm going to make this a bridge network. This is the type of network that lets the Docker containers reach out to the internet or be reached from the internet if we need to. You don't need this for every single container out there; actually, you could use different kinds of networks to do this, but in this case I think this is a good starting place. Then I'm going to call this osia, which is Open Source Is Awesome, and there we go, we've got a network created. If we go back to Portainer now you can see that we've got osia as our bridge network here, and I want to attach this to it. Again, you can do all of these things through Portainer, which is really nice, it's a nice clickable GUI, but we'll go do it through the CLI.

If we look real quick here at the Docker documentation and we move down, you'll see that there are overlay options. That's if you have a lot of Docker instances and you want to do some things; you need to be running Docker in certain modes for this to work, but it's pretty nice that you could do this between different Docker instances and containers. But here we want to connect the container. The first way is to run the container and tell it right off the bat to connect to your network, and that would be --network=whatever your network name is. Here we have the docker network connect command; this is for a running container. Basically you say docker network connect, you can have options, but you say the network name and then the container name. So that's what we're going to do, and we're going to say docker network connect osia and we're going to put it as nginxpm_app_1, and docker network connect osia for the Nginx Proxy Manager database, if I type it correctly: docker network connect osia, the network first, nginxpm_db_1. Let me clear that out. Now if we go check, everything should be running on the Docker network, so we'll go back into Portainer here and we'll look at our containers. It's probably good to restart Nginx Proxy Manager, but let's just check and make sure that we can reach it still. Let's refresh; it looks like everything's still functioning correctly, so that's good. If we go to our users here and I click to edit my user, it's able to bring everything up, so that makes me think everything's working correctly, just the way we want it to. So that's good.

So we'll go back in here. Now I have Heimdall set up, and because I did Heimdall through the Portainer setup I'm going to change everything for Heimdall through this. I'm going to click in, I'm going to do edit, and what I'm going to do is get rid of these port mappings and then attach it to this osia network that we just set up. Now I'm going to redeploy this container, and there we go, we have Heimdall running. Now, I won't be able to reach Heimdall because, one, it runs on port 80 inside of its container, but I didn't map any ports here. What I want to do is set up Nginx Proxy Manager to actually let me get to Heimdall, and I should be able to do that through the actual container name. So we're going to go into Nginx Proxy Manager and we're going to add a new proxy host, and I can use routemyhome.org, I believe. Let's just double-check and make sure it's forwarding correctly; let's do routemyhome.org. It's not www, so I don't know why it's trying to take me to www. There we go, we got the congratulations page. Let's try port 81; my firewall should be blocking that. It is, good. All right, so we're going to go back through the IP address. There are no proxy hosts, so we're going to add one, and we're going to call this heim.routemyhome.org, and I'm going to set this as heimdall, it's on port 80, and websockets, block common exploits, cache assets, and save. Now, in theory, this should forward me to that container, and there it is: my container is up and running. I don't have any ports open or exposed to the internet and I'm using the Docker networking.

I know it's two years we've been going on with my videos and I just now got this, so I hope you guys that knew about this are going "oh my god, finally." I hope you appreciate it; I appreciate it. I think it's amazing that I can do this, which is really awesome. I just don't know why it didn't dawn on me before that I could do this, but now I'm protecting this thing and I'm protecting my actual application, and the only thing I've got really running is my Nginx Proxy Manager. Again, my external firewall protects that admin interface, that port 81, which is what I want, but I'm keeping everything inside my network where I have to use this. I cannot jump to it just through the IP address anymore; I don't have to worry about that happening. So if you're on an internal network like at a workplace or a university or somewhere like that, and you're trying to run web applications, for anything that you would normally do port mapping for I've just shown you a really great way to do this.

So let's just talk about it one more time, what the process is. One, you need to have a reverse proxy. It doesn't matter if you use Nginx Proxy Manager or Traefik or Caddy or whatever, as long as you know how to use that tool. That's step one. You need to have it set up inside of your Docker network, and it needs to be on a Docker network. So two is create your Docker network. We used a couple of really simple commands here: we did docker network create, and then we called it a bridge network because it's just for inside of our Docker containers on this machine and I want them to be reached by the internet or reach out to the internet if they need to, and then we just gave it a name. Whatever name you want; if you want to call this "my cool house" you can do that, that would be the Docker network name that you're creating. Basically, then you want to attach your containers to it, so say docker network connect, and you're going to just give it the network you want to connect to, so in my case it was osia, or it might be "my cool network," and then the container name that you want to connect to it. In our case we want to definitely connect Nginx Proxy Manager, the app and the db, so that's what we did, because those two communicate with each other; they're two different containers and they communicate with each other through the same kind of network. Then you want to add anything else, so we added Heimdall and Heimdall went onto it. Now, I did it through Portainer, but this would have done the exact same thing: it would have connected it to "my cool network," or in my case we connected it to osia, heimdall, right? So we got those connected. Once we did that we were set for networking. We didn't have to use any port mappings on Heimdall; we just let it be the ports that it already says "hey, these are ports that I have that you're going to use," which is great. You need to know those things.

But then we go into Nginx Proxy Manager and we set up a proxy host. Inside of the proxy host, we'll just go edit this one so you can see it. We give it a name. Now, routemyhome.org is my domain; I own this. You need to own whatever domain you're trying to get through to, but you need to point that domain to your home IP address or your work IP address or wherever you're running this that you want to access it from. So in my case I own routemyhome.org, and I pointed heim.routemyhome.org to Heimdall. I used the container name, which was great, that's simple: if for some reason this network address set changes, the container name does not, it stays heimdall. And then I know it runs on port 80, right here, and I've got it set up. Now I'm accessing it without SSL, so let's go set up SSL. We're going to click on the SSL tab and say "you know what, request a new certificate for me for this," I'm going to say force me to go to SSL, and I do agree to the Let's Encrypt certificate terms of service. Now, if you want to go set up HSTS and all those things you can; this is not something I'm going to do right now. You can use a DNS challenge if you're willing to go set up some TXT records on your DNS records and things like that, so if you don't want to have it where Let's Encrypt can reach through your network to get to the certificates you can do it through a DNS challenge. It's not something I want to go into in this video, but it is possible. We're just going to hit save, and we're going to see if Let's Encrypt can reach this thing and then issue a Let's Encrypt certificate for us to get to our dashboard through HTTPS. It looks like it worked, because the little pop-up went away without any error messages. Now we click and we see we get HTTPS with a valid CA certificate to get to our Heimdall dashboard.

So that's really all there is to it to getting your Docker stuff set up and actually a little bit more secure than we even were before. Now I've given you two sets of tools to do this. You can say "Docker, I only want you to let things through that I want to let through my external firewall." You can set that up on your home (and you should always have a firewall set up on your home network), and you can set that up on a VPS like I did with DigitalOcean last week in that video. If you haven't seen that video you should go check it out; I'll put a link to it in the description so that you guys can see what we're doing. I'll have show notes for this one since we did some terminal stuff this time, so there will be show notes on how I set this up and what steps I went through to set this up, and you guys can just apply that to any Docker containers you want. So we've got firewalls, we've got things like Cloudflare to help protect your data and help set up kind of those "in the internet" firewalls, I guess is the best way to put it. It stops things from coming through; it helps keep things protected so that you don't have ports open and things exposed that you don't want. And then we have the way that we did today, where we create a special Docker network and we set up something like Nginx Proxy Manager, and we expose only the ports for that that we need to through our firewall, and then we use everything else that's built into Docker to kind of keep those app containers very secure as far as networking goes.

I hope this video was useful to you guys, I hope you enjoyed it. If you did, like, subscribe, tell your friends about it so they come along on the journey with us, and I'll talk to you next time.
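The layout the video ends on, a proxy that publishes 80/443 and apps that publish nothing and are reached only over the shared bridge network, is easy to get wrong when you add the next container. As an added example (not code from the video or from Nginx Proxy Manager), this Python audit walks a docker-compose service map and flags any app that still publishes host ports or is missing from the shared network; the compose contents, the network name `osia` and the image names are constructed from what the video shows.

```python
"""Audit a docker-compose 'services' map for the reverse-proxy layout:
only the proxy publishes host ports, every service sits on the shared
user-defined bridge network, and the proxy's admin port is not bound on
all interfaces (the video relies on an external firewall for port 81).
Only the short 'ports' syntax ("80:80", "127.0.0.1:81:81", "80:80/tcp")
is handled; long-form port entries are not parsed here."""

NETWORK = "osia"          # user-defined bridge network from the video
PROXY = "app"             # Nginx Proxy Manager service name in its compose file
PUBLIC_PORTS = {"80", "443"}
ADMIN_PORT = "81"
ALL_INTERFACES = {"", "0.0.0.0", "::"}


def published(spec):
    """Return (host_ip, host_port) for one short-syntax 'ports' entry."""
    parts = str(spec).split("/")[0].split(":")
    if len(parts) == 3:                 # "ip:host:container"
        return parts[0], parts[1]
    return "0.0.0.0", parts[0]          # "host:container" or bare "container"


def audit_compose(services, network=NETWORK, proxy=PROXY):
    """Return a list of 'ERROR: ...' / 'WARN: ...' findings (empty = clean)."""
    findings = []
    for name, svc in services.items():
        nets = svc.get("networks") or []
        if isinstance(nets, dict):      # compose allows a mapping here too
            nets = list(nets)
        if network not in nets:
            findings.append(f"ERROR: {name}: not attached to network '{network}'")
        for spec in svc.get("ports") or []:
            host_ip, host_port = published(spec)
            if name != proxy:
                findings.append(f"ERROR: {name}: publishes host port {host_port}; "
                                f"let the proxy reach it over '{network}' instead")
            elif host_port == ADMIN_PORT and host_ip in ALL_INTERFACES:
                findings.append(f"WARN: {proxy}: admin port {ADMIN_PORT} bound on all "
                                "interfaces; confirm the firewall blocks it from outside")
            elif host_port not in PUBLIC_PORTS | {ADMIN_PORT}:
                findings.append(f"ERROR: {proxy}: unexpected published port {host_port}")
    return findings


def counts(findings):
    """(errors, warnings) for a findings list."""
    return (sum(f.startswith("ERROR") for f in findings),
            sum(f.startswith("WARN") for f in findings))


# Constructed 'before' state: Heimdall still port-mapped and not on 'osia'.
BEFORE = {
    "app": {"image": "jc21/nginx-proxy-manager:latest",
            "ports": ["80:80", "81:81", "443:443"], "networks": ["osia"]},
    "db": {"image": "jc21/mariadb-aria:latest", "networks": ["osia"]},
    "heimdall": {"image": "linuxserver/heimdall", "ports": ["8220:80", "8443:443"]},
}

# Constructed 'after' state: same containers, Heimdall reachable only via the proxy.
AFTER = {
    "app": {"image": "jc21/nginx-proxy-manager:latest",
            "ports": ["80:80", "443:443", "127.0.0.1:81:81"], "networks": ["osia"]},
    "db": {"image": "jc21/mariadb-aria:latest", "networks": ["osia"]},
    "heimdall": {"image": "linuxserver/heimdall", "networks": ["osia"]},
}

if __name__ == "__main__":
    for label, compose in (("before", BEFORE), ("after", AFTER)):
        print(label, counts(audit_compose(compose)))
        for line in audit_compose(compose):
            print("  " + line)
```

Running it reports three errors and one warning for the 'before' layout and nothing for the 'after' one; the same checks apply to a stack created with `docker network create -d bridge osia` and `docker network connect osia <container>` as in the video, since they only look at published ports and network membership.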
Info
Channel: Awesome Open Source
Views: 4,483
Keywords: open, source, opensource, open-source, self, hosted, selfhosted, self-hosted, free, libre, software, server, web, internet, browser, linux, mac, macos, os x, windows, microsoft, unix, bsd, ios, android, pi, raspberry, desktop, digital, ocean, digitalocean, vps, tutorial, how to, setup, installation, instructions, cli, command line, terminal, interface, open source software, open source news, open source projects, docker, reverse proxy, nginx proxy manager, traefik, caddy, haproxy, ha proxy, network, port mapping, without
Id: 8T68pB_Fkm4
Length: 23min 57sec (1437 seconds)
Published: Tue Oct 12 2021