Home server - Why Docker and VM’s?

This page summarizes the projects mentioned and recommended in the original post on /r/HomeServer.

  • watchtower

    A process for automating Docker container base image updates.

    To help prevent any access into my host from the containers if you manage to get past all of that, any container that needs to access the Docker socket (Watchtower, Traefik, Portainer, Dozzle, Docker-gc-cron, traefik-cloudflare-companion) gets its access through a socket proxy, and they are all on their own Docker network to help prevent access to the socket directly. Socket Proxy

  • docker-traefik-cloudflare-companion

    Automatically Create CNAME records for containers served by Traefik

    For my reverse proxy I am using Traefik 2 with Authelia as my 2-factor authentication. It works with TOTP and my YubiKey. To complement this, when I add the correct labels to my compose snippet for the respective service, tiredofit's Cloudflare Traefik companion container will use my Cloudflare API key to update my CNAME records to reflect the subdomain based off my Traefik labels. All of my Docker containers use Docker secrets for important environment variables.

  • docker-gc-cron

    A Docker image that allows scheduled cleanup of unused Docker images, containers, and volumes.

    To help prevent any access into my host from the containers if you manage to get past all of that, any container that needs to access the Docker socket (Watchtower, Traefik, Portainer, Dozzle, Docker-gc-cron, traefik-cloudflare-companion) gets its access through a socket proxy, and they are all on their own Docker network to help prevent access to the socket directly. Socket Proxy

  • Portainer

    Making Docker and Kubernetes management easy.

    To help prevent any access into my host from the containers if you manage to get past all of that, any container that needs to access the Docker socket (Watchtower, Traefik, Portainer, Dozzle, Docker-gc-cron, traefik-cloudflare-companion) gets its access through a socket proxy, and they are all on their own Docker network to help prevent access to the socket directly. Socket Proxy

  • pfSense

    Main repository for pfSense

    All of my CNAME records are proxied through Cloudflare. On the local side of things, I've got a server running pfSense that blocks access to my https/http ports to only allow access to them from Cloudflare's IP addresses. This limits attacks as you must use my domain to access my WAN, which is hidden behind Cloudflare's proxy, to even be allowed into those ports - which again is limited to my continent on the Cloudflare side of things. I've also got dynamic DNS set up on Cloudflare so that if my dynamic WAN changes, Cloudflare will update to reflect this change. My https/http traffic gets forwarded to my Docker box to go through my reverse proxy, which has very specific firewall rules that deny all outgoing traffic from that box unless specified for a specific service, and limit incoming traffic as well. This is backed up by fail2ban, and rate limiting is set using Traefik rules. The Linux server hosting my Docker containers itself is also locked down with the root account disabled, and SSH keys required for access. All of my servers are on a separate network from my home devices to further mitigate any attacks.

  • authelia

    The Single Sign-On Multi-Factor portal for web apps

    For my reverse proxy I am using Traefik 2 with Authelia as my 2-factor authentication. It works with TOTP and my YubiKey. To complement this, when I add the correct labels to my compose snippet for the respective service, tiredofit's Cloudflare Traefik companion container will use my Cloudflare API key to update my CNAME records to reflect the subdomain based off my Traefik labels. All of my Docker containers use Docker secrets for important environment variables.

  • dozzle

    Realtime log viewer for docker containers.

    To help prevent any access into my host from the containers if you manage to get past all of that, any container that needs to access the Docker socket (Watchtower, Traefik, Portainer, Dozzle, Docker-gc-cron, traefik-cloudflare-companion) gets its access through a socket proxy, and they are all on their own Docker network to help prevent access to the socket directly. Socket Proxy

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
