Securing Docker Container using BunkerWeb on Docker Swarm Cluster

Mengamankan Docker Container menggunakan BunkerWeb pada Docker Swarm Cluster


Integrasi dengan Docker Swarm Cluster dan Autoconf

  • Buat file docker-compose.yml
  • Domain yang digunakan: web.marikita.online, yang sudah di-pointing (record DNS) ke IP server Docker
  • Menggunakan image bunkerweb versi 1.5.0
  • Network: bw-services (digunakan untuk menghubungkan BunkerWeb dan aplikasi web service)
  • Network: bw-universe (digunakan untuk menghubungkan BunkerWeb dan scheduler)
  • Network: bw-docker (digunakan untuk menghubungkan BunkerWeb dan docker proxy)
  • Service bunkerweb harus expose port 80 dan 443
  • server_name: web.marikita.online dengan reverse_proxy_host: http://myapp
  • Service aplikasi bernama: myapp dengan image: sysopsid/web-test dengan replikasi 4 container
  • Ganti user dan password database (nilai `changeme`) pada service mariadb, bunkerweb, autoconf, dan scheduler — keempatnya harus memakai nilai yang sama
# Single-stack deployment of BunkerWeb 1.5.0 on Docker Swarm: the WAF
# instances, the autoconf/scheduler control plane, their MariaDB/Redis state
# and the protected web service (myapp) all live in one stack.
version: "3.5"

services:
  # Reverse proxy / WAF. One task per node (deploy.mode: global); 80/443 are
  # bound directly on each node (mode: host), bypassing the Swarm ingress mesh.
  bunkerweb:
    image: bunkerity/bunkerweb:1.5.0
    ports:
      - published: 80
        target: 8080
        mode: host
        protocol: tcp
      - published: 443
        target: 8443
        mode: host
        protocol: tcp
    environment:
      # Web service config for myapp: requests for the site are proxied on "/"
      # to the myapp service, resolved by name over the shared bw-services net.
      - SERVER_NAME=web.marikita.online
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://myapp
      # AutoConf config.
      # SECURITY: the DB password "changeme" is hard-coded here and in three
      # more places (bw-autoconf, bw-scheduler, bw-db). Replace all four with
      # one strong random value before deploying and keep this file out of VCS.
      # NOTE(review): this service is not attached to bw-docker, where bw-db
      # runs, so bw-db is not reachable from here; presumably the instance gets
      # its configuration from the scheduler instead — confirm before relying
      # on this URI.
      - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
      - SWARM_MODE=yes
      - MULTISITE=yes
      - USE_REDIS=yes
      - REDIS_HOST=bw-redis
      # Allow-list for BunkerWeb's internal API: loopback plus the bw-universe
      # subnet. This only works because bw-universe is pinned to 10.20.30.0/24
      # in the networks section below; keep the two values in sync. Anything
      # able to join bw-universe (attachable: true) falls inside this list.
      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
      # Request rate limit applied by BunkerWeb.
      - LIMIT_REQ_RATE=150r/s
    networks:
      - bw-universe
      - bw-services
    deploy:
      mode: global
      labels:
        # Label by which autoconf recognises this service as a BunkerWeb
        # instance to manage.
        - "bunkerweb.INSTANCE"

  # Watches Swarm services through the socket proxy and stores the resulting
  # configuration in the shared database.
  bw-autoconf:
    image: bunkerity/bunkerweb-autoconf:1.5.0
    environment:
      - SWARM_MODE=yes
      # Docker API is reached through the socket proxy, never the raw socket.
      - DOCKER_HOST=tcp://bw-docker:2375
      # Same hard-coded credential as above — change it together with the rest.
      - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
    networks:
      - bw-universe
      - bw-docker
    deploy:
      placement:
        constraints:
          - "node.role == manager"

  # Filtering proxy in front of the manager's Docker socket. The socket is
  # mounted read-only, but the Docker API behind it is root-equivalent on the
  # host, so this is the most sensitive container in the stack.
  # SECURITY: the image has no tag (it resolves to :latest, see the stack ps
  # output) — pin a version or digest so an upstream change cannot silently
  # land in the component that fronts the Docker socket.
  bw-docker:
    image: tecnativa/docker-socket-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # Only the endpoint families autoconf/scheduler need are enabled. The
      # proxy has no authentication of its own, and container inspection
      # returns environment variables (including the DATABASE_URI values
      # above) to any client that can reach it on bw-docker.
      - CONFIGS=1
      - CONTAINERS=1
      - SERVICES=1
      - SWARM=1
      - TASKS=1
    networks:
      - bw-docker
    deploy:
      placement:
        constraints:
          # Swarm-level API calls need a manager's daemon.
          - "node.role == manager"

  # Builds the BunkerWeb configuration from the database and delivers it to
  # the instances (presumably over the internal API allow-listed above —
  # confirm against the BunkerWeb docs for this version).
  bw-scheduler:
    image: bunkerity/bunkerweb-scheduler:1.5.0
    environment:
      - SWARM_MODE=yes
      - DOCKER_HOST=tcp://bw-docker:2375
      # Same hard-coded credential as above — change it together with the rest.
      - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
    networks:
      - bw-universe
      - bw-docker
    deploy:
      placement:
        constraints:
          - "node.role == manager"

  # Configuration database shared by autoconf and scheduler.
  bw-db:
    image: mariadb:10.10
    environment:
      # A random root password is generated on first initialisation (the
      # mariadb image prints it to the container log once); only the
      # "bunkerweb" user is used by the stack.
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
      - MYSQL_DATABASE=db
      - MYSQL_USER=bunkerweb
      # SECURITY: must match the password embedded in every DATABASE_URI above.
      - MYSQL_PASSWORD=changeme
    volumes:
      # Named local volume: it is NOT removed by `docker stack rm`, so the data
      # (and the credential it was created with) persists until deleted.
      - bw-data:/var/lib/mysql
    networks:
      # Shares bw-docker with the socket proxy; a dedicated network would keep
      # database traffic apart from Docker API traffic (least privilege).
      - bw-docker
    deploy:
      placement:
        constraints:
          # Local volumes do not follow a task between nodes; on a
          # single-manager cluster this pin keeps the data on one node.
          - "node.role == manager"

  # Shared cache/state for the BunkerWeb instances, one task per node. Runs
  # with the image defaults (no authentication), so it trusts every container
  # that can reach it on bw-universe.
  bw-redis:
    image: redis:7-alpine
    networks:
      - bw-universe
    deploy:
      mode: global

  # Protected web service. It publishes no ports and sits only on bw-services,
  # so it is reachable solely through BunkerWeb. The image is untagged
  # (:latest); pin it for reproducible deployments.
  myapp:
    image: sysopsid/web-test
    networks:
      - bw-services
    deploy:
      mode: replicated
      replicas: 4

volumes:
  bw-data:

networks:
  # BunkerWeb <-> scheduler/autoconf/redis. The subnet is fixed so that
  # API_WHITELIST_IP above stays valid. Overlay traffic between nodes is not
  # encrypted by default; the overlay driver has an `encrypted` option if the
  # cluster spans untrusted links.
  bw-universe:
    name: bw-universe
    driver: overlay
    # attachable lets standalone (non-service) containers join; if nothing
    # needs that, false reduces what can reach the internal API and Redis.
    attachable: true
    ipam:
      config:
        - subnet: 10.20.30.0/24
  # BunkerWeb <-> protected applications.
  bw-services:
    name: bw-services
    driver: overlay
    attachable: true
  # Socket proxy, database, autoconf and scheduler. Anything joined here can
  # query the Docker API through bw-docker unauthenticated.
  bw-docker:
    name: bw-docker
    driver: overlay
    attachable: true
  • Jalankan docker stack
# Deploy all services above as one stack named "bunker-web" (creates the
# three overlay networks first, then the services).
docker stack deploy -c docker-compose.yml bunker-web
---<output>---
Creating network bw-services
Creating network bw-universe
Creating network bw-docker
Creating service bunker-web_bunkerweb
Creating service bunker-web_bw-autoconf
Creating service bunker-web_bw-docker
Creating service bunker-web_bw-scheduler
Creating service bunker-web_bw-db
Creating service bunker-web_bw-redis
Creating service bunker-web_myapp
  • Cek status docker stack, pastikan semua container sudah Up
# List every task in the stack; all rows should show "Running" under
# CURRENT STATE before the domain is tested.
docker stack ps bunker-web
---<output>---
ID             NAME                                             IMAGE                                  NODE           DESIRED STATE   CURRENT STATE           ERROR     PORTS
nk5pwghb35pl   bunker-web_bunkerweb.k2phgs6wbjb4jpqjnoobbmgtk   bunkerity/bunkerweb:1.5.0              ubuntu-test1   Running         Running 4 minutes ago             *:443->8443/tcp,*:443->8443/tcp,*:80->8080/tcp,*:80->8080/tcp
oj6cpjxbeft2   bunker-web_bunkerweb.n9e5zy70fyeolh5joctjf4388   bunkerity/bunkerweb:1.5.0              ubuntu-test2   Running         Running 4 minutes ago             *:443->8443/tcp,*:443->8443/tcp,*:80->8080/tcp,*:80->8080/tcp
nhfhj7px9n3y   bunker-web_bw-autoconf.1                         bunkerity/bunkerweb-autoconf:1.5.0     ubuntu-test1   Running         Running 3 minutes ago             
d0c36w19ftym   bunker-web_bw-db.1                               mariadb:10.10                          ubuntu-test1   Running         Running 3 minutes ago             
mb8dmhzzi6x1   bunker-web_bw-docker.1                           tecnativa/docker-socket-proxy:latest   ubuntu-test1   Running         Running 4 minutes ago             
u8mjo6er3kmn   bunker-web_bw-redis.k2phgs6wbjb4jpqjnoobbmgtk    redis:7-alpine                         ubuntu-test1   Running         Running 3 minutes ago             
s7cs0azpfrgm   bunker-web_bw-redis.n9e5zy70fyeolh5joctjf4388    redis:7-alpine                         ubuntu-test2   Running         Running 3 minutes ago             
oca7rdux3s4f   bunker-web_bw-scheduler.1                        bunkerity/bunkerweb-scheduler:1.5.0    ubuntu-test1   Running         Running 3 minutes ago             
i3v81e68h66t   bunker-web_myapp.1                               sysopsid/web-test:latest               ubuntu-test2   Running         Running 4 minutes ago             
66qh3disdhav   bunker-web_myapp.2                               sysopsid/web-test:latest               ubuntu-test1   Running         Running 4 minutes ago             
ovl9eh46czrs   bunker-web_myapp.3                               sysopsid/web-test:latest               ubuntu-test2   Running         Running 4 minutes ago             
rdxc9naff4m2   bunker-web_myapp.4                               sysopsid/web-test:latest               ubuntu-test1   Running         Running 4 minutes ago      
  • Akses domain: web.marikita.online untuk cek aplikasi web service.
  • Hapus docker stack
# Remove the stack (services and its networks). The bw-data volume holding
# the MariaDB data is NOT removed by this command.
docker stack rm bunker-web

  • Alternatif: konfigurasi file Docker Compose dibuat menjadi 2 bagian, yaitu konfigurasi untuk BunkerWeb dan konfigurasi untuk web service (dideploy sebagai dua stack terpisah yang berbagi network bw-services).
  • File untuk BunkerWeb: docker-compose-swarm-bunkerweb.yml
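# BunkerWeb 1.5.0 control plane on Docker Swarm, deployed as its own stack.
# Protected applications are deployed separately and plug in through the
# shared bw-services overlay network and bunkerweb.* service labels.
version: "3.5"

services:
  # Reverse proxy / WAF. One task per node (deploy.mode: global); 80/443 are
  # bound directly on each node (mode: host), bypassing the Swarm ingress mesh.
  bunkerweb:
    image: bunkerity/bunkerweb:1.5.0
    ports:
      - published: 80
        target: 8080
        mode: host
        protocol: tcp
      - published: 443
        target: 8443
        mode: host
        protocol: tcp
    environment:
      # AutoConf config.
      - SERVER_NAME=sys-ops.marikita.online
      # SECURITY: the DB password "changeme" is hard-coded here and in three
      # more places (bw-autoconf, bw-scheduler, bw-db). Replace all four with
      # one strong random value before deploying and keep this file out of VCS.
      # NOTE(review): this service is not attached to bw-docker, where bw-db
      # runs, so bw-db is not reachable from here; presumably the instance gets
      # its configuration from the scheduler instead — confirm before relying
      # on this URI.
      - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
      - SWARM_MODE=yes
      - MULTISITE=yes
      - USE_REDIS=yes
      - REDIS_HOST=bw-redis
      # Allow-list for BunkerWeb's internal API: loopback plus the bw-universe
      # subnet. This only works because bw-universe is pinned to 10.20.30.0/24
      # in the networks section below; keep the two values in sync. Anything
      # able to join bw-universe (attachable: true) falls inside this list.
      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
      # Request rate limit applied by BunkerWeb.
      - LIMIT_REQ_RATE=150r/s
      # TLS / Let's Encrypt
      - AUTO_REDIRECT_HTTP_TO_HTTPS=yes
      # Offer TLS 1.3 alongside 1.2. The previous value ("TLSv1.2") disabled
      # TLS 1.3 for no stated reason; the value uses nginx ssl_protocols
      # syntax, i.e. space-separated versions.
      - HTTPS_PROTOCOLS=TLSv1.2 TLSv1.3
      - HTTP2=yes
      # Plain HTTP stays open: it is redirected to HTTPS above, and the
      # certificate automation presumably needs port 80 for its challenge
      # (confirm for the challenge type BunkerWeb uses).
      - LISTEN_HTTP=yes
      - AUTO_LETS_ENCRYPT=yes
      # Contact address for the ACME account; the value below is an
      # extraction placeholder and must be replaced with a real mailbox.
      - [email protected]
      # Set to "yes" while testing: the production endpoint rate-limits
      # repeated issuance for the same domain.
      - USE_LETS_ENCRYPT_STAGING=no
    networks:
      - bw-universe
      - bw-services
    deploy:
      mode: global
      labels:
        # Label by which autoconf recognises this service as a BunkerWeb
        # instance to manage.
        - "bunkerweb.INSTANCE"

  # Watches Swarm services through the socket proxy and stores the resulting
  # configuration in the shared database.
  bw-autoconf:
    image: bunkerity/bunkerweb-autoconf:1.5.0
    environment:
      - SWARM_MODE=yes
      # Docker API is reached through the socket proxy, never the raw socket.
      - DOCKER_HOST=tcp://bw-docker:2375
      # Same hard-coded credential as above — change it together with the rest.
      - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
    networks:
      - bw-universe
      - bw-docker
    deploy:
      placement:
        constraints:
          - "node.role == manager"

  # Filtering proxy in front of the manager's Docker socket. The socket is
  # mounted read-only, but the Docker API behind it is root-equivalent on the
  # host, so this is the most sensitive container in the stack.
  # SECURITY: the image has no tag (resolves to :latest) — pin a version or
  # digest so an upstream change cannot silently land in the component that
  # fronts the Docker socket.
  bw-docker:
    image: tecnativa/docker-socket-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # Only the endpoint families autoconf/scheduler need are enabled. The
      # proxy has no authentication of its own, and container inspection
      # returns environment variables (including the DATABASE_URI values
      # above) to any client that can reach it on bw-docker.
      - CONFIGS=1
      - CONTAINERS=1
      - SERVICES=1
      - SWARM=1
      - TASKS=1
    networks:
      - bw-docker
    deploy:
      placement:
        constraints:
          # Swarm-level API calls need a manager's daemon.
          - "node.role == manager"

  # Builds the BunkerWeb configuration from the database and delivers it to
  # the instances (presumably over the internal API allow-listed above —
  # confirm against the BunkerWeb docs for this version).
  bw-scheduler:
    image: bunkerity/bunkerweb-scheduler:1.5.0
    environment:
      - SWARM_MODE=yes
      - DOCKER_HOST=tcp://bw-docker:2375
      # Same hard-coded credential as above — change it together with the rest.
      - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
    networks:
      - bw-universe
      - bw-docker
    deploy:
      placement:
        constraints:
          - "node.role == manager"

  # Configuration database shared by autoconf and scheduler.
  bw-db:
    image: mariadb:10.10
    environment:
      # A random root password is generated on first initialisation (the
      # mariadb image prints it to the container log once); only the
      # "bunkerweb" user is used by the stack.
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
      - MYSQL_DATABASE=db
      - MYSQL_USER=bunkerweb
      # SECURITY: must match the password embedded in every DATABASE_URI above.
      - MYSQL_PASSWORD=changeme
    volumes:
      # Named local volume: it is NOT removed by `docker stack rm`, so the data
      # (and the credential it was created with) persists until deleted.
      - bw-data:/var/lib/mysql
    networks:
      # Shares bw-docker with the socket proxy; a dedicated network would keep
      # database traffic apart from Docker API traffic (least privilege).
      - bw-docker
    deploy:
      placement:
        constraints:
          # Local volumes do not follow a task between nodes; on a
          # single-manager cluster this pin keeps the data on one node.
          - "node.role == manager"

  # Shared cache/state for the BunkerWeb instances, one task per node. Runs
  # with the image defaults (no authentication), so it trusts every container
  # that can reach it on bw-universe.
  bw-redis:
    image: redis:7-alpine
    networks:
      - bw-universe
    deploy:
      mode: global

volumes:
  bw-data:

networks:
  # BunkerWeb <-> scheduler/autoconf/redis. The subnet is fixed so that
  # API_WHITELIST_IP above stays valid. Overlay traffic between nodes is not
  # encrypted by default; the overlay driver has an `encrypted` option if the
  # cluster spans untrusted links.
  bw-universe:
    name: bw-universe
    driver: overlay
    # attachable lets standalone (non-service) containers join; if nothing
    # needs that, false reduces what can reach the internal API and Redis.
    attachable: true
    ipam:
      config:
        - subnet: 10.20.30.0/24
  # BunkerWeb <-> protected applications. Created here and referenced as an
  # external network by the application stack, so this stack must be deployed
  # first.
  bw-services:
    name: bw-services
    driver: overlay
    attachable: true
  # Socket proxy, database, autoconf and scheduler. Anything joined here can
  # query the Docker API through bw-docker unauthenticated.
  bw-docker:
    name: bw-docker
    driver: overlay
    attachable: true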
  • File untuk web service: docker-compose-swarm-app.yml
# Application stack, deployed separately from the BunkerWeb stack. It joins
# the pre-existing bw-services overlay and describes its site to BunkerWeb
# through bunkerweb.* service labels that autoconf picks up.
version: "3.5"

services:
  # Protected web service. It publishes no ports and sits only on bw-services,
  # so it is reachable solely through BunkerWeb. The image is untagged
  # (:latest); pin it for reproducible deployments.
  myapp:
    image: sysopsid/web-test
    networks:
      bw-services:
          # Stable DNS name used by REVERSE_PROXY_HOST below, independent of
          # the "<stack>_<service>" name Swarm assigns.
          aliases:
            - myapp
    deploy:
      mode: replicated
      replicas: 4
      # Optional: keep application tasks off the manager nodes.
#      placement:
#        constraints:
#          - "node.role==worker"
      labels:
      # Web service config for myapp, read by autoconf and applied to the
      # BunkerWeb instances: the site is served by proxying "/" to this
      # service. SERVER_NAME must match the one the BunkerWeb stack was
      # deployed with.
      - "bunkerweb.SERVER_NAME=sys-ops.marikita.online"
      - "bunkerweb.USE_REVERSE_PROXY=yes"
      - "bunkerweb.REVERSE_PROXY_URL=/"
      - "bunkerweb.REVERSE_PROXY_HOST=http://myapp"

networks:
  # Created by the BunkerWeb stack; deploying this stack first fails because
  # the network does not exist yet.
  bw-services:
    external: true
    name: bw-services
  • Jalankan docker stack
# Order matters: the BunkerWeb stack creates the bw-services network that the
# application stack declares as external.
docker stack deploy -c docker-compose-swarm-bunkerweb.yml bunker-web
docker stack deploy -c docker-compose-swarm-app.yml bunker-app
  • Hapus docker stack
# Remove the application stack first; bw-services cannot be deleted while
# bunker-app tasks are still attached to it. The bw-data volume holding the
# MariaDB data is NOT removed by either command.
docker stack rm bunker-app
docker stack rm bunker-web
