Securing Docker Container using BunkerWeb with Autoconf and Let’s Encrypt

Mengamankan Docker Container menggunakan BunkerWeb dengan Autoconf dan Let’s Encrypt


Integrasi dengan Docker single site dengan Autoconf dan Let’s Encrypt

  • Buat file docker-compose.yml
  • Domain yang digunakan: web.marikita.online yang sudah di-pointing ke server docker
  • Menggunakan image bunkerweb versi 1.5.0
  • Network: bw-services (digunakan untuk menghubungkan BunkerWeb dan aplikasi web service)
  • Network: bw-universe (digunakan untuk menghubungkan BunkerWeb dan scheduler)
  • Network: bw-docker (digunakan untuk menghubungkan BunkerWeb dan docker proxy)
  • Service bunkerweb harus expose port 80 dan 443
  • server_name: web.marikita.online dengan reverse_proxy_host: http://myapp
  • Service aplikasi bernama: myapp dengan image: sysopsid/web-test
  • Ganti user dan password service mariadb, autoconf dan scheduler; nilai pada setiap DATABASE_URI harus sama dengan MYSQL_USER dan MYSQL_PASSWORD
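# Single-file stack: BunkerWeb in front of the "myapp" web service, plus the
# autoconf and scheduler companions, a Docker socket proxy and MariaDB.
version: "3.5"

services:
  # Public entry point: the only service in this file that publishes host ports.
  bunkerweb:
    image: bunkerity/bunkerweb:1.5.0
    restart: always
    ports:
      # HOST:CONTAINER pairs are quoted so no YAML parser can retype them.
      - "80:8080"
      - "443:8443"
    labels:
      - "bunkerweb.INSTANCE"
    environment:
      # Web service config for myapp.
      # Traffic from BunkerWeb to the app is plain HTTP over the bw-services network.
      - SERVER_NAME=web.marikita.online
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://myapp
      # TLS / Let's Encrypt.
      - AUTO_REDIRECT_HTTP_TO_HTTPS=yes
      # Only TLS 1.2 is offered here; list both ("TLSv1.2 TLSv1.3") to also allow 1.3.
      - HTTPS_PROTOCOLS=TLSv1.2
      - HTTP2=yes
      - LISTEN_HTTP=yes
      - AUTO_LETS_ENCRYPT=yes
      # The original line was destroyed by the page's e-mail obfuscation
      # ("[email protected]", which is not a valid environment entry).
      # Placeholder address below: replace it with your own contact address.
      - EMAIL_LETS_ENCRYPT=admin@example.com
      - USE_LETS_ENCRYPT_STAGING=no
      # AutoConf config.
      # "changeme" is a placeholder credential: replace it in every DATABASE_URI
      # and in bw-db's MYSQL_PASSWORD, and URL-encode special characters in the URI.
      - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
      - AUTOCONF_MODE=yes
      - MULTISITE=yes
      # Internal API is limited to loopback and the bw-universe subnet defined below.
      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
      # NOTE(review): 150r/s is a generous ceiling; tune it to the application.
      - LIMIT_REQ_RATE=150r/s
    networks:
      - bw-universe
      - bw-services

  # Talks to the Docker API through the socket proxy, never the raw socket.
  bw-autoconf:
    image: bunkerity/bunkerweb-autoconf:1.5.0
    restart: always
    depends_on:
      - bunkerweb
      - bw-docker
    environment:
      - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
      - AUTOCONF_MODE=yes
      - DOCKER_HOST=tcp://bw-docker:2375
    networks:
      - bw-universe
      - bw-docker

  bw-scheduler:
    image: bunkerity/bunkerweb-scheduler:1.5.0
    restart: always
    depends_on:
      - bunkerweb
      - bw-docker
    environment:
      - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
      - DOCKER_HOST=tcp://bw-docker:2375
      - AUTOCONF_MODE=yes
    networks:
      - bw-universe
      - bw-docker

  # Docker socket proxy. It serves the Docker API on plain, unauthenticated
  # TCP 2375, so every container attached to bw-docker (bw-db included) can
  # reach it. Keep that network private and never publish this port.
  bw-docker:
    # No tag given, so this resolves to :latest; pin a reviewed tag or digest.
    image: tecnativa/docker-socket-proxy
    restart: always
    volumes:
      # ":ro" only protects the socket file in the mount; it does not make the
      # Docker API read-only. Access is limited by the proxy's own settings.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # Only the containers section of the API is enabled explicitly.
      - CONTAINERS=1
    networks:
      - bw-docker

  bw-db:
    image: mariadb:10.10
    restart: always
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
      - MYSQL_DATABASE=db
      - MYSQL_USER=bunkerweb
      # Placeholder: must match the password used in every DATABASE_URI above.
      - MYSQL_PASSWORD=changeme
    volumes:
      - bw-data:/var/lib/mysql
    networks:
      - bw-docker

  # Protected web service. It publishes no host ports and is reachable only
  # through BunkerWeb over bw-services.
  myapp:
    container_name: myapp
    restart: always
    # No tag given, so this resolves to :latest; pin a reviewed tag or digest.
    image: sysopsid/web-test
    networks:
      - bw-services

volumes:
  bw-data:

networks:
  # Fixed subnet so API_WHITELIST_IP can reference it.
  bw-universe:
    name: bw-universe
    ipam:
      driver: default
      config:
        - subnet: 10.20.30.0/24
  bw-services:
    name: bw-services
  bw-docker:
    name: bw-docker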
  • Jalankan docker compose
# Start every service defined in docker-compose.yml in the background.
docker-compose --file docker-compose.yml up --detach
---<output>---
[+] Running 10/10
 ✔ Network bw-docker                    Created               0.1s 
 ✔ Network bw-services                  Created               0.1s 
 ✔ Network bw-universe                  Created               0.1s 
 ✔ Volume "bunkerconf_bw-data"          Created               0.0s 
 ✔ Container myapp                      Started               1.3s 
 ✔ Container bunkerconf-bunkerweb-1     Started               1.7s 
 ✔ Container bunkerconf-bw-docker-1     Started               1.5s 
 ✔ Container bunkerconf-bw-db-1         Started               1.3s 
 ✔ Container bunkerconf-bw-scheduler-1  Started               2.5s 
 ✔ Container bunkerconf-bw-autoconf-1   Started               2.6s
  • Cek status docker compose, pastikan semua container sudah Up
# List all containers, stopped ones included, to confirm each one is Up.
docker ps --all
---<output>---
CONTAINER ID   IMAGE                                 COMMAND                  CREATED              STATUS                        PORTS                                                                                    NAMES
ea3dea6794e4   bunkerity/bunkerweb-autoconf:1.5.0    "python3 /usr/share/…"   About a minute ago   Up About a minute (healthy)                                                                                            bunkerconf-bw-autoconf-1
1c5d00970fca   bunkerity/bunkerweb-scheduler:1.5.0   "/usr/share/bunkerwe…"   About a minute ago   Up About a minute (healthy)                                                                                            bunkerconf-bw-scheduler-1
0a74dd8c8e96   mariadb:10.10                         "docker-entrypoint.s…"   About a minute ago   Up About a minute             3306/tcp                                                                                 bunkerconf-bw-db-1
601719515a0c   tecnativa/docker-socket-proxy         "/docker-entrypoint.…"   About a minute ago   Up About a minute             2375/tcp                                                                                 bunkerconf-bw-docker-1
b8162dd41e60   sysopsid/web-test                     "docker-php-entrypoi…"   About a minute ago   Up About a minute             80/tcp                                                                                   myapp
ab5c29384e87   bunkerity/bunkerweb:1.5.0             "/usr/share/bunkerwe…"   About a minute ago   Up About a minute (healthy)   80/tcp, 0.0.0.0:80->8080/tcp, :::80->8080/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp   bunkerconf-bunkerweb-1
  • Akses domain: web.marikita.online untuk cek aplikasi web service. SSL Let’s Encrypt sudah berhasil diinstal pada BunkerWeb.

  • Alternatif: konfigurasi file docker compose dibuat menjadi 2 bagian, konfigurasi untuk BunkerWeb dan konfigurasi untuk web service.
  • File untuk BunkerWeb: docker-compose.yml
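# BunkerWeb half of the split layout: proxy, autoconf, scheduler, Docker
# socket proxy and MariaDB. The web service lives in docker-compose-app.yml.
version: "3.5"

services:
  # Public entry point: the only service in this file that publishes host ports.
  bunkerweb:
    image: bunkerity/bunkerweb:1.5.0
    restart: always
    ports:
      # HOST:CONTAINER pairs are quoted so no YAML parser can retype them.
      - "80:8080"
      - "443:8443"
    labels:
      - "bunkerweb.INSTANCE"
    environment:
      # AutoConf config.
      # NOTE(review): unlike the single-file variant, no AUTO_LETS_ENCRYPT or
      # AUTO_REDIRECT_HTTP_TO_HTTPS settings appear here or in the labels of
      # docker-compose-app.yml; confirm whether HTTPS is meant to be on here.
      - SERVER_NAME=web.marikita.online
      # "changeme" is a placeholder credential: replace it in every DATABASE_URI
      # and in bw-db's MYSQL_PASSWORD, and URL-encode special characters in the URI.
      - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
      - AUTOCONF_MODE=yes
      - MULTISITE=yes
      # Internal API is limited to loopback and the bw-universe subnet defined below.
      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
      # NOTE(review): 150r/s is a generous ceiling; tune it to the application.
      - LIMIT_REQ_RATE=150r/s
    networks:
      - bw-universe
      - bw-services

  # Talks to the Docker API through the socket proxy, never the raw socket.
  bw-autoconf:
    image: bunkerity/bunkerweb-autoconf:1.5.0
    restart: always
    depends_on:
      - bunkerweb
      - bw-docker
    environment:
      - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
      - AUTOCONF_MODE=yes
      - DOCKER_HOST=tcp://bw-docker:2375
    networks:
      - bw-universe
      - bw-docker

  bw-scheduler:
    image: bunkerity/bunkerweb-scheduler:1.5.0
    restart: always
    depends_on:
      - bunkerweb
      - bw-docker
    environment:
      - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
      - DOCKER_HOST=tcp://bw-docker:2375
      - AUTOCONF_MODE=yes
    networks:
      - bw-universe
      - bw-docker

  # Docker socket proxy. It serves the Docker API on plain, unauthenticated
  # TCP 2375, so every container attached to bw-docker (bw-db included) can
  # reach it. Keep that network private and never publish this port.
  bw-docker:
    # No tag given, so this resolves to :latest; pin a reviewed tag or digest.
    image: tecnativa/docker-socket-proxy
    restart: always
    volumes:
      # ":ro" only protects the socket file in the mount; it does not make the
      # Docker API read-only. Access is limited by the proxy's own settings.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # Only the containers section of the API is enabled explicitly.
      - CONTAINERS=1
    networks:
      - bw-docker

  bw-db:
    image: mariadb:10.10
    restart: always
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
      - MYSQL_DATABASE=db
      - MYSQL_USER=bunkerweb
      # Placeholder: must match the password used in every DATABASE_URI above.
      - MYSQL_PASSWORD=changeme
    volumes:
      - bw-data:/var/lib/mysql
    networks:
      - bw-docker

volumes:
  bw-data:

networks:
  # Fixed subnet so API_WHITELIST_IP can reference it.
  bw-universe:
    name: bw-universe
    ipam:
      driver: default
      config:
        - subnet: 10.20.30.0/24
  # Created here; docker-compose-app.yml joins it as an external network.
  bw-services:
    name: bw-services
  bw-docker:
    name: bw-docker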
  • File untuk web service: docker-compose-app.yml
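# Web-service half of the split layout. BunkerWeb is configured through the
# "bunkerweb."-prefixed labels on the container instead of its own environment.
version: '3.5'

services:
  # Publishes no host ports; reachable only through BunkerWeb over bw-services.
  myapp:
    container_name: myapp
    restart: always
    # No tag given, so this resolves to :latest; pin a reviewed tag or digest.
    image: sysopsid/web-test
    networks:
      bw-services:
        aliases:
          - myapp
    labels:
      # NOTE(review): no Let's Encrypt / HTTPS-redirect labels are set here;
      # confirm whether this variant is meant to serve HTTPS.
      - "bunkerweb.SERVER_NAME=web.marikita.online"
      - "bunkerweb.USE_REVERSE_PROXY=yes"
      - "bunkerweb.REVERSE_PROXY_URL=/"
      # Traffic from BunkerWeb to the app is plain HTTP over bw-services.
      - "bunkerweb.REVERSE_PROXY_HOST=http://myapp"

networks:
  # Must already exist: it is created by the BunkerWeb compose file.
  bw-services:
    external: true
    name: bw-services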
  • Jalankan docker compose
# Bring up BunkerWeb first: it creates the bw-services network that the app
# file declares as external.
docker-compose --file docker-compose.yml up --detach
docker-compose --file docker-compose-app.yml up --detach
  • Hapus docker compose
# Tear down the app first, then the BunkerWeb stack that owns the shared network.
# --volumes also deletes the named bw-data volume, i.e. the MariaDB data.
docker-compose --file docker-compose-app.yml down --volumes
docker-compose --file docker-compose.yml down --volumes
