zlacker

[return to "A story on home server security"]
1. rpadov+Q2[view] [source] 2025-01-05 13:19:23
>>todsac+(OP)
> "None of the database guides I followed had warned me about the dangers of exposing a docker containerized database to the internet."

This prompts a reflection about, as an industry, we should make a better job in providing solid foundations.

When I check tutorials on how to drill in the wall, there is (almost) no warning about how I could lose a finger doing so. It is expected that I know I should be careful around power tools.

How do we make some information part of the common sense? "Minimize the surface of exposure on the Internet" should be drilled in everyone, but we are clearly not there yet

◧◩
2. V__+k5[view] [source] 2025-01-05 13:44:47
>>rpadov+Q2
I don't think it's that unreasonable for a database guide not to mention it. This is more of a general server/docker security thing. Just as I wouldn't expect an application guide to tell me not to use windows xp because it's insecure.

Most general guides on the other hand regarding docker mention not to expose containers directly to the internet and if a container has to be exposed to do so behind a reverse proxy.

◧◩◪
3. diggan+Hg[view] [source] 2025-01-05 15:30:24
>>V__+k5
> if a container has to be exposed to do so behind a reverse proxy.

I see this mentioned everywhere in the comments here but they seem to miss that the author explicitly wanted it to be exposed, and the compromise would have happened regardless if the traffic went directly to the container or via a reverse proxy.

The proper fix for OP is to learn about private networks, not put a reverse proxy in front and still leave it running on the public internet...

[go to top]