Detailed explanation available at: http://developers.mobileapptracking.com/dockersecurity/
This small web application facilitates on-the-fly injection and removal of basic authentication user credentials, so that another server, site, or virtual host can be protected dynamically.
- add: creates a new user.
  - user: username to create (use epoch time; if one user per second isn't enough, append milliseconds)
  - passwd: password to assign the user
- remove: removes a specific user.
  - user: username to remove
- delete: alias for remove (see remove)
- cleanup: removes any users older than the threshold set in config.py. **NOTE:** requires epoch time for usernames
All responses are JSON with the following fields:
- action: action that was performed
- msg: response message.
- response: "OKAY" or "ERROR" depending on success
- status_code: HTTP response code generated by request
```console
[chenry@dh-chenry01-dev ~]$ curl -k -H "Host: registry_rubber" "https://127.0.0.1/add?user=$(date +"%s")&passwd=super_secret"
{
"action": "add",
"msg": "Added user 1423382819",
"response": "OKAY",
"status_code": 200
}
[chenry@dh-chenry01-dev ~]$ sqlite3 /tmp/registry_rubber.sqlite "select * from users"
1423382819|{SHA}Gt/On6S8axy9+VrC3GGAF12nVYs=
```
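As an added example (not the project's own code) of the add/remove/cleanup actions described above and of the `{SHA}` row format shown in the sqlite3 output, the following Python stores users in an in-memory SQLite table and hashes passwords with Apache's `{SHA}` scheme (base64 of the raw SHA-1 digest). The table schema, the function names and the `MAX_AGE_SECONDS` threshold are assumptions made for this example, not values taken from the project.

```python
import base64
import hashlib
import sqlite3
import time

# Assumed stand-in for the cleanup threshold in config.py (seconds).
MAX_AGE_SECONDS = 3600

def apache_sha_hash(password):
    """Apache's {SHA} scheme: '{SHA}' + base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def verify_password(stored, password):
    """True only if the stored value is a {SHA} hash of the candidate password."""
    return stored.startswith("{SHA}") and stored == apache_sha_hash(password)

def open_db(path=":memory:"):
    # Schema assumed for illustration; the project's own table may differ.
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS users (user TEXT PRIMARY KEY, password TEXT NOT NULL)")
    return conn

def add_user(conn, user, passwd):
    conn.execute("INSERT INTO users VALUES (?, ?)", (user, apache_sha_hash(passwd)))
    conn.commit()
    return {"action": "add", "msg": f"Added user {user}", "response": "OKAY", "status_code": 200}

def remove_user(conn, user):
    deleted = conn.execute("DELETE FROM users WHERE user = ?", (user,)).rowcount
    conn.commit()
    if deleted == 0:
        return {"action": "remove", "msg": f"No such user {user}", "response": "ERROR", "status_code": 404}
    return {"action": "remove", "msg": f"Removed user {user}", "response": "OKAY", "status_code": 200}

def cleanup(conn, now=None, max_age=MAX_AGE_SECONDS):
    """Drop users whose epoch-time username is older than max_age; non-numeric names are left alone."""
    now = int(time.time()) if now is None else now
    names = [u for (u,) in conn.execute("SELECT user FROM users")]
    stale = [u for u in names if u.isdigit() and now - int(u) > max_age]
    conn.executemany("DELETE FROM users WHERE user = ?", [(u,) for u in stale])
    conn.commit()
    return {"action": "cleanup", "msg": f"Removed {len(stale)} stale users", "response": "OKAY", "status_code": 200}
```

Because cleanup parses the username as an epoch timestamp, a user created with a non-numeric name is never expired, which is why the README insists on epoch-time usernames.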
The target use case for this is to protect a private Docker Registry. Docker currently only supports basic authentication and stores any entered credentials base64 encoded in a config file. This leaves credentials vulnerable to anyone who can read the configuration file. Registry Rubber allows your build/deploy frameworks to use something more secure than basic auth (x509, digest, kerberos, etc.) to generate and revoke temporary credentials for the Docker Daemon API to consume, so real credentials are not left in a vulnerable state within docker configs.
Requirements:
- Apache (or a web server that can offload basic auth user lookups to SQLite or MySQL)
- Flask - micro web framework
- SQLite or MySQL - SQLite for single deployments, MySQL for active/active registry setups
Configuration options:
- sqlite_db - SQLite file location (SQLite setup)
- user|password|db|port|host - MySQL database info (MySQL setup)
- "storage_eng": (sqlite3|mysql) - determines the backend storage engine to use
- "hash_type": (SHA1|md5) - determines the basic authentication hash type. See: http://httpd.apache.org/docs/2.4/misc/password_encryptions.html
Apache virtual host setup:
- Redirects all http -> https
- "private_registry" virtualhost set up to proxy requests to a private docker registry
  - Sqlite3 database lookups for basic authentication users
  - Proxies requests to "localhost:5000". Point elsewhere if your registry is not run on the same host
  - "/v1/_ping" must be available (without auth) to all hosts
- "registry_rubber" virtualhost set up to manage Sqlite credentials
  - Uses WSGI to run the code. Can optionally run via flask and proxy requests with a similar vhost setup to the private_registry
  - Assumes Registry-Rubber is checked out to '/tmp/Registry-Rubber'. You should clone it elsewhere and change the config accordingly
  - Restricts access to 192.168.0.0/16 and local subnets by default
  - Commented stubs left in place to perform X509 client authentication