Tightening up security of full-stack Docker (#1614)
cskaandorp committed Jan 2, 2024
1 parent bd44c6a commit 1f37aa0
Showing 3 changed files with 10 additions and 11 deletions.
16 changes: 10 additions & 6 deletions Docker/README.md
@@ -1,8 +1,10 @@
# Building ASReview in Docker containers

This folder contains two recipes to build different versions of the ASReview application in a Docker container. The root folder lists a single Dockerfile that builds a simple, non authenticated version of the ASReview app. If you choose to create this container, and multiple people would like to use it, the app will be globally shared amongst all of them. This version makes more sense as a standalone app on your own computer for individual use.
> __Warning__: Deploying Docker containers in a public environment requires careful consideration of security implications. Exposing services without proper safeguards can lead to potential security vulnerabilities, unauthorized access, and data breaches.
The `auth_verified` folder creates an authenticated version that allows multiple users to access the app and create their own private projects. It requires users to signup and signin in order to access the app.
The _root_ folder lists a single Dockerfile that builds a simple, non authenticated version of the ASReview app. If you choose to create this container, and multiple people would like to use it, the app will be globally shared amongst all of them. This version makes more sense as a standalone app on your own computer for individual use.

_This_ folder contains a recipe to build an authenticated version of the ASReview application in Docker containers. It allows multiple users to access the app and create their own private projects. It requires users to sign-up and sign-in in order to access the app.

## Building the simple version

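Review bot: "_This_ folder" in the added paragraph is ambiguous, because this README is Docker/README.md while the authenticated recipe edited by this commit lives in Docker/auth_verified (.env, docker-compose.yml). The removed line named the `auth_verified` folder explicitly, and the new wording should keep that name. The new warning would also help more if it named the safeguards this recipe actually needs, such as replacing the default database credentials and adding encryption in front of the plain-HTTP service that later sections mention, instead of staying generic.
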
@@ -42,11 +44,13 @@ If you would like to use or try out [SendGrid](https://sendgrid.com/), go to the

### Parameters in the .env file

The .env file contains all necessary parameters to deploy all containers. All variables that end with the `_PORT` suffix refer to the internal and external network ports of the containers. The prefix of these variable explains for which container they are used. Note that the external port of the frontend container, the container that will be directly used by the end-user, is 8080, and not 80. Change this into 80 if you dont want to use port numbers in the URL of the ASReview web application.
The .env file contains all necessary parameters to deploy all containers. All variables that end with the `_PORT` suffix refer to the internal and external network ports of the containers. The prefix of these variable explains for which container they are used. Note that the external port of the frontend container, the container that will be directly used by the end-user, is 8080, and not 80. Change this into 80 if you don't want to use port numbers in the URL of the ASReview web application.

The `FLASK_MAIL_PASSWORD` refers to the password provided by the SendGrid Relay service, and the value of the `WORKERS` parameter determines how many instances of the ASReview app Gunicorn will start. Currently the app works best with a single worker.

The `FLASK_MAIL_PASSWORD` refers to the password provided by the SendGrid Relay service, and the value of the `WORKERS` parameter determines how many instances of the ASReview app Gunicorn will start.
Variables prefixed with `POSTGRES` are intended for use with the PostgreSQL database. The `_USER` and `_PASSWORD` variables are self-explanatory, representing the database user and password, respectively. The `_DB` variable specifies the database name.

All variables that start with the `POSTGRES` postfix are meant for the PostgreSQL database. The `_USER`, `_PASSWORD` variables are self-explanatory. the `_DB` variable determines the name of the database.
Please be aware that the provided password is quite weak. If deploying Docker containers in a public environment, it is advisable to modify the database user to something less predictable and strengthen the password for enhanced security.

### Creating and running the containers

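Review bot: The rewritten `POSTGRES` paragraph does not mention that the database port is no longer published on the host. This commit deletes POSTGRES_EXTERNAL_PORT and POSTGRES_INTERNAL_PORT from .env and the `ports:` mapping from docker-compose.yml, so a reader who used to connect on the host port should be told. The password advice is also conditional on "a public environment" and covers only the database; consider making the change of `POSTGRES_PASSWORD` an unconditional setup step and extending the same caution to `FLASK_MAIL_PASSWORD`, which lives in the same file. Small wording point: "these variable" in the `_PORT` paragraph should be "these variables".
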
@@ -62,7 +66,7 @@ Building the database container is straightforward, there is no Dockerfile invol

The frontend container uses a multi-stage Dockerfile. The first phase builds the React frontend and copies it to the second phase which deploys a simple NGINX container. The `asreview.conf` file is used to configure NGINX to serve the frontend.

The backend container is more complicated. It also uses a multi-stage Dockerfile. In the first stage all necessary Python/PostgreSQL related software is installed and the app is build. The app is copied into the second stage. Within the second stage the `flask_config.toml` file is copied into the container and all missing parameters (database-uri and email password) are adjusted according to the values in the `.env` file. The path of this Flask configuration file will be communicated to the Flask app by an environment variable.\
The backend container is more complicated. It also uses a multi-stage Dockerfile. In the first stage all necessary Python/PostgreSQL related software is installed and the app is build. The app is copied into the second stage. During the second stage the `flask_config.toml` file is copied into the container and all missing parameters (database-uri and email password) are adjusted according to the values in the `.env` file. The path of this Flask configuration file will be communicated to the Flask app by an environment variable.\
Then a Gunicorn config file (`gunicorn.conf.py`) is created on the fly which sets the server port and the preferred amount of workers. After that a second file is created: an executable shell script that instructs the ASReview app to create the necessary tables in the database and start the Gunicorn server using the configuration described in the previous file.

Note that a user of this recipe only has to change the necessary values in the `.env` file and execute the `docker compose` command to spin up an ASReview service, without an encrypted HTTP protocol!
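
Review bot: The backend paragraph describes writing the database URI and email password into `flask_config.toml` inside the container without any caution. If that substitution happens while the image is built, the secrets are stored in the image itself, so for a commit about tightening security it would be worth either supplying them when the container starts or stating that the built image must be handled as a secret. The closing remark that the service runs "without an encrypted HTTP protocol" should point the reader to putting a TLS-terminating proxy in front of the frontend. Also, "the app is build" should read "the app is built".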
3 changes: 0 additions & 3 deletions Docker/auth_verified/.env
@@ -20,9 +20,6 @@ BACKEND_INTERNAL_PORT=5005
# =========================================================
# WORKERS=1

POSTGRES_EXTERNAL_PORT=5433
POSTGRES_INTERNAL_PORT=5432

POSTGRES_PASSWORD="postgres"
POSTGRES_USER="postgres"
POSTGRES_DB="asreview_db"
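
Review bot: `POSTGRES_PASSWORD="postgres"` and `POSTGRES_USER="postgres"` remain as working defaults in a committed .env, while the README in this same commit calls the password "quite weak". Consider shipping an empty or placeholder value and referencing it in docker-compose.yml as `${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}`, so that `docker compose` refuses to start until a real value is set. Removing the two port variables is consistent with dropping the `ports:` mapping in docker-compose.yml.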
2 changes: 0 additions & 2 deletions Docker/auth_verified/docker-compose.yml
@@ -9,8 +9,6 @@ services:
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- POSTGRES_USER=${POSTGRES_USER}
- POSTGRES_DB=${POSTGRES_DB}
ports:
- "${POSTGRES_EXTERNAL_PORT}:${POSTGRES_INTERNAL_PORT}"
healthcheck:
test: ["CMD-SHELL", "pg_isready -d ${POSTGRES_DB} -U ${POSTGRES_PASSWORD}"]
interval: 10s
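
Review bot: In the health check context line, `pg_isready -d ${POSTGRES_DB} -U ${POSTGRES_PASSWORD}` passes the password variable to `-U`, which expects a user name; it should be `-U ${POSTGRES_USER}`. The mistake is masked today because both values are "postgres" in .env, but once the password is changed as the README now advises, the password is placed on the health check command line as the user name. Dropping the `ports:` mapping is a good change; fixing this line in the same commit would complete it.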