Security #66
Comments
Well, even if you're running this locally on a computer connected directly to the internet (e.g. IPv6) and using the mapping suggested in the readme, 8080:8080, you're under threat. |
If you're running locally, wouldn't a remote client need to traverse NAT to reach your local machine? If you're running locally and don't have your "public facing" router forwarding traffic internally, I think you'd be ok... Though I may be misunderstanding something. If you're running it remotely, you could bind the visualizer's port 8080 to the IP of a tun adapter and VPN to the remote machine to ensure the visualizer access is restricted to clients connected via the VPN network. |
Some internet providers don't use NAT and provide a real IP address. So TL;DR: never run this on a computer exposed to the internet. Is that correct? |
Well, even when you're in a company's VPN network, a coworker can own your computer, which might be a bad joke. |
What if we just expose the endpoint that triggers all Docker Remote API queries on the server side instead of directly exposing the Docker Remote API endpoint? |
Yep, running this in production isn't good, since by default Docker will expose the port, bypassing any firewall rules. |
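The two comments above (binding the visualizer's port to a loopback or tun address, and Docker publishing ports past the host firewall) come down to one check: which address a published port is bound to. The script below is an added example, not code from this thread or from the visualizer project. It parses the output format of `docker ps --format '{{.Names}}|{{.Ports}}'` and flags every binding that listens on all interfaces (`0.0.0.0` or `:::`), which is what the plain `8080:8080` mapping produces. The sample input is constructed, and the function names (`exposed_bindings`, `count_exposed`) are my own. The fix it points at is Docker's documented `ip:hostPort:containerPort` form, e.g. `-p 127.0.0.1:8080:8080` or `-p <tun-ip>:8080:8080`.

```shell
#!/bin/sh
# Added example (not part of the visualizer project): audit published Docker
# ports and report any that are reachable on every interface of the host.
# Docker inserts its own iptables rules for published ports in the FORWARD path,
# so INPUT-chain rules on the host do not filter them; the only reliable
# defence is to bind the host side of the mapping to a specific address.

# Constructed sample of `docker ps --format '{{.Names}}|{{.Ports}}'` output
# (not captured from a real host). Line 1 is the README's 8080:8080 mapping,
# line 2 is bound to loopback only, line 3 to a (hypothetical) tun address.
SAMPLE='visualizer|0.0.0.0:8080->8080/tcp, :::8080->8080/tcp
visualizer_local|127.0.0.1:8080->8080/tcp
app|10.8.0.1:8080->8080/tcp'

# Print one "<container> <binding>" line per binding that listens on all
# interfaces (IPv4 0.0.0.0 or IPv6 :::). Bindings to a concrete address pass.
exposed_bindings() {
    printf '%s\n' "$1" | awk -F'|' '
    {
        n = split($2, bindings, ", ")
        for (i = 1; i <= n; i++) {
            if (bindings[i] ~ /^(0\.0\.0\.0|:::)/) {
                print $1, bindings[i]
            }
        }
    }'
}

# Number of wide-open bindings; 0 means nothing is published to the world.
count_exposed() {
    exposed_bindings "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample. On a live host replace
# "$SAMPLE" with "$(docker ps --format '{{.Names}}|{{.Ports}}')".
exposed_bindings "$SAMPLE"
echo "exposed bindings: $(count_exposed "$SAMPLE")"
```

Against the sample, only the `visualizer` container is reported (twice, once per address family); the loopback and tun bindings are accepted because a remote client cannot reach them without first being on the host or inside the VPN. Run it after `docker run` or `docker compose up` to confirm the mapping you intended is the one Docker actually applied.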
How can this be run safely in production? What should be changed? |
Let's keep in mind this is meant to be a sample app, not an app you would run in production. It initially was devised for visualization demos at DockerCon EU in 2015, and used again at DockerCon Seattle in 2016. So yes, it is not meant to be run in production. If you wanted to run it in production you can Protect the Docker daemon socket. It's much more cumbersome to do so. |
Warning added in #67 |
Protecting the socket guide doesn't help. That's already protected. This app bypasses that and exposes the docker socket to all.
On 15 Aug 2017 22:45, "Mano Marks" wrote: Warning added in #67
|
How secure is this for running in production?
It looks like it exposes the Docker Remote API to the world. Is it correct?