05-23-2021, 11:58 AM
I didn't plan to post this as a guide because it wasn't intended to be one. But since @deanhills split the post... here we go
So, on @Mashiro's topic about setting up WP from scratch I wrote a simple command list to create a container... Why? I think that nowadays it is important to isolate any application, because there could be some CVE that can hurt our precious VPS!
BEWARE: CONTAINERS ARE NOT A SECURITY TOOL. YOU MUST SECURE YOURSELF BY CONFIGURING STRONG PROTECTION AGAINST ATTACKS
So, why create a container?
Let's imagine that we were running a Laravel web application and someone used the latest known CVE to inject on our machine a cryptominer known as kdevtmpfsi. The cryptominer is a cron-job script that checks if the miner process is running; if not, it downloads the binaries and runs them. If you kill it... it will just respawn.
To get rid of the cryptominer you must FIND the faulty cron job and delete it. Then you can hope that by deleting the binaries it will not respawn. I had a personal experience with such a miner and it was a pain. My friend's application was running on bare hardware and the miner got injected into the main system...
If the application had been running inside a container the solution could have been very fast: just destroy and recreate the container! I mean, we would still be vulnerable, but the recovery process would be much faster. As I have already said: containers aren't security tools!
Now, for example, we want to run WP from scratch but inside a container? How can we do such a complex thing? Don't worry... using a container is as easy as using a normal terminal connection.
A basic way to create a container ready for any usage is:
Code:
docker run -it -d --name debian -p 9090:80 debian:latest
- "docker run": creates and starts a new container;
- "-it": keeps STDIN open (-i) and allocates a pseudo-TTY (-t), so you can use its shell interactively;
- "-d": runs the container detached, so it will not block your terminal once started;
- "--name debian": names the container for easy handling;
- "-p 9090:80": binds host port 9090 to port 80 of the container, very useful if we want to host services that require a port... such as web services!;
- "debian:latest": points to the latest stable release, Buster at the time of writing.
- Attach to the container's main shell using
docker attach debian
- Detach using the key combination CTRL+P, CTRL+Q (do not type exit in an attached shell: that shell is the container's main process, so exiting it stops the container)
- Or open a separate shell using
docker exec -it debian /bin/bash
(the Debian image ships bash as /bin/bash; /usr/bin/bash does not exist there)
- Leave it with CTRL+C or the command exit; the container keeps running
Now, inside the container shell you can just follow @Mashiro's tutorial 1:1, command by command, there are no differences!
After everything is set up, you must create a reverse proxy that points to the container...
Because @Mashiro used NGINX, I will provide below a simple reverse-proxy configuration for our example case:
Code:
server {
    listen 80;
    server_name your_prefered_domain;

    location / {
        # host port 9090 is the one published by "-p 9090:80";
        # proxy_pass needs the scheme and a trailing semicolon
        proxy_pass http://127.0.0.1:9090;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}
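One thing the recipe above leaves open: a plain "-p 9090:80" makes Docker listen on 0.0.0.0, so port 9090 is reachable from the internet directly and the nginx proxy is bypassed. The script below is an added example (not from the original post): it wraps the "destroy and recreate" recovery described earlier, publishes the port on loopback only, and checks "docker port" output for exposed bindings. The container name, port and the sample output are assumptions.

```shell
#!/bin/sh
# Added example: recreate the WP container so only the nginx reverse proxy
# can reach it, and verify the published port is bound to loopback.
set -eu

CONTAINER="${CONTAINER:-debian}"   # assumed name, as in the post
HOST_PORT="${HOST_PORT:-9090}"     # assumed host port, as in the post

# The recovery from the post: throw the container away and start a fresh one.
# "127.0.0.1:" in front of the port keeps it off the public interfaces.
recreate_container() {
    docker rm -f "$CONTAINER" 2>/dev/null || true
    docker run -it -d --name "$CONTAINER" \
        -p "127.0.0.1:${HOST_PORT}:80" debian:latest
}

# Reads "docker port <name>" lines such as "80/tcp -> 0.0.0.0:9090" on stdin.
# Returns 0 when every mapping is bound to a loopback address, 1 otherwise.
check_loopback_only() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        bind=${line##*-> }          # keep only the host side of the mapping
        case "$bind" in
            127.0.0.1:*|"[::1]:"*) ;;
            *) echo "exposed on all interfaces: $line" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample output for offline use: what "docker port debian"
# prints after a plain "-p 9090:80" run, and after the loopback variant.
SAMPLE_EXPOSED='80/tcp -> 0.0.0.0:9090
80/tcp -> :::9090'
SAMPLE_LOOPBACK='80/tcp -> 127.0.0.1:9090'

if [ "${1:-}" = "--live" ]; then
    recreate_container
    docker port "$CONTAINER" | check_loopback_only
else
    printf '%s\n' "$SAMPLE_EXPOSED" | check_loopback_only \
        || echo "fix: publish with -p 127.0.0.1:${HOST_PORT}:80"
fi
```

Run it with --live on the host to actually recreate the container; without arguments it only exercises the check on the constructed sample.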
This reverse proxy is very basic, for example it lacks an HTTPS redirect... but that is not the goal of this tutorial.
I know that this container is not optimal, there is no persistent storage, but it gives you a bit of "security" and doesn't require much docker knowledge.