fititnt / uwazi-docker

Dockerized version of Uwazi (“openness” in Swahili). HURIDOCS designed Uwazi to make human rights information more open and accessible to the defenders who need it.
The Unlicense

service mongo should not publish port 27017 #31

Closed vasyugan closed 5 years ago

vasyugan commented 5 years ago

The docker-compose.xml for service mongo contains the stanza

ports:
  - 27017:27017

There is no reason why mongodb should be directly reachable from outside. More so since uwazi uses a passwordless setup. It appears that by publishing the port, one even makes it accessible to the outside world. By default, mongodb only listens on 127.0.0.1, but the publishing of the port by docker seems to circumvent this security measure and makes mongo accessible to the world, which is really not what you want as long as uwazi cannot handle db credentials.
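The exposure described in this issue is detectable from the compose file alone: a `ports` entry with no host IP binds on 0.0.0.0, so a daemon that only listens on 127.0.0.1 inside the container is still reachable from every host interface. The following audit is an added example, not code from uwazi-docker; it assumes the compose file is already loaded as a dict (for example with PyYAML), handles only the short port syntax with IPv4 host addresses, and uses a constructed sample mirroring the mongo/uwazi/elasticsearch services discussed here.

```python
import ipaddress
from typing import Dict, List, Optional


def parse_port_mapping(spec) -> Dict[str, Optional[str]]:
    """Parse 'CONTAINER', 'HOST:CONTAINER' or 'IP:HOST:CONTAINER' (+ optional '/udp').
    host_ip is None when no address is given; Docker then binds 0.0.0.0."""
    spec, _, proto = str(spec).strip().partition("/")
    parts = spec.split(":")
    if len(parts) == 1:
        host_ip, host_port, container_port = None, None, parts[0]
    elif len(parts) == 2:
        host_ip, (host_port, container_port) = None, parts
    elif len(parts) == 3:
        host_ip, host_port, container_port = parts
    else:
        raise ValueError(f"unsupported port mapping: {spec!r}")
    return {"host_ip": host_ip, "host_port": host_port,
            "container_port": container_port, "protocol": proto or "tcp"}


def binds_beyond_loopback(mapping: Dict[str, Optional[str]]) -> bool:
    """True unless the host side is explicitly bound to a loopback address."""
    if mapping["host_ip"] is None:  # implicit 0.0.0.0: every host interface
        return True
    return not ipaddress.ip_address(mapping["host_ip"]).is_loopback


def audit_compose(compose: dict) -> List[str]:
    """One finding per published port reachable beyond the host's loopback."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for spec in svc.get("ports") or []:
            m = parse_port_mapping(spec)
            if binds_beyond_loopback(m):
                findings.append(f"{name}: {m['host_ip'] or '0.0.0.0'}:{m['host_port'] or '*'}"
                                f"->{m['container_port']}/{m['protocol']}")
    return findings


# Constructed sample mirroring the issue: mongo published on every interface,
# uwazi bound to loopback behind an nginx reverse proxy, elasticsearch unpublished.
SAMPLE_COMPOSE = {"services": {
    "mongo": {"image": "mongo", "ports": ["27017:27017"]},
    "uwazi": {"image": "uwazi", "ports": ["127.0.0.1:3000:3000"]},
    "elasticsearch": {"image": "elasticsearch"},
}}

if __name__ == "__main__":
    for finding in audit_compose(SAMPLE_COMPOSE):
        print("published beyond loopback:", finding)
```

Only the mongo service is reported; dropping its `ports` entry (or prefixing it with `127.0.0.1:`) makes the finding disappear, while a service with no `ports` stanza stays reachable only on the compose network.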

fititnt commented 5 years ago

You are right. Made some additional comments at #32, most notably the changes on the ElasticSearch port, that also had some TODO from some time ago to stop sharing these ports by default. These changes do not break functionality at all and have another advantage: if the user is already running MongoDB or ElasticSearch on the host (or has multiple instances of Uwazi Docker), it will for sure make uwazi-docker stop. So it is both a security improvement and somewhat avoids this extra issue.

One point that will need some change is the Uwazi final port itself. Either the actual docker-compose.yml file must allow access from a remote port (for example, someone testing on a virtual machine could want to see changes immediately), or we do it like the docker-compose production setup (https://docs.docker.com/compose/production/). But since this other change can take some time, we can accept these changes on both ElasticSearch and MongoDB faster.

vasyugan commented 5 years ago

I also tried to limit exposure of uwazi/yarn by changing the ports stanza from 3000:3000 to 127.0.0.1:3000:3000, which according to the documentation should make it listen only on the local loopback interface (as connections to the outside world go through a reverse proxy with nginx). But strangely that didn't work. Uwazi remains accessible at fqdn:3000, not just localhost:3000. Even blocking the port via iptables did not work. Does it work for you?

fititnt commented 5 years ago

Later I will read more documentation and explain how to do it, but for now, at least for #32, it is a good idea to separate the changes (one for mongo and elastic search, then later one related to the uwazi port).

fititnt commented 5 years ago

Hey, @vasyugan, if you want, you can also rename this issue to include Elastic Search, so later people can search for it too.

fititnt commented 5 years ago

The actual https://github.com/fititnt/uwazi-docker/blob/master/docker-compose.yml has both mongo and elastic search ports closed by default (the lines are commented out).

Will close this issue for now.