pelias / docker

Run the Pelias geocoder in docker containers, including example projects.
MIT License

Restricted pelias+deps port exposure to localhost #255

Closed Jezternz closed 2 years ago

Jezternz commented 3 years ago

:wave: I did some awesome work for the Pelias project and would love for everyone to have a look at it and provide feedback.

This change should improve the default security level for the docker containers in pelias-docker.


Here's the reason for this change :rocket:

This is a change based on feedback from pelias/docker#254


Here's what actually got changed :clap:

Very little got changed, just port bindings in the docker compose files (for all APIs, including pelias).


Here's how others can test the changes :eyes:

I have already done some testing, this behaved as expected. (I completed a full Australia build and deploy, and it correctly deployed, enabled access to APIs on the machine itself, but did not allow network access to them). The APIs that were to be exposed had to be explicitly exposed via a mechanism that re-routed the internal requests to external access (reverse proxy in my case).

A standard run-through install and use of the docker files should prove this works.

missinglink commented 3 years ago

Looks good thanks, can you please change the host for pelias/api to 0.0.0.0 so it's exposed on all IPv4 addresses by default.

Jezternz commented 3 years ago

Made the change as described, thanks!

missinglink commented 3 years ago

Yea this seems right to me, I really wasn't aware that the Docker iptables chain ran before anything you specify yourself:

Rules added to the FORWARD chain -- either manually, or by another iptables-based firewall -- are evaluated after these chains. This means that if you expose a port through Docker, this port gets exposed no matter what rules your firewall has configured. If you want those rules to apply even when a port gets exposed through Docker, you must add these rules to the DOCKER-USER chain.

https://docs.docker.com/network/iptables/

missinglink commented 3 years ago

The default bind address for Docker is 0.0.0.0 (all interfaces), which can be changed with the --ip flag:

By default, the Docker daemon will expose ports on the 0.0.0.0 address, i.e. any address on the host. If you want to change that behavior to only expose ports on an internal IP address, you can use the --ip option to specify a different IP address. However, setting --ip only changes the default, it does not restrict services to that IP.

So I see three options here:

  1. use the default Docker bind address of 0.0.0.0 and only explicitly specify 127.0.0.1 on internal services
  2. change the default Docker bind address to 127.0.0.1 and only explicitly specify 0.0.0.0 on external services
  3. explicitly specify 0.0.0.0 or 127.0.0.1 on all services

I think option 3 (as per this PR) is the best solution as it's the most explicit of the three.
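The check below is an added example, not code from this PR or from the pelias/docker project. It classifies compose short-syntax port mappings by the exposure each implies, treating a mapping with no host IP as following the daemon default (0.0.0.0 unless dockerd runs with --ip), so a file written to option 3 should produce no "daemon-default" findings. It assumes IPv4 host addresses and the constructed service names and ports shown.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

LOOPBACK = "loopback"              # reachable only from the host itself
ALL_IFACES = "all-interfaces"      # host IP written out as 0.0.0.0
DAEMON_DEFAULT = "daemon-default"  # no host IP: 0.0.0.0 unless dockerd runs with --ip

@dataclass
class PortBinding:
    host_ip: str | None    # None when the mapping leaves the choice to the daemon
    host_port: str | None  # None when Docker is to pick an ephemeral host port
    container_port: str

    @property
    def exposure(self) -> str:
        if self.host_ip is None:
            return DAEMON_DEFAULT
        addr = ipaddress.ip_address(self.host_ip)
        if addr.is_loopback:
            return LOOPBACK
        return ALL_IFACES if addr.is_unspecified else "specific"

def parse_port_mapping(spec) -> PortBinding:
    """Compose short syntax [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]; IPv4 hosts only."""
    parts = str(spec).split("/", 1)[0].split(":")  # drop an optional /tcp or /udp suffix
    if len(parts) == 3:
        return PortBinding(parts[0], parts[1], parts[2])
    if len(parts) == 2:
        return PortBinding(None, parts[0], parts[1])
    if len(parts) == 1:
        return PortBinding(None, None, parts[0])
    raise ValueError(f"unsupported port mapping: {spec!r}")

def audit_services(services: dict) -> dict:
    """Per service, list every mapping not pinned to loopback, tagged with why."""
    findings = {}
    for name, ports in services.items():
        for spec in ports:
            exposure = parse_port_mapping(spec).exposure
            if exposure != LOOPBACK:
                findings.setdefault(name, []).append((str(spec), exposure))
    return findings

# Constructed sample in the shape of a pelias-docker compose file (not the project's real file).
SAMPLE_SERVICES = {
    "elasticsearch": ["9200:9200", "9300:9300"],  # implicit host IP: follows the daemon default
    "api": ["0.0.0.0:4000:4000"],                 # the one service meant to be reachable
    "libpostal": ["127.0.0.1:4400:4400/tcp"],     # internal dependency, loopback only
}
```

Running `audit_services(SAMPLE_SERVICES)` reports elasticsearch for relying on the daemon default and api for being explicitly public, while libpostal produces no finding.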

Jezternz commented 3 years ago

That also makes the most sense to me, agreed re being explicit about security-related configuration.

missinglink commented 3 years ago

I'm still a little reluctant to hit merge on this out of fear of breaking existing installations.

@Joxit @orangejulius Are you guys cool with me hitting the big green button?

orangejulius commented 2 years ago

We got a report from a white-hat security organization today that they found a Pelias instance exposed to the internet. It's clearly Elasticsearch from this docker repo directly exposed to the whole world, so it's probably well past time we merge this.

It might break something, but we have some responsibility to make it harder for people to make this all-too-easy mistake (although there are other Docker related "footguns" we can't help with).

So...here we go 🚢