timescale / docs

Timescale product documentation 📖
https://docs.timescale.com/

[Docs RFC] How to have a service in a VPC with a read replica outside of the VPC #3521

Open billy-the-fish opened 3 days ago

billy-the-fish commented 3 days ago

All replicas should be on the same security level.

My solution was to set up an NGINX reverse proxy on an EC2 instance in a public subnet with a security group configured to allow traffic originating from Vitally’s static IP addresses through our VPC and into Timescale’s VPCs. In case it helps others, here are the commands I followed to get it running on an Amazon Linux 2 AMI (HVM) - Kernel 5.10, SSD Volume Type EC2 instance:

```bash
sudo yum update -y                                      # Update Yum
sudo yum install docker -y                              # Install Docker
sudo systemctl start docker                             # Start Docker
sudo docker run hello-world                             # Ensure docker works
sudo systemctl enable docker                            # Enable Docker to start on boot
sudo usermod -a -G docker $(whoami)                     # Add user to docker group
newgrp docker                                           # Refresh group
sudo docker run -d --name nginx-base -p 5432:5432 nginx:latest   # Run Nginx
nano nginx.conf                                         # Load provided nginx.conf below
docker cp nginx.conf nginx-base:/etc/nginx/nginx.conf   # Copy nginx.conf to container
sudo docker exec nginx-base nginx -t                    # Test Nginx config
sudo docker exec nginx-base nginx -s reload             # Reload Nginx
```

And this is the NGINX config I used:

```nginx
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
```
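
For readers of this RFC, here is an added example of what a TCP pass-through config for this setup can look like. It is my own illustration, not the config posted above; the upstream hostname and the allowlisted IPs are placeholders, and it assumes the official `nginx` image, which is built with the stream module.

```nginx
# Added example, not the author's config. Placeholders: the upstream host
# and the allowlisted source IPs.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

# The stream module relays raw TCP, so TLS is still terminated by the
# Timescale service, not by the proxy: clients keep sslmode=verify-full
# and the service's own username/password or certificate auth still applies.
stream {
    log_format proxy '$remote_addr [$time_local] $status '
                     '$bytes_sent $bytes_received $session_time';
    access_log /var/log/nginx/stream-access.log proxy;

    upstream timescale_service {
        # Placeholder: the service endpoint reachable over the VPC peering.
        server service-host.example:5432;
    }

    server {
        listen 5432;

        # Second layer behind the EC2 security group: only the caller's
        # static egress IPs (placeholder addresses) may connect.
        allow 203.0.113.10/32;
        allow 203.0.113.11/32;
        deny  all;

        proxy_connect_timeout 10s;
        proxy_timeout 1h;
        proxy_pass timescale_service;
    }
}
```

Rejected connections show up in the stream access log with a non-200 `$status`, which gives a simple signal for connection attempts from unexpected sources.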

billy-the-fish commented 3 days ago

@erimatnor, are you ok with putting this solution in our docs, possibly as a section in https://docs.timescale.com/use-timescale/latest/vpc/?

jonatas commented 3 days ago

I brought this to @thanasisk attention. Here's his reply:

What happens if a malicious user gets access to Vitaliy's IPs? If this is the only layer of defense, it is bad. Additional access controls (i.e. username/pass or certificates) should be on top.

  1. docker should not expose the socket - yum indicates a Red Hat based system so if all things are equal, they can use Red Hat's podman but even with Docker, they can set permissions
  2. nginx looks legit BUT for both docker and nginx we have no insight towards the configurations - a lot of nasty stuff can creep up there

Given the information above, the first 2 steps (emphasis on second one) would be my concerns.