This project is about doing something you’ve never done before.
Remind yourself the beginning of your journey in computer science.
Look at you now. Time to shine!
subject v.15
- docker

  ```sh
  sudo apt-get update
  sudo apt-get install ca-certificates curl
  sudo install -m 0755 -d /etc/apt/keyrings
  sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
  sudo chmod a+r /etc/apt/keyrings/docker.asc
  echo \
    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
    sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
  sudo apt-get update
  sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
  ```
- make

  ```sh
  sudo apt install make
  ```

Clone the repository and move into the project directory:

```sh
git clone https://github.com/kichkiro/ft_transcendence.git
cd ft_transcendence/project
```
- make up:
  - create images
  - create volumes
  - create networks
  - start containers
- make down:
  - stop containers
  - remove containers
  - remove networks
- make stop:
  - stop containers
- make start:
  - start containers
- make clean:
  - remove all containers
  - remove images (all images by default; pass `IMAGES=<image_name> ...` to `make clean` or `make re` to remove only those)
  - remove all volumes
- make fclean:
  - make clean
  - remove all networks
  - remove all build cache
- make re:
  - make clean
  - make up
Below are the security measures that have been taken to protect the infrastructure:
- Network Segmentation: all east-west traffic between containers in the Docker infrastructure is dropped by default by the host firewall (iptables).
- Web Application Firewall: ModSecurity runs as an Nginx module and protects the web application from common attacks such as SQL injection, cross-site scripting (XSS) and other known threats.
- Non-Root Containers: VMware Bitnami images are used; they add hardening over the official images, notably running as a non-root user by default.
- Hashicorp Vault:
  - TLS Certs:
    - Create a role for host webclient:

      ```sh
      docker exec -e VAULT_TOKEN=<ROOT_TOKEN> vault \
        vault write pki_int/roles/webclient \
          allow_any_name=true \
          max_ttl="24h"
      ```

    - Create a certificate for host webclient:

      ```sh
      response=$(curl -k -X POST \
        -H "X-Vault-Token: <ROOT_TOKEN>" \
        -H "Content-Type: application/json" \
        -d '{ "common_name": "webclient", "ttl": "24h" }' \
        https://10.0.0.1:8200/v1/pki_int/issue/webclient)
      ```

    - Extract the certificate, key and CA:

      ```sh
      echo "$response" | jq -r '.data.certificate' > webclient.crt
      echo "$response" | jq -r '.data.private_key' > webclient.key
      echo "$response" | jq -r '.data.ca_chain[0]' > webclient-ca.crt
      ```

    - Create a keystore, set a password and remember it:

      ```sh
      openssl pkcs12 -export \
        -in webclient.crt \
        -inkey webclient.key \
        -out keystore.p12 \
        -name ft-transcendence-webclient \
        -CAfile webclient-ca.crt \
        -caname root
      ```

    - Import the keystore into your browser; you can then reach the containers' web UIs.
    - Cleanup:

      ```sh
      rm -f keystore.p12 && rm -f webclient.crt && rm -f webclient.key && rm -f webclient-ca.crt
      ```
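Handling the issue response from the steps above, as an added example that is not part of the ft_transcendence repository: it reads the same `.data.certificate`, `.data.private_key` and `.data.ca_chain` fields the jq pipeline uses, checks each PEM block and the returned `expiration` against the requested TTL, keeps the full CA chain rather than only `ca_chain[0]`, and writes the private key with mode 0600. The sample response is constructed and its PEM bodies are placeholders, not key material.

```python
import os
import re

# Constructed stand-in for a Vault pki_int/issue response; PEM bodies are placeholders.
SAMPLE_RESPONSE = {"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CERT\n-----END CERTIFICATE-----\n",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END RSA PRIVATE KEY-----\n",
    "ca_chain": ["-----BEGIN CERTIFICATE-----\nPLACEHOLDER-INTERMEDIATE\n-----END CERTIFICATE-----\n",
                 "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-ROOT\n-----END CERTIFICATE-----\n"],
    "serial_number": "0a:1b:2c",
    "expiration": 1_700_000_000 + 24 * 3600,  # unix time, as Vault returns it
}}

def ttl_seconds(ttl):
    """Convert a Vault duration such as "24h", "30m" or "90s" to seconds."""
    m = re.fullmatch(r"(\d+)([hms])", ttl)
    if not m:
        raise ValueError(f"unsupported ttl: {ttl}")
    return int(m.group(1)) * {"h": 3600, "m": 60, "s": 1}[m.group(2)]

def _pem(text, labels):
    """Return text (ending in one newline) if it is a PEM block with one of the expected labels."""
    for label in labels:
        if re.fullmatch(rf"-----BEGIN {label}-----\n.+\n-----END {label}-----\n?", text, re.S):
            return text.rstrip("\n") + "\n"
    raise ValueError("unexpected PEM block")

def extract_materials(response, requested_ttl, now):
    """Pull certificate, key and CA chain out of the issue response; 'now' is unix time."""
    data = response["data"]
    if not now < data["expiration"] <= now + ttl_seconds(requested_ttl) + 60:
        raise ValueError("certificate expiry is in the past or beyond the requested ttl")
    return {
        "certificate": _pem(data["certificate"], ["CERTIFICATE"]),
        "private_key": _pem(data["private_key"], ["RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"]),
        # keep the whole chain (intermediate, then root), not only ca_chain[0]
        "ca_chain": "".join(_pem(c, ["CERTIFICATE"]) for c in data["ca_chain"]),
        "serial_number": data["serial_number"],
    }

def write_materials(materials, directory, name="webclient"):
    """Write <name>.crt, <name>.key (mode 0600) and <name>-ca.crt; return their paths."""
    paths = {}
    for field, suffix, mode in (("certificate", ".crt", 0o644), ("private_key", ".key", 0o600), ("ca_chain", "-ca.crt", 0o644)):
        path = os.path.join(directory, name + suffix)
        with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode), "w") as f:
            f.write(materials[field])
        os.chmod(path, mode)  # O_CREAT applies the umask; enforce the mode explicitly
        paths[field] = path
    return paths
```

The resulting `webclient-ca.crt` holds the whole chain, so it can be passed unchanged as `-CAfile` to the `openssl pkcs12` step.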
- Docker Images
- Docker Images Bugs and Workarounds
- Log System
- Monitor System
- Provision dashboards and data sources
- Dashboard API
- Prometheus Alert Manager Setup and Alert Configurations (Slack)
- Securing Prometheus API and UI endpoints using basic auth
- Securing Prometheus API and UI endpoints using TLS encryption
- Set up Grafana HTTPS for secure web traffic
- How to secure Grafana?
- Provision Grafana
- Monitor Vault telemetry with Prometheus & Grafana
- Monitoring Your Django Project with Prometheus and Grafana
- Secrets
See LICENSE
Work in Progress ...