I am n00b-ish when it comes to Docker, which is why I opt for Portainer to manage my containers. I am also n00bish enough to know enough to get myself into bother.
I am currently running a few services which I would like to expose, via a reverse proxy, to the nasties of the outside world. I am sure that this question has been asked a million times before but due to the holes in my understanding I am not yet satisfied that I know the answer to my particular scenario.
If I enumerate my assumptions then it will make it easier for people to confirm or dispel them.
As I understand it:
- Diet-Pi creates a new user for each software installed via `dietpi-software` and therefore it makes it more difficult for any intrusion attempt to gain control over other services.
- Installing Portainer via `dietpi-software` means that it runs as `root` (as suggested by `htop`) but the volumes that are described in the compose files are owned by `dietpi` (a peasant user)
- Docker/containerisation, provides isolation between containers which means that forwarding ports to a specific container would effectively prevent bad actors from gaining access to other containers/volumes that are not mounted by them.
Which leads me to the main questions:
- Is Diet-Pi, in general, safe to expose to the world?
- How safe is it to proxy to a container?
- What steps should I take in order to make this more secure, if indeed it is possible.
Some background info on my current setup:
- Diet-Pi currently runs in a Hyper-V VM (the plan is to move to Unraid when I have some time, hence why I am containerising everything)
- I have a number of containers running on the same Portainer instance: torrent client, podcast manager, photo manager…
- I have a reverse proxy running on a separate Diet-Pi machine that is acting as a gateway and managing the SSL for a bunch of subdomains which are currently blackholing until I build up the courage to let them do their thing.
I realise that there is a lot here. I also feel that Diet-Pi has managed to do so much for me in terms of making my current setup a reality that I do not want to ruin it all by allowing naughty people to peruse holiday photos of my shockingly beach (un)ready body!
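As an added example (not from the original post or from DietPi/Portainer), here is a small audit of the three assumptions above, run over `docker inspect`-style JSON: it flags containers that run as root, get extra privileges, mount the Docker socket or writable host paths, or publish ports on every interface instead of only to the reverse proxy. The JSON sample is constructed for the example; on a real host, feed it `docker inspect $(docker ps -q)` instead.

```python
import json

# Constructed sample shaped like the `docker inspect` fields read below; it is
# not captured from the poster's machine. The first entry models the usual
# Portainer deployment (root, Docker socket mounted, port on all interfaces).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/portainer", "Config": {"User": ""},
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                              "/home/dietpi/portainer:/data"],
                    "PortBindings": {"9000/tcp": [{"HostIp": "", "HostPort": "9000"}]}}},
    {"Name": "/photos", "Config": {"User": "1000:1000"},
     "HostConfig": {"CapAdd": ["NET_ADMIN"],
                    "Binds": ["/home/dietpi/photos:/photos:ro"],
                    "PortBindings": {"2342/tcp": [{"HostIp": "127.0.0.1", "HostPort": "2342"}]}}},
])

def audit(inspect_json):
    """Map each container name to the list of isolation weaknesses found."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        issues = []
        # 1. Root inside the container is root on the host if the runtime is escaped.
        user = c.get("Config", {}).get("User") or ""
        if user in ("", "root", "0") or user.startswith(("root:", "0:")):
            issues.append("runs as root inside the container")
        # 2. Privileged mode and added capabilities weaken the isolation boundary.
        if hc.get("Privileged"):
            issues.append("privileged mode disables most isolation")
        for cap in hc.get("CapAdd") or []:
            issues.append(f"extra capability {cap}")
        # 3. Host paths: the Docker socket is full control of the host; writable
        #    volumes are what a compromised service can tamper with.
        for bind in hc.get("Binds") or []:
            src, _, rest = bind.partition(":")
            if src == "/var/run/docker.sock":
                issues.append("docker socket mounted: equivalent to root on the host")
            elif src.startswith("/") and not rest.endswith(":ro"):
                issues.append(f"writable host path {src}")
        # 4. Ports published on 0.0.0.0 are reachable without going through the proxy.
        for port, binds in (hc.get("PortBindings") or {}).items():
            if any(b.get("HostIp", "") in ("", "0.0.0.0", "::") for b in binds):
                issues.append(f"{port} published on all interfaces, not only to the proxy")
        findings[c["Name"].lstrip("/")] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INSPECT).items():
        print(name, "->", issues or ["no findings"])
```

Each finding maps to a compose-level fix: set `user:` to a non-root UID, avoid `privileged`/`cap_add`, mount volumes `:ro` where the service only reads, and bind published ports to `127.0.0.1` or put the container on a network shared only with the proxy.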