Security and hardening
Firewall
Docker best practices
1. Use different networks
One (external) network for Nginx and the web servers
One internal network for each web app's services (for example the app and its database)
2. Secure the secrets
Protect the .env file with
chmod 600 .env
3. Only expose the required ports
In particular, do not publish the port to the outside world, as this does:
ports:
  - "5432:5432" # ⚠️ Binds to 0.0.0.0 by default
If you bind to 0.0.0.0, you're telling Docker:
"Let this container accept connections from anywhere, including the public internet."
Docker will rewrite the host's iptables rules to open that port, regardless of any host firewall you have configured!
Solutions:
Only bind to localhost
ports:
  - "127.0.0.1:5432:5432" # PostgreSQL only accessible from the host
Do not publish the port at all
Instead use:
expose:
  - "80" # ✅ Internal only, not published on the host
So that you end up with this:
[Internet] ─▶ Nginx Proxy (443)
                    │
                    ▼
          Docker internal network
                    │
     ┌──────────┬────────────┬─────────────┐
     ▼          ▼            ▼             ▼
 Nextcloud   WordPress   Guacamole     Authentik
4. SELinux Options for Docker Containers
Example:
services:
  nextcloud:
    image: nextcloud
    ...
    security_opt:
      - label:type:container_t # 🔐 standard SELinux confinement
      - no-new-privileges:true # 🔐 Docker feature, not SELinux-specific
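Putting points 1, 3 and 4 together, here is a docker-compose.yml for one of the apps in the diagram above. This is an added example, not from the original notes: the service names, network names (proxy, nextcloud_net) and image tags are illustrative, and Nextcloud's database is assumed to be PostgreSQL.

```yaml
services:
  nginx:
    image: nginx:stable
    ports:
      - "443:443"              # the only port published to the outside world
    networks:
      - proxy
    security_opt:
      - no-new-privileges:true

  nextcloud:
    image: nextcloud
    env_file: .env             # secrets stay in .env (chmod 600, see point 2)
    expose:
      - "80"                   # reachable by nginx over "proxy", never published on the host
    networks:
      - proxy                  # external network shared with nginx
      - nextcloud_net          # private network between this app and its database
    security_opt:
      - label:type:container_t
      - no-new-privileges:true

  nextcloud_db:
    image: postgres:16
    env_file: .env
    # No "ports:" at all: the database is reachable only from nextcloud_net.
    # If you must reach it from the host for debugging, bind to localhost only:
    # ports:
    #   - "127.0.0.1:5432:5432"
    networks:
      - nextcloud_net
    security_opt:
      - no-new-privileges:true

networks:
  proxy:                       # nginx and the web apps; this network has a route outside
  nextcloud_net:
    internal: true             # no outbound route: the database cannot reach the internet
# WordPress, Guacamole and Authentik follow the same pattern, each with its own *_net.
```

Note that `internal: true` also blocks outbound traffic from every container on that network, so only put services there that never need to reach the internet (the database, not the web app).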
5. Audit
docker run -it --net host --pid host --cap-add audit_control \
-v /var/lib:/var/lib:ro -v /var/run/docker.sock:/var/run/docker.sock \
--label docker_bench_security \
docker/docker-bench-security