
Intro to Docker, React, and Security - lowpro
https://gooddebate.org/2019/01/docker-react-and-security/
======
nl
Ironically it was only yesterday that someone asked "Ask HN: Why do tutorial
writers combine 10 technologies when 1 or 2 would do?"[1]

I think this is a perfect example of how _not_ to write a tutorial. It doesn't
actually _teach_ anything - instead it is effectively a set of commands that
someone should type in exactly and it will work.. hopefully.

I think this point in the introduction sums up this approach:

 _I’d like to point out that the broken branch wasn’t working for some (still)
unknown reason related to versioning between when we set up the system and
when we upgraded some of the components including nodejs._

and later:

 _Note for the app we created we used nodejs v8.10.0 and npm v6.4.0, although
installing newer versions shouldn’t be an issue._

So.. they don't know why it broke, but any newer version _should be fine_.

[1]
[https://news.ycombinator.com/item?id=18950679](https://news.ycombinator.com/item?id=18950679)

~~~
lowpro
Yeah, that's why in the 'Lessons from Docker' section in point #3 I mentioned
that docker might be better off for larger projects, since it seems excessive,
especially for small projects. The point of this exercise was to learn more
about the technology itself, this clearly isn't a viable way of doing things
in production though :) Thanks for the feedback!

------
praseodym
It is a bad idea to use a full-blown Node.js web server to serve some static
content. A better solution would be to build the app in one container and then
build another Nginx container to serve it. This container can then be hardened
(run as non-root, use a read-only filesystem). An added benefit is that Nginx
uses fewer system resources (~10 megabytes of RAM will work just fine).

We’re running such a setup in production; a sample Dockerfile can be found on
[https://github.com/WISVCH/docker-nginx](https://github.com/WISVCH/docker-nginx).

~~~
toomim
I know that nginx is more traditionally known for hosting static content than
node.js, but are there any particular reasons why it's bad to just use node
for static content these days?

~~~
praseodym
From a security standpoint, the attack surface of Node.js and whatever
libraries are used to make `npm start` happen is a lot larger than plain
Nginx.

From a general usability standpoint, a Node.js container with all build
dependencies will surely turn into a bloated several hundred megabyte Docker
image — an Nginx image with just the built static files is a lot smaller.
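
A concrete form of the two-container setup praseodym describes above (build in Node.js, serve from a hardened Nginx, keep the build toolchain out of the shipped image), added here as an illustration; it is not code from the thread or from the WISVCH repository. The image tags, the unprivileged Nginx image and the `build/` output directory (create-react-app's default) are assumptions.

```dockerfile
# Stage 1: build the React app. Node.js and every build dependency
# live only in this stage and never reach the image that is shipped.
# (Assumed image tag; pin whatever version the project actually builds with.)
FROM node:20-alpine AS build
WORKDIR /app
# Install from the lockfile only, so the build is reproducible and
# npm does not silently resolve newer dependency versions.
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
# create-react-app writes the static bundle to /app/build (assumed layout)
RUN npm run build

# Stage 2: serve the static files with Nginx. The unprivileged variant
# (assumed image) runs as a non-root user and listens on 8080, so the
# container needs no extra capabilities to bind its port.
FROM nginxinc/nginx-unprivileged:1.25-alpine
# Only the built assets are copied: no node_modules, no toolchain, no source.
COPY --from=build /app/build /usr/share/nginx/html
# This image keeps Nginx's pid file and temp paths under /tmp, which is
# what lets the container run with a read-only root filesystem.
EXPOSE 8080
```

Run it with `docker run --read-only --tmpfs /tmp -p 8080:8080 <image>` so the root filesystem is immutable and only `/tmp` is writable; the resulting image is a small fraction of the size of a container that carries the full Node.js build environment.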

~~~
shishy
I understand you're comparing NodeJS vs Nginx there, but for my curiosity, if
someone is building an API, how do you think NodeJS would compare to Ruby on
Rails or Python/Django from a security standpoint?

~~~
praseodym
I don’t think either language is fundamentally more secure than the other.

That being said, the Node.js ecosystem feels more immature than Python’s. The
common practice of using microdependencies means that an average project has
countless dependencies with varying levels of support — it’s all but
impossible to make sure every one of those dependencies is properly
maintained.

The framework/library churn rate seems to have decreased though, so that’s
certainly good from a security standpoint as well.

