
100% automated, official certificates for Docker containers - telmich
https://ungleich.ch/u/blog/fully-automated-ssl-certificates-for-docker/
======
dimitar
Wait, the article says "Finally all your docker containers can be world wide
reachable, fully secured without any manual configuration required."

Is that a good thing? I hope it is tongue in cheek. I thought the secure
practice is to hide the docker containers behind reverse proxies in DMZs, not
expose them publicly to the internet.

I expected this article to be about setting up your own CA in docker.

~~~
paulddraper
> hide the docker containers behind reverse proxies in DMZs

Why though?

Usually a reverse proxy is used for (a) load balancing (b) SSL/TLS termination.
This solves the second; the first can be solved via DNS.

Many times, it's actually quite difficult to obtain a suitable reverse proxy,
e.g. FTPS.

~~~
dimitar
FTPS is also placed in a DMZ as it is internet facing and you can use any
layer 4 reverse proxy for it. And DNS load balancers have serious downsides,
like clients resolving IP addresses on which the service is down (removing
servers takes time due to DNS caching down the line).

The whole point of a DMZ is to have another layer keeping your data as far as
possible from the Internet. In the unlikely case a Reverse proxy is exploited
remotely, the potential damage is most likely limited to it. After getting in
the RP you would need to go through another firewall that is normally tuned to
allow only connections to the application server containers.

Worst thing you can do is connect your insecure DB to the public Internet and
leak the data of one billion people:
https://www.cisomag.com/elasticsearch-server-exposed-1-2-billion-people-data/

The insecure Elasticsearch server could have had a nice green padlock, but if
the default admin/admin credentials weren't changed it would not help at all.
It is better to just assume that everything is not configured right and treat
it accordingly and do layering so you basically need to hack everything to
reach the most important prize.

TLS and x509 certs solve only the encryption and trust problems, making them
easy is very good, but there are other security issues to consider.
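
As an added illustration of the layering described in this comment (not from the linked article or from any commenter), here is a docker-compose fragment where only the reverse proxy is reachable from the outside and the database is reachable only from the application container; the service names, image tags and port numbers are assumed:

```yaml
# Added example, not the article's or any commenter's configuration.
# Three layers: proxy (internet-facing), app, db. Only `proxy` publishes a
# port. `app` and `db` live on networks Docker does not route to the host's
# public interface, so a green padlock on the proxy never implies the DB
# is exposed. Service names and image tags are assumed.
services:
  proxy:                      # the only internet-facing container (DMZ role)
    image: nginx:stable
    ports:
      - "443:443"             # TLS terminates here
    networks:
      - edge                  # outside world
      - app_net               # can reach app, cannot reach db

  app:                        # application server: deliberately no `ports:`
    image: example/app:latest # placeholder image name
    networks:
      - app_net
      - db_net                # the only path to the database

  db:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.0  # assumed tag
    environment:
      - discovery.type=single-node
    # The weak setting this layout avoids is publishing the port, e.g.
    #   ports:
    #     - "9200:9200"
    # which would put the database directly on the public interface
    # regardless of any TLS on the proxy.
    networks:
      - db_net

networks:
  edge:                       # default bridge with outbound/inbound access
  app_net:
    internal: true            # no route to outside; members talk only to members
  db_net:
    internal: true            # reachable solely via `app`
```

Note that `internal: true` also blocks outbound traffic from those networks, so `app` only gets internet access if it is additionally attached to a non-internal network; that is the intended trade-off of the extra layer.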

~~~
paulddraper
> FTPS is also placed in a DMZ as it is internet facing and you can use any
> layer 4 reverse proxy for it.

Not if you use passive FTPS, which most clients require.

> The whole point of a DMZ is to have another layer keeping your data as far
> as possible from the Internet.

That layer has to actually _do_ something though. Adding 10,000 feet of copper
wire between you and the internet doesn't make you safer; it makes you slower
and poorer.

------
wiseleo
Nice fluff-free article.

