Chewing_Bever
/
bever-dam
Archived
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Activity
This repository has been archived on 2021-08-14. You can view files and clone it, but cannot push or open issues/pull-requests.
bever-dam/content/posts/docker-tcp.md

3.0 KiB
Raw Blame History

draft title date
true Encrypting a Docker API for Remote Access Using Portainer 2021-05-16

tl;dr This script has everything you need, just run ./docker-tcp.sh -h (after making it executable) for any help.

Introduction

To manage my little army of servers, I use Portainer CE. It's an open-source management tool for controlling Dockerized applications across multiple hosts. It can handle regular Docker containers, compose stacks, Kubernetes clusters or Docker swarm mode. It's a really useful tool to keep track of everything, and nowadays, I really can't miss it.

Before we can add a host to Portainer, its Docker API has to be exposed to the public, and in order to do this, we need to protect it using encryption (unless of course you like random people controlling your server). This post will explain how this can be done, and I've also written a script that can automate the "heavy" lifting.

Note: This tutorial is only for Linux. I have no experience with managing a Windows server and therefore can't confirm these steps will also work on a Windows machine.

I recommend running these commands on your local Linux machine and just copying the certificates to the server later, as you'll need all the files in order to add the host to Portainer later.

Server-side

To make the connection as secure as possible, we'll use both a server- & a client-side certificate. This first section describes how to generate the former:

openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

These first two commands generate the CA key. You'll be asked for some basic information, e.g. your country, state, city, organization, etc. The most important one is the password. Keep this one safe, as you'll be asked for it later when creating the client key.

One thing to note here is the -days 365 flag. This defines after how many days this certificate will expire (but only when the -x509 flag is specified). By default, its value is set at 30 days, but I find this to be rather short. After this time, you'll have to repeat these steps and generate a new certificate. You'll have to figure out for yourself how long you'd like your certificate to be valid for.

Now we can generate the server key:

openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=<HOST>" -sha256 -new -key server-key.pem -out server.csr

In the above snippet, replace <HOST> with the hostname (output of the hostname command) of the machine who's API you want to expose. Now we've created server-key.pem and server.csr.

As a final step, we need to create a file named extfile.cnf with the following content:

subjectAltName = DNS:<HOST>,IP:<IP>,IP:127.0.0.1 >> extfile.cnf
extendedKeyUsage = serverAuth

Here, we once again replace <HOST> with the machine's hostname, and <IP> with the machine's public IP.