The First Update: Whoops!
Published on 2024-11-02 - by: me

So I learned some stuff. Most importantly: you really do not want to expose port 2375
to the internet. Obvious to those who know what they're doing but I didn't. I
thought opening the port still required anyone connecting to authenticate with a password or an
SSH key. I was wrong.
What actually happens is that anyone who connects to the port has
full access to the Docker daemon. In practice, this means opening port 2375
is the same as requiring no authentication for full server access.
So now what? How do I connect to the Docker daemon without exposing this port? There are a couple of options:
- Add a reverse proxy in front of the Docker daemon that requires its own authentication.
- Require the user to connect via an SSH tunnel.
- Require the user to connect with a client certificate on port 2376.
- Handle authentication via VPN.
All of these solutions suffer from the same problem: they require the user to do something extra to connect to the Docker daemon. This seems unavoidable, even if we use SSH keys. I think using a CLI and/or GUI to minimize user friction is unavoidable too.
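To make the difference between the two port numbers concrete, here is an added example (my own, not code from the post or from Docker) that audits a daemon.json for the mistake described above: a `tcp://` listener with no TLS, or TLS without `tlsverify`, which is the 2375-style "no authentication" setup, versus the client-certificate setup on 2376. The daemon.json keys (`hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) are real dockerd options; the configs and certificate paths are constructed placeholders.

```python
import json

# Constructed example: the setup the post warns about. A plaintext TCP
# listener on every interface, no TLS, so whoever reaches the port owns the daemon.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed example: encrypted but still unauthenticated. "tls" without
# "tlsverify" means the server presents a cert but never checks the client's.
ENCRYPTED_ONLY_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True,
    "tlscert": "/etc/docker/certs/server-cert.pem",   # placeholder path
    "tlskey": "/etc/docker/certs/server-key.pem",     # placeholder path
})

# Constructed example: the client-certificate option from the post. Only
# clients holding a cert signed by ca.pem can talk to the daemon.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",          # placeholder path
    "tlscert": "/etc/docker/certs/server-cert.pem",   # placeholder path
    "tlskey": "/etc/docker/certs/server-key.pem",     # placeholder path
})

ALL_INTERFACES = ("", "0.0.0.0", "[::]")


def audit_daemon_config(config_text: str) -> list[str]:
    """Return findings for a daemon.json; an empty list means nothing was flagged."""
    cfg = json.loads(config_text)
    findings: list[str] = []
    verify_on = bool(cfg.get("tlsverify"))
    tls_on = bool(cfg.get("tls")) or verify_on  # tlsverify implies tls

    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// are local and guarded by file permissions
        host_part, _, _port = listener[len("tcp://"):].rpartition(":")
        exposure = "all interfaces" if host_part in ALL_INTERFACES else host_part
        if not tls_on:
            findings.append(
                f"{listener} ({exposure}): TCP listener without TLS; "
                "anyone who can reach the port has full daemon access"
            )
        elif not verify_on:
            findings.append(
                f"{listener} ({exposure}): TLS without tlsverify; "
                "the channel is encrypted but clients are not authenticated"
            )

    if verify_on:
        # Client verification is meaningless without a CA to verify against,
        # and the daemon will not start without its own cert and key.
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(f"tlsverify is set but {key} is missing")

    return findings


if __name__ == "__main__":
    for name, text in [("weak", WEAK_DAEMON_JSON),
                       ("encrypted-only", ENCRYPTED_ONLY_DAEMON_JSON),
                       ("hardened", HARDENED_DAEMON_JSON)]:
        print(name, audit_daemon_config(text) or ["ok"])
```

With the hardened config, the client side is `docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://HOST:2376 ps`, which is exactly the "extra thing" the user has to do that the post complains about. The SSH tunnel option has the same shape on the client: `DOCKER_HOST=ssh://user@HOST docker ps`, with the daemon keeping only its Unix socket and no TCP listener at all.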
As is tradition, it's time to rethink my initial idea after the tiniest bit of progress. I'll keep researching to make sure I'm now on the right track. I'll also start looking into implementing the reverse proxy solution and integrating the planned platform auth into it.
Sidenote: I'm building the stack with Next.js, but I'm building this blog with SvelteKit and I'm starting to really like it. Maybe it's time for the other classic: rewriting everything before it's even reached v0.1.