Implementation of one-click TLS encryption for docker remote api

Recently one of the company's servers was hijacked for cryptocurrency mining, and the root cause was finally traced to Docker's port 2375.

Here is what happened. We first noticed several images and running containers in Docker that nobody had created, and they were consuming a lot of CPU. Port 2375 is the Docker daemon's plain-HTTP remote API port: it carries no encryption and no authentication, and no IP access rules had been set on it, so anyone who could reach the port could drive our Docker daemon, including starting a container with a host directory bind-mounted into it. Because the daemon runs as root, anyone who can reach port 2375 can therefore control the host as root.

Here are our response steps:

1. Move the Docker remote API from port 2375 to another port. This only buys time: anyone scanning the host will find the API again on the new port, so it is not a fix on its own.

$ vi /usr/lib/systemd/system/docker.service

[Screenshot of the edited ExecStart line omitted.] In the ExecStart line, change the port in the daemon's -H tcp://...:2375 option to the new port; the rest of this article uses 2376, the conventional port for the TLS-protected API.

Restart Docker:

$ systemctl daemon-reload
$ systemctl restart docker

2. Enable TLS with client-certificate verification for Docker

Save the following script as tls.sh. It creates a private CA, then issues a server certificate for the daemon and a client certificate for the people who may use the remote API:

#!/bin/bash
# tls.sh: create a private CA, then issue a server certificate for the Docker
# daemon and a client certificate for the people who may use the remote API.
mkdir -p /root/tls/pem
# Address clients will use to reach the daemon: first IPv4 address of eth0.
# If your interface is not eth0, set DOMAIN_HOST by hand.
DOMAIN_HOST=`ifconfig eth0 | grep -w "inet" | awk '{ print $2}' | sed -n '1p;1q'`
#DOMAIN_HOST=`hostname`   # alternative: use a domain name (see the notice below the script)
HOST=$DOMAIN_HOST

# Custom information: change PASSWORD before running
PASSWORD="yourPassword"
COUNTRY=CN
PROVINCE=gd
CITY=gz
ORGANIZATION=dounine
GROUP=dg
NAME=lake
SUBJ="/C=$COUNTRY/ST=$PROVINCE/L=$CITY/O=$ORGANIZATION/OU=$GROUP/CN=$HOST"
# End of custom information
#====================================================================================================================
# Here you act as your own CA. You could instead hand the CSRs below to a third-party CA.
# 1. Generate the root CA's RSA private key, protected by PASSWORD (think of it as the CA's ID card)
openssl genrsa -passout pass:$PASSWORD -aes256 -out /root/tls/pem/ca-key.pem 4096
# 2. Generate a self-signed root certificate (the CA's business license) from that key
openssl req -new -x509 -days 365 -passin pass:$PASSWORD -key /root/tls/pem/ca-key.pem -sha256 -subj "$SUBJ" -out /root/tls/pem/ca.pem
#============================================================================================
# Issue a certificate to the server
# 1. The server generates its own private key
openssl genrsa -out /root/tls/pem/server-key.pem 4096
# 2. The server generates a certificate signing request (contains its public key and identity)
openssl req -new -sha256 -key /root/tls/pem/server-key.pem -out /root/tls/pem/server.csr -subj "/CN=$DOMAIN_HOST"
# 3. Which addresses may clients connect to? Every IP they will use must be listed here, comma-separated.
#    Use DNS:name instead of IP:address if DOMAIN_HOST is a domain name.
echo subjectAltName=IP:$DOMAIN_HOST,IP:127.0.0.1 > /tmp/extfile.cnf
echo extendedKeyUsage = serverAuth >> /tmp/extfile.cnf
# 4. The CA signs the request, turning it into a valid server certificate
openssl x509 -passin pass:$PASSWORD -req -days 365 -sha256 -in /root/tls/pem/server.csr -CA /root/tls/pem/ca.pem -CAkey /root/tls/pem/ca-key.pem -CAcreateserial -out /root/tls/pem/server-cert.pem -extfile /tmp/extfile.cnf
#============================================================================================
# Issue a certificate to the client
openssl genrsa -out /root/tls/pem/client-key.pem 4096
openssl req -subj '/CN=client' -new -key /root/tls/pem/client-key.pem -out /root/tls/pem/client.csr
# clientAuth restricts this certificate to client use, so it cannot be used to impersonate the daemon
echo extendedKeyUsage = clientAuth > /tmp/extfile.cnf
openssl x509 -passin pass:$PASSWORD -req -days 365 -sha256 -in /root/tls/pem/client.csr -CA /root/tls/pem/ca.pem -CAkey /root/tls/pem/ca-key.pem -CAcreateserial -out /root/tls/pem/client-cert.pem -extfile /tmp/extfile.cnf
#============================================================================================
# Clean up. Deleting ca-key.pem means no further client certificates can be issued and
# nothing can be renewed; if you will need that, move it to offline storage instead.
rm -rf /root/tls/pem/ca-key.pem
rm -rf /root/tls/pem/{server,client}.csr
rm -rf /root/tls/pem/ca.srl
rm -f /tmp/extfile.cnf
# Private keys must not be readable by other users; certificates may be
chmod 0400 /root/tls/pem/server-key.pem /root/tls/pem/client-key.pem
chmod 0444 /root/tls/pem/ca.pem /root/tls/pem/server-cert.pem /root/tls/pem/client-cert.pem
# Final files
# ca.pem          == CA certificate
# client-cert.pem == Client certificate
# client-key.pem  == Client private key
# server-cert.pem == Server certificate
# server-key.pem  == Server private key

Notice:

  • subjectAltName is what the client checks the daemon's certificate against, and an IP entry only matches a connection made to exactly that address. IP:0.0.0.0 is therefore not a wildcard that "lets all IPs connect": a client that connects to 192.168.0.150 will reject a certificate whose SAN lists only 0.0.0.0. List every address clients will actually use, at least the server's public IP, plus IP:127.0.0.1 if you also connect locally.
  • If DOMAIN_HOST is set to a domain name rather than an IP address, the subjectAltName line must use DNS:$DOMAIN_HOST for it, and the public IP of your server should still be added as an IP: entry.

Give the script execute permission and run it:

$ chmod +x tls.sh
$ ./tls.sh

When it finishes, ca.pem, client-cert.pem, client-key.pem, server-cert.pem and server-key.pem are in /root/tls/pem. Copy ca.pem, client-cert.pem and client-key.pem to the machine you administer Docker from; server-key.pem never leaves the server.

Then add the TLS options to the Docker daemon's command line:

$ vim /usr/lib/systemd/system/docker.service

In the ExecStart line, next to the -H tcp://... option that exposes the remote API on the port chosen in step 1, add:

        --tlsverify \
        --tlscacert=/root/tls/pem/ca.pem \
        --tlscert=/root/tls/pem/server-cert.pem \
        --tlskey=/root/tls/pem/server-key.pem \

--tlsverify is the option that matters: it makes the daemon refuse every client whose certificate was not issued by ca.pem. --tls on its own would only encrypt the connection and still let anyone in. Note that unit files under /usr/lib/systemd are overwritten by package upgrades, so the change is safer as a drop-in created with systemctl edit docker (a drop-in that replaces ExecStart must first contain an empty ExecStart= line).

Restart Docker:

$ systemctl daemon-reload
$ systemctl restart docker

Now connect through the remote API.

Without a client certificate:

$ docker -H tcp://192.168.0.150:2376 version

The command fails with an error instead of printing the version information: the daemon only talks to clients that present a certificate issued by our CA.

With the client certificate:

$ docker --tlsverify --tlscacert=/root/tls/pem/ca.pem --tlscert=/root/tls/pem/client-cert.pem --tlskey=/root/tls/pem/client-key.pem -H tcp://192.168.0.150:2376 version

The client-side --tlsverify and --tlscacert matter as well: they make the client check that the daemon's certificate was signed by ca.pem and that its subjectAltName covers 192.168.0.150, so the client cannot be tricked into sending its credentials to something else listening on that address.
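Both the subjectAltName rule from the notice above and the two connection attempts just shown can be reproduced offline. What follows is an added example, not code from the original article: it uses Go's crypto/tls and crypto/x509 packages, the same libraries the Docker daemon and CLI are built on, to issue a throwaway CA, server certificate and client certificate in memory (the counterparts of the five files tls.sh produces), start an HTTPS server that, like dockerd --tlsverify, requires a client certificate signed by that CA, and then connect three ways: with no client certificate, with the client certificate, and against a server certificate whose SAN lists only IP:0.0.0.0. The "dounine CA" and "client" names, the 127.0.0.1 address the test server listens on, and the {"Version":"example"} response body are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes a throwaway P-256 key and certificate for cn; parent == nil gives a self-signed CA, otherwise parent/parentKey sign it (tls.sh's "openssl x509 -req -CA").
func issue(cn string, sans []net.IP, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a throwaway CA
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // the 365 days tls.sh uses
		IPAddresses:  sans,                                  // what tls.sh writes as subjectAltName=IP:...
		ExtKeyUsage:  eku,                                   // serverAuth or clientAuth
	}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BuildPKI mirrors tls.sh: a CA, a server certificate carrying serverSANs, and a clientAuth client certificate.
func BuildPKI(serverSANs ...net.IP) (ca *x509.Certificate, server, client tls.Certificate) {
	ca, caKey := issue("dounine CA", nil, nil, nil, nil)
	srv, srvKey := issue("192.168.0.150", serverSANs, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	cli, cliKey := issue("client", nil, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	server = tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}
	client = tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}
	return
}

// StartDaemon stands in for dockerd --tlsverify --tlscacert ca.pem --tlscert server-cert.pem --tlskey server-key.pem.
func StartDaemon(ca *x509.Certificate, server tls.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, `{"Version":"example"}`) }))
	// ClientCAs is --tlscacert; RequireAndVerifyClientCert is what --tlsverify enforces: no valid client cert, no API.
	s.TLS = &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	s.StartTLS()
	return s
}

// Dial is the client half of "docker --tlsverify ... -H tcp://host:port version" and returns the status of GET /version; clientCert == nil presents no certificate.
func Dial(url string, ca *x509.Certificate, clientCert *tls.Certificate) (int, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{RootCAs: pool} // --tlscacert: trust only our own CA for the daemon's certificate
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert} // --tlscert / --tlskey
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := c.Get(url + "/version")
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// RunScenario returns the daemon's rejection of a certificate-less client, the status seen by an authenticated one, and the client-side error when the server SAN lists only IP:0.0.0.0.
func RunScenario() (noCert error, withCert int, wrongSAN error) {
	ca, server, client := BuildPKI(net.ParseIP("127.0.0.1")) // the SAN names the address that is dialed
	d := StartDaemon(ca, server)
	_, noCert = Dial(d.URL, ca, nil)
	withCert, _ = Dial(d.URL, ca, &client)
	d.Close()
	ca, server, client = BuildPKI(net.IPv4zero) // IP:0.0.0.0 is not a wildcard; no client ever dials it
	d = StartDaemon(ca, server)
	_, wrongSAN = Dial(d.URL, ca, &client)
	d.Close()
	return
}

func main() { fmt.Println(RunScenario()) }
```

RunScenario returns a non-nil error for the certificate-less client, status 200 for the authenticated one, and an error of the form "x509: certificate is valid for 0.0.0.0, not 127.0.0.1" for the last case: the client checks the daemon's subjectAltName against the address it dialed, which is why the server's public IP (or DNS name) has to be in the SAN written by tls.sh.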
