2

I'm not a Docker specialist, I know how to install, configure and do only basic Docker hardening based on Docker official documentation.

I know nothing about AppArmor,SELinux and GRSEC.

But i need to put my C# app backend in production; My C# backend app have file upload features too.

In my case, is better to use docker and docker-compose only for not internet public exposed server/services and use Docker only more "internally" for thinks like database etc? And keep in bare metal (on host) all things that can be more critical like images and video converters, exposed servers like nginx etc?

This can reduce attack surface, i think. I'm right?

Thank you.

Improve this question
6
  • 1
    Why do you assume that this would reduce your attack surface? Have you considered rootless docker and using multiple users for the different images to separate privileges? Commented Oct 15, 2022 at 8:08
  • Some tips: 1. Use docker compose instead of docker-compose, which is a native plugin. 2. File upload management should be done in C# then or similar, not on Docker. 3. You should consider the legal matters when you let users upload content, if it's public. It also depends on your jurisdiction. Commented Oct 15, 2022 at 11:24
  • @SirMuffington C# is a programming language. Docker is not. I don't see the relevance of discussing language; file uploads can be done safely in many languages, with or without docker. Commented Oct 15, 2022 at 11:38
  • @vidarlo I don't get what you mean by that. You're misinterpreting my comment somewhy/somehow Commented Oct 15, 2022 at 17:37
  • @SirMuffington File upload management should be done in C# then or similar, not on Docker - I simply don't grok the comparison you do here. Commented Oct 16, 2022 at 10:30

1 Answer 1

Reset to default
2

Docker will help you isolate your app (if configured right) from the environment it is running in.

For example, if you have a Linux server that is the only machine in its network and the only thing you will use it for is to deploy your web app, then there is no need for Docker here (from a security perspective).

If you plan to have separate applications running on the same machine (e.g MySQL + Nginx + Redis) then from a security perspective, having them in Docker containers to isolate the ability of an attacker to move around after exploiting one of the services can be recommended.

I recommend you take a look here on how to properly secure your container.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.