I am wondering if I could pick some brains in terms of planning my OpenMediaVault Docker design.
Basically I am a little bit worried about security.
Design consists of:
- External bridge network which only carries HTTPS (encrypted traffic) (port 80 redirects are set).
- Internal bridge network which can potentially carry unencrypted traffic. This network does not have any ports open/published/exposed, so traffic from outside cannot get onto this network. Only container-to-container communication.
- Each container runs under its own user context.
- The permissions on the storage will be allowed only to the users that need to access them. I will use groups for this (not shown).
- The idea is to have all traffic hit the reverse proxy. I am not aware of any WAF-capable reverse proxy, so I am just using the Traefik reverse proxy.
Can anyone make any improvements/recommendations to this design?
I am just after security best practices and I am pretty new to Docker.
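An added example, not part of the original post or the poster's own configuration: a docker-compose.yml that lays out the two-network design described above (external bridge carrying only HTTPS, internal bridge with nothing published, each container under its own user, Traefik handling the port 80 redirect). Image tags, UIDs/GIDs, the whoami stand-in service and the hostname are assumptions.

```yaml
# Added example, not the poster's configuration: compose file for the
# two-network design. Image tags, UIDs/GIDs and hostname are assumptions.
services:
  traefik:
    image: traefik:v2.10
    user: "1000:999"           # assumed UID; 999 assumed to be the host docker group GID (socket is root:docker 660)
    security_opt:
      - no-new-privileges:true
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # route only containers that opt in via labels
      - --providers.docker.network=internal         # reach backends over the internal bridge
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true       # default cert; use ACME or a file provider for real deployments
    ports:                                          # the only published ports in the whole stack
      - "80:80"
      - "443:443"
    networks:
      - external
      - internal
    volumes:
      # Docker API access is root-equivalent on the host; ":ro" does not limit
      # what can be sent over the socket, so a socket proxy is the usual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro

  app:
    image: traefik/whoami           # stand-in for a real service (assumption)
    command: --port 8080
    user: "1001:1001"               # its own identity, distinct from traefik
    security_opt:
      - no-new-privileges:true
    networks:
      - internal                    # never attached to "external"; no ports published
    labels:
      - traefik.enable=true
      - traefik.http.routers.app.rule=Host(`app.example.invalid`)
      - traefik.http.routers.app.entrypoints=websecure
      - traefik.http.routers.app.tls=true
      - traefik.http.services.app.loadbalancer.server.port=8080

networks:
  external:
    name: external
  internal:
    name: internal
    internal: true                  # no host route in or out; container-to-container only
```

Port 80 exists only to issue the redirect, so plaintext never reaches `app`; `docker network inspect internal` should show no published ports and only the two containers attached.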