I'm trying to use Docker for an nginx reverse proxy and a Radicale CalDAV server, set up on top of an existing OpenMediaVault server. I've managed after many hours of research to get it working (I think). I use Docker Compose to create my containers.

I would prefer an experienced user cast an eye over my setup to suggest where I can improve/ better secure my setup.

I run the nginx reverse proxy container in a network with only the Radicale container; that way I can run other containers (like Jellyfin) without exposing them as well.

My main worry is: have I covered all the bases before exposing the Radicale server on open ports? I'm using the certbot --standalone option for receiving the Let's Encrypt certs, and using hooks to stop the container, check for a renewal and then restart the containers. I've mainly used this guide to get my setup up and running.

The Radicale server uses basic authentication but also has its own user authentication to log in, so I'm not entirely sure how a client logs in twice to sync the calendar.

Below is my code so far.

Docker-compose.yml

version: '3.7'
services:
  nginx:
    depends_on:
      - radicale 
    image: nginx:latest
    container_name: nginx_reverse_proxy
    volumes:
      - /home/tim/nginx.conf:/etc/nginx/nginx.conf
      - /home/tim/radicale/users:/etc/nginx/users
      - /home/tim/nginx/error.log:/etc/nginx/error_log.log
      - /etc/letsencrypt/:/etc/letsencrypt/
    ports:
      - 80:80
      - 443:443
    restart: unless-stopped
    networks:
      - radicale

  radicale:
    image: tomsquest/docker-radicale
    container_name: radicale
    expose:
      - "5232"
    init: true
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - SETUID
      - SETGID
      - CHOWN
      - KILL
    healthcheck:
      test: curl -f http://127.0.0.1:5232 || exit 1
      interval: 30s
      retries: 3
    restart: unless-stopped
    volumes:
      - /home/tim/radicale/data:/data
      - /home/tim/radicale/config:/config:ro
    networks:
      - radicale

networks:
  radicale:

nginx.conf

events {
}

http {
  error_log /etc/nginx/error_log.log warn;

  server {
    listen 80 default_server;
    server_name myserver.duckdns.org;
    return 301 https://$server_name$request_uri;
  }

  server {
    listen 443 ssl;
    server_name myserver.duckdns.org;

    ssl_certificate     /etc/letsencrypt/live/myserver.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myserver.duckdns.org/privkey.pem;

    location /radicale/ {
      proxy_pass           http://radicale:5232/;
      proxy_set_header     X-Script-Name /radicale;
      proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header     X-Remote-User $remote_user;
      auth_basic           "Radicale - Password Required";
      auth_basic_user_file /etc/nginx/users;
    }
  }
}

And my Radicale config:

[server]
hosts = 0.0.0.0:5232

[storage]
filesystem_folder = /data/collections

[auth]
type = http_x_remote_user
htpasswd_filename = /etc/nginx/users
htpasswd_encryption = md5

I used md5 as the password encryption (although bcrypt is better) because bcrypt doesn't work with the Debian-based image for nginx, so in the future I may use the Alpine image so I can use the more secure bcrypt.

After docker-compose up, and as soon as I open the ports, I can see that the reverse proxy works and I can log in (albeit twice) to the Radicale server, and all HTTP traffic is diverted back to HTTPS. But, as expected, I instantly get interest from malicious IPs, so to be certain I want to make sure I've dotted all the i's and crossed all the t's as practically as possible before I let the exposed server loose.

Are there any improvements I can make? Is my setup correct?

Thanks in advance.
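Since the same htpasswd file serves both nginx's auth_basic and Radicale, and the post weighs md5 against bcrypt, here is an added audit script (mine, not part of the original post, of nginx or of Radicale) that classifies the hash scheme of each entry and flags weak or unusable ones. The sample file and the bcrypt_supported flag, which models the post's observation that bcrypt did not work with the Debian-based nginx image, are constructed assumptions.

```python
import re

# Constructed sample htpasswd file (not from the original post): one entry per
# hash scheme that an nginx auth_basic_user_file may contain. Values are made up.
SAMPLE_HTPASSWD = """\
# users shared by nginx auth_basic and Radicale
tim:$apr1$Q9aB2c3D$7yQ3Y0h5Z9Kq1x2W3e4R5/
alice:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:$6$saltsalt$constructedsha512cryptoutputplaceholder
dave:zxBoSlcg6mFBk
eve:plaintext
"""

# Hash prefix -> (scheme name, strong enough for an internet-facing login?)
SCHEMES = [
    ("$2y$", "bcrypt", True), ("$2b$", "bcrypt", True), ("$2a$", "bcrypt", True),
    ("$6$", "sha512-crypt", True), ("$5$", "sha256-crypt", True),
    ("$apr1$", "apr1-md5 (htpasswd -m)", False), ("$1$", "md5-crypt", False),
    ("{SSHA}", "salted-sha1", False), ("{SHA}", "sha1", False),
]

def classify_hash(h):
    """Return (scheme, strong) for one htpasswd hash field."""
    for prefix, name, strong in SCHEMES:
        if h.startswith(prefix):
            return name, strong
    # Traditional DES crypt(3): 13 chars of [./0-9A-Za-z]; only the first 8
    # password characters are used, so treat it as weak.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "des-crypt", False
    return "plaintext/unknown", False

def audit_htpasswd(text, bcrypt_supported=True):
    """Parse htpasswd text and return a list of (user, scheme, problems).
    bcrypt_supported=False models the post's observation that bcrypt entries
    could not be verified by their Debian-based nginx image (assumption)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored by nginx
        user, sep, h = line.partition(":")
        if not sep or not user or not h:
            findings.append((user or line, "malformed", ["entry is not user:hash"]))
            continue
        scheme, strong = classify_hash(h)
        problems = []
        if not strong:
            problems.append("weak hash; rehash with bcrypt or sha512-crypt")
        if scheme == "bcrypt" and not bcrypt_supported:
            problems.append("bcrypt not verifiable by this nginx image; user cannot log in")
        findings.append((user, scheme, problems))
    return findings

if __name__ == "__main__":
    for user, scheme, problems in audit_htpasswd(SAMPLE_HTPASSWD, bcrypt_supported=False):
        print(f"{user:8} {scheme:24} {'; '.join(problems) or 'ok'}")
```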
