
Laravel and Docker

Posted by vincent15000

Hello,

I just had a discussion with my former boss about Laravel and Docker. I now continue to work with him as a freelancer; I don't do anything on Docker for him, but I'd like to advise him.

He knows Docker, not me. I know Laravel, not him.

In development mode I'm using Sail; in production I'm using docker-compose.

We have developed an application and put it in production with Docker. To do that, I have followed the series https://laracasts.com/series/the-docker-tutorial.

Here is an example of what I have done.

// docker-compose.prod.yml

services:
  nginx:
    build:
      context: .
      dockerfile: ./docker-services/nginx.dockerfile
    container_name: yggdra-nginx
    ports:
      - 80:80
    volumes:
      - .:/var/www/html
    depends_on:
      mariadb:
        condition: service_started
      php:
        condition: service_started
  ...

// nginx configuration

What seems to perturb my former boss is this.

volumes:
  - .:/var/www/html

He is afraid that if a hacker enters a container, he will have access to all the information, and he wanted to move several folders and files (like node_modules, .env, ...) inside another folder to avoid exposing some information.

But I'm not sure it's a good idea, because Laravel is structured to have all these folders and files in place to work properly. Furthermore, the nginx configuration is set to not let people access the Laravel files.

root /var/www/html/public;

The /var/www/html folder contains all Laravel files (it's the root of the project). And inside this folder, there is the public folder, exactly like in a standard Laravel application.

What would be your first reaction? Is there any security risk with this configuration, with Laravel? With Docker? What other information would you need to answer my question?

Thanks for your help in understanding what could be risky.

V

LaryAI:

Your concern about security when using Docker with Laravel is valid, and it's great that you're considering best practices. Let's address the key points:

  1. Volume Mounting and Security:

    • The line volumes: - .:/var/www/html mounts your entire project directory into the Docker container. This is common in development for ease of use, but it can pose security risks in production.
    • If a hacker gains access to the container, they could potentially access sensitive files like .env which contains environment variables, including database credentials.
  2. Best Practices for Production:

    • Limit Volume Mounts: In production, avoid mounting the entire project directory. Instead, only mount what's necessary. For example, you might only need to mount the public directory.
    • Environment Variables: Use Docker secrets or environment variables set at the container level rather than including sensitive information in files that are mounted.
    • Read-Only Mounts: If you must mount directories, consider making them read-only to limit what can be done within the container.
  3. Nginx Configuration:

    • Your Nginx configuration is correctly set to serve files only from the public directory, which is a good practice. This prevents direct access to sensitive files in the root Laravel directory.
  4. Docker Security:

    • User Permissions: Run your application as a non-root user within the container to minimize the impact of a potential breach.
    • Network Policies: Use Docker's network features to isolate containers and control traffic between them.
    • Regular Updates: Keep your Docker images and dependencies up to date to mitigate vulnerabilities.
  5. File Structure:

    • It's generally not recommended to alter Laravel's default file structure as it could lead to issues with the framework's functionality. Instead, focus on securing the environment and access controls.

Here's an example of how you might adjust your docker-compose.prod.yml to limit volume exposure:

services:
  nginx:
    build:
      context: .
      dockerfile: ./docker-services/nginx.dockerfile
    container_name: yggdra-nginx
    ports:
      - 80:80
    volumes:
      - ./public:/var/www/html/public:ro
    depends_on:
      mariadb:
        condition: service_started
      php:
        condition: service_started
  ...

In this example, only the public directory is mounted, and it's mounted as read-only (:ro), which helps mitigate some security risks.

By following these practices, you can enhance the security of your Laravel application running in Docker.

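The reply above lists the hardening points (no whole-project bind mount, secrets kept out of mounted files, read-only filesystems, a non-root user, network isolation). Here is how they fit together in one production compose file. This is an added example written for this thread; it is not the poster's configuration and not taken from the Laracasts series. It assumes a standard Laravel layout at the build-context root, a ./docker-services/nginx.conf that listens on 8080 with root /var/www/html/public and fastcgi_pass php:9000, a ./docker-services/mariadb.env for the database variables, and a .dockerignore that lists .env, node_modules, .git and tests so they never enter the image. Two caveats worth stating plainly: a bind mount is two-way, so anything a compromised container writes under /var/www/html lands in the project directory on the host, which is the strongest reason to copy the code into the image instead; and only nginx can be limited to public/, because php-fpm still needs the whole application to run, so what is "exposed" inside the php container is controlled by .dockerignore rather than by moving Laravel's folders around.

```yaml
# docker-compose.prod.yml, hardened example (assumptions listed in the text above)
services:
  php:
    build:
      context: .
      # Dockerfile inlined for the example (needs Compose v2.17+). The code is
      # COPIED into the image at build time instead of bind-mounted from the host,
      # and .dockerignore decides what gets in (.env and node_modules do not).
      dockerfile_inline: |
        FROM composer:2 AS vendor
        WORKDIR /app
        COPY composer.json composer.lock ./
        RUN composer install --no-dev --no-scripts --no-autoloader --prefer-dist
        COPY . .
        RUN composer dump-autoload --optimize --no-dev --no-scripts

        FROM php:8.3-fpm-alpine
        RUN docker-php-ext-install pdo_mysql opcache
        WORKDIR /var/www/html
        COPY --from=vendor --chown=www-data:www-data /app /var/www/html
        # php-fpm itself runs unprivileged, not only its worker processes
        USER www-data
    container_name: yggdra-php
    # .env stays on the host only: Compose injects its lines as real environment
    # variables, so no file with credentials exists inside the container
    env_file: .env
    read_only: true
    tmpfs:
      - /tmp
      - /var/www/html/bootstrap/cache   # Laravel's compiled config/route cache
    volumes:
      # the one directory Laravel must write to persistently (logs, uploads, sessions)
      - laravel-storage:/var/www/html/storage
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
    networks: [backend]
    depends_on:
      mariadb:
        condition: service_started

  nginx:
    build:
      context: .
      dockerfile_inline: |
        # unprivileged variant: runs as uid 101, listens on 8080, writes only to /tmp
        FROM nginxinc/nginx-unprivileged:alpine
        COPY docker-services/nginx.conf /etc/nginx/conf.d/default.conf
        # nginx holds the static files from public/ and nothing else; PHP
        # requests are forwarded to the php service, which has the full app
        COPY public/ /var/www/html/public/
    container_name: yggdra-nginx
    ports:
      - "80:8080"
    read_only: true
    tmpfs:
      - /tmp
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
    networks: [frontend, backend]
    depends_on:
      php:
        condition: service_started

  mariadb:
    image: mariadb:11
    container_name: yggdra-mariadb
    env_file: ./docker-services/mariadb.env   # MARIADB_ROOT_PASSWORD etc. (assumed file)
    volumes:
      - mariadb-data:/var/lib/mysql
    # no "ports:" entry: the database is reachable only from the backend network
    networks: [backend]

volumes:
  laravel-storage:
  mariadb-data:

networks:
  frontend:
  backend:
    internal: true   # drop this line if the app needs outbound access (mail, APIs)
```

Build and start it with `docker compose -f docker-compose.prod.yml up --build -d`; `docker compose -f docker-compose.prod.yml config` prints the resolved file and is a quick way to confirm that no service still bind-mounts `.`. Because bootstrap/cache is a tmpfs, run `php artisan config:cache` and `route:cache` as part of the container start (an entrypoint script, not shown here) rather than at build time, so cached config reflects the runtime environment variables.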
vincent15000:

I'd also like to have advice from real people and not only from the AI ;).

jlrdw:

The /var/www/html folder contains all Laravel files

I place main laravel files outside of web, only contents of public gets exposed.

I prefer a regular server setup, not docker.

vincent15000:

@jlrdw Sure the main Laravel files shouldn't be exposed, so should be placed outside of the web.

My nginx configuration is good. The only problem seems to be the volume mounted with Docker.

volumes:
  - .:/var/www/html

What I remember from the documentation is that when a volume is mounted with Docker, it gives you the same content inside and outside the container.

Just writing these lines, I realize that it's probably useful in development mode and not useful at all in production mode.

Mega_Aleksandar:

Hi,

In my small experience with Docker, I use volumes to mount a specific local directory to the directory given in the documentation of the Docker image. So if a PHP image wants your files to be in /var/www/html, I'll mount volumes: - ./src:/var/www/html, and my local src directory is where the app lives. Both the node container and the php container have access to the same files, as I state in a workdir... so if a hacker gets into a container, all of the scripts would be scoped to the /var/www/html directory and nowhere else. While technically that is the whole app, it will not allow the hacker access to the server files, only the container files within the directory.
