I am trying to minimize my attack surface for a running balena device. I have a service exposing port 80 on the device. This service is used to manage and maintain my application and I can’t allow this port to be exposed to the Internet at all times.
After some searching, I have discovered 2 options:
- Add a simple microservice that can proxy my original port 80. I can shut down this service from the dashboard.
- Using reverse ssh and then iptables to drop and accept incoming traffic as per requirement.
Is there any other way I can achieve this? Ideally I would like to set up some environment variable that I can set and clear to dynamically open/close ports.
Hi, @xandfury,
May I ask what kind of management you provide on port 80?
For sure you could depend on an env var to enable/disable port 80 or even turn on/off a web server. If you prefer not to manipulate the original server listening on port 80, then a proxy container service should also work and you can probably add more env vars to provide a whitelist of allowed ip ranges.
@thgreasi Thanks for the prompt reply.
> For sure you could depend on an env var to enable/disable port 80
Can you please explain this a bit more? A link or a tutorial would be a great help. And if possible this too:
> you can probably add more env vars to provide a whitelist of allowed ip ranges.
I have Node-Red connecting to several other containers and also fetching data from serial devices. I don’t want to turn off the web server and running a proxy service container is too much of an overhead.
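An added example, not from this thread, of the env-var-gated iptables approach the question and thgreasi's reply describe: a small sh script that opens or closes TCP/80 on the device and optionally restricts it to an allowlist of IP ranges. It assumes a privileged balena container with iptables installed, and the variable names MGMT_PORT_OPEN, MGMT_ALLOW_CIDRS and MGMT_PORT are hypothetical.

```shell
#!/bin/sh
# Added example, not from this thread. Gates TCP/80 on the host from balena
# variables. Assumes a privileged container (NET_ADMIN) with iptables installed;
# MGMT_PORT_OPEN, MGMT_ALLOW_CIDRS and MGMT_PORT are hypothetical variable names
# you would set from the balena dashboard, then restart the service to apply.
PORT="${MGMT_PORT:-80}"
CHAIN="MGMT_GATE"

# Emit the iptables commands for state "1" (open) / "0" (closed) and an optional
# space-separated CIDR allowlist. Emitting instead of executing lets the rule set
# be reviewed or tested before it touches the live firewall.
gate_rules() {
  open="$1"; allow="$2"
  # Own chain, flushed on every run, so re-applying is idempotent.
  echo "iptables -N $CHAIN 2>/dev/null || true"
  echo "iptables -F $CHAIN"
  # Loopback stays open so containers on the device keep reaching the service.
  echo "iptables -A $CHAIN -i lo -j ACCEPT"
  if [ "$open" != "1" ]; then
    echo "iptables -A $CHAIN -j DROP"            # closed: drop all external traffic
  elif [ -n "$allow" ]; then
    for cidr in $allow; do
      echo "iptables -A $CHAIN -s $cidr -j ACCEPT"
    done
    echo "iptables -A $CHAIN -j DROP"            # allowlist set: drop everyone else
  else
    echo "iptables -A $CHAIN -j ACCEPT"          # open to all
  fi
}

# Hook INPUT into the chain once; -C checks so repeated runs add no duplicate jump.
hook_rule() {
  echo "iptables -C INPUT -p tcp --dport $PORT -j $CHAIN 2>/dev/null ||" \
       "iptables -I INPUT -p tcp --dport $PORT -j $CHAIN"
}

# Execute the generated rules against the real firewall.
apply_gate() {
  gate_rules "$1" "$2" | while read -r cmd; do eval "$cmd"; done
  eval "$(hook_rule)"
}

# Only touch iptables when run as `sh gate.sh apply`, e.g. from the service's CMD.
if [ "${1:-}" = "apply" ]; then
  apply_gate "${MGMT_PORT_OPEN:-0}" "${MGMT_ALLOW_CIDRS:-}"
fi
```

Changing MGMT_PORT_OPEN or MGMT_ALLOW_CIDRS in the dashboard restarts the service, which re-runs the script and rebuilds the chain without leaving stale rules behind.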