Security - pratikchaudhari64/personal_devserver GitHub Wiki

Security

Basic Protection

1. Authentication on Tunnel

ngrok:

ngrok http 8000 --basic-auth "username:strongpassword"

Nginx Basic Auth:

location /admin/ {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://admin_app:5000/;
}

2. IP Whitelisting

ngrok:

ngrok http 8000 --cidr-allow 192.168.1.0/24

Nginx:

location /private/ {
    allow 192.168.1.0/24;
    deny all;
    proxy_pass http://app:3000/;
}

3. HTTPS Only

Most tunnels provide HTTPS by default. Enforce it in nginx by redirecting any request whose X-Forwarded-Proto header, as set by the tunnel, is not https:

if ($http_x_forwarded_proto != "https") {
    return 301 https://$host$request_uri;
}

Container Security

Read-Only Volumes

volumes:
  - ./config:/etc/app/config:ro

Non-Root User

RUN adduser -D appuser
USER appuser

Network Isolation

services:
  database:
    networks:
      - backend_only  # Not exposed to nginx

Rate Limiting

Nginx config:

limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

location /api/ {
    limit_req zone=api burst=20;
    proxy_pass http://api:8000/;
}

Environment Variables

Never commit secrets:

# docker-compose.yml
environment:
  - API_KEY=${API_KEY}  # From .env file

.env file:

API_KEY=your_secret_key
DB_PASSWORD=secure_password

Add to .gitignore:

.env
*.key
*.pem

Monitoring

Access Logs

# Watch nginx logs
docker logs -f personals_nginx

# Save logs
docker logs personals_nginx > access.log
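
Each control on this page rejects with a distinct nginx default status: 401 for auth_basic, 403 for allow/deny, 503 for limit_req. The script below is an added example, not part of this wiki or the project's code, that tallies those rejections per client from the saved access log. The log lines are constructed, the function name and threshold are hypothetical, and it assumes each line starts like nginx's combined format with the client address first (behind a tunnel that may be the tunnel agent's address).

```python
import re
import sys
from collections import Counter, defaultdict

# nginx default status codes for the controls configured on this page.
# The proxied app can return the same codes, so treat hits as leads, not proof.
CONTROL_STATUS = {401: "basic_auth", 403: "ip_deny", 503: "rate_limit"}

# Start of a combined-format line: addr - user [time] "request" status ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')

# Constructed sample input (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /admin/ HTTP/1.1" 401 179 "-" "curl/8.5.0"
203.0.113.7 - admin [10/Jan/2025:10:00:02 +0000] "GET /admin/ HTTP/1.1" 401 179 "-" "curl/8.5.0"
203.0.113.7 - admin [10/Jan/2025:10:00:03 +0000] "GET /admin/ HTTP/1.1" 401 179 "-" "curl/8.5.0"
198.51.100.9 - - [10/Jan/2025:10:00:04 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [10/Jan/2025:10:00:04 +0000] "GET /api/items HTTP/1.1" 503 197 "-" "python-requests/2.31"
198.51.100.9 - - [10/Jan/2025:10:00:04 +0000] "GET /api/items HTTP/1.1" 503 197 "-" "python-requests/2.31"
198.51.100.9 - - [10/Jan/2025:10:00:04 +0000] "GET /api/items HTTP/1.1" 503 197 "-" "python-requests/2.31"
192.0.2.4 - - [10/Jan/2025:10:00:05 +0000] "GET /private/ HTTP/1.1" 403 153 "-" "Mozilla/5.0"
2025/01/10 10:00:05 [error] 29#29: *12 limiting requests, excess: 20.500 by zone "api"
"""


def summarize_rejections(lines, threshold=3):
    """Return {client: {control: count}} for clients that any single
    control rejected at least `threshold` times."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # error-log lines and malformed entries are skipped
        control = CONTROL_STATUS.get(int(m["status"]))
        if control:
            counts[m["ip"]][control] += 1
    return {ip: dict(c) for ip, c in counts.items() if max(c.values()) >= threshold}


if __name__ == "__main__":
    # Piped input is analysed; with no pipe, the constructed sample is used.
    source = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    for ip, hits in sorted(summarize_rejections(source).items()):
        print(ip, hits)
```

To run it on live data, pipe the container output in, for example `docker logs personals_nginx 2>/dev/null | python3 rejections.py`, where the script file name is hypothetical.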

Tunnel Dashboard

  • ngrok: http://localhost:4040
  • Cloudflare: Web dashboard

Best Practices

  1. Separate sensitive services - Don't expose databases
  2. Use specific ports - Avoid common ports
  3. Regular updates:
    docker compose pull
    docker compose up -d
    
  4. Limit container resources:
    deploy:
      resources:
        limits:
          memory: 512M
    

Emergency Shutdown

# Stop all services
docker compose down

# Kill tunnel
pkill ngrok

Checklist

  • Authentication enabled
  • HTTPS enforced
  • Sensitive routes protected
  • Environment variables secured
  • Logs monitored
  • Resource limits set
  • Backup plan ready