雷池 SafeLine

waf

2025-04-10 · 1 min · word · Me

nftables template + docker part2

#!/usr/sbin/nft -f
# From https://wiki.gbe0.com/en/linux/firewalling-and-filtering/nftables/template-inbound-outbound
#
# Host firewall for a Docker host: inet filter table (forward / input / output, all
# default-drop) plus an inet nat table that masquerades container traffic.

## Clear/flush all existing rules
# NOTE(review): this flushes every table, including any installed by other tooling
# (e.g. the Docker daemon). Nothing below re-creates published-port DNAT (the nat
# prerouting chain at the bottom is empty) — confirm published ports still work.
flush ruleset

# Variable definitions
define DOCKER_SUBNETS = { 172.17.0.0/16, 172.18.0.0/16, 172.19.0.0/16 }
# NOTE(review): PRIVATE_SUBNETS is defined but not referenced by any rule in this file.
define PRIVATE_SUBNETS = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Main inet family filtering table
table inet filter {
    # Rules for forwarded traffic
    chain forward {
        type filter hook forward priority 0; policy drop

        # Anti-spoofing: drop packets arriving on a Docker bridge whose source is not a Docker subnet.
        # (The check is against the whole set, so a container on one bridge may still use another
        # bridge's range.)
        iifname "docker0" ip saddr != $DOCKER_SUBNETS counter drop comment "防止 Docker IP 欺騙"
        iifname "br-*" ip saddr != $DOCKER_SUBNETS counter drop comment "防止 Docker 橋接網路 IP 欺騙"

        # Allow forwarding for Docker container networks
        # Forward from the Docker bridges to anywhere, subject to the source-address check above.
        # Only the source is checked; the destination is unrestricted.
        iifname "docker0" ip saddr $DOCKER_SUBNETS counter accept comment "允許來自 Docker 的轉發流量"
        iifname "br-*" ip saddr $DOCKER_SUBNETS counter accept comment "允許來自 Docker 網橋的轉發流量"

        # Allow reply traffic of established connections back to the Docker bridges
        oifname { "docker0", "br-*" } ct state established,related counter accept comment "允許返回 Docker 的回應流量"

        # Forwarded DNS. Not restricted to the Docker bridges: matches on any interface pair.
        meta l4proto { tcp, udp } th dport 53 counter accept comment "允許 DNS 查詢轉發"

        ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
        ## The default policy will be applied to unmatched traffic
        limit rate 60/minute burst 100 packets \
            log prefix "Forward - Drop: " \
            comment "Log any unmatched traffic"

        ## Count the unmatched traffic
        counter \
            comment "Count any unmatched traffic"
    }

    # Rules for input traffic
    chain input {
        type filter hook input priority 0; policy drop

        ## Permit inbound traffic to loopback interface
        iif lo \
            accept \
            comment "Permit all traffic in from loopback interface"

        # Allow connections from the Docker networks to the host.
        # No port match: every host-listening service is reachable from a container, not only
        # those the containers need.
        iifname { "docker0", "br-*" } counter accept comment "允許來自 Docker 網路的流量"

        # Defences against common scan techniques
        # TCP segment with none of fin/syn/rst/ack set ("null" packet)
        tcp flags & (fin|syn|rst|ack) == 0 counter drop comment "空封包丟棄"

        # Defence against TCP probe scans: SYN advertising an MSS of 0
        tcp flags syn tcp option maxseg size 0 counter drop comment "丟棄異常的 MSS 值封包"

        # SYN flood protection
        # NOTE(review): `limit rate` here is one global bucket (no per-source meter), so once
        # 10 new SYN/s is exceeded the next rule drops further SYNs to these ports from every
        # source, including legitimate ones.
        tcp flags syn tcp dport { 22, 80, 443 } ct state new limit rate 10/second counter accept comment "防止 SYN flood"
        tcp flags syn tcp dport { 22, 80, 443 } ct state new counter drop comment "丟棄超出速率的 SYN 封包"

        ## Permit established and related connections
        ct state established,related \
            counter \
            accept \
            comment "Permit established/related connections"

        ## Log and drop new TCP non-SYN packets
        tcp flags != syn ct state new \
            limit rate 100/minute burst 150 packets \
            log prefix "IN - New !SYN: " \
            comment "Rate limit logging for new connections that do not have the SYN TCP flag set"
        tcp flags != syn ct state new \
            counter \
            drop \
            comment "Drop new connections that do not have the SYN TCP flag set"

        ## Log and drop TCP packets with invalid fin/syn flag set
        tcp flags & (fin|syn) == (fin|syn) \
            limit rate 100/minute burst 150 packets \
            log prefix "IN - TCP FIN|SIN: " \
            comment "Rate limit logging for TCP packets with invalid fin/syn flag set"
        tcp flags & (fin|syn) == (fin|syn) \
            counter \
            drop \
            comment "Drop TCP packets with invalid fin/syn flag set"

        ## Log and drop TCP packets with invalid syn/rst flag set
        tcp flags & (syn|rst) == (syn|rst) \
            limit rate 100/minute burst 150 packets \
            log prefix "IN - TCP SYN|RST: " \
            comment "Rate limit logging for TCP packets with invalid syn/rst flag set"
        tcp flags & (syn|rst) == (syn|rst) \
            counter \
            drop \
            comment "Drop TCP packets with invalid syn/rst flag set"

        ## Log and drop invalid TCP flags
        tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
            limit rate 100/minute burst 150 packets \
            log prefix "IN - FIN:" \
            comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) < (fin)"
        tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
            counter \
            drop \
            comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) < (fin)"

        ## Log and drop invalid TCP flags
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
            limit rate 100/minute burst 150 packets \
            log prefix "IN - FIN|PSH|URG:" \
            comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
            counter \
            drop \
            comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"

        ## Drop traffic with invalid connection state
        ct state invalid \
            limit rate 100/minute burst 150 packets \
            log flags all prefix "IN - Invalid: " \
            comment "Rate limit logging for traffic with invalid connection state"
        ct state invalid \
            counter \
            drop \
            comment "Drop traffic with invalid connection state"

        ## Permit IPv4 ping/ping responses but rate limit to 2000 PPS
        ip protocol icmp icmp type { echo-reply, echo-request } \
            limit rate 2000/second \
            counter \
            accept \
            comment "Permit inbound IPv4 echo (ping) limited to 2000 PPS"

        ## Permit all other inbound IPv4 ICMP
        ip protocol icmp \
            counter \
            accept \
            comment "Permit all other IPv4 ICMP"

        ## Permit IPv6 ping/ping responses but rate limit to 2000 PPS
        icmpv6 type { echo-reply, echo-request } \
            limit rate 2000/second \
            counter \
            accept \
            comment "Permit inbound IPv6 echo (ping) limited to 2000 PPS"

        ## Permit all other inbound IPv6 ICMP
        meta l4proto { icmpv6 } \
            counter \
            accept \
            comment "Permit all other IPv6 ICMP"

        ## Permit inbound traceroute UDP ports but limit to 500 PPS
        udp dport 33434-33524 \
            limit rate 500/second \
            counter \
            accept \
            comment "Permit inbound UDP traceroute limited to 500 PPS"

        ## Permit inbound SSH
        # New TCP to 22/80/443 has already been accepted or dropped above (SYN by the
        # SYN-flood pair, non-SYN by the "!SYN" drop), so this rule and the next one should
        # not see new TCP traffic; presumably kept for parity with the upstream template.
        tcp dport ssh ct state new \
            counter \
            accept \
            comment "Permit inbound SSH connections"

        ## Permit inbound HTTP and HTTPS
        tcp dport { http, https } ct state new \
            counter \
            accept \
            comment "Permit inbound HTTP and HTTPS connections"

        ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
        ## The default policy will be applied to unmatched traffic
        limit rate 60/minute burst 100 packets \
            log prefix "IN - Drop: " \
            comment "Log any unmatched traffic"

        ## Count the unmatched traffic
        counter \
            comment "Count any unmatched traffic"
    }

    # Rules for output traffic
    chain output {
        type filter hook output priority 0; policy drop

        ## Permit outbound traffic to loopback interface
        oif lo \
            accept \
            comment "Permit all traffic out to loopback interface"

        # Allow Docker-related output traffic (host -> container bridges)
        oifname { "docker0", "br-*" } counter accept comment "允許 Docker 網路輸出"

        ## Permit established and related connections
        ct state established,related \
            counter \
            accept \
            comment "Permit established/related connections"

        ## Drop traffic with invalid connection state
        ct state invalid \
            limit rate 100/minute burst 150 packets \
            log flags all prefix "OUT - Invalid: " \
            comment "Rate limit logging for traffic with invalid connection state"
        ct state invalid \
            counter \
            drop \
            comment "Drop traffic with invalid connection state"

        ## Permit IPv4 ping/ping responses but rate limit to 2000 PPS
        ip protocol icmp icmp type { echo-reply, echo-request } \
            limit rate 2000/second \
            counter \
            accept \
            comment "Permit outbound IPv4 echo (ping) limited to 2000 PPS"

        ## Permit all other outbound IPv4 ICMP
        ip protocol icmp \
            counter \
            accept \
            comment "Permit all other IPv4 ICMP"

        ## Permit IPv6 ping/ping responses but rate limit to 2000 PPS
        icmpv6 type { echo-reply, echo-request } \
            limit rate 2000/second \
            counter \
            accept \
            comment "Permit outbound IPv6 echo (ping) limited to 2000 PPS"

        ## Permit all other outbound IPv6 ICMP
        meta l4proto { icmpv6 } \
            counter \
            accept \
            comment "Permit all other IPv6 ICMP"

        ## Permit outbound traceroute UDP ports but limit to 500 PPS
        udp dport 33434-33524 \
            limit rate 500/second \
            counter \
            accept \
            comment "Permit outbound UDP traceroute limited to 500 PPS"

        ## Allow outbound HTTP and HTTPS connections
        tcp dport { http, https } ct state new \
            counter \
            accept \
            comment "Permit outbound HTTP and HTTPS connections"

        ## Permit outbound DNS requests
        meta l4proto { tcp, udp } th dport 53 \
            counter \
            accept \
            comment "Permit outbound TCP and UDP DNS requests"

        ## Allow outbound NTP requests
        udp dport 123 \
            counter \
            accept \
            comment "Permit outbound NTP requests"

        # Extra counter ahead of the log rule, for monitoring (counts everything about to be dropped)
        counter comment "計數即將丟棄的流量"

        ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
        ## The default policy will be applied to unmatched traffic
        limit rate 60/minute burst 100 packets \
            log prefix "OUT - Drop: " \
            comment "Log any unmatched traffic"

        ## Count the unmatched traffic
        counter \
            comment "Count any unmatched traffic"
    }
}

# Added after the main table
table inet nat {
    # Empty: no DNAT rules here, so container port publishing is not handled by this file.
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # NAT for Docker networks: masquerade container sources leaving via a non-Docker interface
        ip saddr $DOCKER_SUBNETS oifname != { "docker0", "br-*" } masquerade comment "Docker 容器 NAT"
    }
}

2025-04-09 · 7 min · 1434 words · Me

nftables template + docker

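#!/usr/sbin/nft -f
# From https://wiki.gbe0.com/en/linux/firewalling-and-filtering/nftables/template-inbound-outbound
#
# Host firewall for a Docker host: inet filter table with forward / input / output
# chains, all default-drop. No nat table is defined in this revision.

## Clear/flush all existing rules
# NOTE(review): this also removes any tables installed by other tooling (e.g. the
# Docker daemon), and nothing below re-creates them — confirm published container
# ports still work after loading.
flush ruleset

# Main inet family filtering table
table inet filter {
    # Rules for forwarded traffic
    chain forward {
        type filter hook forward priority 0; policy drop

        # Allow forwarding for Docker container networks
        # Forward from the Docker bridges to anywhere.
        # NOTE(review): no source-address check — any address arriving on docker0 / br-*
        # is forwarded. Part 2 of this template adds an `ip saddr` match on these rules.
        iifname "docker0" counter accept comment "允許來自 Docker 的轉發流量"
        iifname "br-*" counter accept comment "允許來自 Docker 網橋的轉發流量"

        # Allow reply traffic of established connections back to the Docker bridges
        oifname { "docker0", "br-*" } ct state established,related counter accept comment "允許返回 Docker 的回應流量"

        # Forwarded DNS. Not restricted to the Docker bridges: matches on any interface pair.
        meta l4proto { tcp, udp } th dport 53 counter accept comment "允許 DNS 查詢轉發"

        ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
        ## The default policy will be applied to unmatched traffic
        limit rate 60/minute burst 100 packets \
            log prefix "Forward - Drop: " \
            comment "Log any unmatched traffic"

        ## Count the unmatched traffic
        counter \
            comment "Count any unmatched traffic"
    }

    # Rules for input traffic
    chain input {
        type filter hook input priority 0; policy drop

        ## Permit inbound traffic to loopback interface
        iif lo \
            accept \
            comment "Permit all traffic in from loopback interface"

        # Allow connections from the Docker networks to the host.
        # No port match: every host-listening service is reachable from a container.
        # (The original carried a second, identical copy of this rule directly below it;
        # it could never match after this accept and has been removed.)
        iifname { "docker0", "br-*" } counter accept comment "允許來自 Docker 網路的流量"

        # Defences against common scan techniques
        # TCP segment with none of fin/syn/rst/ack set ("null" packet)
        tcp flags & (fin|syn|rst|ack) == 0 counter drop comment "空封包丟棄"

        ## Permit established and related connections
        ct state established,related \
            counter \
            accept \
            comment "Permit established/related connections"

        ## Log and drop new TCP non-SYN packets
        tcp flags != syn ct state new \
            limit rate 100/minute burst 150 packets \
            log prefix "IN - New !SYN: " \
            comment "Rate limit logging for new connections that do not have the SYN TCP flag set"
        tcp flags != syn ct state new \
            counter \
            drop \
            comment "Drop new connections that do not have the SYN TCP flag set"

        ## Log and drop TCP packets with invalid fin/syn flag set
        tcp flags & (fin|syn) == (fin|syn) \
            limit rate 100/minute burst 150 packets \
            log prefix "IN - TCP FIN|SIN: " \
            comment "Rate limit logging for TCP packets with invalid fin/syn flag set"
        tcp flags & (fin|syn) == (fin|syn) \
            counter \
            drop \
            comment "Drop TCP packets with invalid fin/syn flag set"

        ## Log and drop TCP packets with invalid syn/rst flag set
        tcp flags & (syn|rst) == (syn|rst) \
            limit rate 100/minute burst 150 packets \
            log prefix "IN - TCP SYN|RST: " \
            comment "Rate limit logging for TCP packets with invalid syn/rst flag set"
        tcp flags & (syn|rst) == (syn|rst) \
            counter \
            drop \
            comment "Drop TCP packets with invalid syn/rst flag set"

        ## Log and drop invalid TCP flags
        tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
            limit rate 100/minute burst 150 packets \
            log prefix "IN - FIN:" \
            comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) < (fin)"
        tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
            counter \
            drop \
            comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) < (fin)"

        ## Log and drop invalid TCP flags
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
            limit rate 100/minute burst 150 packets \
            log prefix "IN - FIN|PSH|URG:" \
            comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
            counter \
            drop \
            comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"

        ## Drop traffic with invalid connection state
        ct state invalid \
            limit rate 100/minute burst 150 packets \
            log flags all prefix "IN - Invalid: " \
            comment "Rate limit logging for traffic with invalid connection state"
        ct state invalid \
            counter \
            drop \
            comment "Drop traffic with invalid connection state"

        ## Permit IPv4 ping/ping responses but rate limit to 2000 PPS
        ip protocol icmp icmp type { echo-reply, echo-request } \
            limit rate 2000/second \
            counter \
            accept \
            comment "Permit inbound IPv4 echo (ping) limited to 2000 PPS"

        ## Permit all other inbound IPv4 ICMP
        ip protocol icmp \
            counter \
            accept \
            comment "Permit all other IPv4 ICMP"

        ## Permit IPv6 ping/ping responses but rate limit to 2000 PPS
        icmpv6 type { echo-reply, echo-request } \
            limit rate 2000/second \
            counter \
            accept \
            comment "Permit inbound IPv6 echo (ping) limited to 2000 PPS"

        ## Permit all other inbound IPv6 ICMP
        meta l4proto { icmpv6 } \
            counter \
            accept \
            comment "Permit all other IPv6 ICMP"

        ## Permit inbound traceroute UDP ports but limit to 500 PPS
        udp dport 33434-33524 \
            limit rate 500/second \
            counter \
            accept \
            comment "Permit inbound UDP traceroute limited to 500 PPS"

        ## Permit inbound SSH
        tcp dport ssh ct state new \
            counter \
            accept \
            comment "Permit inbound SSH connections"

        ## Permit inbound HTTP and HTTPS
        tcp dport { http, https } ct state new \
            counter \
            accept \
            comment "Permit inbound HTTP and HTTPS connections"

        ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
        ## The default policy will be applied to unmatched traffic
        limit rate 60/minute burst 100 packets \
            log prefix "IN - Drop: " \
            comment "Log any unmatched traffic"

        ## Count the unmatched traffic
        counter \
            comment "Count any unmatched traffic"
    }

    # Rules for output traffic
    chain output {
        type filter hook output priority 0; policy drop

        ## Permit outbound traffic to loopback interface
        oif lo \
            accept \
            comment "Permit all traffic out to loopback interface"

        # Allow Docker-related output traffic (host -> container bridges)
        oifname { "docker0", "br-*" } counter accept comment "允許 Docker 網路輸出"

        ## Permit established and related connections
        ct state established,related \
            counter \
            accept \
            comment "Permit established/related connections"

        ## Drop traffic with invalid connection state
        ct state invalid \
            limit rate 100/minute burst 150 packets \
            log flags all prefix "OUT - Invalid: " \
            comment "Rate limit logging for traffic with invalid connection state"
        ct state invalid \
            counter \
            drop \
            comment "Drop traffic with invalid connection state"

        ## Permit IPv4 ping/ping responses but rate limit to 2000 PPS
        ip protocol icmp icmp type { echo-reply, echo-request } \
            limit rate 2000/second \
            counter \
            accept \
            comment "Permit outbound IPv4 echo (ping) limited to 2000 PPS"

        ## Permit all other outbound IPv4 ICMP
        ip protocol icmp \
            counter \
            accept \
            comment "Permit all other IPv4 ICMP"

        ## Permit IPv6 ping/ping responses but rate limit to 2000 PPS
        icmpv6 type { echo-reply, echo-request } \
            limit rate 2000/second \
            counter \
            accept \
            comment "Permit outbound IPv6 echo (ping) limited to 2000 PPS"

        ## Permit all other outbound IPv6 ICMP
        meta l4proto { icmpv6 } \
            counter \
            accept \
            comment "Permit all other IPv6 ICMP"

        ## Permit outbound traceroute UDP ports but limit to 500 PPS
        udp dport 33434-33524 \
            limit rate 500/second \
            counter \
            accept \
            comment "Permit outbound UDP traceroute limited to 500 PPS"

        ## Allow outbound HTTP and HTTPS connections
        tcp dport { http, https } ct state new \
            counter \
            accept \
            comment "Permit outbound HTTP and HTTPS connections"

        ## Permit outbound DNS requests
        meta l4proto { tcp, udp } th dport 53 \
            counter \
            accept \
            comment "Permit outbound TCP and UDP DNS requests"

        ## Allow outbound NTP requests
        udp dport 123 \
            counter \
            accept \
            comment "Permit outbound NTP requests"

        # Extra counter ahead of the log rule, for monitoring (counts everything about to be dropped)
        counter comment "計數即將丟棄的流量"

        ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
        ## The default policy will be applied to unmatched traffic
        limit rate 60/minute burst 100 packets \
            log prefix "OUT - Drop: " \
            comment "Log any unmatched traffic"

        ## Count the unmatched traffic
        counter \
            comment "Count any unmatched traffic"
    }
}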

2025-03-31 · 7 min · 1279 words · Me

laravel schedule cron docker dockerfile docker-compose

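cron php laravel UI Boostrap jetstream docker-compose laravel_docker

dokcer-compose.yml
# Scheduler service: its own image, same backend checkout mounted as the app service.
cron:
  build: ./infra/docker/cron
  env_file: ./env.mariadb.local.env
  stop_signal: SIGTERM
  depends_on:
    - app
  volumes:
    - ./backend:/work/backend

Dockerfile
# NOTE(review): fixed php/Debian tag — rebuilds will not pick up base-image updates
# until the tag itself is bumped.
FROM php:8.0.11-fpm-buster
LABEL maintainer="ucan-lab <yes@u-can.pro>"

#SHELL ["/bin/bash", "-oeux", "pipefail", "-c"]

# timezone environment
ENV TZ=Asia/Taipei \
  # locale
  LANG=en_US.UTF-8 \
  LANGUAGE=en_US:UTF-8 \
  LC_ALL=en_US.UTF-8 \
  # Laravel environment
  APP_SERVICES_CACHE=/tmp/cache/services.php \
  APP_PACKAGES_CACHE=/tmp/cache/packages.php \
  APP_CONFIG_CACHE=/tmp/cache/config.php \
  APP_ROUTES_CACHE=/tmp/cache/routes.php \
  APP_EVENTS_CACHE=/tmp/cache/events.php \
  VIEW_COMPILED_PATH=/tmp/cache/views \
  # SESSION_DRIVER=cookie \
  LOG_CHANNEL=stderr \
  DB_CONNECTION=mysql \
  DB_PORT=3306

# Update, install and clean in ONE layer. A separate `apt-get update` layer is cached on
# its own, so later installs can run against a stale package index; cleaning the lists in
# a later layer also does not shrink the image, because the earlier layer still holds them.
RUN apt-get update \
 && apt-get -y install locales libicu-dev libzip-dev htop cron nano \
 && apt-get -y install default-mysql-client \
 && apt-get clean && rm -rf /var/lib/apt/lists/*
RUN locale-gen en_US.UTF-8 && localedef -f UTF-8 -i en_US en_US.UTF-8
RUN docker-php-ext-install intl pdo_mysql zip bcmath exif

# Custom
RUN mkdir -p /tmp/cache
WORKDIR /work/backend

# Very important: freeze the environment into /etc/environment so cron jobs see it.
# NOTE(review): this runs at build time, so it captures only the ENV block above —
# values supplied at runtime through the compose env_file are not written here;
# confirm the scheduled artisan jobs do not depend on them.
RUN printenv > /etc/environment

# Route the scheduler log to PID 1's stdout, i.e. the container log
RUN ln -sf /proc/1/fd/1 /var/log/laravel-scheduler.log

#ADD crontab /var/spool/cron/crontabs/root
#RUN chown root:crontab /var/spool/cron/crontabs/root
#RUN chmod 0600 /var/spool/cron/crontabs/root
#RUN crontab -l | { cat; echo "* * * * * . /usr/local/bin/php /work/backend/artisan config:cache && php artisan schedule:run >> /var/log/cron.log 2>&1"; } | crontab -
#RUN crontab -l | { cat; echo "* * * * * date >> /var/log/cron.log"; } | crontab -
#RUN crontab -l | { cat; echo "* * * * * echo hello > /proc/1/fd/1 2>/proc/1/fd/2"; } | crontab -

# Install the crontab file as the current (root) user's crontab
COPY crontab /etc/cron.d/crontab
RUN chmod 0644 /etc/cron.d/crontab
RUN crontab /etc/cron.d/crontab

# Warm the Laravel config cache, then run cron in the foreground as PID 1's child
CMD bash -c "/usr/local/bin/php /work/backend/artisan config:cache && cron -f"

cron ...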

2022-02-07 · 2 min · 361 words · Me

aws ecr new account docker push policy

1. IAM -> Users -> New User -> Demo_ECR. Add permissions policies (新增許可):
   a. Attach an existing policy directly (直接連接現有政策): AmazonEC2ContainerRegistryPowerUser — note that this managed policy grants push/pull on every ECR repository in the account, not just demo.
   b. Or create your own policy -> Demo_ECR (can be scoped to a single repository): https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam-awsmanpol.html
2. Install the AWS CLI tools on Windows: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-windows.html
3. Amazon ECR -> Repositories -> Private -> Create repository; enter the name demo. Keep the repository URI ooxxooxxooxxooxx.dkr.ecr.ap-northeast-1.amazonaws.com/demo and save it.
4. AWS CLI login from PowerShell on Windows: run aws configure. Go back to IAM, open Demo_ECR -> 安全登入資料 (Security credentials) -> 建立存取金鑰 (Create access key), then copy the new Access Key ID and AWS Secret Access Key ...

2021-09-30 · 1 min · 209 words · Me