Securely Hosting Multiple Services with Docker, UFW, and Nginx Proxy Manager


In today’s digital landscape, hosting services publicly while keeping security tight is a challenge I’m passionate about overcoming. In this post, I’ll share how I built a secure, multi-service hosting environment on a VPS using Docker, UFW (Uncomplicated Firewall), and Nginx Proxy Manager. This setup not only demonstrates my sysadmin and cloud deployment skills but also underscores my commitment to cybersecurity best practices.

Overview of the Setup

The project was designed with security as a top priority. I started by renting a VPS and then implemented a series of security measures and best practices:

  • Firewall Hardening: Configured UFW to block all incoming connections except for essential ones (SSH on port 22 and HTTPS on port 443).
  • SSH Security: Secured SSH access by disabling root login, turning off password authentication, and enabling public key authentication.
  • Brute-force Protection: Installed Fail2ban to mitigate brute-force attacks.
  • Containerization: Deployed Docker to host multiple services on isolated networks.
  • Reverse Proxy: Configured Nginx Proxy Manager to manage incoming traffic and route it to internal services.
  • Monitoring & Alerts: Set up a local Netdata service connected to a Discord webhook to alert me of any abnormal sensor readings on the VPS.
  • Cloudflare Integration: Utilized Cloudflare’s proxy option to protect the VPS’s real IP from DDoS attacks.
  • Secure Internal Management: Employed an SSH SOCKS5 proxy to securely manage internal services.

Securing the VPS

Firewall Configuration with UFW

After setting up the VPS, I installed UFW and configured it to block all incoming traffic by default. The only exceptions were:

  • SSH (port 22): Essential for remote management.
  • HTTPS (port 443): Necessary for secure web traffic handled by the Nginx Proxy Manager.

Hardened SSH Access

To further secure the VPS:

  • Disabled Root Login: Prevents direct root access over SSH.
  • Disabled Password Authentication: Enforces the use of public key authentication.
  • Installed Fail2ban: Monitors logs and bans IPs that exhibit brute-force attack behavior.

Deploying Docker Services with Isolation

With the server secured, I moved on to Docker. My goal was to host multiple services (e.g., WordPress, Nextcloud, Laravel) while keeping them isolated and secure.

Key Docker Practices:

  • No Exposed Ports: I avoided publishing container ports directly to the internet. Docker inserts its own iptables rules ahead of UFW’s, so a published port is reachable even when UFW denies it; avoiding published ports was therefore a critical step.
  • Isolated Networks: Services were attached to a dedicated, shared Docker network subnet rather than the default bridge (e.g., 172.18.0.7/16 for the Nginx Proxy Manager container).
  • Inter-Container Communication: Services communicated using Docker hostnames and internal ports.
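The three practices above in one docker-compose.yml, added here as an example (not the original post's configuration): only the proxy publishes a port, the application is reachable solely over the shared network by its service hostname, and the weak variant is shown commented out beside the corrected one. Service names, image tags, the network name and the credentials are assumptions or placeholders.

```yaml
# Added example, not from the original post. Names, tags and credentials are placeholders.

networks:
  proxy_net:                 # user-defined bridge; containers resolve each other by service name
    driver: bridge

volumes:
  npm_data:
  npm_letsencrypt:
  db_data:

services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    restart: unless-stopped
    ports:
      - "443:443"            # the ONLY published port on the host; matches the UFW allow rule
      # 80 is deliberately not published (UFW allows only 22 and 443); use a DNS
      # challenge for certificates rather than HTTP-01, which needs port 80.
      # 81 (NPM admin UI) is not published either; reach it through the SSH SOCKS
      # proxy at the container's internal IP.
    volumes:
      - npm_data:/data
      - npm_letsencrypt:/etc/letsencrypt
    networks: [proxy_net]

  wordpress:
    image: wordpress:latest
    restart: unless-stopped
    # WEAK (do not do this): publishing a port makes Docker insert its own
    # iptables rules ahead of UFW, so the site answers from the internet even
    # though "ufw default deny incoming" is set:
    # ports:
    #   - "8080:80"
    # CORRECT: no ports: block. NPM proxy host khaled.qasimfiles.uk -> http://wordpress:80
    # (the same pattern serves the Laravel container, reached as http://laravel:32772)
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_NAME: wp
      WORDPRESS_DB_USER: wp
      WORDPRESS_DB_PASSWORD: change-me     # placeholder
    networks: [proxy_net]

  db:
    image: mariadb:11
    restart: unless-stopped
    environment:
      MARIADB_DATABASE: wp
      MARIADB_USER: wp
      MARIADB_PASSWORD: change-me          # placeholder
      MARIADB_ROOT_PASSWORD: change-me-too # placeholder
    volumes:
      - db_data:/var/lib/mysql
    networks: [proxy_net]
```

After `docker compose up -d`, `docker ps --format '{{.Names}} {{.Ports}}'` should show a `0.0.0.0:443->443/tcp` binding for npm only; any other `0.0.0.0` binding is a port that UFW is not guarding.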

Reverse Proxy with Nginx Proxy Manager

To route traffic to the appropriate services, I used Nginx Proxy Manager. It’s a user-friendly tool that simplifies reverse proxying and automatically manages SSL certificates.

For example:

  • khaled.qasimfiles.uk → WordPress container (port 80)
  • cloud.qasimfiles.uk → Nextcloud container (port 80)
  • orekuwait.com → Laravel container (port 32772)

Cloudflare Integration for Added Security

To further enhance security, I used Cloudflare:

  • Proxy Mode: Enabled the PROXY option to hide the VPS’s real IP address, protecting against DDoS attacks.
  • SSL/TLS Encryption: Configured Cloudflare to enforce HTTPS.

Secure Maintenance with SSH Proxy

Since none of the services (other than Nginx Proxy Manager) were exposed to the public, I used an SSH proxy to access them for maintenance. This involved setting up a SOCKS5 proxy over SSH, allowing my browser to act as if it were on the VPS’s local network.

ssh -D $PORT_FOR_PROXY -C -q -N user@vps-ip

I then configured my browser to use the SOCKS5 proxy (127.0.0.1:$PORT_FOR_PROXY), enabling secure access to local services via their hostnames or IP addresses.

Conclusion

This project showcases my skills in system administration, cloud deployment, and cybersecurity. By prioritizing security at every step, I was able to host multiple services securely on a single VPS. Key takeaways include:

  • Minimizing Attack Surface: Only essential ports were exposed.
  • Isolation: Docker networks kept services separate and secure.
  • Layered Security: Combined ufw, fail2ban, SSH hardening, and Cloudflare for increased protection.
  • Ease of Management: Nginx Proxy Manager simplified reverse proxying and SSL management.

If you’re planning a similar setup, I highly recommend following these practices to ensure a secure and efficient deployment.
