Best Practices for Running MariaDB and Flask in Docker Containers

Asked By CuriousCoder92 On

I'm setting up a simple project with a Flask web server and a MariaDB container, and I want to make sure I'm following best practices. Here are some things I'm trying to figure out:

1. For SSL termination, would it be best to use an NGINX reverse proxy in front of my application?
2. I need to ensure I can access the MariaDB instance to update information, but exposing the port to the internet seems unwise. What's a good way to handle this? I'm considering using iptables to allow specific hosts access, but I also thought about using a WireGuard container — though that seems more complex.
3. Regarding Adminer, should I keep it running all the time or just spin it up when necessary?
4. For the MariaDB setup, besides setting proper user permissions, is there anything else I should consider?

1 Answer

Answered By TechSavvy84 On

Let’s tackle your questions one at a time:

1. For SSL termination, I'd skip NGINX; consider using Caddy instead. It handles automatic HTTPS and renewal with minimal configuration, making life easier.

2. Definitely don’t expose port 3306 of MariaDB to the outside. A WireGuard container would give you secure access without risking exposure, but if that's too much, you could also use SSH tunneling.

3. It's best not to leave Adminer open all the time. Bring it up only when you need it or secure it behind basic auth and an IP whitelist to avoid brute-force attacks.

4. On the MariaDB side, enable binary logging for recovery purposes, use named volumes for data, and set the innodb_buffer_pool_size to about 70% of your container's memory for better performance.

Also, ensure your firewall rules apply correctly, as Docker can manipulate iptables directly.

DataDude101 -

Thanks for the detailed breakdown! Just to clarify, I'm getting these containers from a hosting provider and won't have complete control over the host. I'll definitely check out Caddy. For MariaDB, I need to continuously sync data, so how about using iptables to restrict access in that case?
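The answer's points combined into one Compose file, as an added example that is not from the thread or its participants. Service names, image tags, paths, the 1 GB memory limit and the Flask port are assumptions; it also assumes SSH access to the Docker host for the tunnel.

```yaml
# Added example: names, tags, paths and sizes are assumptions, not from the thread.
services:
  caddy:
    image: caddy:2
    ports:                        # the only ports published to the internet
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro   # site block with: reverse_proxy web:8000
      - caddy_data:/data          # issued certificates survive restarts
    networks: [frontend]

  web:
    build: ./app                  # hypothetical Flask image listening on 8000
    networks: [frontend, backend] # no published port; reached only through caddy

  db:
    image: mariadb:11
    mem_limit: 1g
    command:
      - --log-bin=mariadb-bin             # binary logging for recovery
      - --innodb-buffer-pool-size=700M    # about 70% of mem_limit
    environment:
      MARIADB_ROOT_PASSWORD_FILE: /run/secrets/db_root
    secrets: [db_root]
    volumes:
      - db_data:/var/lib/mysql    # named volume, not a bind mount
    ports:
      # Weak form would be "3306:3306" (all interfaces). Loopback only instead;
      # reach it with: ssh -L 3306:127.0.0.1:3306 user@docker-host
      - "127.0.0.1:3306:3306"
    networks: [backend]

  adminer:
    image: adminer
    profiles: [admin]             # skipped by a plain "docker compose up"
    ports:
      - "127.0.0.1:8080:8080"     # also tunnel-only
    networks: [backend]

networks:
  frontend:
  backend:
volumes:
  caddy_data:
  db_data:
secrets:
  db_root:
    file: ./secrets/db_root.txt   # keep out of version control
```

Adminer starts only on request with `docker compose --profile admin up -d adminer`. The loopback bindings matter because Docker installs its own iptables rules for published ports, so a host firewall rule on the INPUT chain alone may not block a port published on all interfaces.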
