Running a secure file uploading web app in a Docker container
Running a secure file uploading web app in a Docker container not only lets you scale its functionality vertically, it is also a way to make it more secure. How so? Well, in the worst-case scenario, the web app fails and a malicious file is stored, infecting or compromising the system. In this unfortunate event, it is better to have only one isolated container infected or compromised rather than the whole system, isn't it?
I am going to make some changes in https://github.com/immontilla/file-uploading-web-app to create a Docker image using the Spotify Dockerfile Maven Plugin.
Update: The information published here is still valid, but there is a better way to build, and especially to maintain, a Docker image.
Steps
1.- Upgrade Spring Boot to 1.5.8.
    <version>1.5.8.RELEASE</version>
2.- Upgrade jQuery, Twitter Bootstrap, Google Guava and Apache Commons IO to their most recent versions.
    <jquery.version>3.2.1</jquery.version>
    <guava.version>23.0</guava.version>
    <commonsio.version>2.6</commonsio.version>
3.- Add Spotify's Dockerfile Maven Plugin 1.3.6.
    <docker.image.prefix>???</docker.image.prefix>
Replace ??? with a valid value before building.
    <plugin>
      <groupId>com.spotify</groupId>
      <artifactId>dockerfile-maven-plugin</artifactId>
      <version>1.3.6</version>
      <configuration>
        <repository>${docker.image.prefix}/${project.artifactId}</repository>
        <buildArgs>
          <JAR_FILE>target/${project.build.finalName}.jar</JAR_FILE>
        </buildArgs>
      </configuration>
    </plugin>
4.- Create a Dockerfile.
    FROM openjdk:8-jdk-alpine
    # RUN executes at build time; CMD would only be passed as arguments to the ENTRYPOINT
    # application.properties file.path property
    RUN mkdir -p /tmp/safe
    # application.properties temp.path property
    RUN mkdir -p /tmp/unsafe
    VOLUME /tmp
    ARG JAR_FILE
    ADD ${JAR_FILE} app.jar
    ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
5.- If ClamAV is running in a Docker container, it has to be added to the Docker host network. Why? Because that makes the ClamAV server available as localhost (the clam.av.server.host property in application.properties).
    docker run -itd --name avserver --net=host -p 3310:3310 mkodockx/docker-clamav
If it is already running, just add it to the Docker host network. Check the container's name by running docker ps if you need to.
    docker network connect host <container_name>
6.- To build the Docker image, run
    mvn clean install dockerfile:build
Finally, run the secure-upload Docker image. It has to be connected to the Docker host network.
    docker run -itd --name=secure_upload --net=host -p 8090:8090 ???/secure-upload
You need to replace ??? with the value you set in Step 3.
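A hardened variant of the Dockerfile from step 4, added here as an example and not taken from the original project: it runs the JVM as an unprivileged account, so a malicious upload that compromises the app does not get root inside the container. The user and group name `upload` is an assumption made for this example.

```dockerfile
FROM openjdk:8-jdk-alpine

# Hypothetical unprivileged account (BusyBox tools on Alpine; -S = system account)
RUN addgroup -S upload && adduser -S -G upload upload

# Create the upload directories at build time, before VOLUME is declared,
# so they are part of the image and owned by the application user.
#   /tmp/safe   -> application.properties file.path property
#   /tmp/unsafe -> application.properties temp.path property
RUN mkdir -p /tmp/safe /tmp/unsafe \
 && chown -R upload:upload /tmp/safe /tmp/unsafe

VOLUME /tmp

ARG JAR_FILE
# COPY is enough for a local jar; the file stays root-owned, so the
# running process can read it but cannot replace it.
COPY ${JAR_FILE} /app.jar

# Everything from here on, including the ENTRYPOINT, runs as "upload"
USER upload

ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
```

The image builds the same way as in step 6. Because the run command above uses port 8090, which needs no privileges to bind, `--cap-drop=ALL` and `--security-opt no-new-privileges` can also be added to it.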
To see the container's log, run:
    # get <container_id>
    docker ps | awk '{print $1}'
    docker logs <container_id>
As usual, you can clone the source code by running
    git clone https://github.com/immontilla/file-uploading-web-app.git --branch docker-maven --single-branch
Also, you can pull the Docker image from Docker Hub by running
    docker pull immontilla/secure-file-uploader