Setup information:
My current docker setup consists of the following containers:
- proxy and load balanceing server (HAproxy)
- http server (apache)
- multiple websocket servers (ratchet php)
- database server (mariadb)
In my docker-compose.yml file I created two networks an Internal and an external network (the internal network has the internal flag set to true).
Only the proxy server container is assigned the external network and port 80 and 443 are exposed, any request on port 80 is redirected to 443 through the proxy server.
The proxy server also handles the ssl connections and the connections between the proxy, http and websocket servers are not encrypted.
Assumptions:
To encrypt the connection within the docker network e.g. between the proxy and the websocket and http servers, I could use a self signed certificate.
I suppose that this would however cost performance.
As far as I know this would stop a compromised http server from reading the ws messages.
Question:
Does it make sense to encrypt connections within the docker network to improve security ?
