Docker USER and named volume

To secure Docker, run the container as a dedicated user instead of root. Add the following lines to the Dockerfile:

RUN useradd -u 2000 wwwuser
USER wwwuser

These lines create a user with uid 2000 and switch to it for the remaining build steps and at run time.
Because a host (bind-mounted) volume is owned by root, its files and folders are read-only for wwwuser. If wwwuser needs to write to the volume, create a named volume owned by that uid instead:

docker volume create --driver local --opt type=tmpfs --opt device=tmpfs  --opt o=uid=2000,gid=2000,size=2g,mode=0750 myHomeVolume

Use the following command to run the container:

docker run -d -v myHomeVolume:/home/wwwuser --name myapps <image>

To back up the data, tar all files under ‘/var/lib/docker/volumes/myHomeVolume/_data’ as root. Note that a tmpfs-backed volume lives in memory, so its contents do not survive a host reboot.

Automatically enable HTTPS on your website with EFF’s Certbot, deploying Let’s Encrypt certificates.


For Apache on Ubuntu 16.04

$ sudo apt-get install python-letsencrypt-apache 
$ sudo letsencrypt --apache

Add a cron job so the certificate is renewed automatically

$ sudo vi /etc/crontab
# renew domain certificate
00 7   * * * root letsencrypt renew
00 19  * * * root letsencrypt renew

Secure Apache2 and PHP on Ubuntu 16.04

Create /etc/apache2/sites-available/000-security.conf

$ sudo vi /etc/apache2/sites-available/000-security.conf
# Secure apache website

# Disable Trace HTTP Request
TraceEnable off

# Disable Signature
ServerSignature Off

# Disable Banner
ServerTokens Prod

# If enabled ssl (sudo a2enmod ssl)
# Use only TLS, Disable SSLv2, SSLv3
# SSLProtocol -ALL +TLSv1

# Disable Null and Weak Ciphers

# Disable Directory Listing
# (plain "Options -Indexes": mixing "all" with +/- options is invalid syntax in Apache 2.4)
Options -Indexes

# If enabled headers (sudo a2enmod headers)
# Disable x-powered by
Header always unset X-Powered-By

$ sudo a2ensite 000-security.conf

On Ubuntu 16.04 the default PHP settings are good. Make sure the following are set in php.ini:

expose_php = Off
display_errors = Off


UFW command examples

sudo ufw status
sudo ufw status verbose
sudo ufw status numbered

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow mysql

sudo ufw delete allow https

sudo ufw allow to any port 2345
sudo ufw delete allow to any port 2345

sudo ufw allow to any port 2345 proto udp
sudo ufw delete allow to any port 2345 proto udp

sudo ufw allow from to any port 2345
sudo ufw delete allow from to any port 2345

sudo ufw allow from to any port 2345
sudo ufw delete allow from to any port 2345


By default, UFW blocks IP forwarding. To enable packet forwarding, two configuration files need to be adjusted. First, in /etc/default/ufw change DEFAULT_FORWARD_POLICY to “ACCEPT”:

DEFAULT_FORWARD_POLICY="ACCEPT"

Then edit /etc/ufw/sysctl.conf and uncomment:

# for IPv6 forwarding also uncomment:

To enable IPv4 packet forwarding in the kernel, edit /etc/sysctl.conf and uncomment the following line:

# If you wish to enable IPv6 forwarding also uncomment:

Execute the sysctl command to enable the new settings in the configuration file:

sudo sysctl -p

Create my-iptables-rules:

$ sudo vi /etc/network/if-up.d/my-iptables-rules
#!/bin/sh
# marker file so the rules are only added once per boot (path is an assumption; the original omits it)
FLAG=/run/my-iptables-rules.done

if [ -f "${FLAG}" ]; then
  echo "Already set my iptables rules. Skip it."
  exit 0
fi

# sample iptables rules: NAT traffic from the LAN out through ppp0
# (<LAN_SUBNET> is a placeholder; the original omits the source network)
iptables -t nat -A POSTROUTING -s <LAN_SUBNET> -o ppp0 -j MASQUERADE

touch "${FLAG}"
exit 0

The script must be executable, or ifup will not run it:

$ sudo chmod +x /etc/network/if-up.d/my-iptables-rules


Securing Linux SSH

$ sudo vi /etc/ssh/sshd_config
# Run ssh on a non-standard port (change 2345 as you want;
# sshd_config does not allow a comment after the value on the same line)
Port 2345

# Disable protocol 1
# Protocol 2,1
Protocol 2

# Prevent root logins:
PermitRootLogin no

# Limit user logins:
AllowUsers alice bob

# Disable password authentication forcing use of keys
PasswordAuthentication no
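As an added example (not part of the original notes), a small Python checker that reads an sshd_config the way sshd does (the first value of a keyword wins, and a Match block ends the global section) and reports deviations from the settings above. The sample configs and the checker itself are constructed here; the Port check also catches a trailing comment on the same line, which sshd rejects.

```python
import re

# Expected values for the keywords hardened above (sshd keywords are case-insensitive).
EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no", "protocol": "2"}

def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # keywords after Match are conditional, not global
        settings.setdefault(key, value)  # sshd keeps the FIRST value, later duplicates lose
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config matches the guide."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly, sshd default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    port = cfg.get("port", "22")
    if not port.isdigit():
        # "Port 2345 # comment" is not a comment to sshd: it reports garbage at end of line.
        findings.append(f"port: '{port}' is not a plain number (trailing text is rejected)")
    elif port == "22":
        findings.append("port: still on the default port 22")
    if "allowusers" not in cfg:
        findings.append("allowusers: no login allow-list configured")
    return findings

# Constructed sample configs: the hardened settings above, and a default-style file.
HARDENED = ("Port 2345\nProtocol 2\nPermitRootLogin no\nAllowUsers alice bob\n"
            "PasswordAuthentication no\nMatch User alice\nPasswordAuthentication yes\n")
DEFAULT = ("Port 22\n#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n"
           "PermitRootLogin yes\nPermitRootLogin no\n")

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("default", DEFAULT)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`.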

How to generate your own private key

$ ssh-keygen -t rsa

Add custom security check for protected resources on Magento

Assume the catalog must be restricted to registered (logged-in) customers, and that there is also a URL ‘/secure/url’ which needs to be protected.

  1. Modify template ‘page/html/head.phtml’ and add the following code

        <?php
        // check security contents
        echo $this->getLayout()->createBlock('core/template')->setTemplate('page/html/security.phtml')->toHtml();
        ?>
  2. Create a new file ‘page/html/security.phtml’ with the following contents

        <?php
        // check security content: the catalog module and any URL under /secure/url require a logged-in customer
        if (("catalog" === Mage::app()->getRequest()->getModuleName()) || (0 === strpos(Mage::app()->getRequest()->getRequestUri(), '/secure/url'))) {
            if (!($this->helper('customer')->isLoggedIn())) { ?>
        <script type="text/javascript">
            window.location.href = "<?php echo $this->getUrl('customer/account/login')?>";
        </script>
        <?php } } ?>

Note that this redirect runs in the browser after the page has already been served, so a client that does not execute JavaScript still receives the protected HTML; treat it as a convenience and enforce the restriction server-side as well.

To print the request information while testing which module and URL a page resolves to, add:

    echo Mage::app()->getRequest()->getModuleName();
    echo "<br />";
    echo Mage::app()->getRequest()->getControllerName();
    echo "<br />";
    echo Mage::app()->getRequest()->getActionName();
    echo "<br />";
    echo Mage::app()->getRequest()->getRequestUri();
    echo "<br />";