Open Energy in Production
The Open Energy Playground is great for getting started quickly with prototyping and experimenting.
But it is also made to be used out in the real world, which is sometimes also called production.
This page is a collection of thoughts and recommendations regarding Open Energy in production. Though we try to keep the list updated, it should not be regarded as a complete list of everything you need to do to secure your production environment.
This page is targeted at more experienced developers and power users, and assumes that you have the playground running on a Linux server.
Port exposure
By default, the playground publishes a number of ports to the wild dangerous internet. This should be reconfigured so that the containers can still reach each other, but they cannot be reached from the outside.
To do this, in docker-compose.yml, change ports to expose for every port that does not need to be reachable from outside the host. For example, you probably do not want to publish the InfluxDB web admin port. Change it from:
  ports:
    - "8083:8083"
To:
  expose:
    - 8083
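To check a compose file for ports that are still published on the host, here is a small audit script added as an example (not part of the playground). It assumes the ports: list uses the "host:container" or "ip:host:container" forms shown above, and runs over a constructed sample file embedded below.

```python
import re

# One list entry under ports:, e.g. - "8083:8083" or - '127.0.0.1:8086:8086'
PORT_RE = re.compile(
    r'^-\s*[\'"]?(?:(?P<ip>[\d.]+):)?(?P<host>\d+):(?P<cont>\d+)(?:/(?:tcp|udp))?[\'"]?$')

# Constructed sample compose file (not the project's own docker-compose.yml)
SAMPLE_COMPOSE = """\
services:
  influxdb:
    image: influxdb
    ports:
      - "8083:8083"
      - "127.0.0.1:8086:8086"
  grafana:
    image: grafana/grafana
    expose:
      - 3000
  nginx:
    image: jwilder/nginx-proxy
    ports:
      - '80:80'
      - '443:443'
"""

def audit_published_ports(compose_text):
    """Return (service, bind_ip, host_port, container_port) for every entry under a
    ports: key. Entries under expose: are ignored, since they stay internal.
    bind_ip is '0.0.0.0' when no address is given (published on all interfaces).
    Works for both v1 (services at top level) and v2+ (under services:) layouts."""
    findings, service, service_indent = [], None, 0
    expect_service_indent, in_ports, ports_indent = False, False, 0
    for raw in compose_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        indent, line = len(raw) - len(raw.lstrip()), raw.strip()
        if in_ports:
            if line.startswith('-') and indent >= ports_indent:
                m = PORT_RE.match(line)
                if m:
                    findings.append((service, m.group('ip') or '0.0.0.0',
                                     int(m.group('host')), int(m.group('cont'))))
                continue
            in_ports = False  # the ports: list ended, fall through
        if line == 'services:' and indent == 0:
            expect_service_indent = True
            continue
        if line.endswith(':'):
            if expect_service_indent:
                service_indent, expect_service_indent = indent, False
            if indent == service_indent:
                service = line[:-1]
            elif line == 'ports:':
                in_ports, ports_indent = True, indent
    return findings

def unsafe_exposures(compose_text):
    """Only the published ports not bound to loopback, i.e. reachable from outside."""
    return [f for f in audit_published_ports(compose_text) if not f[1].startswith('127.')]
```

Anything reported by unsafe_exposures() that is not your reverse proxy on 80/443 is a candidate for moving from ports to expose.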
Enabling authentication
InfluxDB
InfluxDB has authentication turned off by default. Either stop exposing the port and only access it from behind a firewall, or enable authentication.
The InfluxDB documentation describes how: Set up authentication
If you have a service accessing InfluxDB directly, consider creating a read-only user for it.
Grafana
Make sure to change the login credentials for the admin user.
Also disable user sign-up with:
  environment:
    - GF_USERS_ALLOW_SIGN_UP=false
Node-RED
Don't forget to secure Node-RED, as it gives direct code execution privileges to anyone who can reach the editor.
http://nodered.org/docs/security
Load Balancing & SSL
You can easily add load balancing and SSL termination by running the nginx-proxy container: https://github.com/jwilder/nginx-proxy.
To combine it with free SSL certificates from Let's Encrypt, use this companion container: https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion.
Example configuration for running Grafana on hostname.com, with load balancing and SSL termination by nginx and automatic certificates from Let's Encrypt:
letsencrypt:
  image: 'jrcs/letsencrypt-nginx-proxy-companion'
  restart: always
  volumes_from:
    - nginx
  volumes:
    - /certs:/etc/nginx/certs:rw
    - /var/run/docker.sock:/var/run/docker.sock:ro
nginx:
  image: jwilder/nginx-proxy
  restart: always
  ports:
    - '80:80'
    - '443:443'
  volumes:
    - '/certs:/etc/nginx/certs:ro'
    - '/etc/nginx/vhost.d'
    - '/usr/share/nginx/html'
    - '/var/run/docker.sock:/tmp/docker.sock:ro'
grafana:
  image: grafana/grafana
  volumes:
    - ./data/grafana:/var/lib/grafana
  expose:
    - 3000
  restart: always
  environment:
    - VIRTUAL_HOST=hostname.com
    - LETSENCRYPT_HOST=hostname.com
    - LETSENCRYPT_EMAIL=my@email.com