Open Energy in Production

The Open Energy Playground is great for getting started quickly with prototyping and experimenting.

But it is also made to be used out in the real world, which is sometimes called production.

This page is a collection of thoughts and recommendations regarding Open Energy in production. Though we try to keep the list updated, it should not be regarded as a complete list of everything you need to do to secure your production environment.

This page is targeted at more experienced developers and power users, and assumes that you have the playground running on a Linux server.

Port exposure

By default, the playground exposes a number of ports to the wild, dangerous internet. Reconfigure this so that the containers can still reach each other, but cannot be reached from the outside.

To do this, change the ports directive to expose in docker-compose.yml. For example, you might not want to expose the InfluxDB web admin port. Change it from:

ports:
    - "8083:8083"

To:

expose:
    - 8083
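To check a compose file for ports that are still published to every interface, and to produce the expose-only form described above, here is an added audit script (not part of the playground). It works on the compose file already loaded into a dict (for example with PyYAML); the SAMPLE below is a constructed stand-in, not the playground's real docker-compose.yml.

```python
import copy

# Values Docker treats as "bind the host port on every interface".
ALL_INTERFACES = {None, "", "0.0.0.0", "::"}

def parse_port_mapping(mapping):
    """Parse compose short syntax [[IP:]HOST_PORT:]CONTAINER_PORT[/PROTO]
    into (bind_ip, host_port, container_port, proto). bind_ip None means
    Docker will bind on every interface; host_port None means ephemeral."""
    text = str(mapping)                    # YAML yields an int for "- 8083"
    text, _, proto = text.partition("/")
    ip = None
    if text.startswith("["):               # bracketed IPv6, e.g. [::1]:80:80
        close = text.index("]")
        ip, text = text[1:close], text[close + 2:]
    parts = text.split(":")
    if len(parts) >= 3:                    # IP:HOST_PORT:CONTAINER_PORT
        ip, parts = ":".join(parts[:-2]), parts[-2:]
    host = parts[0] if len(parts) == 2 else None
    return ip, host, parts[-1], proto or "tcp"

def is_publicly_reachable(mapping):
    """True when the host port is bound on all interfaces (Docker's default)."""
    return parse_port_mapping(mapping)[0] in ALL_INTERFACES

def audit(compose):
    """List (service, mapping) for every port published to the outside."""
    return [(name, str(m)) for name, svc in compose.items()
            for m in svc.get("ports", []) if is_publicly_reachable(m)]

def harden(compose):
    """Return a copy where public 'ports' entries become 'expose' entries
    (container port only), so other containers can still reach them."""
    hardened = copy.deepcopy(compose)
    for service in hardened.values():
        keep = []
        for mapping in service.pop("ports", []):
            if not is_publicly_reachable(mapping):
                keep.append(mapping)       # loopback-bound ports stay as-is
                continue
            container = parse_port_mapping(mapping)[2]
            expose = service.setdefault("expose", [])
            if container not in expose:
                expose.append(container)
        if keep:
            service["ports"] = keep
    return hardened

# Constructed sample compose mapping (service name -> definition).
SAMPLE = {
    "influxdb": {"image": "influxdb", "ports": ["8083:8083", "127.0.0.1:8086:8086"]},
    "grafana": {"image": "grafana/grafana", "ports": [3000]},
    "nodered": {"image": "nodered/node-red-docker", "expose": ["1880"]},
}
```

Run audit() over the loaded compose file on the server; anything it lists is reachable from outside regardless of host firewall rules, because Docker publishes the port itself.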

Enabling authentication

InfluxDB

InfluxDB has authentication turned off by default. Either stop exposing the port and only access it from behind a firewall, or enable authentication.

Like this: Set up authentication

If you have a service accessing InfluxDB directly, consider creating a read-only user for it.

Grafana

Make sure to change the admin login credentials.

And disable user signup with:

environment:
    - GF_USERS_ALLOW_SIGN_UP=false

Node-RED

Don't forget to secure Node-RED, as it gives anyone who can reach it the ability to execute code directly.

http://nodered.org/docs/security

Load Balancing & SSL

You can easily add load balancing and SSL termination by running the nginx-proxy container: https://github.com/jwilder/nginx-proxy.

To combine it with free SSL certificates from Let's Encrypt, use the companion container: https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion.

Example configuration for running Grafana on hostname.com, with load balancing and SSL termination by nginx and automatic certificates from Let's Encrypt:

letsencrypt:
  image: 'jrcs/letsencrypt-nginx-proxy-companion'
  restart: always
  volumes_from:
    - nginx
  volumes:
    - /certs:/etc/nginx/certs:rw
    - /var/run/docker.sock:/var/run/docker.sock:ro
nginx:
  image: jwilder/nginx-proxy
  restart: always
  ports:
    - '80:80'
    - '443:443'
  volumes:
    - '/certs:/etc/nginx/certs:ro'
    - '/etc/nginx/vhost.d'
    - '/usr/share/nginx/html'
    - '/var/run/docker.sock:/tmp/docker.sock:ro'
grafana:
  image: grafana/grafana
  volumes:
    - ./data/grafana:/var/lib/grafana
  expose:
    - 3000
  restart: always
  environment:
    - VIRTUAL_HOST=hostname.com
    - LETSENCRYPT_HOST=hostname.com
    - LETSENCRYPT_EMAIL=my@email.com