Portainer News and Blog

How to correctly secure Portainer when presented on the Internet

Written by Neil Cresswell, CEO | March 1, 2022

So, you have Portainer running; you got it up pretty quickly using our standard deployment scripts, and that's neat.

But now you've decided you want to allow access to Portainer from the public internet, so you are either port forwarding the Portainer UI ports (http:9000/https:9443) from a public IP to Portainer, or you're deploying a reverse proxy, and presenting Portainer through a subdomain.

Remember, Portainer is an exceptionally privileged piece of software, and it has near root-level access to your container infrastructure, so first up, are you really sure you want to expose it to the internet directly, and not via a VPN?

Assuming you're happy to expose it, you absolutely must must must make sure the "admin" user (the one you set up when you deployed Portainer) has a seriously complicated password, as this is the most trusted account in Portainer. It should NEVER have a dictionary-based password. If this isn't the case, change the password for that account RIGHT NOW.

Next, you need to make sure you have configured our authentication system to use a suitably secure external mechanism, such as "LDAP" or "OAuth" (the latter of which supports 2FA/MFA).

Contrary to some opinions, both of these authentication sources are included in the free open-source version of Portainer. Portainer Business Edition (our premium offering) has "click to configure" convenience buttons that help you do this quicker, but the raw authentication capability is available in both versions (LDAP and Custom OAuth).

For the documentation (and examples) on how to configure LDAP authentication in Portainer CE, click here: https://docs.portainer.io/admin/settings/authentication/ldap

For the documentation (and examples) on how to configure OAuth authentication in Portainer CE, click here: https://docs.portainer.io/admin/settings/authentication/oauth

Portainer Business Edition customers, please contact us for guidance on how to configure authentication correctly.

Portainer's internal authentication system should never be used when presenting Portainer to the internet, either directly or via a reverse proxy. It is for non-production/demo purposes only. For those of you that still want to use Portainer's internal authentication AND present Portainer on the internet, PLEASE ensure you set complicated (non-dictionary) passwords for ALL of your users. Portainer helps to protect against dictionary-based brute force attacks through an authentication rate limiter, but with enough time, a dictionary word password WILL be compromised.

Portainer added support for HTTPS in mid-2021 (port 9443) and we recommend that no one uses port 9000 any longer, so please upgrade to a Portainer version that supports 9443 (or just use the most recent version of Portainer, which is currently 2.11.1).

Additionally, if you are presenting Portainer publicly on the internet, we strongly recommend network ACLs on your firewall, so you only allow access from known trusted IP addresses (or geoblock all countries where you don't need access). We wouldn't ever recommend allowing access from any (0.0.0.0/0), as this doesn't provide you any defence against "drive-by" brute force attacks.
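As an added example (not from this post or the Portainer project), here is a POSIX shell function that emits an nftables ruleset implementing the advice above: port 9443 is reachable only from a trusted allow-list, the legacy port 9000 is dropped for everyone, and an empty allow-list (which would amount to 0.0.0.0/0) is refused. The function names and the RFC 5737 documentation addresses are assumptions; the script prints the ruleset rather than applying it.

```shell
#!/bin/sh
# Constructed example: generate an nftables ruleset that restricts
# Portainer's HTTPS UI (9443) to trusted sources and blocks the old HTTP UI (9000).

# Print a ruleset to stdout. $1 is a space-separated list of IPv4 addresses or CIDRs.
# Returns 1 without printing anything if the allow-list is empty.
portainer_nft_ruleset() {
    allow="$1"
    [ -n "$allow" ] || { echo "refusing to build an empty allow-list (that would mean 0.0.0.0/0)" >&2; return 1; }
    set_elems=$(printf '%s' "$allow" | tr ' ' ',')
    cat <<EOF
table inet portainer {
    set trusted_v4 {
        type ipv4_addr
        flags interval
        elements = { $set_elems }
    }
    chain input {
        # Only the two Portainer ports are decided here; other traffic falls
        # through to whatever policy the rest of the host firewall applies.
        type filter hook input priority 0; policy accept;
        # Legacy plaintext UI port: never reachable from any network.
        tcp dport 9000 counter drop
        # HTTPS UI: accepted from the trusted allow-list, dropped for everyone else.
        ip saddr @trusted_v4 tcp dport 9443 counter accept
        tcp dport 9443 counter drop
    }
}
EOF
}

# Syntax-check the generated ruleset with nft without loading it (skips if nft is absent).
portainer_nft_check() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed; skipping syntax check" >&2; return 0; }
    portainer_nft_ruleset "$1" | nft -c -f -
}

# Usage (constructed documentation addresses):
#   portainer_nft_ruleset "203.0.113.10 198.51.100.0/24" | sudo nft -f -
```

Run the first function alone to review the rules, then pipe them into `nft -f -` once you are satisfied that the allow-list contains only the addresses you actually administer from.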

And finally, you should already be aware that Portainer needs to persist its data, and as such requires a persistent volume. If you are running Portainer on a cluster, make sure that volume is available across the cluster; if it's not, and Portainer restarts on another node, it will come up unconfigured and will leave you vulnerable.

Be safe out there, and always secure your Portainer instance.

Neil