Introduction to Docker for API Gateway Proxy
Docker containerization provides a standardized way to package, deploy, and run your API gateway proxy across different environments. This guide covers everything you need to know about containerizing your API gateway proxy for production deployment.
Container Isolation
Each microservice runs in its own isolated container, preventing dependency conflicts and ensuring consistent behavior across environments.
Fast Deployment
Containers start in milliseconds, enabling rapid scaling, zero-downtime deployments, and efficient resource utilization.
Security Hardening
Docker provides built-in security features like user namespace isolation, seccomp profiles, and resource constraints.
Resource Efficiency
Containers share the host OS kernel, resulting in significantly lower overhead compared to virtual machines.
Production-Ready Dockerfile
Create an optimized Dockerfile for your API gateway proxy that follows security and performance best practices.
# ===== PRODUCTION DOCKERFILE FOR API GATEWAY PROXY =====
# Multi-stage build for minimal image size
# Stage 1: Builder
FROM node:20-alpine AS builder
# Set working directory
WORKDIR /app
# Install dependencies first (caching layer)
COPY package*.json ./
RUN npm ci --only=production
# Copy application source
COPY . .
# Build the application
RUN npm run build
# Stage 2: Runtime
FROM node:20-alpine AS runtime
# Create non-root user for security
RUN addgroup -g 1001 -S appgroup && \
adduser -u 1001 -S appuser -G appgroup
# Install security updates and necessary packages
RUN apk add --no-cache tini curl
# Set working directory
WORKDIR /app
# Copy built application from builder stage
COPY --from=builder --chown=appuser:appgroup /app/package*.json ./
COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules
COPY --from=builder --chown=appuser:appgroup /app/dist ./dist
# Switch to non-root user
USER appuser
# Health check for container orchestration
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD curl -f http://localhost:3000/health || exit 1
# Use tini as init system for proper signal handling
ENTRYPOINT ["/sbin/tini", "--"]
# Start the application
CMD ["node", "dist/index.js"]Note: This Dockerfile uses multi-stage builds to reduce the final image size by separating build dependencies from runtime dependencies.
Docker Compose Configuration
Set up a complete development and production environment using Docker Compose with networking, volumes, and service dependencies.
# Docker Compose v3.8 Configuration
version: '3.8'
services:
# API Gateway Proxy Service
api-gateway:
build: .
container_name: api-gateway-proxy
ports:
- "3000:3000"
environment:
- NODE_ENV=production
- REDIS_HOST=redis
- RATE_LIMIT_ENABLED=true
- LOG_LEVEL=info
env_file:
- .env.production
volumes:
- ./logs:/app/logs:rw
- ./config:/app/config:ro
networks:
- gateway-network
depends_on:
- redis
- postgres
restart: unless-stopped
deploy:
resources:
limits:
cpus: '1'
memory: 512M
reservations:
cpus: '0.5'
memory: 256M
# Redis Cache for Rate Limiting
redis:
image: redis:7-alpine
container_name: gateway-redis
command: redis-server --appendonly yes --requirepass ${REDIS_PASSWORD}
volumes:
- redis-data:/data
networks:
- gateway-network
restart: unless-stopped
healthcheck:
test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD}", "ping"]
interval: 30s
timeout: 10s
retries: 3
# PostgreSQL Database
postgres:
image: postgres:15-alpine
container_name: gateway-db
environment:
- POSTGRES_DB=gateway
- POSTGRES_USER=${DB_USER}
- POSTGRES_PASSWORD=${DB_PASSWORD}
volumes:
- postgres-data:/var/lib/postgresql/data
- ./init-db:/docker-entrypoint-initdb.d
networks:
- gateway-network
restart: unless-stopped
# Nginx Reverse Proxy
nginx:
image: nginx:alpine
container_name: gateway-nginx
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- ./ssl:/etc/nginx/ssl:ro
- ./logs/nginx:/var/log/nginx
networks:
- gateway-network
depends_on:
- api-gateway
restart: unless-stopped
networks:
gateway-network:
driver: bridge
ipam:
config:
- subnet: 172.20.0.0/16
volumes:
redis-data:
driver: local
postgres-data:
driver: localSecurity Hardening Guide
Implement essential security measures to protect your containerized API gateway proxy from common threats.
Use Non-Root Users
Always run containers as non-root users to limit potential damage in case of container escape attacks. Create a dedicated user with minimal privileges in your Dockerfile.
Implement Resource Limits
Set CPU and memory limits to prevent denial-of-service attacks and ensure fair resource sharing among containers in production environments.
Regular Security Scanning
Integrate vulnerability scanning tools like Trivy or Grype into your CI/CD pipeline to detect known vulnerabilities in container images and dependencies.
Seccomp Profiles
Use custom seccomp profiles to restrict the system calls available to containers, reducing the attack surface and preventing privilege escalation.
Performance Optimization
Optimize your Docker containers for maximum performance and resource efficiency in production environments.
Multi-Stage Builds
Reduce final image size by separating build dependencies from runtime dependencies, resulting in faster deployment and improved security.
Layer Caching
Optimize Dockerfile layer ordering to maximize cache hits and reduce build times during development and CI/CD pipelines.
Resource Optimization
Configure appropriate CPU and memory limits based on your application's requirements to ensure efficient resource utilization.
Health Checks
Implement comprehensive health checks to enable automatic container recovery and load balancing in orchestration platforms.