# Security

Here follows an explanation of the security practices taken into account.

Refer to https://docs.docker.com/compose/compose-file/compose-file-v3/ for explanations of individual points.

## Rootness

The container process runs as `5000:5000`.

No processes are run as root within the container.

## Port Exposure

The container participates in the private `mesh_public` overlay network.

This allows the reverse proxy, Traefik, to route traffic via internal DNS.

This traffic is unencrypted HTTP.

Thus, **the overlay network must be run on a trusted (L3) network**.

## Volume Access

Only `localtime` and `timezone` are mounted (read-only).

All files to be served are either baked into the container image, or mounted with `docker config`.

## Resource Limits

The service employs CPU/memory usage limits in the `deploy` section.

This helps prevent a DDoS attack from crashing the entire host.

## Capabilities

All capabilities are dropped with `cap_drop: [ALL]`.

No capabilities need to be added back, so none are.

## security.txt

*See https://securitytxt.org/ for RFC + generator.*

This stack comes with a `security.txt` generator in `scripts__security_txt`, which:

- Templates mail contact, expiry, GPG public key link, and canonical path.
- Signs the file with the GPG private key referenced in the link.

To use it, first adjust the following block in `gen.py`:

```python
# Placeholder values (replace each with your own before running gen.py).
MAILTO = "security@example.com"                                       # contact address for reports
EXPIRY = "2025-12-31T23:59:59.000Z"                                   # Expires field; must lie in the future
MAILTO_PGP_FINGERPRINT = "0000000000000000000000000000000000000000"   # fingerprint of the signing key
DEPLOY_DOMAIN = "example.com"                                         # domain used for the canonical URL
```

Then, run `./gen.py` from any working directory. Remember to review the generated file, and update `docker config`.
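As an added illustration (not the stack's own `gen.py`), the script below shows the shape of what such a generator does: it renders the RFC 9116 fields from the same four settings, refuses an `Expires` value that is already past or more than a year out, and clearsigns the result with `gpg` when one is installed. The placeholder values, the `/pgp-key.txt` location and the `gpg --clearsign` invocation are assumptions, not the project's configuration.

```python
"""Render and sign a security.txt (RFC 9116); standalone illustration, not the stack's gen.py."""
import shutil
import subprocess
from datetime import datetime, timedelta, timezone

# Placeholder settings (constructed for this example, not the project's real values).
MAILTO = "security@example.com"
EXPIRY = datetime.now(timezone.utc) + timedelta(days=180)
MAILTO_PGP_FINGERPRINT = "0000000000000000000000000000000000000000"
DEPLOY_DOMAIN = "example.com"
MAX_VALIDITY = timedelta(days=366)  # RFC 9116: Expires should be less than a year out


def expiry_is_valid(expiry, now=None):
    """True if expiry is timezone-aware, in the future, and at most a year away."""
    if now is None:
        now = datetime.now(timezone.utc)
    if expiry.tzinfo is None:
        return False  # naive timestamps are ambiguous; reject them outright
    return now < expiry <= now + MAX_VALIDITY


def render_security_txt(mailto, expiry, domain, now=None):
    """Return the unsigned file body; the key link is assumed to live at /pgp-key.txt."""
    if not expiry_is_valid(expiry, now):
        raise ValueError("Expires must be in the future and less than a year out")
    stamp = expiry.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    fields = [
        f"Contact: mailto:{mailto}",
        f"Expires: {stamp}",
        f"Encryption: https://{domain}/pgp-key.txt",
        f"Canonical: https://{domain}/.well-known/security.txt",
    ]
    return "\n".join(fields) + "\n"


def clearsign(body, fingerprint):
    """Wrap body in a cleartext signature using gpg; returns (text, signed)."""
    if shutil.which("gpg") is None:
        return body, False  # no gpg on this host: hand back the unsigned body
    proc = subprocess.run(
        ["gpg", "--batch", "--clearsign", "--local-user", fingerprint],
        input=body.encode(), capture_output=True)
    if proc.returncode != 0:
        raise RuntimeError("gpg failed: " + proc.stderr.decode(errors="replace"))
    return proc.stdout.decode(), True


if __name__ == "__main__":
    body = render_security_txt(MAILTO, EXPIRY, DEPLOY_DOMAIN)
    text, signed = clearsign(body, MAILTO_PGP_FINGERPRINT)
    print(text if signed else body)
```

The unsigned body is what you would review before updating `docker config`; a signed file carries the same lines inside a `BEGIN PGP SIGNED MESSAGE` block.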