1.5 KiB
Security
Here follows an explanation of security practices taken into account.
Refer to https://docs.docker.com/compose/compose-file/compose-file-v3/ for explanations of individual points.
Rootness
The container process runs as 5000:5000
.
No processes are run as root within the container.
Port Exposure
The container participates in the private mesh_public
overlay network.
This allows the reverse proxy, Traefik, to route traffic via. internal DNS.
This traffic is unencrypted HTTP. Thus, the overlay network must be run on a trusted (L3) network.
Volume Access
Only localtime
and timezone
are mounted (read-only).
All files to be served are either baked into the container image, or mounted with docker config
.
Resource Limits
The service employs CPU/Memory usage limits in the deploy
section.
This helps prevent a DDoS attack from crashing the entire host.
Capabilities
The container runs with default capabilities.
security.txt
See https://securitytxt.org/ for RFC + generator.
This stack comes with a security.txt
generator in scripts__security_txt
, which:
- Templates mail contact, expiry, GPG public key link, and canonical path.
- Signs the file with the GPG private key referenced in the link.
To use it, first adjust the following block in gen.py
:
MAILTO =
EXPIRY =
MAILTO_PGP_FINGERPRINT =
DEPLOY_DOMAIN =
Then, run ./gen.py
from any working directory. Remember to review the generated file, and update docker config
.