Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict internet access from siren container #286

Open
wants to merge 20 commits into
base: stable
Choose a base branch
from
Open

Restrict internet access from siren container #286

wants to merge 20 commits into from
+244 −13

Conversation

magick93
Copy link

@magick93 magick93 commented Dec 16, 2024
edited
Loading

Objective

Security harden, specifically by restricting egress traffic from the siren container unless to approved destinations.

@magick93
Restrict egress on siren container
a39f264
@magick93
siren container w/ no internet
fc6ae1a
@magick93
Enhance security and stability of docker-compose configuration
ff3abc8 
- Change restart policy to 'unless-stopped'
- Restrict permissions on tmp and run mounts
- Add security options to prevent privilege escalation
- Implement health checks for the siren service
- Enable network encryption for the no_internet network
@magick93
Update docker-compose to include BN_TARGET and VC_TARGET environment …
7a111b0 
…variables
@magick93
Update nginx proxy configuration to use BN_TARGET and VC_TARGET varia…
f032c1e 
…bles
@magick93
Remove non-root user configuration from nginx-proxy service in docker…
d0b9b21 
…-compose
@magick93
Refactor nginx proxy configuration to use upstream blocks for BN_TARG…
e61f51f 
…ET and VC_TARGET
@magick93
Update nginx proxy configuration file path in docker-compose
e15cf87
@magick93
Update BN_TARGET and VC_TARGET environment variables to use placehold…
3d22810 
…er IPs
@magick93
Update README to include BN_TARGET and VC_TARGET configuration instru…
0fa9a88 
…ctions
@magick93
Update docker-compose to configure SSL and use environment variables …
910e64e 
…for BN_TARGET and VC_TARGET
@magick93
Update README to remove outdated BN_TARGET and VC_TARGET configuratio…
45b78c5 
…n instructions
rickimoore
rickimoore requested changes Dec 16, 2024
View reviewed changes
Copy link
Member

@rickimoore rickimoore left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe antonD can look at the docker, i just made a small comment

README.md Outdated Show resolved Hide resolved
@antondlr
Copy link
Member

I added some small nitpicks, feel free to revert them!

question; this does not expose over SSL currently, right?
as that would create a new security hole while patching another one:
one of the main issues we faced initially is that a user would have to send their session password in plaintext to Siren.

@antondlr
Copy link
Member

it would also be nice to use the same template for nginx_proxy.conf.template and siren-http{,s}.conf, manipulating the template can be done from docker-assets/docker-entrypoint.sh
(this is by no means a must!)

@magick93
Copy link
Author

@antondlr

question; this does not expose over SSL currently, right?

Yes, the primary objective of this PR is getting the egress restrictions in place.

one of the main issues we faced initially is that a user would have to send their session password in plaintext to Siren.

Preventing the exfiltration of sensitive data (eg, keys) from the container can largely be achieved using egress rules. But from the browser is another another kettle of fish. I

@magick93
Copy link
Author

magick93 commented Dec 16, 2024
edited
Loading

@antondlr

it would also be nice to use the same template for nginx_proxy.conf.template and siren-http{,s}.conf, manipulating the template can be done from docker-assets/docker-entrypoint.sh

Yeah I considered that, but I also wanted to avoid changing the existing siren image, and instead try to wrap it in nice warm security blanket.

I would like to explore improving this, and also starting nginx in a container lifecycle hook and then running the container with less perms.

I suggest we explore this in a new issue.

@antondlr
Copy link
Member

Preventing the exfiltration of sensitive data (eg, keys) from the container can largely be achieved using egress rules. But from the browser is another another kettle of fish. I

yeah so, taking a step back here and looking at which dangers actually exist, I think securing browser-siren traffic is paramount because once the SESSION_PASSWORD has leaked, it's game over, and it's a more viable attack vector. I'm definitely not against restricting egress traffic from the container, I think it makes a lot of sense, but not at the cost of sacrificing the current ssl-by-default setup. happy to talk about it / be convinced otherwise!
so the question is... how do we do both?

I also wanted to avoid changing the existing siren image

feel free to go ham on the exiting image :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@antondlr antondlr antondlr left review comments

@rickimoore rickimoore rickimoore requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@magick93 @antondlr @rickimoore