New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security Update: Change JWT Secret and TLS Certificate automatically on build #74
Conversation
Signed-off-by: Sascha Brendel <mail@lednerb.eu>
Signed-off-by: Sascha Brendel <mail@lednerb.eu>
Signed-off-by: Sascha Brendel <mail@lednerb.eu>
Signed-off-by: Sascha Brendel <mail@lednerb.eu>
… filesystem Signed-off-by: Sascha Brendel <mail@lednerb.eu>
Signed-off-by: Sascha Brendel <mail@lednerb.eu>
|
|
||
| volumes: | ||
| mongo-data: | ||
| report-templates: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you sure about the changes in this file?
Broke everything for me...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your check up!
You can fix this by copying the previous mongo-data and report-templates folder into the corresponding volume on the system.
I think the current file handling is not optimal either with putting the user-data into the code directories.
By using docker volumes on the other hand, we can archive the following:
- easy moving the code folder to another place within the filesystem (currently that is not possible without
sudo/rootpermissions) and keeping the files - better compatibility on different operating systems
- compliance with the docker guide on Run your app in production
Volumes are the preferred mechanism for persisting data generated by and used by Docker containers. While bind mounts are dependent on the directory structure and OS of the host machine, volumes are completely managed by Docker. Volumes have several advantages over bind mounts:
- Volumes are easier to back up or migrate than bind mounts.
- You can manage volumes using Docker CLI commands or the Docker API.
- Volumes work on both Linux and Windows containers.
- Volumes can be more safely shared among multiple containers.
- Volume drivers let you store volumes on remote hosts or cloud providers, to encrypt the contents of volumes, or to add other functionality.
- New volumes can have their content pre-populated by a container.
- Volumes on Docker Desktop have much higher performance than bind mounts from Mac and Windows hosts.
But you're right, this should be included in the release notes when getting merged.
@yeln4ts do you plan to introduce version numbering and a release-system, so users can see what the latest fixes are and if there will be some breaking changes in the new version instead of just pulling all changes from master?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes I would like to introduce some kind of release system with changelogs when I have something stable enough so that I can start with a clean slate (should be soon now).
Until then, I prefer not introducing breaking changes if possible.
| COPY .docker/nginx.conf /etc/nginx/conf.d/default.conf | ||
| RUN mkdir -p /etc/nginx/ssl | ||
| COPY ssl/server* /etc/nginx/ssl/ | ||
| RUN openssl req -x509 -newkey rsa:4096 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.cert -days 365 -subj '/CN=pwndoc' -nodes |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If using this then a new certificate would be issued at each build. You would have to add the exception in your browser each time you re-build the app.
Same thing if you want to use a custom certificate signed by a CA.
Checking for certificate existence before generating a new one would solve that
| RUN npm install | ||
| COPY . . | ||
| # Security related changes to the codebase | ||
| RUN openssl req -x509 -newkey rsa:4096 -keyout /app/ssl/server.key -out /app/ssl/server.cert -days 365 -subj '/CN=pwndoc' -nodes |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same thing from frontend/Dockerfile comment
|
|
||
| volumes: | ||
| mongo-data: | ||
| report-templates: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes I would like to introduce some kind of release system with changelogs when I have something stable enough so that I can start with a clean slate (should be soon now).
Until then, I prefer not introducing breaking changes if possible.
|
The dynamic JWT generation is implemented in v0.4.0 |
With those commits the security for production usage gets enhanced:
docker-compose.ymlis adjusted to not expose port 4242 on the host system and removedmongoport binding