Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Update: Change JWT Secret and TLS Certificate automatically on build #74

Closed
wants to merge 8 commits into from

Conversation

Lednerb
Copy link
Contributor

@Lednerb Lednerb commented Jan 22, 2021

With those commits the security for production usage gets enhanced:

  • Automatic generation of a random JWT Secret for the backend
  • Automatic TLS Certificate creation for the backend and frontend
  • Main docker-compose.yml is adjusted to not expose port 4242 on the host system and removed mongo port binding

Signed-off-by: Sascha Brendel <mail@lednerb.eu>
… filesystem

Signed-off-by: Sascha Brendel <mail@lednerb.eu>
Signed-off-by: Sascha Brendel <mail@lednerb.eu>

volumes:
mongo-data:
report-templates:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure about the changes in this file?
Broke everything for me...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your check up!

You can fix this by copying the previous mongo-data and report-templates folder into the corresponding volume on the system.

I think the current file handling is not optimal either with putting the user-data into the code directories.

By using docker volumes on the other hand, we can archive the following:

  • easy moving the code folder to another place within the filesystem (currently that is not possible without sudo / root permissions) and keeping the files
  • better compatibility on different operating systems
  • compliance with the docker guide on Run your app in production

Volumes are the preferred mechanism for persisting data generated by and used by Docker containers. While bind mounts are dependent on the directory structure and OS of the host machine, volumes are completely managed by Docker. Volumes have several advantages over bind mounts:

  • Volumes are easier to back up or migrate than bind mounts.
  • You can manage volumes using Docker CLI commands or the Docker API.
  • Volumes work on both Linux and Windows containers.
  • Volumes can be more safely shared among multiple containers.
  • Volume drivers let you store volumes on remote hosts or cloud providers, to encrypt the contents of volumes, or to add other functionality.
  • New volumes can have their content pre-populated by a container.
  • Volumes on Docker Desktop have much higher performance than bind mounts from Mac and Windows hosts.

But you're right, this should be included in the release notes when getting merged.


@yeln4ts do you plan to introduce version numbering and a release-system, so users can see what the latest fixes are and if there will be some breaking changes in the new version instead of just pulling all changes from master?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I would like to introduce some kind of release system with changelogs when I have something stable enough so that I can start with a clean slate (should be soon now).
Until then, I prefer not introducing breaking changes if possible.

COPY .docker/nginx.conf /etc/nginx/conf.d/default.conf
RUN mkdir -p /etc/nginx/ssl
COPY ssl/server* /etc/nginx/ssl/
RUN openssl req -x509 -newkey rsa:4096 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.cert -days 365 -subj '/CN=pwndoc' -nodes
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If using this then a new certificate would be issued at each build. You would have to add the exception in your browser each time you re-build the app.
Same thing if you want to use a custom certificate signed by a CA.
Checking for certificate existence before generating a new one would solve that

RUN npm install
COPY . .
# Security related changes to the codebase
RUN openssl req -x509 -newkey rsa:4096 -keyout /app/ssl/server.key -out /app/ssl/server.cert -days 365 -subj '/CN=pwndoc' -nodes
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same thing from frontend/Dockerfile comment


volumes:
mongo-data:
report-templates:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I would like to introduce some kind of release system with changelogs when I have something stable enough so that I can start with a clean slate (should be soon now).
Until then, I prefer not introducing breaking changes if possible.

@yeln4ts
Copy link
Contributor

yeln4ts commented Aug 24, 2021

The dynamic JWT generation is implemented in v0.4.0

@yeln4ts yeln4ts closed this Aug 24, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants