Compare commits
No commits in common. "6205d19bbbbb49eb8c90c54a4237a037a21fdefa" and "ffd7b06cc0b7d4af59d82d7360ae7280ec807939" have entirely different histories.
6205d19bbb
...
ffd7b06cc0
@ -1,74 +0,0 @@
---
title: "Securing communication between webserver and app"
date: 2024-04-19T17:31:06-04:00
tags:
- unix-sockets
- tmpfiles.d
- webserver
categories:
- sysadmin
---
Webapps usually listen on a random tcp port and a web server forwards the
requests to it. Webserver handles tls, static asset serving and sometimes
authentication, bruteforce check etc., However any local user in the system can
directly connect to the app's listen port bypassing the web server and thus
loose the protections offered by the webserver.
### Unix sockets
Unix sockets are special files in filesystem that processes can use to
communicate instead of tcp ports. Since they are files, filesytem ownership and
permissions can be used to restrict which system-users can listen or connect to
them
### Caddy ↔ Gitea
I use [Caddy][1] web server which reverse-proxies to [Gitea][2] server. For
caddy to connect to gitea and also disallow anyother user to connect, we want a
socket like below
```bash
srw-rw---- 1 gitea caddy 0 Apr 17 21:24 /run/gitea.sock
```
Unfortunately neither `user caddy` nor `user gitea`, can create such socket.
Regular users can only create files owned by themselves. Only root can
create/change ownership of files and folders.
### `tmpfiles.d` to rescue
[tmpfiles.d][3] provides a way to do it. Since it is run as root, it can create
files and directories as any user.
```bash
❯ cat /etc/tmpfiles.d/caddy-run-unix.conf
d /run/gitea-caddy 0750 gitea caddy -
```
Above config creates below directory every time on startup.
```bash
❯ sudo ls -ld /run/gitea-caddy/
drwxr-x--- 2 gitea caddy 60 Apr 17 21:24 /run/gitea-caddy/
```
With those permissions and ownership, only `user gitea` can create the socket
in `/run/gitea-caddy` and only `user caddy` can `cd` into that directory.
```bash
❯ sudo ls -l /run/gitea-caddy/web.sock
srw-rw-rw- 1 gitea gitea 0 Apr 17 21:24 /run/gitea-caddy/web.sock
```
The socket file permission can be more liberal as no other user can read into
the `/run/gitea-caddy` directory
### Bonus!
If your app does not connect to any external services, it can even be run in a
[private network][4].
[1]: https://caddyserver.com
[2]: https://gitea.com
[3]: https://man.archlinux.org/man/tmpfiles.d.5
[4]: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateNetwork=
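Review bot: this hunk deletes the entire post (`-1,74 +0,0`) with nothing added in its place, and the compare header states the two refs have no commits in common, so confirm the removal is intended rather than an artifact of comparing unrelated branches. If the post is meant to be retired, note where its content moves; the `d /run/gitea-caddy 0750 gitea caddy -` tmpfiles.d pattern it documents is sound and worth keeping reachable.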
public
@ -1 +1 @@
Subproject commit 315118b85c7de204251c9038192ab1f4917ffc96
Subproject commit 2810706e99a7997cc2f9c1366d2c97b519187940
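Review bot: the `public` submodule pointer moves from 315118b85c7de204251c9038192ab1f4917ffc96 to 2810706e99a7997cc2f9c1366d2c97b519187940 with no indication of what the new revision contains; state whether it is the rebuilt site reflecting the post removal above, so the two changes can be reviewed as one.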