Compare commits

...

2 Commits

2 changed files with 75 additions and 1 deletions

View File

@ -0,0 +1,74 @@
---
title: "Securing communication between webserver and app"
date: 2024-04-19T17:31:06-04:00
tags:
- unix-sockets
- tmpfiles.d
- webserver
categories:
- sysadmin
---
Webapps usually listen on a random tcp port and a web server forwards the
requests to it. Webserver handles tls, static asset serving and sometimes
authentication, bruteforce check etc., However any local user in the system can
directly connect to the app's listen port bypassing the web server and thus
loose the protections offered by the webserver.
### Unix sockets
Unix sockets are special files in filesystem that processes can use to
communicate instead of tcp ports. Since they are files, filesytem ownership and
permissions can be used to restrict which system-users can listen or connect to
them
### Caddy ↔ Gitea
I use [Caddy][1] web server which reverse-proxies to [Gitea][2] server. For
caddy to connect to gitea and also disallow anyother user to connect, we want a
socket like below
```bash
srw-rw---- 1 gitea caddy 0 Apr 17 21:24 /run/gitea.sock
```
Unfortunately neither `user caddy` nor `user gitea`, can create such socket.
Regular users can only create files owned by themselves. Only root can
create/change ownership of files and folders.
### `tmpfiles.d` to rescue
[tmpfiles.d][3] provides a way to do it. Since it is run as root, it can create
files and directories as any user.
```bash
cat /etc/tmpfiles.d/caddy-run-unix.conf
d /run/gitea-caddy 0750 gitea caddy -
```
Above config creates below directory every time on startup.
```bash
sudo ls -ld /run/gitea-caddy/
drwxr-x--- 2 gitea caddy 60 Apr 17 21:24 /run/gitea-caddy/
```
With those permissions and ownership, only `user gitea` can create the socket
in `/run/gitea-caddy` and only `user caddy` can `cd` into that directory.
```bash
sudo ls -l /run/gitea-caddy/web.sock
srw-rw-rw- 1 gitea gitea 0 Apr 17 21:24 /run/gitea-caddy/web.sock
```
The socket file permission can be more liberal as no other user can read into
the `/run/gitea-caddy` directory
### Bonus!
If your app does not connect to any external services, it can even be run in a
[private network][4].
[1]: https://caddyserver.com
[2]: https://gitea.com
[3]: https://man.archlinux.org/man/tmpfiles.d.5
[4]: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateNetwork=

2
public

@ -1 +1 @@
Subproject commit 2810706e99a7997cc2f9c1366d2c97b519187940
Subproject commit 315118b85c7de204251c9038192ab1f4917ffc96