75 lines
2.3 KiB
Markdown
75 lines
2.3 KiB
Markdown
---
|
||
title: "Securing communication between webserver and app"
|
||
date: 2024-04-19T17:31:06-04:00
|
||
tags:
|
||
- unix-sockets
|
||
- tmpfiles.d
|
||
- webserver
|
||
categories:
|
||
- sysadmin
|
||
---
|
||
|
||
Webapps usually listen on a random tcp port and a web server forwards the
|
||
requests to it. Webserver handles tls, static asset serving and sometimes
|
||
authentication, bruteforce check etc., However any local user in the system can
|
||
directly connect to the app's listen port bypassing the web server and thus
|
||
loose the protections offered by the webserver.
|
||
|
||
### Unix sockets
|
||
|
||
Unix sockets are special files in filesystem that processes can use to
|
||
communicate instead of tcp ports. Since they are files, filesytem ownership and
|
||
permissions can be used to restrict which system-users can listen or connect to
|
||
them
|
||
|
||
### Caddy ↔ Gitea
|
||
|
||
I use [Caddy][1] web server which reverse-proxies to [Gitea][2] server. For
|
||
caddy to connect to gitea and also disallow anyother user to connect, we want a
|
||
socket like below
|
||
|
||
```bash
|
||
srw-rw---- 1 gitea caddy 0 Apr 17 21:24 /run/gitea.sock
|
||
```
|
||
|
||
Unfortunately neither `user caddy` nor `user gitea`, can create such socket.
|
||
Regular users can only create files owned by themselves. Only root can
|
||
create/change ownership of files and folders.
|
||
|
||
### `tmpfiles.d` to rescue
|
||
|
||
[tmpfiles.d][3] provides a way to do it. Since it is run as root, it can create
|
||
files and directories as any user.
|
||
|
||
```bash
|
||
❯ cat /etc/tmpfiles.d/caddy-run-unix.conf
|
||
d /run/gitea-caddy 0750 gitea caddy -
|
||
```
|
||
Above config creates below directory every time on startup.
|
||
|
||
```bash
|
||
❯ sudo ls -ld /run/gitea-caddy/
|
||
drwxr-x--- 2 gitea caddy 60 Apr 17 21:24 /run/gitea-caddy/
|
||
```
|
||
|
||
With those permissions and ownership, only `user gitea` can create the socket
|
||
in `/run/gitea-caddy` and only `user caddy` can `cd` into that directory.
|
||
|
||
```bash
|
||
❯ sudo ls -l /run/gitea-caddy/web.sock
|
||
srw-rw-rw- 1 gitea gitea 0 Apr 17 21:24 /run/gitea-caddy/web.sock
|
||
```
|
||
|
||
The socket file permission can be more liberal as no other user can read into
|
||
the `/run/gitea-caddy` directory
|
||
|
||
### Bonus!
|
||
|
||
If your app does not connect to any external services, it can even be run in a
|
||
[private network][4].
|
||
|
||
[1]: https://caddyserver.com
|
||
[2]: https://gitea.com
|
||
[3]: https://man.archlinux.org/man/tmpfiles.d.5
|
||
[4]: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateNetwork=
|