Restrict internet access from siren container

Open magick93 opened this issue 1 year ago • 5 comments

Objective

Security harden, specifically by restricting egress traffic from the siren container unless to approved destinations.

magick93 avatar Dec 16 '24 01:12 magick93
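As an added example (not code from the Siren project or from anyone in this thread) of the egress allowlist the objective describes: a POSIX sh helper that renders default-deny iptables rules for a container's OUTPUT chain from a list of approved destinations. The allowlist format, the resolver address and every destination address below are assumptions.

```shell
#!/bin/sh
# Added example, not from the Siren repository: build a default-deny egress
# allowlist for a container as iptables commands. Assumed (hypothetical) inputs:
# a space-separated list of "ip_or_cidr:port" entries and one approved DNS resolver.

# Accept a destination only if it is a dotted-quad IPv4 address or CIDR;
# hostnames are rejected so a rule cannot silently resolve to anything.
valid_dest() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the iptables commands for one allowlist. Nothing is executed here, so the
# output can be reviewed, or piped to "sh" as root from the entrypoint.
build_egress_rules() {
    allowed="$1"      # constructed input: "dest:port dest:port ..."
    dns="$2"          # the only resolver the container may query

    # Policy first: a short window with everything blocked beats one with everything open.
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"            # loopback, e.g. proxy -> app
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # DNS only to the approved resolver, so lookups cannot be used as a side channel out.
    echo "iptables -A OUTPUT -p udp -d $dns --dport 53 -j ACCEPT"

    for entry in $allowed; do
        dest="${entry%:*}"
        port="${entry##*:}"
        if [ "$dest" = "$entry" ] || ! valid_dest "$dest"; then
            echo "# skipped invalid entry: $entry" >&2
            continue
        fi
        echo "iptables -A OUTPUT -p tcp -d $dest --dport $port -j ACCEPT"
    done
    # Anything not accepted above is logged (rate-limited) and then hits the DROP policy,
    # so unexpected egress attempts show up in the host's kernel log.
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'egress-drop: '"
}

# Constructed example: a beacon node on the private network, one HTTPS endpoint,
# and a hostname entry that must be rejected. 127.0.0.11 is Docker's embedded DNS.
build_egress_rules "10.0.0.5:5052 198.51.100.7:443 not-an-ip.example:443" "127.0.0.11"
```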

I added some small nitpicks, feel free to revert them!

question; this does not expose over SSL currently, right? as that would create a new security hole while patching another one: one of the main issues we faced initially is that a user would have to send their session password in plaintext to Siren.

antondlr avatar Dec 16 '24 13:12 antondlr

it would also be nice to use the same template for nginx_proxy.conf.template and siren-http{,s}.conf, manipulating the template can be done from docker-assets/docker-entrypoint.sh (this is by no means a must!)

antondlr avatar Dec 16 '24 13:12 antondlr

@antondlr

question; this does not expose over SSL currently, right?

Yes, the primary objective of this PR is getting the egress restrictions in place.

one of the main issues we faced initially is that a user would have to send their session password in plaintext to Siren.

Preventing the exfiltration of sensitive data (eg, keys) from the container can largely be achieved using egress rules. But from the browser is another kettle of fish. I

magick93 avatar Dec 16 '24 21:12 magick93

@antondlr

it would also be nice to use the same template for nginx_proxy.conf.template and siren-http{,s}.conf, manipulating the template can be done from docker-assets/docker-entrypoint.sh

Yeah I considered that, but I also wanted to avoid changing the existing siren image, and instead try to wrap it in a nice warm security blanket.

I would like to explore improving this, and also starting nginx in a container lifecycle hook and then running the container with less perms.

I suggest we explore this in a new issue.

magick93 avatar Dec 16 '24 21:12 magick93

Preventing the exfiltration of sensitive data (eg, keys) from the container can largely be achieved using egress rules. But from the browser is another kettle of fish. I

Yeah so, taking a step back here and looking at which dangers actually exist, I think securing browser-siren traffic is paramount because once the SESSION_PASSWORD has leaked, it's game over, and it's a more viable attack vector. I'm definitely not against restricting egress traffic from the container, I think it makes a lot of sense, but not at the cost of sacrificing the current SSL-by-default setup. Happy to talk about it / be convinced otherwise! So the question is... how do we do both?

I also wanted to avoid changing the existing siren image

Feel free to go ham on the existing image :-)

antondlr avatar Dec 17 '24 06:12 antondlr