Skip to content

Restrict internet access from siren container#286

Open
magick93 wants to merge 3 commits intosigp:unstablefrom
magick93:dc-enhance
Open

Restrict internet access from siren container#286
magick93 wants to merge 3 commits intosigp:unstablefrom
magick93:dc-enhance

Conversation

@magick93
Copy link

@magick93 magick93 commented Dec 16, 2024
edited
Loading

Objective

Security harden, specifically by restricting egress traffic from the siren container unless to approved destinations.

rickimoore
rickimoore suggested changes Dec 16, 2024
View reviewed changes
Copy link
Contributor

@rickimoore rickimoore left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe antonD can look at the docker, i just made a small comment

@antondlr
Copy link
Member

antondlr commented Dec 16, 2024

I added some small nitpicks, feel free to revert them!

question; this does not expose over SSL currently, right?
as that would create a new security hole while patching another one:
one of the main issues we faced initially is that a user would have to send their session password in plaintext to Siren.

@antondlr
Copy link
Member

antondlr commented Dec 16, 2024

it would also be nice to use the same template for nginx_proxy.conf.template and siren-http{,s}.conf, manipulating the template can be done from docker-assets/docker-entrypoint.sh
(this is by no means a must!)

antondlr
antondlr reviewed Dec 16, 2024
View reviewed changes
@magick93
Copy link
Author

magick93 commented Dec 16, 2024

@antondlr

question; this does not expose over SSL currently, right?

Yes, the primary objective of this PR is getting the egress restrictions in place.

one of the main issues we faced initially is that a user would have to send their session password in plaintext to Siren.

Preventing the exfiltration of sensitive data (eg, keys) from the container can largely be achieved using egress rules. But from the browser is another another kettle of fish. I

@magick93
Copy link
Author

magick93 commented Dec 16, 2024
edited
Loading

@antondlr

it would also be nice to use the same template for nginx_proxy.conf.template and siren-http{,s}.conf, manipulating the template can be done from docker-assets/docker-entrypoint.sh

Yeah I considered that, but I also wanted to avoid changing the existing siren image, and instead try to wrap it in nice warm security blanket.

I would like to explore improving this, and also starting nginx in a container lifecycle hook and then running the container with less perms.

I suggest we explore this in a new issue.

@antondlr
Copy link
Member

antondlr commented Dec 17, 2024

Preventing the exfiltration of sensitive data (eg, keys) from the container can largely be achieved using egress rules. But from the browser is another another kettle of fish. I

yeah so, taking a step back here and looking at which dangers actually exist, I think securing browser-siren traffic is paramount because once the SESSION_PASSWORD has leaked, it's game over, and it's a more viable attack vector. I'm definitely not against restricting egress traffic from the container, I think it makes a lot of sense, but not at the cost of sacrificing the current ssl-by-default setup. happy to talk about it / be convinced otherwise!
so the question is... how do we do both?

I also wanted to avoid changing the existing siren image

feel free to go ham on the exiting image :-)

@magick93 magick93 requested a review from rickimoore December 19, 2024 03:41
@magick93 magick93 changed the base branch from stable to unstable February 13, 2025 21:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@antondlr antondlr antondlr left review comments

@rickimoore rickimoore Awaiting requested review from rickimoore

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@magick93 @antondlr @rickimoore