feat(security): add trusted proxies and abuse event cleanup
All checks were successful
Build and Publish Docker Image / deploy (push) Successful in 1m38s
- Add `WARPBOX_TRUSTED_PROXIES` configuration to restrict accepted forwarded client IP headers to specific proxy IPs/CIDRs, securing client IP resolution.
- Integrate `BanService` into the background cleanup job to automatically purge expired abuse and ban evidence events.
- Update documentation with reverse proxy security guidelines and a production systemd deployment guide.
Changed files: README.md (72 lines changed)
@@ -33,6 +33,7 @@ Upload policy defaults are also configured in megabytes and can later be changed
- `WARPBOX_SHORT_WINDOW_SECONDS=60`
- `WARPBOX_ANONYMOUS_STORAGE_BACKEND=local`
- `WARPBOX_USER_STORAGE_BACKEND=local`
- `WARPBOX_TRUSTED_PROXIES=` controls whether forwarded client IP headers are accepted only from specific proxy IPs/CIDRs. See [SECURITY_PROXY.md](./SECURITY_PROXY.md).

Runtime data is configured with `WARPBOX_DATA_DIR` and defaults to `./data` in the dev environment.
The dev script resolves that path from the repository root.
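Review bot: the new `WARPBOX_TRUSTED_PROXIES=` bullet shows an empty default but never says what empty means; a reader may assume that an empty value disables forwarded headers, while the Reverse Proxy Security section added in the same commit says the default trusts `X-Forwarded-For` and `X-Real-IP` and does not restrict which peer may send them. Suggest spelling that out in the bullet, together with the value format used in the systemd example (`WARPBOX_TRUSTED_PROXIES=127.0.0.1,::1`, a comma-separated list of IPs/CIDRs), so a hardened deployment can be configured from this list without opening the other document.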
@@ -74,6 +75,73 @@ The compose example also works with Podman compatible compose tools. Its data vo
The image exposes `/health`, `/healthz`, and `/api/v1/health`. Docker and compose healthchecks
use `/health`.

## Reverse Proxy Security

Warpbox uses the resolved client IP for anonymous limits, manual bans, and automatic bans. The
default behavior trusts `X-Forwarded-For` and `X-Real-IP` so a normal Caddy reverse proxy works
without extra setup. For hardened deployments where the app port might be reachable from more than
one network, set `WARPBOX_TRUSTED_PROXIES` to trusted proxy IPs/CIDRs. See
[SECURITY_PROXY.md](./SECURITY_PROXY.md) for Caddy examples and Docker/systemd notes.

## Systemd

Build the binary on the server, create a dedicated user, and keep runtime data outside the repo:

```bash
cd /opt/warpbox-dev/backend
go build -o /usr/local/bin/warpbox ./cmd/warpbox
sudo useradd --system --home /var/lib/warpbox --shell /usr/sbin/nologin warpbox
sudo mkdir -p /var/lib/warpbox /etc/warpbox
sudo chown -R warpbox:warpbox /var/lib/warpbox
sudo cp /opt/warpbox-dev/.env.example /etc/warpbox/warpbox.env
```

Example `/etc/warpbox/warpbox.env` values:

```env
WARPBOX_ENV=production
WARPBOX_ADDR=127.0.0.1:6070
WARPBOX_BASE_URL=https://warpbox.dev
WARPBOX_DATA_DIR=/var/lib/warpbox
WARPBOX_STATIC_DIR=/opt/warpbox-dev/backend/static
WARPBOX_TEMPLATE_DIR=/opt/warpbox-dev/backend/templates
WARPBOX_TRUSTED_PROXIES=127.0.0.1,::1
```

Example `/etc/systemd/system/warpbox.service`:

```ini
[Unit]
Description=Warpbox file sharing service
After=network-online.target
Wants=network-online.target

[Service]
User=warpbox
Group=warpbox
EnvironmentFile=/etc/warpbox/warpbox.env
ExecStart=/usr/local/bin/warpbox
Restart=always
RestartSec=5
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths=/var/lib/warpbox

[Install]
WantedBy=multi-user.target
```

Then enable it:

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now warpbox
sudo systemctl status warpbox
```

Put Caddy in front of `127.0.0.1:6070` and keep the Warpbox port closed to the public internet.

## Layout

- `backend/cmd/warpbox` - main application entry point.
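Review bot: the Systemd guide copies `.env.example` to `/etc/warpbox/warpbox.env` with `sudo cp` but never tightens its permissions, so the file typically stays world-readable even though it carries production settings and, given the S3-compatible bucket backends this README describes, may later hold credentials. Suggest adding `sudo chown root:warpbox /etc/warpbox/warpbox.env` and `sudo chmod 640 /etc/warpbox/warpbox.env` right after the copy, since `EnvironmentFile=` only needs the service user to read it. Two smaller points in the same block: `go build -o /usr/local/bin/warpbox` is run without `sudo` while every neighbouring command uses it, so it fails for a non-root operator; and `ProtectSystem=strict` with only `ReadWritePaths=/var/lib/warpbox` is a good choice, but it is worth stating that `WARPBOX_STATIC_DIR` and `WARPBOX_TEMPLATE_DIR` under `/opt` are read-only for the service, so nobody "fixes" it by widening `ReadWritePaths`.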
@@ -138,6 +206,8 @@ from `examples/sharex/warpbox-anonymous.sxcu`; update `RequestURL` to match your
user storage quota, and usage retention.
- `/admin/users` shows storage/daily usage and lets admins set per-user storage quota overrides.
- `/admin/storage` manages the built-in local file backend and S3-compatible bucket backends.
- `/admin/bans` manages manual IP/CIDR bans and optional automatic bans for suspicious probes and
repeated login failures. Auto-ban is off by default and configured from the admin UI.
- Upload limits now include daily bytes, daily box counts, active box counts, short-window request
limits, max expiration days, local storage capacity in GB, and per-user policy overrides.
- Uploaded file content, thumbnails, and private box metadata use the selected storage backend.
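Review bot: the new `/admin/bans` bullet describes manual IP/CIDR bans and auto-ban without saying which address they are matched against; the Reverse Proxy Security section added in the same commit states that bans use the resolved client IP, which in turn depends on `WARPBOX_TRUSTED_PROXIES`. Suggest one clause here, for example "bans match the resolved client IP, see Reverse Proxy Security", so an operator who creates bans from the admin UI also knows the proxy configuration has to be correct for a ban to hit the intended address rather than the proxy's own.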
@@ -158,6 +228,8 @@ Warpbox keeps local runtime data under the configured data directory:
- `data/db/warpbox.bbolt` also stores users, sessions, invites, and collections.
- `data/db/warpbox.bbolt` stores upload policy settings and daily usage records keyed by plain IP
for anonymous uploads and user ID for signed-in uploads.
- `data/db/warpbox.bbolt` stores manual bans, automatic ban settings, abuse counters, and malicious
path rules.
- `data/logs/{YYYY-MM-DD}.log` - JSONL logs, one event per line.

## Static Asset Policy
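Review bot: the commit message says `BanService` now purges expired abuse and ban evidence events from the background cleanup job, but the new `data/db/warpbox.bbolt` bullet only lists "abuse counters" with no mention of retention, so an operator reading this section cannot tell that these records are cleaned up automatically. Suggest adding that note to the bullet. Style point: this hunk now has three consecutive bullets that each begin with `data/db/warpbox.bbolt` stores/also stores …; they read better merged into one bullet with sub-items.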