kato/warpbox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
43baade930de37cdf8d745f342a49c2d43e32316
warpbox/docs/security-runbook.md

1.1 KiB
Raw Blame History

Security Runbook

Trusted Proxy Setup (Caddy)

Set WARPBOX_TRUSTED_PROXY_CIDRS to only the CIDRs of your reverse proxies/load balancers.

Example:

WARPBOX_TRUSTED_PROXY_CIDRS=10.0.0.0/8,192.168.0.0/16

Caddy example:

:443 {
  reverse_proxy 127.0.0.1:8080 {
    header_up X-Forwarded-For {http.request.remote.host}
    header_up X-Real-IP {http.request.remote.host}
  }
}

WarpBox will trust X-Forwarded-For only if the direct remote IP is inside WARPBOX_TRUSTED_PROXY_CIDRS.

IP Ban Operations

  • Use temporary bans by default.
  • Use ban_until only for active incidents requiring explicit windows.
  • Before unbanning, inspect related activity and alerts for repeated abuse patterns.
  • For destructive actions (bulk_unban, unban_all), require explicit confirmation.

Tuning Guidance

  • Low traffic deployments: reduce max-attempt thresholds to catch abuse faster.
  • High traffic deployments: increase windows and max-attempts incrementally to reduce false positives.
  • Watch for:
    • repeated auth.admin.failed
    • repeated security.scan
    • frequent security.upload_limit
Reference in New Issue View Git Blame Copy Permalink