# Security Runbook

## Trusted Proxy Setup (Caddy)

Set `WARPBOX_TRUSTED_PROXY_CIDRS` to the CIDRs of your reverse proxies or load balancers, and nothing else: any address in this list is allowed to set the client IP that WarpBox attributes a request to.

Example:

```bash
WARPBOX_TRUSTED_PROXY_CIDRS=10.0.0.0/8,192.168.0.0/16
```

Caddy example:

```caddyfile
:443 {
    reverse_proxy 127.0.0.1:8080 {
        header_up X-Forwarded-For {http.request.remote.host}
        header_up X-Real-IP {http.request.remote.host}
    }
}
```

WarpBox honours `X-Forwarded-For` only when the direct remote IP (the TCP peer) is inside `WARPBOX_TRUSTED_PROXY_CIDRS`; from any other peer the header is ignored and the peer address itself is used, so a client that connects directly cannot spoof its address by sending the header.

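The trust check described above, as an added illustration (not WarpBox's own code): the peer must fall inside the configured CIDRs before `X-Forwarded-For` is consulted. It goes slightly beyond the single-hop Caddy setup by walking a multi-hop header from the right and skipping trusted proxies, which is the usual handling when several proxies append to the chain; the CIDR value and all addresses are constructed sample data.

```python
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample value in the WARPBOX_TRUSTED_PROXY_CIDRS format.
TRUSTED_PROXY_CIDRS = "10.0.0.0/8,192.168.0.0/16"


def parse_trusted_cidrs(value: str) -> List[Network]:
    """Parse a comma-separated CIDR list; strict=False tolerates host bits being set."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]


TRUSTED_NETWORKS = parse_trusted_cidrs(TRUSTED_PROXY_CIDRS)


def is_trusted_proxy(ip: str, networks: List[Network]) -> bool:
    """True if ip lies inside any trusted network (raises ValueError on a malformed ip)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def client_ip(remote_ip: str, x_forwarded_for: Optional[str],
              networks: List[Network]) -> str:
    """Return the address a request should be attributed to.

    The header is only honoured when the TCP peer is a trusted proxy; otherwise
    the peer may have written the header itself and it is ignored. When honoured,
    walk the chain right-to-left and take the first hop that is not a trusted
    proxy, so a client cannot prepend fake hops to hide behind.
    """
    if not x_forwarded_for or not is_trusted_proxy(remote_ip, networks):
        return remote_ip
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop, networks):
                return hop
        except ValueError:
            # Malformed hop: nothing to its left can be trusted either.
            return remote_ip
    # Every hop was a trusted proxy; fall back to the direct peer.
    return remote_ip
```
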
## IP Ban Operations

- Use temporary bans by default.
- Use `ban_until` only for active incidents requiring explicit windows.
- Before unbanning, inspect related activity and alerts for repeated abuse patterns.
- For destructive actions (`bulk_unban`, `unban_all`), require explicit confirmation.

## Tuning Guidance

- Low-traffic deployments: reduce max-attempt thresholds to catch abuse faster.
- High-traffic deployments: increase windows and max-attempts incrementally to reduce false positives.
- Watch for:
  - repeated `auth.admin.failed`
  - repeated `security.scan`
  - frequent `security.upload_limit`