warpbox/docs/security-runbook.md
Daniel Legt fbeff3f6c0
feat/security
Reviewed-on: #2
2026-05-04 00:00:36 +03:00

Security Runbook

Trusted Proxy Setup (Caddy)

Set WARPBOX_TRUSTED_PROXY_CIDRS to only the CIDRs of your reverse proxies/load balancers.

Example:

WARPBOX_TRUSTED_PROXY_CIDRS=10.0.0.0/8,192.168.0.0/16

Caddy example:

:443 {
  reverse_proxy 127.0.0.1:8080 {
    header_up X-Forwarded-For {http.request.remote.host}
    header_up X-Real-IP {http.request.remote.host}
  }
}

WarpBox will trust X-Forwarded-For only if the direct remote IP is inside WARPBOX_TRUSTED_PROXY_CIDRS.
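
The trust rule above as an added Python sketch; it is not WarpBox's own code. The function names, the right-to-left walk over the header, and the fallback to the peer address are assumptions, and every address is a constructed sample.

```python
import ipaddress

def parse_cidrs(value):
    """Parse a comma-separated list in the WARPBOX_TRUSTED_PROXY_CIDRS format.

    A malformed entry raises ValueError, so a typo fails loudly at startup.
    """
    return [ipaddress.ip_network(p.strip()) for p in value.split(",") if p.strip()]

def is_trusted(ip, networks):
    # Membership is False when the address and network IP versions differ.
    return any(ip in net for net in networks)

def client_ip(remote_addr, xff, networks):
    """Pick the address that bans and rate limits should key on (assumed logic)."""
    peer = ipaddress.ip_address(remote_addr)
    # Header is consulted only when the direct TCP peer is a trusted proxy.
    if not xff or not is_trusted(peer, networks):
        return str(peer)
    # Rightmost entries were appended by our own proxies; the first entry
    # that is not a trusted proxy is the closest address we can vouch for.
    for hop in reversed(xff.split(",")):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer
        if not is_trusted(ip, networks):
            return str(ip)
    return str(peer)  # every hop was a trusted proxy

if __name__ == "__main__":
    trusted = parse_cidrs("10.0.0.0/8,192.168.0.0/16")
    # (direct peer, X-Forwarded-For) pairs, all constructed
    cases = [
        ("10.0.0.5", "203.0.113.7"),           # proxy inside the trusted list
        ("198.51.100.9", "203.0.113.7"),       # untrusted peer sending the header
        ("10.0.0.5", "1.2.3.4, 203.0.113.7"),  # client-supplied leftmost entry
        ("127.0.0.1", "203.0.113.7"),          # loopback peer, not in the list
    ]
    for peer, header in cases:
        print(peer, repr(header), "->", client_ip(peer, header, trusted))
```

With the sample list, a peer of 127.0.0.1 is outside both ranges, so in this sketch the header is ignored for a proxy that connects over loopback, as the Caddy example on this page does.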

IP Ban Operations

  • Use temporary bans by default.
  • Use ban_until only for active incidents requiring explicit windows.
  • Before unbanning, inspect related activity and alerts for repeated abuse patterns.
  • For destructive actions (bulk_unban, unban_all), require explicit confirmation.

Tuning Guidance

  • Low-traffic deployments: reduce max-attempt thresholds to catch abuse faster.
  • High-traffic deployments: increase windows and max-attempts incrementally to reduce false positives.
  • Watch for:
    • repeated auth.admin.failed
    • repeated security.scan
    • frequent security.upload_limit