security hardening
Ivshti opened this issue · 0 comments
Ivshti commented
- check if git hooks can run arbitrary code on push, in the way they're configured by dokku; in other words, can you inject code via git hooks
- dokku allows nginx config to be customized; while we don't use that config as we just auto-configure nginx on the swarm, can the nginx config customization feature be used to attack the deployer? perhaps by hijacking port 5000
  - in any case, better to disallow it
- customize the default dokku CHECK so that it ensures what you're pushing is an addon
- limit size of docker images and containers
  - harder than it initially looks cause this is no longer supported on the default storage driver (overlayfs) unless you're running xfs underneath
- nginx: short timeouts, 5-10 seconds
- firewall: only expose 80 (or 443) from the swarm, only 22 from the deployer