
Security

Alfred Gutierrez edited this page Dec 22, 2019 · 5 revisions

openencoder is built with security in mind. However, it is still recommended to run openencoder behind a firewall with access restrictions.

Below are some recommendations and configuration settings for this project.

Set Firewall Rules

  • It is highly recommended to run on a private network, only exposing the ports necessary.
    • Port 80 and 8080 for web access
    • Port 5432 for database
    • Port 6379 for redis

Update configuration via environment variables

Defaults are set in config/default.yml: https://github.com/alfg/openencoder/blob/master/config/default.yml

Environment variables will override the defaults set in config/default.yml.

  • Set JWT_KEY and KEYSEED environment variables to a secure value. These are used for JWT authentication and encrypting user settings.

You can generate one via hexdump:

$ hexdump -n 16 -e '4/4 "%08X" 1 "\n"' /dev/random

If JWT_KEY or KEYSEED is compromised, reset these values.
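
The key generation and reset steps above as a script. This is an added example, not part of the openencoder project. It assumes an env file named by the caller, uses od and /dev/urandom in place of hexdump and /dev/random, and checks only for the 32-hex-character format the hexdump command produces, which is not a documented openencoder requirement.

```shell
#!/bin/sh
# Added example: generate JWT_KEY and KEYSEED and keep them in a
# private env file. Function names and the env file are assumptions.

# Print 16 random bytes as 32 uppercase hex characters, the same
# format as the hexdump command shown above.
gen_key() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Succeed only if $1 is exactly 32 hex characters. Rejects empty
# values and placeholders such as "changeme".
is_valid_key() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Write fresh, independent values for both variables to the file $1.
# Running it again replaces both values, which is the reset step to
# take after a compromise.
write_env_file() {
    env_file=$1
    jwt_key=$(gen_key)
    keyseed=$(gen_key)
    is_valid_key "$jwt_key" && is_valid_key "$keyseed" || return 1
    (
        umask 077    # a newly created file is readable by the owner only
        printf 'JWT_KEY=%s\nKEYSEED=%s\n' "$jwt_key" "$keyseed" > "$env_file"
    )
    chmod 600 "$env_file"    # also tighten a file that already existed
}
```

Call `write_env_file /path/to/openencoder.env` and load that file into the environment of the openencoder processes in whatever way your deployment sets environment variables.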


Protect Database Access

  • Set DATABASE_USER and DATABASE_PASSWORD
  • Set CLOUDINIT_DATABASE_USER and CLOUDINIT_DATABASE_PASSWORD.

Set up HTTPS via LetsEncrypt
