Closed rare-magma closed 3 months ago
Looking forward to merging this!
@Ahwxorg I just fixed an issue I noticed during testing, it should be ready for review now.
@prplwtf and @davidovski, can you review?
(I would request a review from you using GH's built-in stuff, but you need to be a collaborator for that)
LGTM
Don't really know that much about docker, but from what I've seen these changes seem reasonable
Alright, thanks, merging :)
Most of that stuff doesn't really make sense since it just defaults to nobody user, which has even less privileges than the isolated nginx user.
Also, doesn't the healthcheck kind of... not do anything? If a serious problem occurs, the container would crash the same way and it's not checking if Pinterest might've blocked the IP because Binternet doesn't connect to anything on index page.
In favour of most of the changes in the compose file though.
@codedipper a composite healthcheck (checking whether pinterest is reachable or not) would indeed be more useful, it should be fairly easy to implement.
Still haven't seen a single incident of a Binternet instance being blocked though.
This PR hardens the security of the container by:
It also adds a default healthcheck command
For more info see https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-3-limit-capabilities-grant-only-specific-capabilities-needed-by-a-container
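A hardened compose service of the kind discussed in this thread, with the composite healthcheck @codedipper asked for, as an added example (it is not the project's own compose file). The image name, the listening port (8080, unprivileged, so no capability needs adding back) and the availability of a TLS-capable `wget --spider` in the image are assumptions.

```yaml
# Added example, not Binternet's compose file. Follows the OWASP rule linked
# above (drop all capabilities, grant only what is needed) and replaces a
# local-only healthcheck with one that also verifies Pinterest is reachable.
# Assumptions: image name is a placeholder, app listens on 8080 as an
# unprivileged user, and the image ships BusyBox/GNU wget with TLS support.
services:
  binternet:
    image: binternet:latest            # placeholder image name
    read_only: true                    # immutable root filesystem
    tmpfs:                             # scratch paths nginx still needs to write
      - /tmp
      - /var/cache/nginx
      - /var/run
    cap_drop:
      - ALL                            # no capabilities at all; add NET_BIND_SERVICE only for ports < 1024
    security_opt:
      - no-new-privileges:true         # setuid binaries cannot raise privileges
    ports:
      - "127.0.0.1:8080:8080"          # loopback only; put a reverse proxy in front
    healthcheck:
      # Composite check: unhealthy if the local index page fails OR if
      # pinterest.com is unreachable (e.g. the instance's IP got blocked).
      test:
        - CMD-SHELL
        - "wget -q --spider http://127.0.0.1:8080/ && wget -q --spider https://www.pinterest.com/ || exit 1"
      interval: 60s
      timeout: 10s
      retries: 3
      start_period: 15s
```

`docker compose ps` then reports the service as `unhealthy` after three consecutive failures, which a monitor can alert on instead of waiting for the container to crash.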