Ahwxorg / Binternet

A custom Pinterest frontend, made in PHP.
GNU General Public License v3.0

feat: harden security #37

Closed rare-magma closed 3 months ago

rare-magma commented 3 months ago

This PR hardens the security of the container by:

It also adds a default healthcheck command

For more info see https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-3-limit-capabilities-grant-only-specific-capabilities-needed-by-a-container

Ahwxorg commented 3 months ago

Looking forward to merging this!

rare-magma commented 3 months ago

@Ahwxorg I just fixed an issue I noticed during testing, it should be ready for review now.

Ahwxorg commented 3 months ago

@prplwtf and @davidovski, can you review?

(I would request a review from you using GH's built-in stuff, but you need to be a collaborator for that)

prplwtf commented 3 months ago

LGTM

davidovski commented 3 months ago

Don't really know that much about Docker, but from what I've seen these changes seem reasonable

Ahwxorg commented 3 months ago

Alright, thanks, merging :)

codedipper commented 1 month ago

Most of that stuff doesn't really make sense since it just defaults to nobody user, which has even less privileges than the isolated nginx user. Also, doesn't the healthcheck kind of... not do anything? If a serious problem occurs, the container would crash the same way and it's not checking if Pinterest might've blocked the IP because Binternet doesn't connect to anything on index page. In favour of most of the changes in the compose file though.

rare-magma commented 1 month ago

@codedipper a composite healthcheck (checking whether Pinterest is reachable or not) would indeed be more useful; it should be fairly easy to implement.

codedipper commented 1 month ago

@codedipper a composite healthcheck (checking whether Pinterest is reachable or not) would indeed be more useful; it should be fairly easy to implement.

Still haven't seen a single incident of a Binternet instance being blocked though.
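A composite healthcheck of the kind discussed in this thread (local frontend up AND upstream reachable, with a 403/429 from upstream treated as "blocked"), added here as an example; it is not the project's code or part of the PR, it assumes curl is present in the image, and both URLs are placeholders:

```shell
#!/bin/sh
# Composite healthcheck for a Binternet-style container: healthy only when the
# local frontend answers AND the upstream site is reachable and not blocking us.
# Assumptions: curl exists in the image; both URLs below are placeholders.

LOCAL_URL="${LOCAL_URL:-http://127.0.0.1:80/}"
UPSTREAM_URL="${UPSTREAM_URL:-https://www.pinterest.com/}"

# probe URL: print the HTTP status code, or 000 when no connection was made
# (also covers a missing curl binary, so the check fails closed).
probe() {
  code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$1" 2>/dev/null) || true
  echo "${code:-000}"
}

# classify LOCAL_CODE UPSTREAM_CODE: return 0 if healthy, 1 otherwise.
# The reason is printed so `docker inspect` shows why the state flipped.
classify() {
  case "$1" in
    2??|3??) ;;
    *) echo "unhealthy: frontend returned $1"; return 1 ;;
  esac
  case "$2" in
    2??|3??) echo "healthy"; return 0 ;;
    403|429) echo "unhealthy: upstream blocking requests ($2)"; return 1 ;;
    *)       echo "unhealthy: upstream unreachable ($2)"; return 1 ;;
  esac
}

composite_healthcheck() {
  classify "$(probe "$LOCAL_URL")" "$(probe "$UPSTREAM_URL")"
}

# Dockerfile wiring (assumed, not from the PR):
#   HEALTHCHECK --interval=60s --timeout=15s CMD sh /healthcheck.sh run
if [ "${1:-}" = "run" ]; then
  composite_healthcheck
fi
```

Because every interval now sends one request upstream, keep the interval long so the check itself does not become the reason the IP gets rate-limited.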