feat: security hardening and HTTPS/SSO infrastructure configs
Deploy Dashboard / deploy (push) Successful in 1m28s

- Narrow trusted proxies, remove overly broad 10.0.0.0/8
- Fail closed on missing SSH known_hosts in terminal proxy
- Add Navidrome reverse proxy headers for Authelia SSO
- Add Gitea docker-compose definition
- Add Caddy configs for NAS and VPS edge proxies
- Add dnsmasq split-horizon DNS config
- Add security execution plan document
This commit is contained in:
Gan, Jimmy
2026-02-28 22:25:39 +08:00
parent 8c30fb7a3a
commit 3fd045aacb
8 changed files with 338 additions and 4 deletions
+1 -1
View File
@@ -61,7 +61,7 @@ def is_lan_ip(ip_str: str) -> bool:
except ValueError:
return False
TRUSTED_PROXIES = os.environ.get("TRUSTED_PROXIES", "127.0.0.1,::1,172.16.0.0/12,10.0.0.0/8").split(",")
TRUSTED_PROXIES = os.environ.get("TRUSTED_PROXIES", "127.0.0.1,::1,172.16.0.0/12").split(",")
def is_trusted_proxy(ip_str: str) -> bool:
import ipaddress
+9 -3
View File
@@ -21,12 +21,14 @@ HOSTS = {
"command": "/volume1/@appstore/ContainerManager/usr/bin/docker exec -it claude-dev bash"},
}
# Load known_hosts once at import time
_known_hosts = None
# Load known_hosts once at import time — fail closed if missing
_known_hosts_available = False
try:
_known_hosts = asyncssh.read_known_hosts(config.SSH_KNOWN_HOSTS)
_known_hosts_available = True
except Exception:
logger.warning("SSH known_hosts file not found at %s — host key verification disabled", config.SSH_KNOWN_HOSTS)
_known_hosts = None
logger.error("SSH known_hosts file not found at %s — terminal connections will be refused", config.SSH_KNOWN_HOSTS)
async def ws_endpoint(websocket: WebSocket, host: str = Query("nas")):
@@ -43,6 +45,10 @@ async def ws_endpoint(websocket: WebSocket, host: str = Query("nas")):
await websocket.close(code=1008, reason="Unauthorized")
return
if not _known_hosts_available:
await websocket.close(code=1011, reason="SSH host verification unavailable")
return
if len(_active_sessions) >= MAX_SESSIONS:
await websocket.close(code=1013, reason="Too many sessions")
return