feat: security hardening and HTTPS/SSO infrastructure configs
Deploy Dashboard / deploy (push) Successful in 1m28s
Deploy Dashboard / deploy (push) Successful in 1m28s
- Narrow trusted proxies, remove overly broad 10.0.0.0/8 - Fail closed on missing SSH known_hosts in terminal proxy - Add Navidrome reverse proxy headers for Authelia SSO - Add Gitea docker-compose definition - Add Caddy configs for NAS and VPS edge proxies - Add dnsmasq split-horizon DNS config - Add security execution plan document
This commit is contained in:
@@ -21,12 +21,14 @@ HOSTS = {
|
||||
"command": "/volume1/@appstore/ContainerManager/usr/bin/docker exec -it claude-dev bash"},
|
||||
}
|
||||
|
||||
# Load known_hosts once at import time
|
||||
_known_hosts = None
|
||||
# Load known_hosts once at import time — fail closed if missing
|
||||
_known_hosts_available = False
|
||||
try:
|
||||
_known_hosts = asyncssh.read_known_hosts(config.SSH_KNOWN_HOSTS)
|
||||
_known_hosts_available = True
|
||||
except Exception:
|
||||
logger.warning("SSH known_hosts file not found at %s — host key verification disabled", config.SSH_KNOWN_HOSTS)
|
||||
_known_hosts = None
|
||||
logger.error("SSH known_hosts file not found at %s — terminal connections will be refused", config.SSH_KNOWN_HOSTS)
|
||||
|
||||
|
||||
async def ws_endpoint(websocket: WebSocket, host: str = Query("nas")):
|
||||
@@ -43,6 +45,10 @@ async def ws_endpoint(websocket: WebSocket, host: str = Query("nas")):
|
||||
await websocket.close(code=1008, reason="Unauthorized")
|
||||
return
|
||||
|
||||
if not _known_hosts_available:
|
||||
await websocket.close(code=1011, reason="SSH host verification unavailable")
|
||||
return
|
||||
|
||||
if len(_active_sessions) >= MAX_SESSIONS:
|
||||
await websocket.close(code=1013, reason="Too many sessions")
|
||||
return
|
||||
|
||||
Reference in New Issue
Block a user