From 0b22209c966ddd1a67d09f5c0c8e7cea4fa484f5 Mon Sep 17 00:00:00 2001 From: bunkerity Date: Fri, 9 Apr 2021 16:22:31 +0200 Subject: [PATCH] documentation - userns remap feature --- README.md | 25 +++++++++++++++++++++---- {scripts => entrypoint}/permissions.sh | 0 2 files changed, 21 insertions(+), 4 deletions(-) rename {scripts => entrypoint}/permissions.sh (100%) diff --git a/README.md b/README.md index 5417c01..b7056fd 100644 --- a/README.md +++ b/README.md @@ -440,12 +440,29 @@ When `USE_ANTIBOT` is set to *captcha*, every users visiting your website must c ## Hardening +### Drop capabilities By default, *bunkerized-nginx* runs as non-root user inside the container and should not use any of the default [capabilities](https://docs.docker.com/engine/security/#linux-kernel-capabilities) allowed by Docker. You can safely remove all capabilities to harden the container : ```shell docker run ... --drop-cap=all ... bunkerity/bunkerized-nginx ``` +## User namespace remap +Another hardening trick is [user namespace remapping](https://docs.docker.com/engine/security/userns-remap/) : it allows you to map the UID/GID of users inside a container to another UID/GID on the host. For example, you can map the user nginx with UID 101 inside the container to a non-existent user with UID 100101 on the host. + +Let's assume you have the /etc/subuid and /etc/subgid like this : +``` +user:100000:65536 +``` +It means that everything done inside the container will be remapped to UID/GID 100101 (100000 + 101) on the host. + +Please note that you must set the rights on the volumes (e.g. : /etc/letsencrypt, /www, ...) according to the remapped UID/GID : +```shell +$ chown root:100101 /path/to/letsencrypt +$ chmod 770 /path/to/letsencrypt +$ docker run ... -v /path/to/letsencrypt:/etc/letsencrypt ... bunkerity/bunkerized-nginx +``` + # Tutorials and examples You will find some docker-compose examples in the [examples directory](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples). @@ -1234,18 +1251,18 @@ The list of reverse DNS suffixes to blacklist when `USE_BLACKLIST_REVERSE` is se Values : *yes* | *no* Default value : *yes* Context : *global*, *multisite* -If set to yes, the amount of HTTP requests made by a user will be limited during a period of time. -More info rate limiting [here](https://www.nginx.com/blog/rate-limiting-nginx/). +If set to yes, the amount of HTTP requests made by a user for a given resource will be limited during a period of time. +More info rate limiting [here](https://www.nginx.com/blog/rate-limiting-nginx/) (the key used is $binary_remote_addr$uri). `LIMIT_REQ_RATE` Values : *Xr/s* | *Xr/m* -Default value : *20r/s* +Default value : *1r/s* Context : *global*, *multisite* The rate limit to apply when `USE_LIMIT_REQ` is set to *yes*. Default is 10 requests per second. `LIMIT_REQ_BURST` Values : ** -Default value : *40* +Default value : *2* Context : *global*, *multisite* The number of requests to put in queue before rejecting requests. diff --git a/scripts/permissions.sh b/entrypoint/permissions.sh similarity index 100% rename from scripts/permissions.sh rename to entrypoint/permissions.sh