
Only real change here is making MRF rejects log as debug instead of info (https://akkoma.dev/AkkomaGang/akkoma/issues/234). I don't know if it's the best way to do it, but it seems it's just MRF using this and almost always this is intended. The rest are just minor docs changes and syncing the restricted nicknames stuff. I compiled and ran my changes with Docker and they all work.

Co-authored-by: r3g_5z <june@terezi.dev>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/313
Co-authored-by: @r3g_5z@plem.sapphic.site <june@girlboss.ceo>
Co-committed-by: @r3g_5z@plem.sapphic.site <june@girlboss.ceo>
Hardening your instance
Here are some suggestions which improve the security of parts of your Akkoma instance.
Configuration file
These changes should go into `prod.secret.exs` or `dev.secret.exs`, depending on your `MIX_ENV` value.
http
Recommended value: `[ip: {127, 0, 0, 1}]`
This sets the Akkoma application server to only listen to the localhost interface. This way, you can only reach your server over the Internet by going through the reverse proxy. By default, Akkoma listens on all interfaces.
secure_cookie_flag
Recommended value: `true`

This sets the `secure` flag on Akkoma's session cookie. This makes sure that the cookie is only accepted over encrypted HTTPS connections. This implicitly renames the cookie from `pleroma_key` to `__Host-pleroma-key`, which enforces some restrictions (see cookie prefixes).
:http_security
Recommended value: `true`

This will send additional HTTP security headers to the clients, including:

```
X-XSS-Protection: "0"
X-Permitted-Cross-Domain-Policies: "none"
X-Frame-Options: "DENY"
X-Content-Type-Options: "nosniff"
```

A content security policy (CSP) will also be set:

```
content-security-policy:
  default-src 'none';
  base-uri 'none';
  frame-ancestors 'none';
  img-src 'self' data: blob: https:;
  media-src 'self' https:;
  style-src 'self' 'unsafe-inline';
  font-src 'self';
  script-src 'self';
  connect-src 'self' wss://example.tld;
  manifest-src 'self';
  upgrade-insecure-requests;
```
sts
Recommended value: `true`

An additional "Strict transport security" header will be sent with the configured `sts_max_age` parameter. This tells the browser that the domain should only be accessed over a secure HTTPS connection.
referrer_policy
Recommended value: `same-origin`

If you click on a link, your browser's request to the other site will include where it is coming from. The "Referrer policy" header tells the browser how and if it should send this information (see Referrer policy). `no-referrer` can be used if a referrer is not needed, for improved privacy.
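As an added example (not part of the Akkoma docs or code base), a small Python audit that checks a captured set of response headers against the `:http_security`, `sts` and `referrer_policy` recommendations above. The one-year minimum for the STS `max-age` is an assumed threshold, and the sample headers are constructed.

```python
# Headers :http_security adds, with the values the docs list (compared case-insensitively by name).
EXPECTED_STATIC = {"x-xss-protection": "0", "x-permitted-cross-domain-policies": "none",
                   "x-frame-options": "DENY", "x-content-type-options": "nosniff"}
# CSP directives whose sources must match exactly; img-src, connect-src etc. vary per instance.
EXPECTED_CSP = {"default-src": {"'none'"}, "base-uri": {"'none'"},
                "frame-ancestors": {"'none'"}, "script-src": {"'self'"}}

def parse_csp(value: str) -> dict[str, set[str]]:
    """Turn "default-src 'none'; script-src 'self'" into {directive: {sources}}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = set(tokens[1:])
    return policy

def audit_headers(headers: dict[str, str], min_sts_age: int = 31536000) -> list[str]:
    """One finding per deviation; an empty list means the response is hardened.
    min_sts_age (one year) is an assumed threshold, not a value from the docs."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, want in EXPECTED_STATIC.items():
        if hdrs.get(name, "").strip('"') != want:
            findings.append(f"{name}: expected {want!r}, got {hdrs.get(name)!r}")
    csp = parse_csp(hdrs.get("content-security-policy", ""))
    for directive, want in EXPECTED_CSP.items():
        if csp.get(directive) != want:
            findings.append(f"csp {directive}: expected {sorted(want)}, got {sorted(csp.get(directive, []))}")
    if "upgrade-insecure-requests" not in csp:
        findings.append("csp: upgrade-insecure-requests missing")
    age = 0  # max-age from Strict-Transport-Security; a missing header leaves it at 0
    for directive in hdrs.get("strict-transport-security", "").split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            age = int(val)
    if age < min_sts_age:
        findings.append(f"strict-transport-security: max-age {age} below {min_sts_age}")
    if hdrs.get("referrer-policy") not in ("same-origin", "no-referrer"):
        findings.append(f"referrer-policy: got {hdrs.get('referrer-policy')!r}")
    return findings

# Constructed sample: the headers a correctly hardened instance would return (CSP abbreviated).
HARDENED = {
    "X-XSS-Protection": "0", "X-Permitted-Cross-Domain-Policies": "none",
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; base-uri 'none'; frame-ancestors 'none'; "
    "img-src 'self' data: blob: https:; script-src 'self'; connect-src 'self' wss://example.tld; "
    "upgrade-insecure-requests;",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "same-origin",
}
```

Run `audit_headers()` over the headers of a real response (for example from `curl -I`) to confirm the settings above actually reach clients through your reverse proxy.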
systemd
A systemd unit example is provided at `installation/akkoma.service`.
PrivateTmp
Recommended value: `true`

Use private `/tmp` and `/var/tmp` folders inside a new file system namespace, which are discarded after the process stops.
ProtectHome
Recommended value: `true`

The `/home`, `/root`, and `/run/user` folders cannot be accessed by this service anymore. If your Akkoma user has its home folder in one of the restricted places, or uses one of these folders as its working directory, you have to set this to `false`.
ProtectSystem
Recommended value: `full`

Mount `/usr`, `/boot`, and `/etc` as read-only for processes invoked by this service.
PrivateDevices
Recommended value: `true`

Sets up a new `/dev` mount for the process and only adds API pseudo devices like `/dev/null`, `/dev/zero` or `/dev/random`, but not physical devices. This may not work on devices like the Raspberry Pi, where you need to set this to `false`.
NoNewPrivileges
Recommended value: `true`

Ensures that the service process and all its children can never gain new privileges through `execve()`.
CapabilityBoundingSet
Recommended value: `~CAP_SYS_ADMIN`

Drops the `CAP_SYS_ADMIN` capability from the daemon's capability bounding set, so neither the service nor its children can regain it.