Add caveats

Add usage caveats to the README file and manpage.
Felix Niederwanger 2023-05-28 11:45:17 +02:00
parent a4e21288db
commit 4c592cd1b7
Signed by: phoenix
GPG key ID: 31860289A704FB3C
2 changed files with 27 additions and 1 deletions


@ -2,7 +2,7 @@
Webhook receiver program. `weblug` is is a configurable webhook receiver that allows users to define custom programs and script to be executed when a webhook is triggered.
The configuration happens via a [yaml file](weblug.yml).
The configuration happens via a [yaml file](weblug.yml). Read the [usage caveats](#caveats)!
`weblug` supports multiple webhooks, limitations for concurrent web hooks to be executed, background execution and running webhooks as separate user (`uid`/`gid`).
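Review bot: The pointer to the caveats is appended to the end of the "yaml file" sentence, where it is easy to miss even though the section it links to covers missing transport encryption and running as root. Consider giving it its own line near the top of the README. The paragraph is already being edited, so the unchanged first line could be fixed in the same commit: it still reads "is is" and "programs and script".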
@ -16,6 +16,22 @@ This starts the webserver and listens for incoming webhooks.
`weblug` can run as any user, however for custom `uid`/`gid` webhooks, the program needs to run as root.
### Caveats
1. `weblug` does not support https encryption!
weblug is expected to run behind a http reverse proxy (e.g. `apache` or `nginx`) which handles transport encryption. The program it self does not support https, nor are there any plans to implement this in the near future.
CAVE: Don't expose secrets and credentials by running this without any transport encryption!
2. Do not run this without reverse proxy
`weblug` relies on the standart go http implementation. To avoid a whole class of securtiy concerns, `weblug` should never run on the open internet without a http reverse proxy.
3. `weblug` runs as root, when using custom UID/GIDs
In it's current implementation, `weblug` requires to remain running as root without dropping privileges when using custom UID/GIDs. This is a current limitation that will be hopefully resolved soon.
## Build
make # Build weblug
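Review bot: Caveats 1 and 2 both rely on a reverse proxy, but neither says that weblug's own listener must be unreachable from outside the host; if the plain-http port stays reachable, the proxy can simply be bypassed. A sentence telling the reader to keep the listener on a local address or behind a firewall would close that gap. Caveat 3 should also state which user a hook without a custom `uid`/`gid` runs as while weblug stays root, since that decides how serious the limitation is. Spelling in the added lines: "standart", "securtiy", "it self", "In it's"; "CAVE:" may not be understood by all readers, "Warning:" is clearer.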


@ -18,6 +18,16 @@ The system daemon uses the /etc/weblug.yml file. To enable the daemon, edit /etc
.B -h|--help
Print help message
.SH CAVEATS
1. weblug should always run behind a http reverse proxy to avoid a whole class of security issues by using the standart go webserver implementation.
2. weblug does not support transport encryption (https). To protect access credentials/tokens, it must run behind a http reverse proxy with configured transport encryption.
3. weblug should not be exposed to the public internet.
4. Custom UID/GIDs for webhook require weblug to run as root.
.SH CONFIGURATION FILES
.TP
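Review bot: The CAVEATS list does not match the README section added in the same commit. Item 3 says weblug "should not be exposed to the public internet" without qualification, while the README only warns against doing so without a reverse proxy, and item 4 omits the README's statement that weblug keeps running as root without dropping privileges. Please align the two texts so the manpage does not give different advice. If the numbered items are consecutive input lines as shown, roff will fill them into a single paragraph; separating them with `.PP` or `.IP` keeps the list readable. "standart" in item 1 should be "standard".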