Add caveats
Add usage caveats to the README file and manpage.
parent
a4e21288db
commit
4c592cd1b7
18
README.md
|
@ -2,7 +2,7 @@
|
|||
|
||||
Webhook receiver program. `weblug` is is a configurable webhook receiver that allows users to define custom programs and script to be executed when a webhook is triggered.
|
||||
|
||||
The configuration happens via a [yaml file](weblug.yml).
|
||||
The configuration happens via a [yaml file](weblug.yml). Read the [usage caveats](#caveats)!
|
||||
|
||||
`weblug` supports multiple webhooks, limitations for concurrent web hooks to be executed, background execution and running webhooks as separate user (`uid`/`gid`).
|
||||
|
||||
|
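Review bot: The sentence appended to the configuration line, "Read the [usage caveats](#caveats)!", only points elsewhere, so a reader who stops at the introduction still does not learn the constraint that matters. Consider saying it here in a few words, for example that weblug speaks plain http only and is meant to sit behind a reverse proxy, and keep the link for the details. The unchanged first line of this hunk still reads "`weblug` is is a configurable webhook receiver" and "programs and script"; both could be fixed in the same commit.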
@ -16,6 +16,22 @@ This starts the webserver and listens for incoming webhooks.
|
|||
|
||||
`weblug` can run as any user, however for custom `uid`/`gid` webhooks, the program needs to run as root.
|
||||
|
||||
### Caveats
|
||||
|
||||
1. `weblug` does not support https encryption!
|
||||
|
||||
weblug is expected to run behind a http reverse proxy (e.g. `apache` or `nginx`) which handles transport encryption. The program it self does not support https, nor are there any plans to implement this in the near future.
|
||||
|
||||
CAVE: Don't expose secrets and credentials by running this without any transport encryption!
|
||||
|
||||
2. Do not run this without reverse proxy
|
||||
|
||||
`weblug` relies on the standart go http implementation. To avoid a whole class of securtiy concerns, `weblug` should never run on the open internet without a http reverse proxy.
|
||||
|
||||
3. `weblug` runs as root, when using custom UID/GIDs
|
||||
|
||||
In it's current implementation, `weblug` requires to remain running as root without dropping privileges when using custom UID/GIDs. This is a current limitation that will be hopefully resolved soon.
|
||||
|
||||
## Build
|
||||
|
||||
make # Build weblug
|
||||
|
|
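Review bot: Caveat 2 justifies the reverse proxy with "a whole class of securtiy concerns" but never names them, so an operator cannot tell what the proxy has to be configured to do beyond the transport encryption already covered in caveat 1. Name the concerns you have in mind, or fold caveats 1 and 2 into one item, since both end in the same instruction. Caveat 3 states that weblug stays root without dropping privileges but gives no interim advice; a sentence on what to do until that is resolved would help. The README lists three caveats while doc/weblug.8 in this same commit lists four, so the two should be aligned. Spelling in the added lines: "standart", "securtiy", "it self", "In it's"; "CAVE:" would read more clearly as "Warning:".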
10
doc/weblug.8
|
@ -18,6 +18,16 @@ The system daemon uses the /etc/weblug.yml file. To enable the daemon, edit /etc
|
|||
.B -h|--help
|
||||
Print help message
|
||||
|
||||
.SH CAVEATS
|
||||
|
||||
1. weblug should always run behind a http reverse proxy to avoid a whole class of security issues by using the standart go webserver implementation.
|
||||
|
||||
2. weblug does not support transport encryption (https). To protect access credentials/tokens, it must run behind a http reverse proxy with configured transport encryption.
|
||||
|
||||
3. weblug should not be exposed to the public internet.
|
||||
|
||||
4. Custom UID/GIDs for webhook require weblug to run as root.
|
||||
|
||||
.SH CONFIGURATION FILES
|
||||
|
||||
.TP
|
||||
|
|
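Review bot: Item 1 of the new CAVEATS section is ambiguous: "to avoid a whole class of security issues by using the standart go webserver implementation" can be read as saying that using the standard implementation is what avoids the issues, the opposite of what the README text means. Reword it along the lines of "weblug uses the standard go http implementation and should therefore always run behind a http reverse proxy". Item 4 says custom UID/GIDs require root but omits what the README adds, that weblug keeps running as root without dropping privileges; the manpage should carry that too. Items 1 and 3 overlap, and the numbering and order differ from the README list. "standart" should be "standard".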