Merge pull request 'Add caveats' (#12) from caveats into main
Reviewed-on: https://codeberg.org/grisu48/weblug/pulls/12
This commit is contained in:
Felix Niederwanger
commit
6a2e03ca5a
18
README.md
18
README.md
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
Webhook receiver program. `weblug` is is a configurable webhook receiver that allows users to define custom programs and script to be executed when a webhook is triggered.
|
||||
|
||||
The configuration happens via a [yaml file](weblug.yml).
|
||||
The configuration happens via a [yaml file](weblug.yml). Read the [usage caveats](#caveats)!
|
||||
|
||||
`weblug` supports multiple webhooks, limitations for concurrent web hooks to be executed, background execution and running webhooks as separate user (`uid`/`gid`).
|
||||
|
||||
|
|
@ -16,6 +16,22 @@ This starts the webserver and listens for incoming webhooks.
|
|||
|
||||
`weblug` can run as any user, however for custom `uid`/`gid` webhooks, the program needs to run as root.
|
||||
|
||||
### Caveats
|
||||
|
||||
1. `weblug` does not support https encryption!
|
||||
|
||||
weblug is expected to run behind a http reverse proxy (e.g. `apache` or `nginx`) which handles transport encryption. The program it self does not support https, nor are there any plans to implement this in the near future.
|
||||
|
||||
CAVE: Don't expose secrets and credentials by running this without any transport encryption!
|
||||
|
||||
2. Do not run this without reverse proxy
|
||||
|
||||
`weblug` relies on the standart go http implementation. To avoid a whole class of securtiy concerns, `weblug` should never run on the open internet without a http reverse proxy.
|
||||
|
||||
3. `weblug` runs as root, when using custom UID/GIDs
|
||||
|
||||
In it's current implementation, `weblug` requires to remain running as root without dropping privileges when using custom UID/GIDs. This is a current limitation that will be hopefully resolved soon.
|
||||
|
||||
## Build
|
||||
|
||||
make # Build weblug
|
||||
|
|
|
|||
10
doc/weblug.8
10
doc/weblug.8
|
|
@ -18,6 +18,16 @@ The system daemon uses the /etc/weblug.yml file. To enable the daemon, edit /etc
|
|||
.B -h|--help
|
||||
Print help message
|
||||
|
||||
.SH CAVEATS
|
||||
|
||||
1. weblug should always run behind a http reverse proxy to avoid a whole class of security issues by using the standart go webserver implementation.
|
||||
|
||||
2. weblug does not support transport encryption (https). To protect access credentials/tokens, it must run behind a http reverse proxy with configured transport encryption.
|
||||
|
||||
3. weblug should not be exposed to the public internet.
|
||||
|
||||
4. Custom UID/GIDs for webhook require weblug to run as root.
|
||||
|
||||
.SH CONFIGURATION FILES
|
||||
|
||||
.TP
|
||||
|
|
|
|||
Loading…
Reference in a new issue