├── .github ├── dependabot.yml └── workflows │ ├── approve.yml │ ├── pr.yaml │ ├── release.yaml │ ├── security.yaml │ └── versionpush.yaml ├── Dockerfile ├── LICENSE ├── README.md ├── example ├── Dockerfile └── nginx.conf └── post-install.sh /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: github-actions 4 | directory: "/" 5 | schedule: 6 | interval: daily 7 | time: '04:00' 8 | open-pull-requests-limit: 10 9 | - package-ecosystem: docker 10 | directory: "/." 11 | schedule: 12 | interval: daily 13 | time: '04:00' 14 | commit_message: 15 | prefix: "feat" 16 | open-pull-requests-limit: 10 17 | -------------------------------------------------------------------------------- /.github/workflows/approve.yml: -------------------------------------------------------------------------------- 1 | on: pull_request_target 2 | name: Approver 3 | 4 | jobs: 5 | 6 | approve: 7 | name: Dependabot PR Auto-approve 8 | if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]' 9 | runs-on: ubuntu-latest 10 | steps: 11 | - 12 | uses: hmarr/auto-approve-action@v2.1.0 13 | with: 14 | github-token: "${{ secrets.GITHUB_TOKEN }}" 15 | -------------------------------------------------------------------------------- /.github/workflows/pr.yaml: -------------------------------------------------------------------------------- 1 | 2 | on: pull_request 3 | name: pull request checks 4 | jobs: 5 | dockerfilelint: 6 | name: dockerfile lint 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: actions/checkout@v3.1.0 10 | - name: hadolint 11 | uses: burdzwastaken/hadolint-action@1.14.0 12 | env: 13 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 14 | HADOLINT_ACTION_DOCKERFILE_FOLDER: . 15 | 16 | dockerbuild: 17 | name: docker build 18 | runs-on: ubuntu-latest 19 | steps: 20 | - uses: actions/checkout@v3.1.0 21 | - name: extract tag 22 | id: vars 23 | run: echo ::set-output name=debian_version::$(grep '^FROM debian' Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2) 24 | - name: Build docker image 25 | run: | 26 | docker build . --file Dockerfile --tag image:${{ steps.vars.outputs.debian_version }} 27 | docker save --output image.tar image:${{ steps.vars.outputs.debian_version }} 28 | - name: Squash docker image 29 | run: | 30 | wget https://github.com/jwilder/docker-squash/releases/download/v0.2.0/docker-squash-linux-amd64-v0.2.0.tar.gz 31 | tar -C . -xzvf docker-squash-linux-amd64-v0.2.0.tar.gz 32 | mkdir -p image/ 33 | sudo ./docker-squash -i image.tar -t image:${{ steps.vars.outputs.debian_version }} -verbose -o image/image.tar 34 | rm image.tar 35 | - name: cache docker image 36 | uses: actions/cache@v2.1.7 37 | with: 38 | path: image/ 39 | key: ${{ runner.os }}-docker-${{ github.sha }} 40 | 41 | dockerscan: 42 | name: docker security scan 43 | runs-on: ubuntu-latest 44 | needs: dockerbuild 45 | steps: 46 | - uses: actions/checkout@v3.1.0 47 | - name: extract tag 48 | id: vars 49 | run: echo ::set-output name=debian_version::$(grep '^FROM debian' Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2) 50 | - name: load cached docker image 51 | uses: actions/cache@v2.1.7 52 | with: 53 | path: image/ 54 | key: ${{ runner.os }}-docker-${{ github.sha }} 55 | - name: load cached docker container 56 | run: docker load -i image/image.tar 57 | - name: cached scan db 58 | uses: actions/cache@v2.1.7 59 | with: 60 | path: vulndb/ 61 | key: trivy-vulndb 62 | - name: Install Trivy 63 | run: | 64 | trivyRelease="$(curl -s "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | cut -d 'v' -f 2)" 65 | wget https://github.com/aquasecurity/trivy/releases/download/v${trivyRelease}/trivy_${trivyRelease}_Linux-64bit.tar.gz 66 | tar zxvf trivy_${trivyRelease}_Linux-64bit.tar.gz 67 | - name: Scan 68 | run: ./trivy --exit-code 1 --no-progress --severity HIGH,CRITICAL,MEDIUM --cache-dir vulndb/ image:${{ steps.vars.outputs.debian_version }} 69 | -------------------------------------------------------------------------------- /.github/workflows/release.yaml: -------------------------------------------------------------------------------- 1 | on: 2 | push: 3 | branches: 4 | - master 5 | 6 | name: Publish Image 7 | jobs: 8 | dockerpush: 9 | name: docker build 10 | runs-on: ubuntu-latest 11 | steps: 12 | - 13 | uses: actions/checkout@v3.1.0 14 | - 15 | uses: go-semantic-release/action@v1.21 16 | id: version 17 | with: 18 | github-token: ${{ secrets.GITHUB_TOKEN }} 19 | - 20 | run: echo "Pushing version ${{ steps.version.outputs.version }}" 21 | - 22 | name: Publish to Registry 23 | uses: elgohr/Publish-Docker-Github-Action@3.04 24 | with: 25 | registry: ghcr.io 26 | name: "ghcr.io/ironpeakservices/iron-debian:${{ steps.version.outputs.version }}" 27 | username: hazcod 28 | password: ${{ secrets.PACKAGE_TOKEN }} 29 | - 30 | name: Create GitHub release 31 | uses: actions/create-release@v1.1.4 32 | with: 33 | tag_name: ${{ steps.version.outputs.version }} 34 | release_name: iron-debian 35 | draft: false 36 | prerelease: false 37 | env: 38 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 39 | -------------------------------------------------------------------------------- /.github/workflows/security.yaml: -------------------------------------------------------------------------------- 1 | 2 | name: Security 3 | 4 | on: 5 | push: 6 | branches: [master] 7 | schedule: 8 | - cron: '0 11 * * 2' 9 | 10 | jobs: 11 | dockerscan: 12 | name: Docker Scan 13 | runs-on: ubuntu-latest 14 | steps: 15 | - 16 | uses: actions/checkout@v3.1.0 17 | - 18 | name: Set env 19 | run: echo ::set-env name=RELEASE_VERSION::$(git describe --tags $(git rev-list --tags --max-count=1)) 20 | - 21 | name: Docker login 22 | env: 23 | USER: hazcod 24 | REGISTRY: docker.pkg.github.com 25 | run: echo "${{ secrets.PACKAGE_TOKEN }}" | docker login -u "${USER}" --password-stdin "${REGISTRY}" 26 | - 27 | name: Docker pull 28 | run: docker pull "docker.pkg.github.com/ironpeakservices/iron-debian:${{ env.RELEASE_VERSION }}" 29 | - 30 | name: Run vulnerability scanner 31 | uses: aquasecurity/trivy-action@master 32 | with: 33 | image-ref: 'docker.pkg.github.com/ironpeakservices/iron-debian:${{ env.RELEASE_VERSION }}' 34 | format: 'template' 35 | template: '@/contrib/sarif.tpl' 36 | output: 'trivy-results.sarif' 37 | ignore-unfixed: true 38 | severity: 'CRITICAL,HIGH,MEDIUM' 39 | - 40 | name: Upload Trivy scan results to Security tab 41 | uses: github/codeql-action/upload-sarif@v1 42 | with: 43 | sarif_file: 'trivy-results.sarif' 44 | 45 | goscan: 46 | name: Go Scan 47 | runs-on: ubuntu-latest 48 | steps: 49 | - 50 | uses: actions/checkout@v3.1.0 51 | - 52 | run: git checkout HEAD^2 53 | if: ${{ github.event_name == 'pull_request' }} 54 | - 55 | name: Initialize CodeQL 56 | uses: github/codeql-action/init@v1 57 | with: 58 | languages: go 59 | - 60 | name: Perform CodeQL Analysis 61 | uses: github/codeql-action/analyze@v1 62 | -------------------------------------------------------------------------------- /.github/workflows/versionpush.yaml: -------------------------------------------------------------------------------- 1 | name: Create upstream version 2 | on: 3 | push: 4 | branches-ignore: 5 | - '**' 6 | tags: 7 | - '**' 8 | jobs: 9 | update-semver: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - uses: actions/checkout@v3.1.0 13 | - uses: haya14busa/action-update-semver@v1.2.1 14 | with: 15 | major_version_tag_only: false 16 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:11.6-slim 2 | 3 | # make a pipe fail on the first failure 4 | SHELL ["/bin/bash", "-o", "pipefail", "-c"] 5 | 6 | # The user the app should run as 7 | ENV APP_USER=app 8 | # The home directory 9 | ENV APP_DIR="/$APP_USER" 10 | # Where persistent data (volume) should be stored 11 | ENV DATA_DIR "$APP_DIR/data" 12 | # Where configuration should be stored 13 | ENV CONF_DIR "$APP_DIR/conf" 14 | 15 | # Update base system 16 | # hadolint ignore=DL3018,DL3009,DL3008 17 | RUN apt-get update \ 18 | && apt-get install -y --no-install-recommends ca-certificates \ 19 | && apt-get clean \ 20 | && find / -xdev -name '*apt*' -print0 | xargs rm -rf 21 | 22 | # Add custom user and setup home directory 23 | RUN adduser --shell /bin/true --uid 1000 --home $APP_DIR --gecos '' $APP_USER \ 24 | && mkdir "$DATA_DIR" "$CONF_DIR" \ 25 | && chown -R "$APP_USER" "$APP_DIR" "$CONF_DIR" \ 26 | && chmod 700 "$APP_DIR" "$DATA_DIR" "$CONF_DIR" 27 | 28 | # Remove existing crontabs, if any. 29 | RUN rm -fr /var/spool/cron \ 30 | && rm -fr /etc/crontabs \ 31 | && rm -fr /etc/periodic 32 | 33 | # Remove all but a handful of admin commands. 34 | RUN find /sbin /usr/sbin \ 35 | ! -type d -a ! -name apk -a ! -name ln \ 36 | -delete 37 | 38 | # Remove world-writeable permissions except for /tmp/ 39 | RUN find / -xdev -type d -perm /0002 -exec chmod o-w {} + \ 40 | && find / -xdev -type f -perm /0002 -exec chmod o-w {} + \ 41 | && chmod 777 /tmp/ \ 42 | && chown $APP_USER:root /tmp/ 43 | 44 | # Remove unnecessary accounts, excluding current app user and root 45 | RUN sed -i -r "/^($APP_USER|root|nobody)/!d" /etc/group \ 46 | && sed -i -r "/^($APP_USER|root|nobody)/!d" /etc/passwd 47 | 48 | # Remove interactive login shell for everybody 49 | RUN sed -i -r 's#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd 50 | 51 | # Disable password login for everybody 52 | RUN while IFS=: read -r username _; do passwd -l "$username"; done < /etc/passwd || true 53 | 54 | # Remove apt configs. -> Commented out because we need apk to install other stuff 55 | #RUN find /bin /etc /lib /sbin /usr \ 56 | # -xdev -type f -regex '.*apt.*' \ 57 | # ! -name apt \ 58 | # -exec rm -fr {} + 59 | 60 | # Remove temp shadow,passwd,group 61 | RUN find /bin /etc /lib /sbin /usr -xdev -type f -regex '.*-$' -exec rm -f {} + 62 | 63 | # Ensure system dirs are owned by root and not writable by anybody else. 64 | RUN find /bin /etc /lib /sbin /usr -xdev -type d \ 65 | -exec chown root:root {} \; \ 66 | -exec chmod 0755 {} \; 67 | 68 | # Remove suid & sgid files 69 | RUN find /bin /etc /lib /sbin /usr -xdev -type f -a \( -perm /4000 -o -perm /2000 \) -delete 70 | 71 | # Remove dangerous commands 72 | RUN find /bin /etc /lib /sbin /usr -xdev \( \ 73 | -name hexdump -o \ 74 | -name chgrp -o \ 75 | -name chown -o \ 76 | -name ln -o \ 77 | -name od -o \ 78 | -name strings -o \ 79 | -name su \ 80 | -name sudo \ 81 | \) -delete 82 | 83 | # Remove init scripts since we do not use them. 84 | RUN rm -fr /etc/init.d /lib/rc /etc/conf.d /etc/inittab /etc/runlevels /etc/rc.conf /etc/logrotate.d 85 | 86 | # Remove kernel tunables 87 | RUN rm -fr /etc/sysctl* /etc/modprobe.d /etc/modules /etc/mdev.conf /etc/acpi 88 | 89 | # Remove root home dir 90 | RUN rm -fr /root 91 | 92 | # Remove fstab 93 | RUN rm -f /etc/fstab 94 | 95 | # Remove any symlinks that we broke during previous steps 96 | RUN find /bin /etc /lib /sbin /usr -xdev -type l -exec test ! -e {} \; -delete 97 | 98 | # add-in post installation file for permissions 99 | COPY post-install.sh $APP_DIR/ 100 | RUN chmod 500 $APP_DIR/post-install.sh 101 | 102 | # default directory is /app 103 | WORKDIR $APP_DIR 104 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ironpeakservices/iron-debian 2 | Hardened debian linux baseimage for Docker. 3 | 4 | Note: If you use Golang/Rust/..., build statically and use [iron-scratch](https://github.com/ironpeakservices/iron-scratch). 5 | 6 | If you are using Java/Python/NodeJS/dotnet, use a [distroless image](https://github.com/GoogleContainerTools/distroless) instead. 7 | 8 | `docker pull ghcr.io/ironpeakservices/iron-debian:1.0.0` 9 | 10 | ## How is this different? 11 | - ca-certificates included 12 | - /app for everything app-related; /app/conf, /app/tmp, /app/data 13 | - no interactive shells for users 14 | - removed unneccessary accounts, only 'app' and 'root' users 15 | - removed crontabs 16 | - removed dangerous commands and utilities 17 | - strictened permissions on system files and directories 18 | - removed temporary shadow/passwd/group 19 | - removed suid/guid files 20 | - removed init scripts 21 | - removed kernel tunables 22 | - removed /root/ 23 | - removed fstab 24 | - post-install.sh: 25 | - removes apk manager after installation 26 | - sets permissions on /app after installation 27 | 28 | ## Example 29 | `docker pull ghcr.io/ironpeakservices/iron-debian:1.0.0` 30 | 31 | See [the nginx example](example/). 32 | 33 | ## Update policy 34 | Updates to the official debian docker image are automatically created as a pull request and trigger linting & a docker build. When those checks complete without errors, a merge into master will trigger a deploy with the same version to packages. 35 | 36 | ## Additional 37 | If you want, you can also enable vulnerability scanning during your build (for free). 38 | Take a look at https://github.com/aquasecurity/microscanner 39 | -------------------------------------------------------------------------------- /example/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM docker.pkg.github.com/ironpeakservices/iron-debian/iron-debian 2 | RUN apt-get install --yes --no-install-recommends nginx \ 3 | && rm -rf /etc/nginx /var/cache/nginx /var/log/nginx /var/cache/apk 4 | 5 | COPY nginx.conf $CONF_DIR/ 6 | 7 | RUN $APP_DIR/post-install.sh 8 | 9 | EXPOSE 8080 8443 10 | USER $APP_USER 11 | CMD ["nginx", "-c", "/app/conf/nginx.conf", "-g", "pid /app/tmp/nginx.pid; error_log /dev/stderr;", "-p", "/app"] 12 | -------------------------------------------------------------------------------- /example/nginx.conf: -------------------------------------------------------------------------------- 1 | # read more here http://tautt.com/best-nginx-configuration-for-security/ 2 | http { 3 | 4 | # don't send the nginx version number in error pages and Server header 5 | server_tokens off; 6 | 7 | # config to don't allow the browser to render the page inside an frame or iframe 8 | # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking 9 | # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri 10 | # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options 11 | add_header X-Frame-Options SAMEORIGIN; 12 | 13 | # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, 14 | # to disable content-type sniffing on some browsers. 15 | # https://www.owasp.org/index.php/List_of_useful_HTTP_headers 16 | # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx 17 | # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx 18 | # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 19 | add_header X-Content-Type-Options nosniff; 20 | 21 | # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. 22 | # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for 23 | # this particular website if it was disabled by the user. 24 | # https://www.owasp.org/index.php/List_of_useful_HTTP_headers 25 | add_header X-XSS-Protection "1; mode=block"; 26 | 27 | # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy), 28 | # you can tell the browser that it can only download content from the domains you explicitly allow 29 | # http://www.html5rocks.com/en/tutorials/security/content-security-policy/ 30 | # https://www.owasp.org/index.php/Content_Security_Policy 31 | # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval' 32 | # directives for css and js(if you have inline css or js, you will need to keep it too). 33 | # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful 34 | add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'"; 35 | 36 | # redirect all http traffic to https 37 | server { 38 | listen 8080 default_server; 39 | server_name .example.com; 40 | return 301 https://$host$request_uri; 41 | } 42 | 43 | server { 44 | listen 8443 ssl http2; 45 | server_name .forgott.com; 46 | 47 | #ssl_certificate /etc/nginx/ssl/star_forgott_com.crt; 48 | #ssl_certificate_key /etc/nginx/ssl/star_forgott_com.key; 49 | 50 | # enable session resumption to improve https performance 51 | # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html 52 | ssl_session_cache shared:SSL:50m; 53 | ssl_session_timeout 1d; 54 | ssl_session_tickets off; 55 | 56 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits 57 | ssl_dhparam /etc/nginx/ssl/dhparam.pem; 58 | 59 | # enables server-side protection from BEAST attacks 60 | # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html 61 | ssl_prefer_server_ciphers on; 62 | # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 63 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 64 | # ciphers chosen for forward secrecy and compatibility 65 | # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html 66 | ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; 67 | 68 | # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner) 69 | # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ 70 | resolver 8.8.8.8 8.8.4.4; 71 | ssl_stapling on; 72 | ssl_stapling_verify on; 73 | ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt; 74 | 75 | # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security 76 | # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping 77 | # also https://hstspreload.org/ 78 | add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; 79 | 80 | # ... the rest of your configuration 81 | } 82 | 83 | } -------------------------------------------------------------------------------- /post-install.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # fail if a command fails 4 | set -e 5 | set -o pipefail 6 | 7 | # remove apt package manager 8 | find / -type f -iname '*apt*' -xdev -delete 9 | find / -type d -iname '*apt*' -print0 -xdev | xargs -0 rm -r -- 10 | 11 | # set rx to all directories, except data directory/ 12 | find "$APP_DIR" -type d -exec chmod 500 {} + 13 | 14 | # set r to all files 15 | find "$APP_DIR" -type f -exec chmod 400 {} + 16 | chmod -R u=rwx "$DATA_DIR/" 17 | 18 | # chown all app files 19 | chown "$APP_USER":"$APP_USER" -R "$APP_DIR" "$DATA_DIR" 20 | 21 | # finally remove this file 22 | rm "$0" 23 | --------------------------------------------------------------------------------