security steps in the readme
parent 888de34a69
commit 5bf8b75a11
README.md: 30 additions
@ -502,6 +502,36 @@ sudo systemctl reload nginx
|
||||||
At this step, you should also setup the SSL for Nginx.
|
At this step, you should also setup the SSL for Nginx.
|
||||||
[Certbot](https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx) can be a good option if you want a free SSL certificate.
|
[Certbot](https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx) can be a good option if you want a free SSL certificate.
|
||||||
|
|
||||||
|
### Optional, but recommended security steps
|
||||||
|
|
||||||
|
If you have followed the steps above, there will be 3 ports exposed over the internet: 7777 (sl-app), 20381 (sl-email) & 5432 (postgresql).
|
||||||
|
|
||||||
|
You can verify the ports are open by running the following command from a different machine
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo nmap -sS 107.172.193.177 -p 7777,20381,5432
|
||||||
|
```
|
||||||
|
|
||||||
|
It is important to secure the Postgres port.
|
||||||
|
|
||||||
|
Using `ufw` didn't help because docker writes persisten rules to the `iptables`.
|
||||||
|
|
||||||
|
To get around this, first run this command to allow only localhost connections to the docker containers:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
iptables -I DOCKER-USER -i eth0 ! -s 127.0.0.1 -j DROP
|
||||||
|
```
|
||||||
|
|
||||||
|
Next, to make the changes persistent across reboots, we are going to use `iptables-persistent` package.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo apt install iptables-persistent
|
||||||
|
sudo service netfilter-persistent save
|
||||||
|
```
|
||||||
|
|
||||||
|
Reboot your machine and run the above `nmap` command one more time to verify the said ports are not in closed/filtered state.
|
||||||
|
|
||||||
|
|
||||||
### Enjoy!
|
### Enjoy!
|
||||||
|
|
||||||
If all the above steps are successful, open http://app.mydomain.com/ and create your first account!
|
If all the above steps are successful, open http://app.mydomain.com/ and create your first account!
|
||||||
|
|
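Review bot: the rule `iptables -I DOCKER-USER -i eth0 ! -s 127.0.0.1 -j DROP` does more than the text beside it claims. It matches every forwarded packet arriving on eth0 regardless of destination port, and no packet arriving on eth0 carries source 127.0.0.1, so the `! -s 127.0.0.1` exclusion never applies. The result is that all three listed ports (7777, 20381 and 5432) are cut off from the internet, not only Postgres, and because DOCKER-USER is evaluated before Docker's own RELATED,ESTABLISHED accept rule, reply packets for any connection a container opens outbound are dropped too. If the aim is "secure the Postgres port", scope the rule to that port (`-p tcp --dport 5432`, noting that the port seen in DOCKER-USER is the container-side port after Docker's DNAT) and insert a `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` rule ahead of it; the command also lacks the `sudo` the neighbouring commands use. Smaller points in the same hunk: "persisten" should read "persistent"; the nmap line hard-codes what looks like a real public address (107.172.193.177) and should use a placeholder such as `<server-ip>`; and the final verification sentence is inverted, since after the rule is in place the protected port should now appear as filtered, so "verify the said ports are not in closed/filtered state" should say that the protected port now is.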