Harden deployment and fix PEN-01
- Fix Bearer token extraction to validate prefix (PEN-01) - Add TestExtractBearerFromRequest covering PEN-01 edge cases - Fix flaky TestRenewToken timing (2s → 4s lifetime) - Move default config/install paths to /srv/mcias - Add RUNBOOK.md for operational procedures - Update AUDIT.md with penetration test round 4 Security: extractBearerFromRequest now uses case-insensitive prefix validation instead of fixed-offset slicing, rejecting non-Bearer Authorization schemes that were previously accepted. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
18
dist/mcias.conf.docker.example
vendored
18
dist/mcias.conf.docker.example
vendored
@@ -1,38 +1,36 @@
|
||||
# mcias.conf.docker.example — Config template for container deployment
|
||||
#
|
||||
# Mount this file into the container at /etc/mcias/mcias.conf:
|
||||
# Mount this file into the container at /srv/mcias/mcias.toml:
|
||||
#
|
||||
# docker run -d \
|
||||
# --name mcias \
|
||||
# -v /path/to/mcias.conf:/etc/mcias/mcias.conf:ro \
|
||||
# -v /path/to/certs:/etc/mcias:ro \
|
||||
# -v mcias-data:/data \
|
||||
# -v /srv/mcias:/srv/mcias \
|
||||
# -e MCIAS_MASTER_PASSPHRASE=your-passphrase \
|
||||
# -p 8443:8443 \
|
||||
# -p 9443:9443 \
|
||||
# mcias:latest
|
||||
#
|
||||
# The container runs as uid 10001 (mcias). Ensure that:
|
||||
# - /data volume is writable by uid 10001
|
||||
# - /srv/mcias is writable by uid 10001
|
||||
# - TLS cert and key are readable by uid 10001
|
||||
#
|
||||
# TLS: The server performs TLS termination inside the container; there is no
|
||||
# plain-text mode. Mount your certificate and key under /etc/mcias/.
|
||||
# plain-text mode. Place your certificate and key under /srv/mcias/.
|
||||
# For Let's Encrypt certificates, mount the live/ directory read-only.
|
||||
|
||||
[server]
|
||||
listen_addr = "0.0.0.0:8443"
|
||||
grpc_addr = "0.0.0.0:9443"
|
||||
tls_cert = "/etc/mcias/server.crt"
|
||||
tls_key = "/etc/mcias/server.key"
|
||||
tls_cert = "/srv/mcias/server.crt"
|
||||
tls_key = "/srv/mcias/server.key"
|
||||
# If a reverse proxy (nginx, Caddy, Traefik) sits in front of this container,
|
||||
# set trusted_proxy to its container IP so real client IPs are used for rate
|
||||
# limiting and audit logging. Leave commented out for direct exposure.
|
||||
# trusted_proxy = "172.17.0.1"
|
||||
|
||||
[database]
|
||||
# VOLUME /data is declared in the Dockerfile; map a named volume here.
|
||||
path = "/data/mcias.db"
|
||||
# All data lives under /srv/mcias for a single-volume deployment.
|
||||
path = "/srv/mcias/mcias.db"
|
||||
|
||||
[tokens]
|
||||
issuer = "https://auth.example.com"
|
||||
|
||||
Reference in New Issue
Block a user