trusted proxy, TOTP replay protection, new tests
- Trusted proxy config option for proxy-aware IP extraction used by rate limiting and audit logs; validates proxy IP before trusting X-Forwarded-For / X-Real-IP headers - TOTP replay protection via counter-based validation to reject reused codes within the same time step (±30s) - RateLimit middleware updated to extract client IP from proxy headers without IP spoofing risk - New tests for ClientIP proxy logic (spoofed headers, fallback) and extended rate-limit proxy coverage - HTMX error banner script integrated into web UI base - .gitignore updated for mciasdb build artifact Security: resolves CRIT-01 (TOTP replay attack) and DEF-03 (proxy-unaware rate limiting); gRPC TOTP enrollment aligned with REST via StorePendingTOTP Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
4
dist/mcias.conf.docker.example
vendored
4
dist/mcias.conf.docker.example
vendored
@@ -25,6 +25,10 @@ listen_addr = "0.0.0.0:8443"
|
||||
grpc_addr = "0.0.0.0:9443"
|
||||
tls_cert = "/etc/mcias/server.crt"
|
||||
tls_key = "/etc/mcias/server.key"
|
||||
# If a reverse proxy (nginx, Caddy, Traefik) sits in front of this container,
|
||||
# set trusted_proxy to its container IP so real client IPs are used for rate
|
||||
# limiting and audit logging. Leave commented out for direct exposure.
|
||||
# trusted_proxy = "172.17.0.1"
|
||||
|
||||
[database]
|
||||
# VOLUME /data is declared in the Dockerfile; map a named volume here.
|
||||
|
||||
Reference in New Issue
Block a user