Ways to harden a publicly accessible Baby Buddy setup. #454
gbballpack
started this conversation in
Show and tell
Replies: 1 comment 1 reply
Thanks for sharing, @gbballpack! I wonder if we could go anywhere in the docs as well. Most everything there assumes NGINX and some of this advice is pretty specific. Not sure if it really fits anywhere...
I worked on options to increase the security of Baby Buddy installs publicly available over the internet. Here are some insights that may be beneficial to others.
1. Apache2 reverse proxy, for those who prefer Apache2 over Nginx, especially for smaller projects.
```apache
# HTTP proxy
ProxyPass / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
```
2. If using Docker on a VPS or another machine with a public IP address, restrict the open ports for Baby Buddy to the host only and serve Baby Buddy only through the reverse proxy, via the docker-compose config, i.e.:
```yaml
- 127.0.0.1:8000:8000
```
Docker can leave ports open to the world that a person thought were closed by UFW. By restricting the Docker ports to the host only, it prevents Docker from unexpectedly leaving port 8000 open to the world.
3. Modsecurity + CRS rules can block a number of attacks, including a number of SQL injection attacks and various DDOS attacks.
I found this guide helpful for installing Modsecurity on Apache2, and it works behind the free version of Cloudflare. Be sure to use the latest CRS release rules (3.3.2 at the time of this post) instead of the guide's recommended 3.3.0 CRS rules.
https://www.linuxbabe.com/security/modsecurity-apache-debian-ubuntu
Modsecurity + OWASP Core Rule Set is an easy and effective way to block a number of attacks, including various DDOS methods. Modsecurity will not stop a volumetric DDOS attack, but will stop a number of "low hanging fruit" attacks.
4. Use Cloudflare. Cloudflare now has free tunnels for those who do not want to open ports to the world in general and allows a person to block/easily add captchas to restrict connections from IPs from a location your Baby Buddy users are unlikely to ever visit.
https://blog.cloudflare.com/tunnel-for-everyone/
5. Add Security Headers to the reverse proxy config to harden Baby Buddy from a number of attacks.
https://observatory.mozilla.org/
My goal was to get the maximum score I could from the Mozilla Observatory that still allowed Cloudflare's security features to function properly. Using the below headers, I managed a "B+" score. For those not using a CDN like Cloudflare, the rules could likely be tightened further to achieve a full "A" score from the Observatory. These rules should work with both newer versions of Apache2 and Nginx, I believe.
These headers assume a person is using a reverse proxy, with an HTTPS redirect.
```apache
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set X-Frame-Options "DENY"
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "default-src https://ajax.cloudflare.com 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' 'unsafe-eval' https:; img-src 'self' https: data:; connect-src 'self' https:; font-src 'self' https: data:; media-src 'self'; form-action 'self' https:; frame-ancestors 'self'; frame-src 'self'; prefetch-src https:; upgrade-insecure-requests"
```
Only add the following if you want HSTS. If you don't know what HSTS is or what it does, do not add the following header. By adding an HSTS header and later removing it and not using HTTPS, you will see persistent browser warnings until the HSTS setting expires, which can take months or years, depending upon the setting.
```apache
Header always set Strict-Transport-Security "max-age=31536000"
```
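An offline check for two of the points above (item 2, Docker port bindings that bypass UFW, and item 5, the security headers the proxy should emit), written as an added example that is not part of the original post or of Baby Buddy itself. The docker-compose port entries and the HTTP response head it inspects are constructed samples; on a real install you would feed it the `ports:` list from your compose file and the output of `curl -sI` against the public hostname.

```python
"""Audit Docker port bindings and reverse-proxy security headers offline.

Added example, not Baby Buddy code. SAMPLE_PORTS and SAMPLE_RESPONSE are
constructed inputs chosen so that each check has something to flag.
"""
import re
from typing import Dict, List

# Constructed docker-compose "ports" entries (hypothetical sample input).
SAMPLE_PORTS = [
    "127.0.0.1:8000:8000",  # loopback only: reachable just through the proxy
    "8000:8000",            # no host address: Docker publishes on 0.0.0.0
    "0.0.0.0:8080:8080",    # explicit wildcard bind
    "[::1]:9000:9000",      # IPv6 loopback
]

# Constructed response head, as if captured with `curl -sI` through the proxy.
# X-XSS-Protection is deliberately absent and the HSTS max-age is deliberately
# short so the audit reports findings.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'self'
Strict-Transport-Security: max-age=3600
"""

ONE_YEAR = 31536000
REQUIRED = {  # header name -> expected value (compared case-insensitively)
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "x-frame-options": "deny",
    "referrer-policy": "strict-origin-when-cross-origin",
}


def exposed_ports(ports: List[str]) -> List[str]:
    """Return compose port mappings that Docker would publish on every interface.

    Docker programs its own iptables rules ahead of UFW's, so a mapping with no
    host address (or 0.0.0.0 / ::) is reachable from the internet even when UFW
    denies that port. Only loopback-bound mappings stay private to the host.
    """
    exposed = []
    for original in ports:
        spec = original.strip().split("/")[0]  # drop an optional "/tcp" suffix
        host = ""
        if spec.startswith("["):  # bracketed IPv6 host address
            host = spec[1:].split("]:", 1)[0]
        else:
            parts = spec.split(":")
            if len(parts) == 3:  # HOST:HOSTPORT:CONTAINERPORT
                host = parts[0]
        if host in ("", "0.0.0.0", "::"):
            exposed.append(original)
    return exposed


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head into a lower-cased header dict."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def csp_directives(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into directive -> source list."""
    out = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(raw: str, require_hsts: bool = True) -> List[str]:
    """Return findings against the recommended headers; empty means all passed."""
    h = parse_headers(raw)
    findings = []
    for name, expected in REQUIRED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif h[name].lower() != expected:
            findings.append(f"{name} is {h[name]!r}, expected {expected!r}")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing content-security-policy")
    else:
        d = csp_directives(csp)
        if "'unsafe-inline'" in d.get("script-src", []):
            findings.append("csp: script-src allows 'unsafe-inline' (weakens XSS protection)")
        if "frame-ancestors" not in d:
            findings.append("csp: no frame-ancestors directive")
    if require_hsts:  # only meaningful once the site is permanently HTTPS
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("missing strict-transport-security")
        else:
            m = re.search(r"max-age=(\d+)", hsts)
            age = int(m.group(1)) if m else 0
            if age < ONE_YEAR:
                findings.append(f"hsts max-age={age} is below one year ({ONE_YEAR})")
    return findings


if __name__ == "__main__":
    print("ports published to all interfaces:", exposed_ports(SAMPLE_PORTS))
    for finding in audit_headers(SAMPLE_RESPONSE):
        print("header finding:", finding)
```

Pass `require_hsts=False` while a site is still being moved to HTTPS, matching the post's warning that HSTS should only be added once you intend to keep serving HTTPS for the whole max-age.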