SemaphoreDocs
Search…
SemaphoreDocs
Introduction
Administration Guide
Installation
Configuration
Upgrading
Security
CLI
API
Build and deploy
User Guide
Projects
Task Templates
Tasks
Key Store
Inventory
Environment
Repositories
FAQ
Powered By GitBook
Security
If you access semaphore over http, and input a private key, that's rather unsecure. So either put a https proxy in front, or do this over a trusted network.

Secure channels

For security reasons, you should use Semaphore via:
    VPN
    SSL

VPN

Use this option if the Semaphore server is located in the private network.

SSL

Semaphore doesn't support SSL. You should use NGINX or Apache before Semaphore to serve secure connections.
NGINX server configuration example:
1
server {
2
listen 443 ssl;
3
server_name _;
4
5
# add Strict-Transport-Security to prevent man in the middle attacks
6
add_header Strict-Transport-Security "max-age=31536000" always;
7
8
# SSL
9
ssl_certificate /etc/nginx/cert/cert.pem;
10
ssl_certificate_key /etc/nginx/cert/privkey.pem;
11
12
# Recommendations from
13
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
14
ssl_protocols TLSv1.1 TLSv1.2;
15
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
16
ssl_prefer_server_ciphers on;
17
ssl_session_cache shared:SSL:10m;
18
19
# required to avoid HTTP 411: see Issue #1486
20
# (https://github.com/docker/docker/issues/1486)
21
chunked_transfer_encoding on;
22
23
location / {
24
proxy_pass http://127.0.0.1/;
25
proxy_set_header Host $http_host;
26
proxy_set_header X-Real-IP $remote_addr;
27
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
28
29
proxy_set_header X-Forwarded-Proto $scheme;
30
31
proxy_buffering off;
32
proxy_request_buffering off;
33
}
34
35
location /api/ws {
36
proxy_pass http://127.0.0.1/api/ws;
37
proxy_http_version 1.1;
38
proxy_set_header Upgrade $http_upgrade;
39
proxy_set_header Connection "upgrade";
40
proxy_set_header Origin "";
41
}
42
}
Copied!

Database encryption

Sensitive data stored in database in encrypted form. You should set configuration option access_key_encryption in configuration file to enable Access Keys encrytion.
Administration Guide - Previous
Upgrading
Next - Administration Guide
CLI
Last modified 30d ago
Copy link
Contents
Secure channels
Database encryption