SemaphoreDocs
Search…
Security
If you access semaphore over http, and input a private key, that's rather unsecure. So either put a https proxy in front, or do this over a trusted network.
Secure channels
For security reasons, you should use Semaphore via:
- VPN
- SSL
VPN
Use this option if the Semaphore server is located in the private network.
SSL
Semaphore doesn't support SSL. You should use NGINX or Apache before Semaphore to serve secure connections.
NGINX server configuration example:
1
server {
2
listen 443 ssl;
3
server_name _;
4
5
# add Strict-Transport-Security to prevent man in the middle attacks
6
add_header Strict-Transport-Security "max-age=31536000" always;
7
8
# SSL
9
ssl_certificate /etc/nginx/cert/cert.pem;
10
ssl_certificate_key /etc/nginx/cert/privkey.pem;
11
12
# Recommendations from
13
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
14
ssl_protocols TLSv1.1 TLSv1.2;
15
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
16
ssl_prefer_server_ciphers on;
17
ssl_session_cache shared:SSL:10m;
18
19
# required to avoid HTTP 411: see Issue #1486
20
# (https://github.com/docker/docker/issues/1486)
21
chunked_transfer_encoding on;
22
23
location / {
24
proxy_pass http://127.0.0.1/;
25
proxy_set_header Host $http_host;
26
proxy_set_header X-Real-IP $remote_addr;
27
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
28
29
proxy_set_header X-Forwarded-Proto $scheme;
30
31
proxy_buffering off;
32
proxy_request_buffering off;
33
}
34
35
location /api/ws {
36
proxy_pass http://127.0.0.1/api/ws;
37
proxy_http_version 1.1;
38
proxy_set_header Upgrade $http_upgrade;
39
proxy_set_header Connection "upgrade";
40
proxy_set_header Origin "";
41
}
42
}
Copied!
Database encryption
Sensitive data stored in database in encrypted form. You should set configuration option
access_key_encryption in configuration file to enable Access Keys encrytion. It must be generated by command:1
head -c32 /dev/urandom | base64
Copied!
Last modified 3mo ago
Copy link