Security
If you access Semaphore over HTTP and enter a private key, that is insecure. Either put an HTTPS proxy in front of Semaphore, or do this only over a trusted network.

Secure channels

For security reasons, you should use Semaphore via:
    VPN
    SSL

VPN

Use this option if the Semaphore server is located in a private network.

SSL

Semaphore doesn't support SSL. You should put NGINX or Apache in front of Semaphore to serve secure connections.
NGINX server configuration example:
server {
    listen 443 ssl;
    server_name _;

    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=31536000" always;

    # SSL
    ssl_certificate /etc/nginx/cert/cert.pem;
    ssl_certificate_key /etc/nginx/cert/privkey.pem;

    # Recommendations from
    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ with OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # required to avoid HTTP 411: see Issue #1486
    # (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    location / {
        proxy_pass http://127.0.0.1/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_buffering off;
        proxy_request_buffering off;
    }

    location /api/ws {
        proxy_pass http://127.0.0.1/api/ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Origin "";
    }
}
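A configuration check for the settings this section depends on, as an added example (not part of the Semaphore documentation): it parses an NGINX configuration and reports a missing TLS listener, deprecated protocol versions, a missing or incomplete HSTS header, and a plaintext upstream that is not on loopback. The function names and both sample configurations are constructed for illustration.

```python
import re

DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 retired by RFC 8996
LOOPBACK = re.compile(r"^http://(127\.\d+\.\d+\.\d+|localhost|\[::1\])(?=[:/]|$)")
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[;{}]|[^\s;{}]+')

def directives(conf):
    """Yield (name, args) per directive; quoted values may contain ';'."""
    stmt = []
    for tok in TOKEN.findall(conf):
        if tok in (";", "{", "}"):
            if stmt:
                yield stmt[0], [t.strip("\"'") for t in stmt[1:]]
            stmt = []
        elif not tok.startswith("#"):  # skip comments
            stmt.append(tok)

def audit(conf):
    """Return findings for the reverse-proxy settings this page relies on."""
    d, out = list(directives(conf)), []
    if not any(n == "listen" and "ssl" in a for n, a in d):
        out.append("no 'listen ... ssl': traffic to Semaphore is plain HTTP")
    for n, a in d:
        bad = sorted(DEPRECATED & set(a)) if n == "ssl_protocols" else []
        if bad:
            out.append("deprecated protocols enabled: " + " ".join(bad))
        if n == "proxy_pass" and a and a[0].startswith("http://") and not LOOPBACK.match(a[0]):
            out.append("upstream " + a[0] + " is not loopback: plaintext hop leaves the host")
    hsts = [a for n, a in d if n == "add_header" and a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        out.append("Strict-Transport-Security is not set")
    elif not all("always" in a for a in hsts):
        out.append("HSTS lacks 'always': header is omitted on error responses")
    return out

# Constructed sample configurations (not taken from a real deployment).
WEAK = """server { listen 443 ssl; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  location / { proxy_pass http://10.0.0.5:3000/; } }"""
GOOD = """server { listen 443 ssl; ssl_protocols TLSv1.2 TLSv1.3;  # inline comment
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  location / { proxy_pass http://127.0.0.1/; } }"""

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, audit(conf) or "ok")
```

The check reads only the NGINX side; whether Semaphore itself listens solely on loopback has to be verified on the host.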

Database encryption

Sensitive data is stored in the database in encrypted form. To enable encryption of Access Keys, set the access_key_encryption option in the configuration file.