Quick Commands

# edit + deploy
git status
git add -A
git commit -m "docs: update"
git push

# rebuild static blog output (local)
cd site
npm ci --no-audit --no-fund
npm run build

# VPS: pull only
# (on server)
git pull --ff-only

security concept summary

Got it. Here’s a tight security-focused verification straight from your chat dump (only facts I can cite in your file).

1) Security controls present

  • Port exposure & isolation
    • Test-proxy and sidecar are loopback-only: 127.0.0.1:7777 (test-proxy), 127.0.0.1:2001 (sidecar); external access only via main gateway on 80/443.
    • Rootless Podman fix for 502: upstream must be host.containers.internal:2001 (not 127.0.0.1 inside the container).
  • Gateway hardening
    • Blackhole defaults: listen 80 default_server → 444, listen 443 ssl default_server → ssl_reject_handshake on.
    • Strong TLS baseline (TLS 1.2/1.3, hardened ciphers, tickets off) + HSTS (enable once HTTPS verified).
  • Request limiting & logging
    • limit_conn_zone / limit_req_zone defined; used in test-proxy (limit_conn perip 50, limit_req zone=reqs …).
    • Single log_format main; split access logs by status class to aid detection.
  • Real client IP handling
    • Guidance to use real_ip_header X-Forwarded-For + set_real_ip_from limited to trusted ranges; note that current peer may be localhost/bridge (adjust list).
  • Health endpoints (safe, no auth)
    • /__nginx_ok, /__gw_ok, /__app_ok return 200 for checks; encourages minimal surface.
  • ACME & certs
    • ACME locations on HTTP; wildcard cert support noted; restrict private key file permissions to proxy user.
  • Firewall stance
    • Primary protection via loopback binding; optional host firewall “belt & suspenders”: allow 80/443, deny 2001/7777.
  • Git/SSH hardening (shared agent)
    • Strict SSH: IdentitiesOnly=yes, IdentityAgent=/run/gitshared/ssh-agent.sock, StrictHostKeyChecking=yes, global /etc/ssh/ssh_known_hosts; socket & dir perms (0770 dir, 0660 sock) via gitshare group.
    • No PATs per user; key remains with host user; others only use the agent socket.

2) Verification of our last analysis

  • “No firewalld for pods” — confirmed rationale: loopback-only publishing of internal ports; optional ufw/nftables rules if you want extra host enforcement.
  • Final test-proxy port — 7777 is the settled inbound for the test-proxy.
  • Upstream fix — host.containers.internal:2001 is the correct route from test-proxy to sidecar under rootless Podman (not 127.0.0.1).
  • Blackhole + redirects — default servers in place; 80→redirect + ACME pattern documented; 443 blackhole present.
  • Include & logging cleanup — single include path and one log_format to avoid duplicate definition errors.

No conflicts found with the last summary you asked me to verify; items above match the dump.

3) Current security state (snapshot)

  • Flow: Internet → Main gateway (80/443) → Test-proxy 127.0.0.1:7777 → Sidecar on host 127.0.0.1:2001 → App 127.0.0.1:4001.
  • Bindings: 7777 and 2001 are loopback; 80/443 public.
  • TLS/HSTS: hardened TLS + HSTS scaffold at gateway.
  • Abuse controls: connection/request rate-limits active in test-proxy; health endpoints isolated.
  • Real IP: guidance present to trust only known hops; needs correct CIDRs for your environment.
  • SSH/Git: shared agent with strict options; global known_hosts; group-gated socket.

4) Open security follow-ups noted in your dump

  • Enable OCSP stapling on the main proxy.
  • Apply security headers globally (gateway & test-proxy).
  • Double-check private key file ownership/permissions under /etc/letsencrypt/live/*.

If you want, I can turn this into a small Security Posture checklist (gateway, test-proxy, sidecar/app, SSH/Git) extracted verbatim from your dump for ongoing audits.