https://d8f649ee.posternproxydocs.pages.dev/administration/Recent content in Administration on PosternProxy DocumentationHugoen-UShttps://d8f649ee.posternproxydocs.pages.dev/administration/security-hardening/Mon, 01 Jan 0001 00:00:00 +0000https://d8f649ee.posternproxydocs.pages.dev/administration/security-hardening/<h1 id="security-hardening">Security Hardening<a class="anchor" href="#security-hardening">#</a></h1> <p>The PosternProxy install script applies a comprehensive set of security hardening measures. This page documents what is applied and how to verify it.</p> <h2 id="application-level-hardening">Application-level hardening<a class="anchor" href="#application-level-hardening">#</a></h2> <h3 id="authentication">Authentication<a class="anchor" href="#authentication">#</a></h3> <ul> <li>JWT access tokens with 15-minute TTL</li> <li>Refresh tokens with 7-day TTL stored in HttpOnly / Secure / SameSite=Strict cookies</li> <li>bcrypt password hashing at cost factor 12</li> <li>Login rate limit: 5 attempts/min per IP (enforced by the API and by fail2ban)</li> <li>Account lockout is not time-based — use fail2ban to block IPs</li> </ul> <h3 id="api-security">API security<a class="anchor" href="#api-security">#</a></h3> <ul> <li><strong>Rate limiting:</strong> 120 requests/min per IP on authenticated management API routes; 5 login attempts/min per IP; 30 agent WebSocket connection attempts/min per IP</li> <li><strong>CSRF protection:</strong> Double-submit cookie pattern on all state-changing requests</li> <li><strong>Secure headers on all responses:</strong> <ul> <li><code>X-Content-Type-Options: nosniff</code></li> <li><code>X-Frame-Options: DENY</code></li> <li><code>Strict-Transport-Security: max-age=31536000; includeSubDomains</code></li> <li><code>Content-Security-Policy: default-src 'self'</code></li> </ul> </li> <li><strong>Input validation:</strong> All user input validated at the handler layer; domain names validated per RFC 1123; ports validated 1–65535; CIDRs parsed and validated; all database queries use parameterized statements (no SQL interpolation)</li> </ul> <h3 id="encrypted-storage">Encrypted storage<a class="anchor" href="#encrypted-storage">#</a></h3> <p>DNS provider credentials and SSH credentials are encrypted at rest using AES-256-GCM with a key derived from the JWT secret.</p>https://d8f649ee.posternproxydocs.pages.dev/administration/upgrading/Mon, 01 Jan 0001 00:00:00 +0000https://d8f649ee.posternproxydocs.pages.dev/administration/upgrading/<h1 id="upgrading-posternproxy">Upgrading PosternProxy<a class="anchor" href="#upgrading-posternproxy">#</a></h1> <h2 id="upgrading-the-controller">Upgrading the controller<a class="anchor" href="#upgrading-the-controller">#</a></h2> <ol> <li> <p><strong>Build the new binary</strong> on your development machine:</p> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>bash scripts/build.sh</span></span></code></pre></div></li> <li> <p><strong>Copy the binary to the server:</strong></p> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>scp posternproxy user@your-server:/tmp/</span></span></code></pre></div></li> <li> <p><strong>Stop the service, replace the binary, restart:</strong></p> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ssh root@your-server </span></span><span style="display:flex;"><span>systemctl stop posternproxy </span></span><span style="display:flex;"><span>cp /tmp/posternproxy /usr/local/bin/posternproxy </span></span><span style="display:flex;"><span>systemctl start posternproxy</span></span></code></pre></div></li> <li> <p><strong>Verify the service started:</strong></p> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>systemctl status posternproxy </span></span><span style="display:flex;"><span>journalctl -u posternproxy -n <span style="color:#a5d6ff">20</span></span></span></code></pre></div></li> </ol> <h3 id="database-migrations">Database migrations<a class="anchor" href="#database-migrations">#</a></h3> <p>PosternProxy runs embedded migrations automatically on startup. If a new version adds database columns or tables, the migration runs before the service starts serving requests. No manual intervention is needed.</p>https://d8f649ee.posternproxydocs.pages.dev/administration/troubleshooting/Mon, 01 Jan 0001 00:00:00 +0000https://d8f649ee.posternproxydocs.pages.dev/administration/troubleshooting/<h1 id="troubleshooting">Troubleshooting<a class="anchor" href="#troubleshooting">#</a></h1> <h2 id="service-not-starting">Service not starting<a class="anchor" href="#service-not-starting">#</a></h2> <h3 id="posternproxy-fails-to-start">PosternProxy fails to start<a class="anchor" href="#posternproxy-fails-to-start">#</a></h3> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>journalctl -u posternproxy -n <span style="color:#a5d6ff">50</span> --no-pager</span></span></code></pre></div><p>Common causes:</p> <table> <thead> <tr> <th>Symptom</th> <th>Cause</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td><code>database is locked</code></td> <td>Another PosternProxy instance is running</td> <td><code>systemctl stop posternproxy; systemctl start posternproxy</code></td> </tr> <tr> <td><code>migration failed</code></td> <td>Bad database state</td> <td>Restore from backup</td> </tr> <tr> <td><code>address already in use :81</code></td> <td>Another process owns port 81</td> <td><code>ss -tlnp | grep 81</code> to find it</td> </tr> <tr> <td><code>config.env not found</code></td> <td>Missing config file</td> <td>Re-run <code>scripts/install.sh</code> or create manually</td> </tr> </tbody> </table> <h3 id="caddy-fails-to-start">Caddy fails to start<a class="anchor" href="#caddy-fails-to-start">#</a></h3> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>journalctl -u caddy -n <span style="color:#a5d6ff">50</span> --no-pager </span></span><span style="display:flex;"><span>caddy validate --config /etc/caddy/Caddyfile <span style="color:#8b949e;font-style:italic"># if using Caddyfile fallback</span></span></span></code></pre></div><p>Common causes:</p>