Gandalf/sofarr
1
0
Fork 0
Code Issues 1 Pull Requests Actions 1 Packages Projects Releases 15 Wiki Activity
Files
28f2aa17d819ff4d74cec61a8fb0b1056b5f9dd4
sofarr/.env.sample
Gronod bdbbcabfbc
All checks were successful
Build and Push Docker Image / build (push) Successful in 1m2s
Details
CI / Security audit (push) Successful in 3m29s
Details
feat(security): production hardening for external deployment 
Container (Dockerfile):
- Multi-stage build (deps + runtime) for minimal attack surface
- Upgrade base image from node:18-alpine to node:22-alpine
- Run as non-root 'node' user (UID 1000); source files owned by root
- /app/data directory owned by node for SQLite + logs
- Docker HEALTHCHECK: wget /health every 30s

docker-compose.yaml:
- Port bound to 127.0.0.1 only (expose via reverse proxy)
- read_only: true filesystem; /tmp tmpfs for Node.js
- no-new-privileges:true, cap_drop: ALL
- Named volume sofarr-data for persistent data
- TRUST_PROXY, COOKIE_SECRET, NODE_ENV added

Helmet v7 + CSP nonce:
- Upgrade helmet@4 → helmet@7, express-rate-limit@6 → @7
- CSP with per-request nonce injected into index.html script/link tags
  (replaces blanket unsafe-inline; nonce changes every request)
- HSTS: max-age=1yr, includeSubDomains, preload
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: camera/mic/geolocation/payment/usb all off
- index.html served dynamically with nonce injection; static assets
  served normally via express.static({index:false})

Trust proxy:
- TRUST_PROXY env var configures app.set('trust proxy') so rate
  limiting and secure cookies work correctly behind Nginx/Caddy

Session & auth:
- Token store migrated from in-memory Map to SQLite via better-sqlite3
  (server/utils/tokenStore.js): survives restarts, WAL mode, 31-day TTL
- CSRF double-submit cookie pattern (server/middleware/verifyCsrf.js):
  POST/PUT/PATCH/DELETE on /api/* require X-CSRF-Token header matching
  the csrf_token cookie; timing-safe comparison
- CSRF token issued on login + GET /api/auth/csrf; cleared on logout
- Login input validation: username/password length + type checked before
  hitting Emby
- skipSuccessfulRequests:true on login rate limiter (only count failures)
- express.json({ limit: '64kb' }) to reject oversized payloads

Rate limiting:
- General API limiter: 300 req/15min per IP on all /api/* routes
- Login limiter unchanged (10 failures/15min) but now only counts fails

Logging:
- Log file moved from /app/server.log to DATA_DIR/server.log (writable
  by non-root node user in container)
- Size-based rotation: rotate at 10 MB, keep 3 files (server.log.1-3)
- DATA_DIR defaults to ./data locally, /app/data in container

Error handling:
- Global Express error handler: catches unhandled errors, logs message,
  returns generic 500 (no stack traces to clients)

Health/readiness:
- GET /health: returns {status:'ok', uptime:N} — used by HEALTHCHECK
- GET /ready: returns 503 if EMBY_URL not configured

Error sanitization (sanitizeError.js):
- Added patterns for password= params, bearer tokens, Basic auth in URLs

Supply chain:
- Remove unused cors dependency
- add better-sqlite3@^9
- CI: upgrade to Node 22, raise audit level to --audit-level=high
- .gitignore: add data/, *.db, *.db-wal, *.db-shm

Docs:
- SECURITY.md: threat model, hardening checklist, proxy examples,
  header table, rate limit table, Docker secrets guidance
- .env.example + .env.sample: TRUST_PROXY, DATA_DIR documented
2026-05-17 06:47:25 +01:00

107 lines
5.1 KiB
Plaintext
Raw Blame History

# sofarr Configuration
# Copy this file to .env and update with your values
# =============================================================================
# SERVER SETTINGS
# =============================================================================
PORT=3001
# Logging level: debug, info, warn, error, silent
# - debug: Verbose logging for troubleshooting
# - info: Standard operational logging (default)
# - warn: Only warnings and errors
# - error: Only errors
# - silent: No logging
LOG_LEVEL=info
# Cookie signing secret for tamper-proof session cookies
# Required in production (server exits on startup if unset).
# Generate with: openssl rand -hex 32
COOKIE_SECRET=your-cookie-secret-here
# =============================================================================
# REVERSE PROXY & DEPLOYMENT
# =============================================================================
# Set to 1 when running behind a reverse proxy (Nginx, Caddy, Traefik).
# This makes Express trust X-Forwarded-For and X-Forwarded-Proto so that
# req.ip reflects the real client IP and cookies are marked secure correctly.
# Leave unset if sofarr is exposed directly to the internet.
# TRUST_PROXY=1
# Directory for persistent data (SQLite token store, server logs).
# Must be writable by the process user (UID 1000 in the container).
# Defaults to ./data relative to the project root.
# DATA_DIR=/app/data
# Background polling interval in milliseconds (default: 5000)
# sofarr polls all services in the background and caches results so
# dashboard requests are near-instant.
# Set to 0, "off", "false", or "disabled" to disable background polling.
# When disabled, data is fetched on-demand when a user opens the dashboard
# and cached for 30 seconds so other users benefit from the same fetch.
# POLL_INTERVAL=5000
# =============================================================================
# EMBY (Authentication - Required)
# =============================================================================
EMBY_URL=https://emby.example.com
EMBY_API_KEY=your-emby-api-key-here
# =============================================================================
# SABNZBD INSTANCES (JSON Array Format)
# Add one or more SABnzbd instances as a single-line JSON array
# Format: [{"name":"instance-name","url":"https://...","apiKey":"..."}]
# =============================================================================
SABNZBD_INSTANCES=[{"name":"primary","url":"https://sabnzbd.example.com","apiKey":"your-sabnzbd-api-key"}]
# Legacy single-instance format (optional - still supported)
# SABNZBD_URL=https://sabnzbd.example.com
# SABNZBD_API_KEY=your-sabnzbd-api-key
# =============================================================================
# QBITTORRENT INSTANCES (JSON Array Format)
# Add one or more qBittorrent instances as a single-line JSON array
# Uses username/password authentication (not API key)
# Format: [{"name":"instance-name","url":"https://...","username":"...","password":"..."}]
# =============================================================================
QBITTORRENT_INSTANCES=[{"name":"main","url":"https://qbittorrent.example.com","username":"admin","password":"your-password"}]
# Legacy single-instance format (optional - still supported)
# QBITTORRENT_URL=https://qbittorrent.example.com
# QBITTORRENT_USERNAME=admin
# QBITTORRENT_PASSWORD=your-password
# =============================================================================
# SONARR INSTANCES (JSON Array Format)
# Add one or more Sonarr instances as a single-line JSON array
# Format: [{"name":"instance-name","url":"https://...","apiKey":"..."}]
# =============================================================================
SONARR_INSTANCES=[{"name":"main","url":"https://sonarr.example.com","apiKey":"your-sonarr-api-key"}]
# Legacy single-instance format (optional - still supported)
# SONARR_URL=https://sonarr.example.com
# SONARR_API_KEY=your-sonarr-api-key
# =============================================================================
# RADARR INSTANCES (JSON Array Format)
# Add one or more Radarr instances as a single-line JSON array
# Format: [{"name":"instance-name","url":"https://...","apiKey":"..."}]
# =============================================================================
RADARR_INSTANCES=[{"name":"main","url":"https://radarr.example.com","apiKey":"your-radarr-api-key"}]
# Legacy single-instance format (optional - still supported)
# RADARR_URL=https://radarr.example.com
# RADARR_API_KEY=your-radarr-api-key
# =============================================================================
# NOTES
# =============================================================================
# 1. All JSON arrays must be on a single line (no line breaks)
# 2. Instance "name" can be anything descriptive (e.g., "main", "4k", "backup")
# 3. URLs should include protocol (http:// or https://)
# 4. For qBittorrent, ensure Web UI is enabled in settings
# 5. User downloads are matched by tags in Sonarr/Radarr - tag your media!
# 6. Background polling keeps data fresh; disable it for low-resource setups
# =============================================================================
Reference in New Issue View Git Blame Copy Permalink