# Security Guide

This guide covers security best practices for deploying and operating Bifrost in production environments.
## TLS/HTTPS Configuration

### Enabling TLS on Listeners

```yaml
server:
  http:
    listen: ":8443"
    tls:
      enabled: true
      cert_file: "/etc/bifrost/certs/server.crt"
      key_file: "/etc/bifrost/certs/server.key"
```

### Generating Self-Signed Certificates
For testing only:

```bash
# Generate private key
openssl genrsa -out server.key 4096

# Generate certificate
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 365 \
  -subj "/CN=bifrost.example.com"
```

### Using Let’s Encrypt
For production, use certificates from Let’s Encrypt:

```bash
# Install certbot
sudo apt install certbot

# Obtain certificate
sudo certbot certonly --standalone -d bifrost.example.com

# Certificate location
# /etc/letsencrypt/live/bifrost.example.com/fullchain.pem
# /etc/letsencrypt/live/bifrost.example.com/privkey.pem
```

```yaml
server:
  http:
    tls:
      enabled: true
      cert_file: "/etc/letsencrypt/live/bifrost.example.com/fullchain.pem"
      key_file: "/etc/letsencrypt/live/bifrost.example.com/privkey.pem"
```

### Certificate Permissions
```bash
# Secure key file
chmod 600 /etc/bifrost/certs/server.key
chown bifrost:bifrost /etc/bifrost/certs/server.key
```

## Authentication
### Choosing an Authentication Mode

| Mode | Use Case | Security Level |
|---|---|---|
| none | Internal networks only | Low |
| native | Small deployments | Medium |
| system | Unix/PAM integration | Medium-High |
| ldap | Enterprise/AD integration | High |
| oauth | SSO/Modern apps | High |
### Native Authentication

Generate secure password hashes using bcrypt:

```bash
# Using htpasswd (Apache utils)
htpasswd -nbBC 12 "" "your-password" | cut -d: -f2

# Using Python
python3 -c "import bcrypt; print(bcrypt.hashpw(b'your-password', bcrypt.gensalt(rounds=12)).decode())"
```

**Warning: Password Hash Security**
- Always use bcrypt cost factor of 12 or higher
- Never store plaintext passwords in config files
- Rotate passwords regularly
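The cost-factor rule can be enforced mechanically before a config is deployed. The following is an added example, not code from the Bifrost project: it parses each `password_hash` under `auth.native.users`, checks for the `$2a$`/`$2b$`/`$2y$` prefix and the 53-character salt-plus-digest body, and flags any cost below 12 as well as any value that is not a bcrypt hash at all (for instance a plaintext password pasted into the config). The `auth.native.users` shape is taken from the config block in this section; the function names and the sample users are this example's own.

```python
import re

MIN_COST = 12  # minimum bcrypt cost factor required by this guide

# A bcrypt hash is "$<version>$<cost>$" followed by a 22-character salt and a
# 31-character digest, both in bcrypt's own base64 alphabet (./A-Za-z0-9):
# 53 body characters, 60 characters in total.
_BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{53})$")


def check_password_hash(value: str, min_cost: int = MIN_COST) -> tuple[bool, str]:
    """Return (ok, reason) for one password_hash value from auth.native.users."""
    if not value.startswith("$2"):
        return False, "not a bcrypt hash (plaintext or unsupported scheme)"
    match = _BCRYPT_RE.match(value)
    if match is None:
        return False, "malformed bcrypt hash"
    version, cost = match.group(1), int(match.group(2))
    if not 4 <= cost <= 31:
        return False, f"cost {cost} is outside bcrypt's valid range 4..31"
    if cost < min_cost:
        return False, f"cost {cost} is below the required minimum {min_cost}"
    return True, f"bcrypt ${version}$, cost {cost}"


def audit_users(users: list[dict]) -> list[str]:
    """One finding per user whose password_hash fails the check; empty if all pass."""
    findings = []
    for user in users:
        ok, reason = check_password_hash(str(user.get("password_hash", "")))
        if not ok:
            findings.append(f"user {user.get('username')!r}: {reason}")
    return findings


# Constructed sample: the first hash is the one shown in this guide; the second is
# a made-up cost-10 hash (valid shape, too weak); the third is a plaintext password.
SAMPLE_USERS = [
    {"username": "admin",
     "password_hash": "$2a$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/X4.gS6T9I2P9z8K2G"},
    {"username": "ops",
     "password_hash": "$2b$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"},
    {"username": "legacy", "password_hash": "hunter2"},
]

if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS):
        print("FAIL:", finding)
```

Run it against the `users:` list from a rendered config as part of a pre-deployment check; an empty result means every stored hash is bcrypt at cost 12 or higher. The check only inspects the hash format, so it cannot tell a strong password from a weak one.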
```yaml
auth:
  mode: native
  native:
    users:
      - username: admin
        password_hash: "$2a$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/X4.gS6T9I2P9z8K2G"
```

### LDAP Security
```yaml
auth:
  mode: ldap
  ldap:
    url: "ldaps://ldap.example.com:636"  # Use LDAPS
    tls: true
    insecure_skip_verify: false  # Always verify in production
    bind_dn: "cn=bifrost-svc,ou=services,dc=example,dc=com"
    bind_password: "${LDAP_BIND_PASSWORD}"  # Use environment variable
```

**Tip: LDAP Best Practices**
- Use a dedicated service account with minimal permissions
- Store the bind password in an environment variable
- Use LDAPS (port 636) instead of StartTLS
- Verify server certificates
### OAuth/OIDC Security

```yaml
auth:
  mode: oauth
  oauth:
    client_id: "${OAUTH_CLIENT_ID}"
    client_secret: "${OAUTH_CLIENT_SECRET}"  # Never commit to git
    issuer_url: "https://auth.example.com"
    redirect_url: "https://bifrost.example.com/callback"
    scopes:
      - openid
      - profile
```

## API Security
### API Token Authentication

Always set an API token for production:

```yaml
api:
  enabled: true
  listen: ":7082"
  token: "${BIFROST_API_TOKEN}"
```

Generate a secure token:

```bash
# Generate random token
openssl rand -hex 32
```

### Using the API Token
```bash
# Header authentication (recommended)
curl -H "Authorization: Bearer your-token" http://localhost:7082/api/v1/status

# Query parameter (less secure, avoid in production)
curl "http://localhost:7082/api/v1/status?token=your-token"
```

### Restrict API Access
Bind the API to localhost if only local access is needed:

```yaml
api:
  listen: "127.0.0.1:7082"  # Only localhost
```

## Network Security
### Firewall Configuration

#### Linux (UFW)

```bash
# Allow proxy ports from specific networks
sudo ufw allow from 10.0.0.0/8 to any port 8080 proto tcp
sudo ufw allow from 10.0.0.0/8 to any port 1080 proto tcp

# Allow Web UI from admin network only
sudo ufw allow from 192.168.1.0/24 to any port 8081 proto tcp

# Block API from external access
sudo ufw deny 8082/tcp
```

#### Linux (iptables)
```bash
# Allow proxy from internal network
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
```

### IP Access Control
Configure allowed/denied IP ranges:

```yaml
access_control:
  enabled: true
  default_action: deny
  rules:
    - cidr: "10.0.0.0/8"
      action: allow
    - cidr: "192.168.0.0/16"
      action: allow
    - cidr: "0.0.0.0/0"
      action: deny
```
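To make the semantics of that block concrete, here is an added example (not Bifrost's own code) that evaluates a client address against the rule list above. It assumes the rules are checked in the order written, that the first matching `cidr` decides, and that `default_action` applies when nothing matches; those are this example's assumptions about evaluation order, not documented Bifrost behaviour. It also surfaces a consequence worth checking in any deployment: a client connecting over IPv6 never matches `0.0.0.0/0`, so it falls through to `default_action`, which is why that default should be `deny`.

```python
import ipaddress

# The access_control block from this guide, as a Python dict (constructed for the example).
ACCESS_CONTROL = {
    "enabled": True,
    "default_action": "deny",
    "rules": [
        {"cidr": "10.0.0.0/8", "action": "allow"},
        {"cidr": "192.168.0.0/16", "action": "allow"},
        {"cidr": "0.0.0.0/0", "action": "deny"},
    ],
}


class AccessControl:
    """First-match CIDR evaluation with a default action (assumed semantics)."""

    def __init__(self, config: dict):
        self.enabled = bool(config.get("enabled", False))
        self.default_action = config.get("default_action", "deny")
        if self.default_action not in ("allow", "deny"):
            raise ValueError(f"bad default_action {self.default_action!r}")
        # Parse every CIDR at load time: strict=True rejects "10.0.0.1/8", so a
        # typo fails on startup instead of silently widening or narrowing a rule.
        self.rules = []
        for rule in config.get("rules", []):
            action = rule["action"]
            if action not in ("allow", "deny"):
                raise ValueError(f"bad action {action!r} for {rule['cidr']}")
            network = ipaddress.ip_network(rule["cidr"], strict=True)
            self.rules.append((network, action))

    def decide(self, client_ip: str) -> str:
        """Return "allow" or "deny" for one client address."""
        if not self.enabled:
            return "allow"
        addr = ipaddress.ip_address(client_ip)
        for network, action in self.rules:
            # Mixed address families never match (ipaddress returns False for
            # them); the explicit version check just makes that visible.
            if addr.version == network.version and addr in network:
                return action
        return self.default_action


def audit(ac: AccessControl, clients: list[str]) -> dict[str, str]:
    """Map each client address to the verdict the rule set produces for it."""
    return {ip: ac.decide(ip) for ip in clients}


if __name__ == "__main__":
    ac = AccessControl(ACCESS_CONTROL)
    # Constructed client addresses: two internal, one public IPv4, one IPv6.
    for ip, verdict in audit(ac, ["10.1.2.3", "192.168.5.5", "203.0.113.7", "2001:db8::1"]).items():
        print(f"{ip:>15} -> {verdict}")
```

The `audit` helper is useful as a pre-production test: feed it the addresses you expect to be allowed and denied and compare the verdicts against the intent of the rule list rather than reading the CIDRs by eye.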
### Rate Limiting

Protect against abuse with rate limiting:
```yaml
rate_limit:
  enabled: true
  requests_per_second: 100
  burst_size: 200
  per_ip: true
  per_user: true
```
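The two numbers above describe a token bucket: `requests_per_second` is the refill rate and `burst_size` the bucket capacity, so an idle client may send 200 requests at once and afterwards 100 per second. The added example below is not Bifrost's code; the config shape is the block above, while the class names and the one-bucket-per-IP and one-bucket-per-user layout are this example's reading of `per_ip` and `per_user`. It takes the clock as a parameter so the behaviour can be checked deterministically.

```python
from typing import Optional


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, holding at most `capacity`."""

    def __init__(self, rate: float, capacity: float):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.tokens = float(capacity)   # a fresh client starts with a full burst
        self.updated: Optional[float] = None  # time of the last refill

    def refill(self, now: float) -> None:
        if self.updated is None:
            self.updated = now
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now


class RateLimiter:
    """Applies the rate_limit block per client IP and per authenticated user."""

    def __init__(self, config: dict):
        self.enabled = bool(config.get("enabled", False))
        self.rate = float(config.get("requests_per_second", 0))
        self.burst = float(config.get("burst_size", self.rate))
        self.per_ip = bool(config.get("per_ip", True))
        self.per_user = bool(config.get("per_user", False))
        self.buckets: dict = {}

    def _keys(self, client_ip: str, user: Optional[str]) -> list:
        keys = []
        if self.per_ip:
            keys.append(("ip", client_ip))
        if self.per_user and user is not None:
            keys.append(("user", user))
        return keys

    def allow(self, client_ip: str, user: Optional[str], now: float) -> bool:
        if not self.enabled:
            return True
        buckets = [self.buckets.setdefault(k, TokenBucket(self.rate, self.burst))
                   for k in self._keys(client_ip, user)]
        for b in buckets:
            b.refill(now)
        # Check every applicable bucket before charging any of them, so a request
        # rejected by the user bucket does not still drain the IP bucket.
        if any(b.tokens < 1.0 for b in buckets):
            return False
        for b in buckets:
            b.tokens -= 1.0
        return True


# The rate_limit block from this guide, as a Python dict (constructed for the example).
RATE_LIMIT = {"enabled": True, "requests_per_second": 100, "burst_size": 200,
              "per_ip": True, "per_user": True}


def count_allowed(limiter: RateLimiter, client_ip: str, user: Optional[str],
                  attempts: int, now: float) -> int:
    """Fire `attempts` requests at one instant and return how many got through."""
    return sum(limiter.allow(client_ip, user, now) for _ in range(attempts))


if __name__ == "__main__":
    lim = RateLimiter(RATE_LIMIT)
    print(count_allowed(lim, "10.0.0.5", "alice", 300, 0.0))  # 200: the burst
    print(count_allowed(lim, "10.0.0.5", "alice", 300, 1.0))  # 100: one second of refill
    print(count_allowed(lim, "10.0.0.6", "bob", 10, 1.0))     # 10: a new client, own buckets
```

Two things the simulation makes visible: a second user behind an already-exhausted IP is rejected by the shared IP bucket even though their own user bucket is full, and the per-key dictionary grows with every distinct client, so a production implementation must evict idle buckets or it becomes a memory-exhaustion vector in its own right.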
### Bandwidth Throttling

Prevent bandwidth abuse:
```yaml
rate_limit:
  bandwidth:
    enabled: true
    upload: "10Mbps"
    download: "100Mbps"
```

## Secrets Management
### Environment Variables

Never commit secrets to version control. Use environment variables:

```yaml
# config.yaml
auth:
  ldap:
    bind_password: "${LDAP_PASSWORD}"

api:
  token: "${API_TOKEN}"
```

```bash
# Set environment variables
export LDAP_PASSWORD="secret"
export API_TOKEN="your-secure-token"

# Run with environment
bifrost-server -c config.yaml
```

### Systemd Environment Files
Create /etc/bifrost/env:

```ini
LDAP_PASSWORD=secret
API_TOKEN=your-secure-token
```

Add to service file:

```ini
[Service]
EnvironmentFile=/etc/bifrost/env
```

Secure the file:

```bash
chmod 600 /etc/bifrost/env
chown root:bifrost /etc/bifrost/env
```

### Docker Secrets
```yaml
# docker-compose.yml
services:
  bifrost-server:
    environment:
      - API_TOKEN_FILE=/run/secrets/api_token
    secrets:
      - api_token

secrets:
  api_token:
    file: ./secrets/api_token.txt
```

## Logging Security
### Sensitive Data

Bifrost automatically redacts sensitive data from logs, but review your configuration:

```yaml
logging:
  level: info  # Avoid 'debug' in production
  format: json
```

**Warning: Log Review**
- Regularly review logs for sensitive data leaks
- Don’t log full request/response bodies in production
- Secure log files with appropriate permissions
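The review in the first bullet can be automated. This added example is not Bifrost's own redaction logic (the guide does not spell out which rules it applies); it scans JSON log lines for the secret shapes that appear elsewhere in this guide, such as a `Bearer` token in a logged header, a `?token=` query parameter, a `password=` value or a bcrypt hash, reports which line leaked what, and shows the masking a redaction pass would apply. The patterns and the sample log lines are constructed for the example.

```python
import re

# Each entry: finding name, compiled pattern, replacement that keeps the context
# and masks only the secret. Group 1 is the non-secret prefix where one exists.
LEAK_PATTERNS = [
    ("bearer_token",
     re.compile(r"(\bBearer\s+)[A-Za-z0-9._~+/=-]{16,}", re.IGNORECASE),
     r"\1[REDACTED]"),
    ("query_param_secret",
     re.compile(r"([?&](?:token|api_key|password)=)[^&\s\"']+", re.IGNORECASE),
     r"\1[REDACTED]"),
    ("password_value",
     re.compile(r"(\b(?:bind_password|client_secret|password|passwd)\s*[=:]\s*)[^\s\"'&]+",
                re.IGNORECASE),
     r"\1[REDACTED]"),
    ("bcrypt_hash",
     re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"),
     "[REDACTED]"),
    ("url_credentials",
     re.compile(r"(://[^/\s:@]+:)[^@\s/\"]+@"),
     r"\1[REDACTED]@"),
]


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_number, finding) pairs, 1-based, one per pattern that matched a line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern, _ in LEAK_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def redact(line: str) -> str:
    """Mask every secret the patterns recognise, leaving the surrounding context intact."""
    for _, pattern, replacement in LEAK_PATTERNS:
        line = pattern.sub(replacement, line)
    return line


# Constructed sample log lines in the json format this guide recommends; the
# token, bearer value and password are made up for the example.
SAMPLE_LOG = [
    '{"level":"info","msg":"GET /api/v1/status 200","remote":"10.0.0.5"}',
    '{"level":"debug","msg":"GET /api/v1/status?token=8f3a9c1d2e4b5a6f7081920a3b4c5d6e","remote":"10.0.0.9"}',
    '{"level":"debug","msg":"headers: Authorization: Bearer abcdef0123456789abcdef0123456789"}',
    '{"level":"info","msg":"ldap bind cn=bifrost-svc,ou=services,dc=example,dc=com password=hunter2"}',
    '{"level":"info","msg":"GET /dashboard 200","remote":"192.168.1.10"}',
]

if __name__ == "__main__":
    for lineno, name in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {name}")
        print("   ", redact(SAMPLE_LOG[lineno - 1]))
```

Run `scan_log` over a day's worth of `/var/log/bifrost/*.log` as a periodic job; any finding means a log line carried a credential that should never have reached disk, and the two `debug`-level lines in the sample show why the guide says to avoid `debug` in production. Pattern-based scanning only catches the shapes it knows, so treat an empty result as "nothing obvious", not as proof the logs are clean.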
### Log File Permissions

```bash
chmod 640 /var/log/bifrost/*.log
chown bifrost:bifrost /var/log/bifrost/*.log
```

## Security Checklist
### Pre-Production

- TLS enabled on all public listeners
- Valid certificates (not self-signed)
- Authentication enabled
- API token set
- Secrets in environment variables (not config)
- Config file permissions restricted (600)
- Firewall rules configured
- Rate limiting enabled
### Regular Maintenance

- Rotate API tokens quarterly
- Update TLS certificates before expiry
- Review access logs for anomalies
- Update to latest Bifrost version
- Audit user accounts
- Test backup and recovery procedures
### Incident Response

- Document API endpoints and access
- Have a process for revoking tokens
- Know how to disable authentication temporarily
- Have backup configurations ready
- Know how to review logs quickly
## Security Vulnerabilities

### Reporting

If you discover a security vulnerability, please report it responsibly:
- Do not open a public GitHub issue
- Email the maintainers directly
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
### Updates

Subscribe to releases to stay informed about security updates:

```bash
# Watch the repository on GitHub
# Or check releases periodically
curl -s https://api.github.com/repos/rennerdo30/bifrost-proxy/releases/latest | jq -r .tag_name
```