security: round 3 hardening (CSRF double-submit, TRX MITM, container hardening)

2026-05-12 01:47:58 +03:00
parent c8bc40af97
commit 8dc0855827
37 changed files with 1852 additions and 318 deletions
--- a/start.sh
+++ b/start.sh
@@ -6,10 +6,12 @@ cd "$(dirname "$0")"
 command -v docker >/dev/null 2>&1 || { echo "[ERROR] Docker not installed"; exit 1; }
 docker compose version >/dev/null 2>&1 || { echo "[ERROR] docker compose plugin missing"; exit 1; }

+# .env handling
 if [ ! -f .env ]; then
    if [ -f .env.example ]; then
        cp .env.example .env
-        echo "[INFO] .env создан из примера — заполни Vault креды и запусти снова"
+        chmod 600 .env
+        echo "[INFO] .env создан из примера (mode 600) — заполни Vault креды и запусти снова"
        exit 1
    else
        echo "[ERROR] нет ни .env, ни .env.example"
@@ -17,25 +19,41 @@ if [ ! -f .env ]; then
    fi
 fi

+# Защита: .env должен быть 600 (только владелец) — содержит Vault role/secret IDs.
+ENV_MODE=$(stat -c %a .env 2>/dev/null || stat -f %A .env 2>/dev/null)
+if [ "$ENV_MODE" != "600" ]; then
+    echo "[WARN] .env mode is $ENV_MODE, enforcing 600"
+    chmod 600 .env
+fi
+
+# Logs dir для audit-log mount — container's app user is uid 1001
+mkdir -p logs
+chmod 750 logs
+# Если есть права — попытаться выставить нужный owner (требует sudo на host)
+if [ "$(stat -c %u logs 2>/dev/null)" != "1001" ]; then
+    chown 1001:1001 logs 2>/dev/null || echo "[INFO] chown logs 1001:1001 пропущен (нет прав; audit может не писаться)"
+fi
+
 echo "[INFO] Building and starting containers..."
 docker compose up -d --build

 echo "[INFO] Waiting for API to become healthy..."
 for i in $(seq 1 30); do
-    if curl -sf http://localhost:3001/api/health >/dev/null 2>&1; then
+    if curl -sf http://127.0.0.1:3001/api/health >/dev/null 2>&1; then
        echo "[OK] API is healthy"
        break
    fi
    if [ "$i" = "30" ]; then
-        echo "[ERROR] API not healthy after 60s. Logs:"
-        docker compose logs --tail=50 api
+        echo "[ERROR] API not healthy after 60s. Запусти 'docker compose logs --tail=50 api' для диагностики."
        exit 1
    fi
    sleep 2
 done

 echo ""
-echo "API:    http://localhost:3001"
-echo "Health: http://localhost:3001/api/health"
-echo "Docs:   http://localhost:3001/api/docs"
-echo "Logs:   docker compose logs -f api"
+echo "API (loopback only):   http://127.0.0.1:3001"
+echo "  Перед публичным доступом → настрой reverse proxy (Caddy/Nginx) с TLS."
+echo "Health:                http://127.0.0.1:3001/api/health"
+echo "Docs:                  http://127.0.0.1:3001/api/docs"
+echo "Logs:                  docker compose logs -f api"
+echo "Audit:                 tail -f logs/audit.log"