Web Application Firewalls and Rootless Podman: The Bare Minimum Security Stack for Self-Hosted Forgejo
Layered security defenses are mandatory for anyone publicly hosting Forgejo. Recommendations mandate deploying Web Application Firewalls (WAFs) like Anubis and implementing Fail2ban for both HTTP and SSH access. Furthermore, the immediate operational advice is to disable public sign-ups and strip out external authentication methods like OAuth or OpenID if the instance is meant for restricted use.
The community splits sharply on public access versus defense. Some, like 'hendrik,' demand maximal restriction, insisting on blocking public sign-ups entirely. Conversely, 'morethanevil' argues that necessary functionality, such as allowing public repository viewing without logging in, requires the specific setting `REQUIRE_SIGNIN_VIEW = false` in the `app.ini` file. On the security side, 'emerald' stresses bot defense, calling for Anubis and for disabling SSH password authentication.
The consensus screams for extreme hardening. The strongest technical advice points toward 'AcornTickler's' architecture—running the whole thing in a rootless Podman container and port-forwarding only the internal SSH port. The fault lines exist between those prioritizing maximum security lockdown and those who argue that certain core, visible features require targeted configuration exceptions.
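As an added example, not code from the Lemmy threads, here is a small Python audit of the `app.ini` keys the discussion argues over. It assumes the Gitea-derived Forgejo key names `[service] DISABLE_REGISTRATION`, `[service] REQUIRE_SIGNIN_VIEW`, `[openid] ENABLE_OPENID_SIGNIN` and `[openid] ENABLE_OPENID_SIGNUP`, and uses two constructed config fragments: one permissive, one set the way the restrictive advice calls for.

```python
"""Audit a Forgejo app.ini for the sign-up / sign-in hardening discussed above."""
import configparser

# Constructed sample of a permissive instance: open registration, OpenID
# sign-in and sign-up enabled, and anonymous repository viewing allowed.
WEAK_APP_INI = """\
APP_NAME = Forgejo
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true
"""

# Constructed sample with the same keys set for a restricted, personal instance.
HARDENED_APP_INI = """\
APP_NAME = Forgejo
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false
"""

# (section, key, hardened value, message when the effective value differs)
CHECKS = [
    ("service", "DISABLE_REGISTRATION", True, "public sign-ups are open"),
    ("openid", "ENABLE_OPENID_SIGNIN", False, "OpenID sign-in is enabled"),
    ("openid", "ENABLE_OPENID_SIGNUP", False, "OpenID sign-up is enabled"),
    ("service", "REQUIRE_SIGNIN_VIEW", True,
     "anonymous users can browse repositories (acceptable only if public viewing is intended)"),
]


def parse_app_ini(text: str) -> configparser.ConfigParser:
    """Parse app.ini; keys before the first section header land in a dummy section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Forgejo's upper-case key names as written
    cp.read_string("[__top__]\n" + text)
    return cp


def audit(text: str) -> list[str]:
    """Return one finding per check that is missing or differs from the hardened value."""
    cp = parse_app_ini(text)
    findings = []
    for section, key, want, msg in CHECKS:
        value = cp.getboolean(section, key, fallback=None)  # None: key or section absent
        if value is None:
            findings.append(f"[{section}] {key} not set explicitly; set it to {str(want).lower()}")
        elif value != want:
            findings.append(f"[{section}] {key} = {str(value).lower()}: {msg}")
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_APP_INI), ("hardened", HARDENED_APP_INI)):
        print(label, audit(ini) or ["no findings"])
```

A missing key is reported rather than assumed safe, because the effective value then depends on the Forgejo build's default rather than on anything visible in the file.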
Key Points
Implement Web Application Firewalls and Fail2ban for all entry points.
Multiple sources, notably 'emerald,' insist on Anubis and Fail2ban to combat bot traffic and unauthorized access.
Limit public authentication options immediately.
'hendrik' warns that personal instances must disable public signups and OAuth/OpenID to remain secure.
Public viewing of repositories requires specific configuration changes.
'morethanevil' states `REQUIRE_SIGNIN_VIEW = false` enables public viewing, contrasting with stricter advice.
Architectural isolation via rootless containers is a prime defense.
'AcornTickler' recommends using rootless Podman containers and precise port-forwarding for SSH.
Scrapers and bot traffic are constant threats.
'tofu' noted persistent threats from scraper bots targeting Git's link structure.
Source Discussions (3)
This report was synthesized from the following Lemmy discussions, ranked by community score.