jfraeysd/fetch_ml
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
fetch_ml/SECURITY.md
Jeremie Fraeys cd5640ebd2 Slim and secure: move scripts, clean configs, remove secrets 
- Move ci-test.sh and setup.sh to scripts/
- Trim docs/src/zig-cli.md to current structure
- Replace hardcoded secrets with placeholders in configs
- Update .gitignore to block .env*, secrets/, keys, build artifacts
- Slim README.md to reflect current CLI/TUI split
- Add cleanup trap to ci-test.sh
- Ensure no secrets are committed
2025-12-07 13:57:51 -05:00

4.8 KiB
Raw Blame History

Security Guide for Fetch ML Homelab

This guide covers security best practices for deploying Fetch ML in a homelab environment.

Quick Setup

Run the secure setup script:

./scripts/setup-secure-homelab.sh

This will:

  • Generate secure API keys
  • Create TLS certificates
  • Set up secure configuration
  • Create environment files with proper permissions

Security Features

Authentication

  • API Key Authentication: SHA256 hashed API keys
  • Role-based Access Control: Admin, researcher, analyst roles
  • Permission System: Granular permissions per resource

Network Security

  • TLS/SSL: HTTPS encrypted communication
  • IP Whitelisting: Restrict access to trusted networks
  • Rate Limiting: Prevent abuse and DoS attacks
  • Reverse Proxy: Nginx with security headers

Data Protection

  • Path Traversal Protection: Prevents directory escape attacks
  • Package Validation: Blocks dangerous Python packages
  • Input Validation: Comprehensive input sanitization

Configuration Files

Secure Config Location

  • configs/environments/config-homelab-secure.yaml - Main secure configuration

API Keys

  • .api-keys - Generated API keys (600 permissions)
  • Never commit to version control
  • Store in password manager

TLS Certificates

  • ssl/cert.pem - TLS certificate
  • ssl/key.pem - Private key (600 permissions)

Environment Variables

  • .env.secure - JWT secret and other secrets (600 permissions)

Deployment Options

Option 1: Docker Compose (Recommended)

# Generate secure setup
./scripts/setup-secure-homelab.sh

# Deploy with security overlay
docker-compose -f docker-compose.yml -f docker-compose.homelab-secure.yml up -d

Option 2: Direct Deployment

# Generate secure setup
./scripts/setup-secure-homelab.sh

# Load environment variables
source .env.secure

# Start server
./api-server -config configs/environments/config-homelab-secure.yaml

Security Checklist

Before Deployment

  • Generate unique API keys (don't use defaults)
  • Set strong JWT secret
  • Enable TLS/SSL
  • Configure IP whitelist for your network
  • Set up rate limiting
  • Enable Redis authentication

Network Security

  • Use HTTPS only (disable HTTP)
  • Restrict API access to trusted IPs
  • Use reverse proxy (nginx)
  • Enable security headers
  • Monitor access logs

Data Protection

  • Regular backups of configuration
  • Secure storage of API keys
  • Encrypt sensitive data at rest
  • Regular security updates

Monitoring

  • Enable security logging
  • Monitor failed authentication attempts
  • Set up alerts for suspicious activity
  • Regular security audits

API Security

Authentication Headers

# Use API key in header
curl -H "X-API-Key: your-api-key" https://localhost:9101/health

# Or Bearer token
curl -H "Authorization: Bearer your-api-key" https://localhost:9101/health

Rate Limits

  • Default: 60 requests per minute
  • Burst: 10 requests
  • Per IP address

IP Whitelisting

Configure in config-homelab-secure.yaml:

security:
  ip_whitelist:
    - "127.0.0.1"
    - "192.168.1.0/24"  # Your local network

Container Security

Docker Security

  • Use non-root users
  • Minimal container images
  • Resource limits
  • Network segmentation

Podman Security

  • Rootless containers
  • SELinux confinement
  • Seccomp profiles
  • Read-only filesystems where possible

Troubleshooting

Common Issues

TLS Certificate Errors

# Regenerate certificates
openssl req -x509 -newkey rsa:4096 -keyout ssl/key.pem -out ssl/cert.pem -days 365 -nodes \
  -subj "/C=US/ST=Homelab/L=Local/O=FetchML/CN=localhost"

API Key Authentication Failed

# Check your API key
grep "ADMIN_API_KEY" .api-keys

# Verify hash matches config
echo -n "your-api-key" | sha256sum | cut -d' ' -f1

IP Whitelist Blocking

# Check your IP
curl -s https://api.ipify.org

# Add to whitelist in config

Security Logs

Monitor these files:

  • logs/fetch_ml.log - Application logs
  • /var/log/nginx/security.log - Nginx access logs
  • Docker logs: docker logs ml-experiments-api

Best Practices

  1. Regular Updates: Keep dependencies updated
  2. Principle of Least Privilege: Minimal required permissions
  3. Defense in Depth: Multiple security layers
  4. Monitor and Alert: Security monitoring
  5. Backup and Recovery: Regular secure backups

Emergency Procedures

Compromised API Keys

  1. Immediately revoke compromised keys
  2. Generate new API keys
  3. Update all clients
  4. Review access logs

Security Incident

  1. Isolate affected systems
  2. Preserve evidence
  3. Review access logs
  4. Update security measures
  5. Document incident

Support

For security issues:

  • Check logs for error messages
  • Review configuration files
  • Test with minimal setup
  • Report security vulnerabilities responsibly