fix: implement 22 security pentest remediation fixes

Server-side session management with SHA-256 hashed tokens and HttpOnly
cookies. Auth middleware gating all RPC/WS/proxy routes with method
allowlist. Login rate limiting (5/60s per IP). CORS restricted to
config origin. Docker registry allowlist. App ID and path validation.
P2P message sanitization (HTML + log injection). Onion address and
known-peer validation. Nginx security headers (CSP, X-Frame-Options,
etc.) and AIUI proxy auth. Systemd hardening (non-root, NoNewPrivileges,
ProtectSystem).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-06 03:26:56 +00:00
parent 6623dbc4ab
commit 6656d2f1d9
12 changed files with 503 additions and 77 deletions

View File

@@ -2,10 +2,17 @@ server {
listen 80;
listen 100.91.10.103:80;
server_name _;
root /opt/archipelago/web-ui;
index index.html;
# Security headers
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' ws: wss:; frame-src 'self' http://127.0.0.1:* http://localhost:*" always;
# AIUI SPA (Chat mode iframe)
location /aiui/ {
alias /opt/archipelago/web-ui/aiui/;
@@ -13,8 +20,11 @@ server {
try_files $uri $uri/ /aiui/index.html;
}
# AIUI Claude API proxy — routes through claude-proxy service (port 3141)
# AIUI Claude API proxy — requires valid session cookie
location /aiui/api/claude/ {
if ($cookie_session = "") {
return 401 '{"error":"Unauthorized"}';
}
proxy_pass http://127.0.0.1:3141/;
proxy_http_version 1.1;
proxy_set_header Host $host;
@@ -27,8 +37,11 @@ server {
proxy_send_timeout 120s;
}
# AIUI OpenRouter API proxy
# AIUI OpenRouter API proxy — requires valid session cookie
location /aiui/api/openrouter/ {
if ($cookie_session = "") {
return 401 '{"error":"Unauthorized"}';
}
proxy_pass https://openrouter.ai/api/;
proxy_http_version 1.1;
proxy_set_header Host openrouter.ai;
@@ -342,8 +355,8 @@ server {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
# WebSocket timeout
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Cookie $http_cookie;
proxy_read_timeout 86400s;
}
}
@@ -352,16 +365,23 @@ server {
server {
listen 443 ssl;
server_name _;
ssl_certificate /etc/archipelago/ssl/archipelago.crt;
ssl_certificate_key /etc/archipelago/ssl/archipelago.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
root /opt/archipelago/web-ui;
index index.html;
include snippets/archipelago-pwa.conf;
# Security headers
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' ws: wss:; frame-src 'self' http://127.0.0.1:* http://localhost:*" always;
# AIUI SPA (Chat mode iframe)
location /aiui/ {
alias /opt/archipelago/web-ui/aiui/;
@@ -369,6 +389,9 @@ server {
try_files $uri $uri/ =404;
}
location /aiui/api/claude/ {
if ($cookie_session = "") {
return 401 '{"error":"Unauthorized"}';
}
proxy_pass http://127.0.0.1:3141/;
proxy_http_version 1.1;
proxy_set_header Host $host;
@@ -381,6 +404,9 @@ server {
proxy_send_timeout 120s;
}
location /aiui/api/openrouter/ {
if ($cookie_session = "") {
return 401 '{"error":"Unauthorized"}';
}
proxy_pass https://openrouter.ai/api/;
proxy_http_version 1.1;
proxy_set_header Host openrouter.ai;