From 258cd891d3b299401b80e758bde307e66515e9e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20K=C3=B6ssler?= Date: Mon, 13 Jul 2026 13:32:19 +0200 Subject: [PATCH] feat: Add new security env vars --- content/docs/advanced/security.mdx | 2 ++ content/docs/configuration/env-variables.mdx | 26 +++++++++++--------- 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/content/docs/advanced/security.mdx b/content/docs/advanced/security.mdx index d16b6fa..638eb24 100644 --- a/content/docs/advanced/security.mdx +++ b/content/docs/advanced/security.mdx @@ -10,6 +10,8 @@ OrcaCD is designed to be safe by default, but of course, there are always additi - Disable password authentication for the Hub and use a secure OIDC provider instead, that enforces strong authentication methods, including secure multi-factor authentication (MFA). - Always run the hub behind a secure reverse proxy and ensure that all communicationis encrypted using TLS. - Make sure to configure the `TRUSTED_PROXIES` environment variable correctly to prevent IP spoofing attacks. +- Restrict the IPs that can access the hub by configuring the `ALLOWED_IPS` environment variable. This will prevent unauthorized access to the hub and does not apply to webhooks or the agent connections. +- Restrict the volumes that can be mounted to locations within the OrcaCD deployments directory by setting the `RESTRICT_VOLUMES_TO_DEPLOYMENTS_DIR` environment variable to `true`. This will prevent malicious applications from accessing sensitive files on the host system. ## Why is it safe by default? diff --git a/content/docs/configuration/env-variables.mdx b/content/docs/configuration/env-variables.mdx index ab8caa5..40d901c 100644 --- a/content/docs/configuration/env-variables.mdx +++ b/content/docs/configuration/env-variables.mdx @@ -17,18 +17,20 @@ These environment variables can be used in both the agent and the hub. ## Hub -| Variable | Default Value | Recommended to change | Description | -| ---------------------- | ------------- | --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `APP_URL` | `-` | yes (required) | The URL of the OrcaCD instance | -| `APP_SECRET` | `-` | yes (required) | Secret used for authentication and encryption. Generate one with `openssl rand -base64 42` | -| `HOST` | `0.0.0.0` | no | Host address | -| `PORT` | `8080` | no | Container port | -| `DISABLE_LOCAL_AUTH` | `false` | no | Disable password authentication. Useful when using SSO with OIDC | -| `TRUSTED_PROXIES` | `-` | no | Recommended if using a reverse proxy. Comma seperated list of network origins | -| `ALLOWED_IPS` | `-` | no | Harden the hub by only allowing requests from certain IPs. Comma seperated list of CIDR ranges or single IPs. This does not apply to webhooks or the agent connections. | -| `DISABLE_UI` | `false` | no | Disable serving the frontend. Useful when using the hub only for API access. | -| `ALLOWED_INTERNAL_IPS` | `-` | no | Private IPs that should be ignored by the SSRF protection. Comma seperated list of CIDR ranges or single IPs | -| `DEMO` | `false` | no | This mode disables all functions except the login and additionally seeds some demo data in the database | +| Variable | Default Value | Recommended to change | Description | +| ------------------------------------- | ------------- | --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `APP_URL` | `-` | yes (required) | The URL of the OrcaCD instance | +| `APP_SECRET` | `-` | yes (required) | Secret used for authentication and encryption. Generate one with `openssl rand -base64 42` | +| `HOST` | `0.0.0.0` | no | Host address | +| `PORT` | `8080` | no | Container port | +| `DISABLE_LOCAL_AUTH` | `false` | no | Disable password authentication. Useful when using SSO with OIDC | +| `TRUSTED_PROXIES` | `-` | no | Recommended if using a reverse proxy. Comma seperated list of network origins | +| `ALLOWED_IPS` | `-` | no | Harden the hub by only allowing requests from certain IPs. Comma seperated list of CIDR ranges or single IPs. This does not apply to webhooks or the agent connections. | +| `RESTRICT_VOLUMES_TO_DEPLOYMENTS_DIR` | `false` | no | Restrict the volumes that can be mounted to locations within the OrcaCD deployments directory. This enhances security. | +| `ALLOWED_PRIVILEGED_APPS` | `-` | no | Comma seperated list of app id that are allowed to bypass certain restrictions enforced by OrcaCD | +| `DISABLE_UI` | `false` | no | Disable serving the frontend. Useful when using the hub only for API access. | +| `ALLOWED_INTERNAL_IPS` | `-` | no | Private IPs that should be ignored by the SSRF protection. Comma seperated list of CIDR ranges or single IPs | +| `DEMO` | `false` | no | This mode disables all functions except the login and additionally seeds some demo data in the database | ## Agent