Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions content/docs/advanced/security.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,8 @@ OrcaCD is designed to be safe by default, but of course, there are always additi
- Disable password authentication for the Hub and use a secure OIDC provider instead, that enforces strong authentication methods, including secure multi-factor authentication (MFA).
- Always run the hub behind a secure reverse proxy and ensure that all communicationis encrypted using TLS.
- Make sure to configure the `TRUSTED_PROXIES` environment variable correctly to prevent IP spoofing attacks.
- Restrict the IPs that can access the hub by configuring the `ALLOWED_IPS` environment variable. This will prevent unauthorized access to the hub and does not apply to webhooks or the agent connections.
- Restrict the volumes that can be mounted to locations within the OrcaCD deployments directory by setting the `RESTRICT_VOLUMES_TO_DEPLOYMENTS_DIR` environment variable to `true`. This will prevent malicious applications from accessing sensitive files on the host system.

## Why is it safe by default?

Expand Down
26 changes: 14 additions & 12 deletions content/docs/configuration/env-variables.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -17,18 +17,20 @@ These environment variables can be used in both the agent and the hub.

## Hub

| Variable | Default Value | Recommended to change | Description |
| ---------------------- | ------------- | --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `APP_URL` | `-` | yes (required) | The URL of the OrcaCD instance |
| `APP_SECRET` | `-` | yes (required) | Secret used for authentication and encryption. Generate one with `openssl rand -base64 42` |
| `HOST` | `0.0.0.0` | no | Host address |
| `PORT` | `8080` | no | Container port |
| `DISABLE_LOCAL_AUTH` | `false` | no | Disable password authentication. Useful when using SSO with OIDC |
| `TRUSTED_PROXIES` | `-` | no | Recommended if using a reverse proxy. Comma seperated list of network origins |
| `ALLOWED_IPS` | `-` | no | Harden the hub by only allowing requests from certain IPs. Comma seperated list of CIDR ranges or single IPs. This does not apply to webhooks or the agent connections. |
| `DISABLE_UI` | `false` | no | Disable serving the frontend. Useful when using the hub only for API access. |
| `ALLOWED_INTERNAL_IPS` | `-` | no | Private IPs that should be ignored by the SSRF protection. Comma seperated list of CIDR ranges or single IPs |
| `DEMO` | `false` | no | This mode disables all functions except the login and additionally seeds some demo data in the database |
| Variable | Default Value | Recommended to change | Description |
| ------------------------------------- | ------------- | --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `APP_URL` | `-` | yes (required) | The URL of the OrcaCD instance |
| `APP_SECRET` | `-` | yes (required) | Secret used for authentication and encryption. Generate one with `openssl rand -base64 42` |
| `HOST` | `0.0.0.0` | no | Host address |
| `PORT` | `8080` | no | Container port |
| `DISABLE_LOCAL_AUTH` | `false` | no | Disable password authentication. Useful when using SSO with OIDC |
| `TRUSTED_PROXIES` | `-` | no | Recommended if using a reverse proxy. Comma seperated list of network origins |
| `ALLOWED_IPS` | `-` | no | Harden the hub by only allowing requests from certain IPs. Comma seperated list of CIDR ranges or single IPs. This does not apply to webhooks or the agent connections. |
| `RESTRICT_VOLUMES_TO_DEPLOYMENTS_DIR` | `false` | no | Restrict the volumes that can be mounted to locations within the OrcaCD deployments directory. This enhances security. |
| `ALLOWED_PRIVILEGED_APPS` | `-` | no | Comma seperated list of app id that are allowed to bypass certain restrictions enforced by OrcaCD |
| `DISABLE_UI` | `false` | no | Disable serving the frontend. Useful when using the hub only for API access. |
| `ALLOWED_INTERNAL_IPS` | `-` | no | Private IPs that should be ignored by the SSRF protection. Comma seperated list of CIDR ranges or single IPs |
| `DEMO` | `false` | no | This mode disables all functions except the login and additionally seeds some demo data in the database |

## Agent

Expand Down