8f7b4b9aaa
docs: Modify security documentation to indicate Cerberus is enabled by default test: Adjust frontend feature flag tests to align with new Cerberus flag feat: Integrate feature flags into Layout component for conditional rendering test: Enhance Layout component tests for feature flag visibility feat: Implement Optional Features section in System Settings page test: Add tests for Optional Features toggles in System Settings fix: Remove unused Cerberus state from System Settings component
7.9 KiB
Security Features
Charon includes Cerberus, a security system that protects your websites. It's enabled by default so your sites are protected from the start.
You can disable it in System Settings → Optional Features if you don't need it, or configure it using this guide.
What Is Cerberus?
Think of Cerberus as a guard dog for your websites. It has three heads (in Greek mythology), and each head watches for different threats:
- CrowdSec — Blocks bad IP addresses
- WAF (Web Application Firewall) — Blocks bad requests
- Access Lists — You decide who gets in
Turn It On (The Safe Way)
Step 1: Start in "Monitor" Mode
This means Cerberus watches but doesn't block anyone yet.
Add this to your docker-compose.yml:
environment:
- CERBERUS_SECURITY_WAF_MODE=monitor
- CERBERUS_SECURITY_CROWDSEC_MODE=local
Restart Charon:
docker-compose restart
Step 2: Watch the Logs
Check "Security" in the sidebar. You'll see what would have been blocked. If it looks right, move to Step 3.
Step 3: Turn On Blocking
Change monitor to block:
environment:
- CERBERUS_SECURITY_WAF_MODE=block
Restart again. Now bad guys actually get blocked.
CrowdSec (Block Bad IPs)
What it does: Thousands of people share information about attackers. When someone tries to hack one of them, everyone else blocks that attacker too.
Why you care: If someone is attacking servers in France, you block them before they even get to your server in California.
How to Enable It
Local Mode (Runs inside Charon):
environment:
- CERBERUS_SECURITY_CROWDSEC_MODE=local
That's it. CrowdSec starts automatically and begins blocking bad IPs.
What you'll see: The "Security" page shows blocked IPs and why they were blocked.
WAF (Block Bad Behavior)
What it does: Looks at every request and checks if it's trying to do something nasty—like inject SQL code or run JavaScript attacks.
Why you care: Even if your app has a bug, the WAF might catch the attack first.
How to Enable It
environment:
- CERBERUS_SECURITY_WAF_MODE=block
Start with monitor first! This lets you see what would be blocked without actually blocking it.
Access Lists (You Decide Who Gets In)
Access lists let you block or allow specific countries, IP addresses, or networks.
Example 1: Block a Country
Scenario: You only need access from the US, so block everyone else.
- Go to Access Lists
- Click Add List
- Name it "US Only"
- Type: Geo Whitelist
- Countries: United States
- Assign to your proxy host
Now only US visitors can access that website. Everyone else sees "Access Denied."
Example 2: Private Network Only
Scenario: Your admin panel should only work from your home network.
- Create an access list
- Type: Local Network Only
- Assign it to your admin panel proxy
Now only devices on 192.168.x.x or 10.x.x.x can access it. The public internet can't.
Example 3: Block One Country
Scenario: You're getting attacked from one specific country.
- Create a list
- Type: Geo Blacklist
- Pick the country
- Assign to the targeted website
Certificate Management Security
What it protects: Certificate deletion is a destructive operation that requires proper authorization.
How it works:
- Certificates cannot be deleted while in use by proxy hosts (conflict error)
- Automatic backup is created before any certificate deletion
- Authentication required (when auth is implemented)
Backup & Recovery:
- Every certificate deletion triggers an automatic backup
- Find backups in the "Backups" page
- Restore from backup if you accidentally delete the wrong certificate
Best Practice:
- Review which proxy hosts use a certificate before deleting it
- When deleting proxy hosts, use the cleanup prompt to delete orphaned certificates
- Keep custom certificates you might reuse later
Don't Lock Yourself Out!
Problem: If you turn on security and misconfigure it, you might block yourself.
Solution: Add your IP to the "Admin Whitelist" first.
How to Add Your IP
- Go to Settings → Security
- Find "Admin Whitelist"
- Add your IP address (find it at ifconfig.me)
- Save
Now you can never accidentally block yourself.
Break-Glass Token (Emergency Exit)
If you do lock yourself out:
- Log into your server directly (SSH)
- Run this command:
docker exec charon charon break-glass
It generates a one-time token that lets you disable security and get back in.
Recommended Settings by Service Type
Internal Admin Panels (Router, Pi-hole, etc.)
Access List: Local Network Only
Blocks all public internet traffic.
Personal Blog or Portfolio
No access list
WAF: Enabled
CrowdSec: Enabled
Keep it open for visitors, but protect against attacks.
Password Manager (Vaultwarden, etc.)
Access List: IP Whitelist (your home IP)
Or: Geo Whitelist (your country only)
Most restrictive. Only you can access it.
Media Server (Plex, Jellyfin)
Access List: Geo Blacklist (high-risk countries)
CrowdSec: Enabled
Allows friends to access, blocks obvious threat countries.
Check If It's Working
- Go to Security → Decisions in the sidebar
- You'll see a list of recent blocks
- If you see activity, it's working!
Turn It Off
If security is causing problems:
Option 1: Via Web UI
- Go to Settings → Security
- Toggle "Enable Cerberus" off
Option 2: Via Environment Variable
Remove the security lines from docker-compose.yml and restart.
Common Questions
"Will this slow down my websites?"
No. The checks happen in milliseconds. Humans won't notice.
"Can I whitelist specific paths?"
Not yet, but it's planned. For now, access lists apply to entire websites.
"What if CrowdSec blocks a legitimate visitor?"
You can manually unblock IPs in the Security → Decisions page.
"Do I need all three security features?"
No. Use what you need:
- Just starting? CrowdSec only
- Public service? CrowdSec + WAF
- Private service? Access Lists only
Zero-Day Protection
What We Protect Against
Web Application Exploits:
- ✅ SQL Injection (SQLi) — even zero-days using SQL syntax
- ✅ Cross-Site Scripting (XSS) — new XSS vectors caught by pattern matching
- ✅ Remote Code Execution (RCE) — command injection patterns
- ✅ Path Traversal — attempts to read system files
- ⚠️ CrowdSec — protects hours/days after first exploitation (crowd-sourced)
How It Works
The WAF (Coraza) uses the OWASP Core Rule Set to detect attack patterns. Even if the exploit is brand new, the pattern is usually recognizable.
Example: A zero-day SQLi exploit discovered today:
https://yourapp.com/search?q=' OR '1'='1
- Pattern:
' OR '1'='1matches SQL injection signature - Action: WAF blocks request → attacker never reaches your database
What We DON'T Protect Against
- ❌ Zero-days in Charon itself (keep Charon updated)
- ❌ Zero-days in Docker, Linux kernel (keep OS updated)
- ❌ Logic bugs in your application code (need code reviews)
- ❌ Insider threats (need access controls + auditing)
- ❌ Social engineering (need user training)
Recommendation: Defense in Depth
-
Enable all Cerberus layers:
- CrowdSec (IP reputation)
- ACLs (restrict access by geography/IP)
- WAF (request inspection)
- Rate Limiting (slow down attacks)
-
Keep everything updated:
- Charon (watch GitHub releases)
- Docker images (rebuild regularly)
- Host OS (enable unattended-upgrades)
-
Monitor security logs:
- Check "Security → Decisions" weekly
- Set up alerts for high block rates
More Technical Details
Want the nitty-gritty? See Cerberus Technical Docs.