Security Architecture

This document outlines the security architecture, measures, and best practices implemented across the system.

Security Measures

1. Network Security

Internet → Caddy (Port 80/443) → Frontend/API

         Internal Network (isolated)

    Database, Ollama, Docker Proxy

Network Isolation

  • Internal Network: Database, Ollama, and Docker proxy services run on an isolated internal network

  • External Network: Only frontend and API services are exposed to external traffic

  • Bridge Networks: Uses Docker bridge networks to segment services

Port Exposure

  • Minimal Exposure: Only necessary ports (80, 443) are exposed to the host

  • Internal Communication: Services communicate through internal networks only

  • Exposed Ports: Database (5432), API (5010), and Ollama (11434) are exposed only internally

2. Container Security

User Isolation

  • Non-root Execution: API service runs with specific user/group IDs

  • Dedicated User: dataspace user (UID/GID 1007) for application execution

  • Sudo Access: Limited sudo access for maintenance operations

Image Security

  • Official Images: Uses official Docker images

  • Version Pinning: Specific image versions to prevent supply chain attacks

  • Private Registry: Images pulled from GitHub Container Registry (ghcr.io)

3. Data Security

Database Security

  • Password Protection: Database protected with strong passwords

  • Internal Access: Database only accessible from the internal network

  • Data Encryption: User secrets stored in the database are encrypted using configurable encryption keys

4. Access Control

Authentication & Authorization

  • OAuth Integration: Microsoft and Google OAuth support

  • 2FA Authentication: Two-factor authentication is available

  • Role & Resource Level Authorisation: The platform provides multiple levels of access rights. See User Roles.

  • API Authentication: Secure API endpoints with proper authentication

Docker Socket Security

  • Proxy Service: Docker socket access through secure proxy

  • Limited Permissions: Only specific Docker operations allowed

  • Read-only Mount: Docker socket mounted as read-only
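
The rules stated under Network Isolation, Port Exposure and Docker Socket Security can be checked against a deployment's resolved Compose configuration. The following is an added example, not part of DataSpace's own code; the service names, network names and the sample configuration are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like `docker compose config --format json` output.
# Service/network names are assumptions; three violations are planted on purpose.
SAMPLE = json.loads("""{
 "networks": {"external": {}, "internal": {"internal": true}},
 "services": {
  "caddy": {"networks": {"external": null},
    "ports": [{"target": 80, "published": "80"}, {"target": 443, "published": "443"}]},
  "api": {"networks": {"external": null, "internal": null}},
  "frontend": {"networks": {"external": null},
    "volumes": [{"type": "bind", "source": "/var/run/docker.sock",
                 "target": "/var/run/docker.sock"}]},
  "database": {"networks": {"internal": null},
    "ports": [{"target": 5432, "published": "5432"}]},
  "ollama": {"networks": {"internal": null, "external": null}},
  "docker-proxy": {"networks": {"internal": null},
    "volumes": [{"type": "bind", "source": "/var/run/docker.sock",
                 "target": "/var/run/docker.sock", "read_only": true}]}
 }}""")

ALLOWED_HOST_PORTS = {"80", "443"}                # Port Exposure: only 80/443 on the host
BACKEND = {"database", "ollama", "docker-proxy"}  # Network Isolation: internal only
SOCKET = "/var/run/docker.sock"

def audit(cfg, proxy="docker-proxy"):
    """Return a list of deviations from the documented isolation rules."""
    findings = []
    nets = cfg.get("networks") or {}
    for name, svc in sorted(cfg.get("services", {}).items()):
        for port in svc.get("ports") or []:
            if str(port.get("published")) not in ALLOWED_HOST_PORTS:
                findings.append(f"{name}: publishes host port {port.get('published')}")
        if name in BACKEND:
            for net in svc.get("networks") or {}:
                if not (nets.get(net) or {}).get("internal"):
                    findings.append(f"{name}: attached to non-internal network {net}")
        for vol in svc.get("volumes") or []:
            if vol.get("source") != SOCKET:
                continue
            # A read-only bind mount does not restrict Docker API calls made over
            # the socket; the proxy's allow-list does, so only the proxy may mount it.
            if name != proxy:
                findings.append(f"{name}: mounts the Docker socket directly")
            elif not vol.get("read_only"):
                findings.append(f"{name}: Docker socket mount is not read-only")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

To audit a real deployment, pass in the JSON printed by `docker compose config --format json` and set BACKEND and proxy to the actual service names.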

5. Web Security

HTTPS/TLS

  • Automatic HTTPS: Caddy provides automatic SSL certificate management

  • Let's Encrypt: Free SSL certificates from Let's Encrypt

IP Blocking

  • Blocked IPs: Configurable IP blocking through Caddy

  • Geographic Filtering: Can block specific IP ranges or countries

Security Configuration

Installation Security

Secure Installation Process

  1. User Creation: Dedicated dataspace user with specific UID/GID

  2. File Permissions: Proper file permissions set on configuration files

  3. Secret Management: GitHub keys stored with restricted permissions

Security Best Practices

1. Regular Updates

  • Image Updates: Regular updates of Docker images

  • Security Patches: Apply security patches promptly

  • Dependency Updates: Keep all dependencies updated

2. Monitoring & Logging

  • Access Logs: Caddy provides comprehensive access logging

  • Application Logs: API and frontend logging enabled

  • Audit Trails: Database operations logged

Conclusion

DataSpace implements multiple layers of security through network isolation, container security, data encryption, and access controls. Regular maintenance, updates, and monitoring are essential to maintain this security posture. Organizations should implement additional security measures based on their specific requirements and compliance needs.
