Hello all! Yesterday I started hosting forgejo, and in order to clone repos outside my home network through ssh://, I seem to need to open a port for it in my router. Is that safe to do? I can’t use a vpn because I am sharing this with a friend. Here’s a sample docker compose file:

version: "3"

networks:
  forgejo:
    external: false

services:
  server:
    image: codeberg.org/forgejo/forgejo:7
    container_name: forgejo
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - FORGEJO__database__DB_TYPE=postgres
      - FORGEJO__database__HOST=db:5432
      - FORGEJO__database__NAME=forgejo
      - FORGEJO__database__USER=forgejo
      - FORGEJO__database__PASSWD=forgejo
    restart: always
    networks:
      - forgejo
    volumes:
      - ./forgejo:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "3000:3000"
      - "222:22" # <- port 222 is the one I'd open, in this case
    depends_on:
      - db

  db:
    image: postgres:14
    restart: always
    environment:
      - POSTGRES_USER=forgejo
      - POSTGRES_PASSWORD=forgejo
      - POSTGRES_DB=forgejo
    networks:
      - forgejo
    volumes:
      - ./postgres:/var/lib/postgresql/data

And to clone I’d do

git clone ssh://git@<my router ip>:<the port I opened, in this case 222>/path/to/repo

Is that safe?

EDIT: Thank you for your answers. I have come to the conclusion that, regardless of whether it is safe, it doesn’t make sense to increase the attack surface when I can just use https and tokens, so that’s what I am going to do.

  • atzanteol
    link
    fedilink
    English
    arrow-up
    6
    ·
    7 months ago

    I have come to the conclusion that, regardless of whether it is safe, it doesn’t make sense to increase the attack surface when I can just use https and tokens, so that’s what I am going to do.

    Are you already exposing HTTPS? Because if not you would still be “increasing your attack surface”.

      • atzanteol
        link
        fedilink
        English
        arrow-up
        7
        ·
        7 months ago

        Wait, so you have the full website exposed to the Internet and you’re concerned about enabling ssh access? Because of the two ssh would likely be the more secure.

        But either are probably “fine” so long as you have only trusted users using the site.

        • gurapoku@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          7 months ago

          Yes, hosting the site seems much safer (at least in theory) since I am proxying it through cloudflare and I am planning on putting ngynx too on top of that this afternoon

          (And signup is disabled, so hopefully only trusted users can access it)

          • 486@kbin.social
            link
            fedilink
            arrow-up
            9
            arrow-down
            1
            ·
            edit-2
            7 months ago

            I am not sure where this idea comes from, but putting a service behind a reverse-proxy does not increase its security in any way, unless you’d do authentication right at the reverse-proxy.

            atzanteol is of course correct with the assessment that the web interface poses a much larger attack surface than the ssh interface.

            • Miaou@jlai.lu
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              7 months ago

              I spent my day today setting up nginx with mtls at work, and I actually think it’s a great approach for what op is trying

              • 486@kbin.social
                link
                fedilink
                arrow-up
                3
                ·
                7 months ago

                Oh, I didn’t want to suggest that there is no value in using a reverse-proxy, there certainly is. Just don’t expect it to do anything for you in terms of application security. The application behind it is just as exposed as it would be without a proxy. So if there was a security flaw in that application, the reverse-proxy does not help at all.