Hello all! Yesterday I started hosting Forgejo, and in order to clone repos outside my home network through ssh://, I seem to need to open a port for it in my router. Is that safe to do? I can’t use a VPN because I am sharing this with a friend. Here’s a sample Docker Compose file:

version: "3"

networks:
  forgejo:
    external: false

services:
  server:
    image: codeberg.org/forgejo/forgejo:7
    container_name: forgejo
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - FORGEJO__database__DB_TYPE=postgres
      - FORGEJO__database__HOST=db:5432
      - FORGEJO__database__NAME=forgejo
      - FORGEJO__database__USER=forgejo
      - FORGEJO__database__PASSWD=forgejo
    restart: always
    networks:
      - forgejo
    volumes:
      - ./forgejo:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "3000:3000"
      - "222:22" # <- port 222 is the one I'd open, in this case
    depends_on:
      - db

  db:
    image: postgres:14
    restart: always
    environment:
      - POSTGRES_USER=forgejo
      - POSTGRES_PASSWORD=forgejo
      - POSTGRES_DB=forgejo
    networks:
      - forgejo
    volumes:
      - ./postgres:/var/lib/postgresql/data

And to clone I’d do

git clone ssh://git@<my router ip>:<the port I opened, in this case 222>/path/to/repo

Is that safe?

EDIT: Thank you for your answers. I have come to the conclusion that, regardless of whether it is safe, it doesn’t make sense to increase the attack surface when I can just use HTTPS and tokens, so that’s what I am going to do.

  • gurapoku@lemmy.world (OP)
    6 months ago

    Yes, hosting the site seems much safer (at least in theory) since I am proxying it through Cloudflare and I am planning on putting nginx too on top of that this afternoon.

    (And signup is disabled, so hopefully only trusted users can access it)

    • 486@kbin.social
      6 months ago

      I am not sure where this idea comes from, but putting a service behind a reverse-proxy does not increase its security in any way, unless you do authentication right at the reverse-proxy.

      atzanteol is of course correct with the assessment that the web interface poses a much larger attack surface than the ssh interface.

      • Miaou@jlai.lu
        6 months ago

        I spent my day today setting up nginx with mTLS at work, and I actually think it’s a great approach for what OP is trying.

        • 486@kbin.social
          6 months ago

          Oh, I didn’t want to suggest that there is no value in using a reverse-proxy, there certainly is. Just don’t expect it to do anything for you in terms of application security. The application behind it is just as exposed as it would be without a proxy. So if there was a security flaw in that application, the reverse-proxy does not help at all.
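
Added example (not posted by anyone in the thread): a sketch of "authentication right at the reverse-proxy" using nginx with mTLS in front of the Forgejo web port from the compose file above. The hostname, file paths and private client CA are placeholders, and it assumes clients reach nginx directly, since a TLS-terminating CDN in between would not pass the client certificate through.

```nginx
# Added example: nginx requires a client certificate (mTLS) before any
# request is forwarded to Forgejo. Hostname and paths are placeholders.
# Assumption: the compose file publishes the web port on loopback only,
# e.g. "127.0.0.1:3000:3000", so nginx is the only way in.
server {
    listen 443 ssl;
    server_name git.example.org;                     # placeholder hostname

    ssl_certificate     /etc/nginx/tls/server.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Private CA that issued the certificates given to the trusted users.
    ssl_client_certificate /etc/nginx/tls/clients-ca.crt;
    ssl_verify_client on;   # requests without a valid client cert stop at nginx
    ssl_verify_depth 1;     # client certs are signed directly by that CA

    client_max_body_size 512m;   # room for large git pushes over HTTPS

    location / {
        proxy_pass http://127.0.0.1:3000;   # Forgejo web port from the compose file
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

On the client side, git can present the certificate for HTTPS remotes through its `http.sslCert` and `http.sslKey` settings; Forgejo tokens still authenticate the user behind the proxy.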