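#!/bin/bash
# Firewall setup for Makenotwork production server (ufw).
#
# Rules:
# - Allow all traffic on Tailscale interface (tailscale0)
# - Allow SSH (port 22) from anywhere (needed for git SSH access)
# - Allow HTTP/HTTPS (80/443) from anywhere (custom domains need direct access)
# - Drop everything else
#
# HTTP/HTTPS is open to all because custom domains connect directly (on-demand
# Let's Encrypt TLS, not behind Cloudflare) and arrive from arbitrary client IPs,
# so 443 cannot be CIDR-locked to Cloudflare without breaking that paid feature.
# The IP-spoofing risk this would otherwise create is closed in Caddy instead:
# - makenot.work subdomains: Caddy mTLS (Authenticated Origin Pulls) rejects any
#   request without a valid Cloudflare client cert before it reaches the app.
# - custom domains (:443 block): Caddy overwrites CF-Connecting-IP with the real
#   TCP peer and strips X-Forwarded-For, so a client cannot forge the source IP
#   the app uses for rate-limiting, lockouts, and audit logs.
#
# Usage: run as root on the server. Requires the `ufw` binary on PATH.
#
# Failure mode worth knowing: `ufw --force reset` disables the firewall and
# wipes all rules. If any later step fails, the host is left with ufw disabled
# (fail-open) until this script is re-run to completion. The ERR trap below
# reports that state to stderr so it is not missed in a CI/SSH log.

set -euo pipefail

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Report an aborted run. After the reset step ufw is disabled, so a partial
# run is a fail-open condition that the operator must resolve by re-running.
on_error() {
  printf 'Error: firewall setup failed at line %s; ufw may be disabled with incomplete rules. Re-run this script.\n' "$1" >&2
}
trap 'on_error "$LINENO"' ERR

# Preconditions: root privileges and a ufw binary to drive.
if [ "$(id -u)" -ne 0 ]; then
  die "Error: Run as root"
fi
command -v ufw >/dev/null 2>&1 || die "Error: ufw not found on PATH"

# Reset to defaults (disables ufw and removes every existing rule).
ufw --force reset

# Default policies
ufw default deny incoming
ufw default allow outgoing

# Tailscale — unrestricted
ufw allow in on tailscale0

# SSH — open from anywhere (git clone over SSH)
ufw allow 22/tcp

# HTTP/HTTPS — open to all (custom domains need direct access)
# makenot.work is still protected by Caddy mTLS (Authenticated Origin Pulls)
ufw allow 80/tcp
ufw allow 443/tcp

# Enable; --force skips the interactive confirmation prompt.
ufw --force enable
ufw status verbose

echo ""
echo "Firewall configured. SSH, HTTP, HTTPS open. makenot.work protected by Caddy mTLS."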