Hello all! Yesterday I started hosting forgejo, and in order to clone repos outside my home network through ssh://, I seem to need to open a port for it in my router. Is that safe to do? I can’t use a vpn because I am sharing this with a friend. Here’s a sample docker compose file:

version: "3"

networks:
  forgejo:
    external: false

services:
  server:
    image: codeberg.org/forgejo/forgejo:7
    container_name: forgejo
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - FORGEJO__database__DB_TYPE=postgres
      - FORGEJO__database__HOST=db:5432
      - FORGEJO__database__NAME=forgejo
      - FORGEJO__database__USER=forgejo
      - FORGEJO__database__PASSWD=forgejo
    restart: always
    networks:
      - forgejo
    volumes:
      - ./forgejo:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "3000:3000"
      - "222:22" # <- port 222 is the one I'd open, in this case
    depends_on:
      - db

  db:
    image: postgres:14
    restart: always
    environment:
      - POSTGRES_USER=forgejo
      - POSTGRES_PASSWORD=forgejo
      - POSTGRES_DB=forgejo
    networks:
      - forgejo
    volumes:
      - ./postgres:/var/lib/postgresql/data

And to clone I’d do

git clone ssh://git@<my router ip>:<the port I opened, in this case 222>/path/to/repo

Is that safe?

EDIT: Thank you for your answers. I have come to the conclusion that, regardless of whether it is safe, it doesn’t make sense to increase the attack surface when I can just use https and tokens, so that’s what I am going to do.

  • gurapoku@lemmy.worldOPEnglish
    1·
    1 month ago

    Yes, hosting the site seems much safer (at least in theory) since I am proxying it through cloudflare and I am planning on putting ngynx too on top of that this afternoon

    (And signup is disabled, so hopefully only trusted users can access it)

    • 486@kbin.social
      81·
      1 month ago

      I am not sure where this idea comes from, but putting a service behind a reverse-proxy does not increase its security in any way, unless you’d do authentication right at the reverse-proxy.

      • Miaou@jlai.luEnglish
        2·
        1 month ago

        I spent my day today setting up nginx with mtls at work, and I actually think it’s a great approach for what op is trying

        • 486@kbin.social
          2·
          1 month ago

          Oh, I didn’t want to suggest that there is no value in using a reverse-proxy, there certainly is. Just don’t expect it to do anything for you in terms of application security. The application behind it is just as exposed as it would be without a proxy. So if there was a security flaw in that application, the reverse-proxy does not help at all.