Why is Forge so insecure?

Posted 4 years ago by francois


I've tried to use Forge. It was so exciting (even if my first droplet was an epic fail).

Using auto-deploy, webserver configuration in a browser, etc.

But, digging deeper, I've seen that nginx is configured to run as the 'forge' user and 'forge' group. And this is exactly the same user:group as your default user.

I come from Apache, and I know that this kind of configuration on the Apache/GNU-Linux pair is a big failure for your application's security.

I know that the final goal of Forge is not to remove all your sysadmin work, but this modification is done for Forge, and you have to change it to secure your application.

So there are 3 problems with that:

  1. Losing time if you care about securing.

  2. Losing your job if your company is hacked through this failure.

  3. Not sure everything works fine (auto-deploy, adding a new domain plugged into another existing repo, etc.) if you restore the default user/group for nginx.

So, am I wrong, or is there really an issue there? How do you manage that?
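A quick way to verify the situation the post describes on your own server is to compare the account the nginx worker processes run as against the account that owns and deploys the application. The script below is an added example, not code from the post or from Forge; it assumes the deploy account name is passed as an argument and, for an offline run, uses a constructed `ps` listing in place of the live one.

```sh
#!/bin/sh
# Added example (not from the post or from Forge): flag the case where nginx
# workers run as the same account that owns the deployed code, so a compromised
# web app can write to the application files and the deploy user's home.

# Constructed sample of `ps -eo user=,comm=` output, used for offline runs.
SAMPLE_PS='root nginx
forge nginx
forge nginx
forge sshd
root sshd'

# nginx_worker_users <ps-output>: distinct users of nginx worker processes.
# The master process runs as root and is not a worker, so it is skipped.
nginx_worker_users() {
    printf '%s\n' "$1" | awk '$2 == "nginx" && $1 != "root" { print $1 }' | sort -u
}

# worker_shares_deploy_user <deploy-user> <ps-output>: exit 0 when any nginx
# worker runs as the deploy account, 1 otherwise.
worker_shares_deploy_user() {
    nginx_worker_users "$2" | grep -qx -- "$1"
}

# audit <deploy-user> [ps-output]: print a finding; uses the live process
# list when no sample output is supplied. Exit 1 on a finding.
audit() {
    deploy="$1"
    ps_out="${2:-$(ps -eo user=,comm=)}"
    if worker_shares_deploy_user "$deploy" "$ps_out"; then
        echo "FINDING: nginx workers run as '$deploy', the account that owns the deployed code."
        return 1
    fi
    echo "OK: nginx workers run as: $(nginx_worker_users "$ps_out" | tr '\n' ' ')"
    return 0
}

# Run against the constructed sample: audit forge "$SAMPLE_PS"
# Run against the live server:       audit forge
```

The mitigation the check points toward is the usual one: a dedicated, unprivileged web server account (for example `www-data` on Debian-based systems) that owns nothing in the application tree except the directories it genuinely needs to write (cache, uploads, logs).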


