> You only access Dokploy through https, removing a whole class of attacks
Words such as the above on the blog post send shivers through my spine each time I read them.
They are, for example, a common sight on websites' descriptions of their security. "We use https so everything is ok," says the fluffy website description, carefully omitting to mention any of the stuff that really matters. Instead they just stop abruptly at the mention of the magical https. Shrug.
Or another classic example is all those people who think a dumb pass-through nginx/caddy https proxy in front of their backend suddenly makes the backend secure!
Coming back to this specific wording, I'm not sure what "whole class of attacks" they are expecting to suddenly thwart just because they are running over https? I would suggest it's a bit of a bold statement, to put it kindly.
I assume they are referring to the low-hanging fruit like MITM etc., but as everyone knows that's not really where the real security concerns are in 2025 ...
Not to mention situations where I specifically don't want security. Like:
> your password must be at least 20 characters long, contain mixed-case letters, digits, five kanji, and at least one byte that isn't a valid UTF-8 codepoint
> but I'm setting up a small VM on my private PC to run a script that scrapes porn
Recently I managed to register an account with a password that the login page rejects. I had to hack the frontend script just to log in. And it's my insurance company.
Weird though that their installation page says to navigate to http://IP:3000 (specifically noting http and not https). Perhaps part of the setup will create a cert for your chosen domain and then from then on have you use https://domain:3000 ?
Actually you have to manually remove port 3000 from container forwarding (which will also override whatever firewall you have).
If you don't, it's going to be accessible via :3000 AND whatever domain you choose over https:// (provided it can use a Let's Encrypt cert). So it's a bit of a gotcha.
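The port-forwarding gotcha in the reply above, as an added example that is not part of the thread and not Dokploy's own code or installer: a small POSIX shell audit that takes `docker ps` output and lists every published port bound to all interfaces. A port published as `-p 3000:3000` binds 0.0.0.0 (and :: for IPv6), and Docker inserts its own iptables rules into the FORWARD chain, so a host firewall that only filters INPUT (the usual ufw setup) never sees that traffic. The container names and port list below are constructed sample data; the interface name and management subnet in the remediation comment are assumptions.

```shell
#!/bin/sh
# Added example, not Dokploy's own code. Audits `docker ps` output for ports
# published on every interface, i.e. reachable regardless of INPUT-chain
# firewall rules, because Docker's DNAT + FORWARD rules handle them first.

# Constructed sample in the shape of
#   docker ps --format '{{.Names}} {{.Ports}}'
# (container names are made up for this example).
SAMPLE_PS='panel 0.0.0.0:3000->3000/tcp, :::3000->3000/tcp
db 127.0.0.1:5432->5432/tcp
cache 6379/tcp'

# One "name hostport" line per publication bound to 0.0.0.0 or :: (may repeat
# once for IPv4 and once for IPv6).
scan_ports() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        name=${line%% *}
        ports=${line#* }
        [ "$ports" = "$line" ] && continue          # no Ports column at all
        # Ports column is a comma-separated list like "0.0.0.0:3000->3000/tcp";
        # an entry without "->" (e.g. "6379/tcp") is exposed, not published.
        printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//' |
        while IFS= read -r mapping; do
            case "$mapping" in
                0.0.0.0:*|:::*)
                    hostside=${mapping%%->*}        # 0.0.0.0:3000 or :::3000
                    printf '%s %s\n' "$name" "${hostside##*:}"
                    ;;
            esac
        done
    done
}

# Deduplicated report: "name hostport" for every port open to any interface.
find_wide_open_ports() {
    scan_ports "$1" | sort -u
}

# Remediation (shown in comments, not executed here):
#   - publish on loopback only:  -p 127.0.0.1:3000:3000   (or drop -p entirely
#     when a reverse proxy on the Docker network fronts the service), or
#   - filter in Docker's DOCKER-USER chain, which runs before Docker's own
#     FORWARD rules. Interface and subnet below are assumptions; --dport is the
#     container port, since DNAT has already happened by the time FORWARD runs:
#       iptables -I DOCKER-USER -i eth0 ! -s 10.0.0.0/8 -p tcp --dport 3000 -j DROP

# Usage against the sample. On a live host pass:
#   "$(docker ps --format '{{.Names}} {{.Ports}}')"
find_wide_open_ports "$SAMPLE_PS"
```

Run it after the installer finishes and again after any `docker compose up`: anything it prints is reachable from outside no matter what ufw reports as allowed.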