https://github.com/tam7t/haproxy-dockerfile
haproxy docker image built with binary hardening & libressl
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/tam7t/haproxy-dockerfile
- Owner: tam7t
- License: gpl-2.0
- Created: 2017-03-25T18:02:52.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2017-03-30T03:05:42.000Z (about 8 years ago)
- Last Synced: 2025-01-30T23:41:21.412Z (5 months ago)
- Language: Shell
- Size: 11.7 KB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# haproxy-dockerfile
haproxy docker image built with binary hardening & libressl

# motivation
I noticed that the existing docker images were not compiling `haproxy` with
many (if any) exploit mitigations (as of 11 March 2017) when using Debian's `hardening-check`:

| Hardening property | Debian apt-get | Docker (alpine) | Docker (debian) |
|---------------------------------|------------------|------------------|------------------|
| Position Independent Executable | no | yes | no |
| Stack protected | yes | yes | no |
| Fortify Source functions | yes (some) | no | no |
| Read-only relocations | yes | yes | no |
| Immediate binding | no | yes | no |
| OpenSSL | 1.0.1t | 1.0.2k | 1.0.1t |

# protections
This docker image aims to be a drop-in replacement for the official `haproxy`
image, but built with binary hardening flags and statically linked against
LibreSSL.

* `-fPIE -DPIE` - Position independent code so the executable can take advantage of ASLR
* `-D_FORTIFY_SOURCE=2` - Replaces functions commonly involved in buffer overflows with bounds-checked `_chk` variants
* `-fstack-protector-strong` - Adds stack canaries (cookies) to detect buffer overflows on the stack
* `-fvisibility=hidden -flto -fsanitize=cfi -fuse-ld=gold` - Clang Control Flow Integrity to block unexpected indirect jumps (LTO and hidden visibility are prerequisites of `-fsanitize=cfi`)
* `-z relro -z now` - Read-only Global Offset Table (full RELRO) to prevent GOT overwrite attacks

# references
* http://blog.quarkslab.com/clang-hardening-cheat-sheet.html
* https://blog.trailofbits.com/2016/10/17/lets-talk-about-cfi-clang-edition/
* https://wiki.debian.org/Hardening
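To reproduce the `hardening-check` comparison from the motivation section and verify the protections list against a built binary, here is an added example (not part of the tam7t repository): a POSIX sh function that applies the same five checks to the text output of `readelf -h -l -d -s`. The haproxy path in the closing comment is an assumption, and the two dumps are constructed stand-ins for a hardened and an unhardened build.

```shell
#!/bin/sh
# Added example (not from the tam7t repo): a minimal re-implementation of the
# five checks Debian's hardening-check performs, driven by the text output of
# `readelf -h -l -d -s BINARY`. It prints one key=value per property.

hardening_status() {
    dump="$(cat)"
    # PIE: ET_DYN plus a DT_DEBUG entry (shared libraries are DYN as well, but
    # only executables carry DEBUG); this is the hardening-check heuristic.
    if printf '%s\n' "$dump" | grep -q 'Type:.*DYN' &&
       printf '%s\n' "$dump" | grep -q '(DEBUG)'; then pie=yes; else pie=no; fi
    # Stack protector: the canary-failure handler is imported from libc.
    if printf '%s\n' "$dump" | grep -q '__stack_chk_fail'; then sp=yes; else sp=no; fi
    # Fortify: any versioned *_chk libc wrapper other than the canary handler.
    if printf '%s\n' "$dump" | grep -v '__stack_chk' | grep -q '_chk@'; then
        fortify=yes; else fortify=no; fi
    # RELRO: a GNU_RELRO segment makes the GOT read-only after relocation.
    if printf '%s\n' "$dump" | grep -q 'GNU_RELRO'; then relro=yes; else relro=no; fi
    # BIND_NOW: RELRO is only "full" when every symbol is resolved at load time.
    if printf '%s\n' "$dump" | grep -Eq 'BIND_NOW|\(FLAGS_1\).*NOW'; then now=yes; else now=no; fi
    printf 'pie=%s stack_protector=%s fortify=%s relro=%s bind_now=%s\n' \
        "$pie" "$sp" "$fortify" "$relro" "$now"
}

# Constructed, abridged readelf dumps standing in for a hardened and an
# unhardened build (not real haproxy binaries).
HARDENED_DUMP='  Type:                              DYN (Shared object file)
  GNU_RELRO      0x000000000002fd40 0x0000000000030d40 0x0000000000030d40
 0x0000000000000015 (DEBUG)              0x0
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)'
WEAK_DUMP='  Type:                              EXEC (Executable file)
  LOAD           0x0000000000000000 0x0000000000400000 0x0000000000400000
 0x0000000000000015 (DEBUG)              0x0
     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)'

check_hardened() { printf '%s\n' "$HARDENED_DUMP" | hardening_status; }
check_weak()     { printf '%s\n' "$WEAK_DUMP" | hardening_status; }

# Against a real binary (path assumed; needs binutils in the image or on the host):
#   readelf -h -l -d -s /usr/local/sbin/haproxy | hardening_status
check_hardened
check_weak
```

The hardened dump should report every property as yes and the weak dump every property as no, matching the "Docker (debian)" column of the table.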