Security information about our instances

HTTPS configuration

All Sourcegraph instances are exposed to the public via Cloudflare using full SSL/TLS encryption, which also encrypts and authenticates the connection between Cloudflare and the origin servers. External clients are presented with a certificate that Cloudflare generates and manages automatically.

To enable full SSL/TLS encryption:

  • Access the Cloudflare dashboard (credentials are in 1Password).
  • Select the appropriate zone.
  • Ensure the Cloudflare zone has “SSL/TLS” set to “Full” in SSL/TLS -> Overview.
  • Ensure the external domain used for the instance is proxied. This can be verified in infrastructure/dns by searching for the corresponding Terraform cloudflare_record resource and checking that its proxied attribute is set to true.
  • Configure the origin server to present a trusted certificate.

Origin configuration

Cloudflare's full encryption mode requires origin servers to present a Cloudflare-generated “Origin Certificate” so that Cloudflare can trust the origin server and encrypt all traffic to it.

If you don't have a certificate, see Generating an Origin Certificate below before moving on to the next steps.

Attaching an Origin Certificate to Kubernetes

Kubernetes services are exposed through an Ingress resource, which has to specify its certificate following the instructions provided in Configure TLS/SSL.

Generating an Origin Certificate

Origin Certificates can be generated from the Cloudflare dashboard using the following steps:

  • Access the Cloudflare dashboard (credentials are in 1Password).
  • Select the appropriate zone.
  • Access SSL/TLS -> Origin Server and click “Generate Certificate”.
  • Use the following options:
    • Let Cloudflare generate a private key and CSR
    • List the hostnames: *.foo.bar,foo.bar
    • Certificate Validity: 15 years
  • Click Next
  • Save the Origin Certificate and private key to 1Password; you won't be able to retrieve the private key again.

Cloudflare

WAF

The Cloudflare WAF is enabled via Terraform. To turn it on or off, update cloudflare_zone_settings_override in [sourcegraph/sgdev].tf, set waf='[on/off]', then run terraform apply.

To configure the Cloudflare WAF, add or update WAF rules in [sourcegraph/sgdev]-waf.tf. For documentation on what configuration options exist, check the terraform registry. Note that the configuration options may be restricted by plan, as documented in the Cloudflare API documentation.

The Cloudflare WAF must be enabled for any instances containing customer data, including Cloud.

Rate Limiter

The Cloudflare rate limiter is configured via Terraform. To change the behavior of existing rate limiting rules, or to create new ones, edit [sourcegraph/sgdev]-waf.tf. For documentation on what configuration options exist, check the Terraform registry. Note that the configuration options may be restricted by plan, as documented in the Cloudflare API documentation and the rate limiting configuration guide. Also note that we are limited to 10 rate limiting rules on our current plan, so be purposeful about using them.
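As an added illustration (not the contents of the actual [sourcegraph/sgdev].tf or [sourcegraph/sgdev]-waf.tf files), here are the three Terraform resources the HTTPS, WAF and Rate Limiter sections above refer to, in one place: the zone settings override that sets full SSL/TLS and the WAF flag, the proxied cloudflare_record, and one cloudflare_rate_limit rule. The zone ID, hostname, origin address, URL path and thresholds are placeholders.

```hcl
variable "zone_id" {
  description = "Cloudflare zone ID (placeholder; copy it from the dashboard)"
  type        = string
}

# Zone-wide settings: "full" SSL/TLS mode so Cloudflare validates the origin
# certificate, and the WAF switched on (waf = "off" disables it).
resource "cloudflare_zone_settings_override" "instance" {
  zone_id = var.zone_id

  settings {
    ssl = "full"
    waf = "on"
  }
}

# The instance hostname must be proxied (orange cloud): with proxied = false
# traffic bypasses Cloudflare, so neither the WAF nor the rate limiter sees it.
resource "cloudflare_record" "instance" {
  zone_id = var.zone_id
  name    = "instance"       # placeholder hostname
  type    = "A"
  value   = "203.0.113.10"   # placeholder origin address (TEST-NET-3 range)
  proxied = true
}

# One of the (at most 10 on the current plan) rate limiting rules: a client
# exceeding 100 POSTs to the sign-in path within 60 s is blocked for 10 min.
resource "cloudflare_rate_limit" "sign_in" {
  zone_id   = var.zone_id
  threshold = 100
  period    = 60

  match {
    request {
      url_pattern = "instance.example.com/sign-in*"   # placeholder path
      methods     = ["POST"]
    }
  }

  action {
    mode    = "ban"
    timeout = 600
  }
}
```

After `terraform apply`, the SSL/TLS -> Overview page should show “Full” and the record should show the orange proxied cloud; if the record is not proxied, the WAF and rate limit rules have no effect on that hostname.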