Update your Signal TLS Proxy (#71)

Signal TLS Proxy Signed-off-by: Tommy <contact@tommytran.io>
2024-11-17 03:51:35 -05:00 · 2022-10-15 17:12:30 -04:00 · 2022-10-15 17:12:30 -04:00 · 2d39ed39c3
commit 2d39ed39c3
parent 0cac42cb90
2 changed files with 20 additions and 0 deletions
--- a/content/apps/Update
+++ b/content/apps/Update
@ -0,0 +1,20 @@
+---
+title: "Update your Signal TLS Proxy"
+date: 2022-10-15
+tags: ['Applications', 'Linux', 'Container', 'Censorship Evasion']
+author: Tommy
+---
+
+![Signal](/images/plz-merge.jpg)
+
+Given the current censorship situation in Iran, I decided to have a look at the [Signal TLS Proxy](https://github.com/signalapp/Signal-TLS-Proxy).
+
+One thing immediately jumped out - the NGINX image has not been updated [for years](https://github.com/signalapp/Signal-TLS-Proxy/blob/ac94d6b869f942ec05d7ef76840287a1d1f487f9/nginx-relay/Dockerfile#L9). In fact, NGINX 1.18 is so old that it has gone end of life [a year and a half](https://endoflife.date/nginx) as of this writing.
+
+If you are thinking of deploying or maintaining a Signal TLS Proxy, I highly recommend that you use the upstream `nginx:alpine` image.
+
+My Docker Compose setup can be found [here](https://github.com/tommytran732/Signal-TLS-Proxy). I have also fixed the missing `:Z` flag for mountpoints and and dropped privileges to reduce the attack surface there. I made a couple of pull requests for these changes, but Signal is taking their time to review and merge them, so... yeah.
+
+- [Drop capabilities](https://github.com/signalapp/Signal-TLS-Proxy/pull/24)
+- [Use upstream NGINX image](https://github.com/signalapp/Signal-TLS-Proxy/pull/23)
+- [Add :Z for SELinux](https://github.com/signalapp/Signal-TLS-Proxy/pull/22)
--- a/static/images/plz-merge.jpg
+++ b/static/images/plz-merge.jpg