docs: make egress hardening concrete with SPM v3.9.0 default-deny allowlist#312
Merged
Conversation
…owlist

The egress-hardening section was written before Secure Proxy Manager shipped a destination allowlist, so it described the "allow what CertMate needs, deny the rest" choke point only in the abstract. SPM v3.9.0 added exactly that as a first-class default-deny egress allowlist, so make the guidance concrete:

- docs/installation.md: describe the SPM "Default-deny egress" toggle and the Egress Allowlist (managed in Settings or via /api/egress-allowlist), with a representative starter allowlist for CertMate's real destinations (ACME CA host, DNS provider API, object storage, notification host, cloudflare-dns.com for DoH CNAME resolution). Note that HTTPS destination matching works on the CONNECT host without TLS interception.
- README: under Network Security, add a short outbound-confinement pointer next to the existing inbound firewall rules, linking to the worked example.

All claims verified against the SPM v3.9.0 source and the CertMate code.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Follows up the perimeter-hardening docs (#311). That section described the "allow what CertMate needs, deny the rest" egress choke point in the abstract because, at the time, Secure Proxy Manager had no destination allowlist. SPM v3.9.0 just shipped exactly that (a first-class default-deny egress allowlist), so this makes the guidance concrete and actionable.
What changed
- `/api/egress-allowlist` for IaC), with a representative starter allowlist for CertMate's real destinations — ACME CA host, DNS provider API, object-storage endpoint, notification host, and `cloudflare-dns.com` for DoH CNAME resolution. Clarifies that HTTPS destination matching works on the `CONNECT` host without TLS interception.

Verification
Every factual claim was adversarially fact-checked against the live source in both repos:
- `egress_default_deny` setting, `/api/egress-allowlist` routes, dst/dstdomain ACL injection in `proxy/startup.sh`, cidr-vs-domain auto-classification — all confirmed.
- `HTTP(S)_PROXY` (requests/certbot/urllib/boto3), SMTP is the documented direct-TCP exception, DoH CNAME resolution against `cloudflare-dns.com`, real ACME hosts, real notification channels and S3 backup — all confirmed.

Docs-only; no code or behaviour change.
🤖 Generated with Claude Code
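The default-deny allowlist described above, as an added worked example that is not code from Secure Proxy Manager, CertMate or this PR. It implements the three properties the description attributes to SPM v3.9.0: each entry is auto-classified as a CIDR/IP (squid `dst`) or a domain (squid `dstdomain`), HTTPS destinations are decided on the `CONNECT` target alone with no TLS interception, and anything not listed is denied. The leading-dot suffix semantics, the squid rendering and every destination except `cloudflare-dns.com` are assumptions or constructed placeholders, not verified SPM behaviour.

```python
"""Default-deny egress allowlist matcher (added illustration, not SPM's or CertMate's code).

Assumptions not verified against SPM: entries auto-classify as CIDR/IP (squid "dst") or
domain (squid "dstdomain"); a leading-dot domain matches the apex and its subdomains;
the HTTPS decision uses only the CONNECT target, never the TLS payload.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def classify(entry: str) -> str:
    """Auto-classify one allowlist entry: 'cidr' for an IP or network, 'domain' otherwise."""
    try:
        ipaddress.ip_network(entry.strip(), strict=False)
        return "cidr"
    except ValueError:
        return "domain"


def split_connect_target(target: str) -> str:
    """Return the host part of a CONNECT target such as 'host:443' or '[2001:db8::5]:443'."""
    target = target.strip().lower()
    if target.startswith("["):
        return target[1:target.index("]")]
    host, sep, port = target.rpartition(":")
    # exactly one colon followed by a numeric port -> host:port; otherwise the whole string is the host
    if sep and port.isdigit() and ":" not in host:
        return host.rstrip(".")
    return target.rstrip(".")


@dataclass
class EgressAllowlist:
    default_deny: bool = True
    cidrs: List[Network] = field(default_factory=list)
    domains: List[str] = field(default_factory=list)

    def add(self, entry: str) -> None:
        entry = entry.strip().lower()
        if classify(entry) == "cidr":
            self.cidrs.append(ipaddress.ip_network(entry, strict=False))
        else:
            self.domains.append(entry.rstrip("."))

    def _domain_allowed(self, host: str) -> bool:
        for d in self.domains:
            if d.startswith("."):
                if host == d[1:] or host.endswith(d):  # apex or any subdomain
                    return True
            elif host == d:
                return True
        return False

    def allows(self, connect_target: str) -> bool:
        """Decide a CONNECT from its target only; IP literals go to the CIDR list, names to the domain list."""
        host = split_connect_target(connect_target)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        matched = any(ip in net for net in self.cidrs) if ip is not None else self._domain_allowed(host)
        return matched or not self.default_deny

    def to_squid_acls(self) -> List[str]:
        """Render as squid ACL lines of the two types the PR names (dst, dstdomain). Illustrative only."""
        lines = [f"acl egress_allow dst {net}" for net in self.cidrs]
        lines += [f"acl egress_allow dstdomain {d}" for d in self.domains]
        return lines + ["http_access allow egress_allow", "http_access deny all"]


def build_starter_allowlist() -> EgressAllowlist:
    """Constructed starter list mirroring the destination classes the PR names; placeholders except cloudflare-dns.com."""
    al = EgressAllowlist(default_deny=True)
    for entry in [
        ".acme-ca.example",     # ACME CA host (placeholder; apex + subdomains)
        "dns-api.example",      # DNS provider API (placeholder)
        "objectstore.example",  # object-storage endpoint (placeholder)
        "notify.example",       # notification host (placeholder)
        "cloudflare-dns.com",   # DoH CNAME resolution, named in the PR
        "10.20.0.0/16",         # constructed internal range, auto-classified as CIDR
        "2001:db8::/32",        # constructed IPv6 range
    ]:
        al.add(entry)
    return al


def evaluate(al: EgressAllowlist, targets: List[str]) -> Dict[str, bool]:
    """Map each CONNECT target to its allow/deny decision."""
    return {t: al.allows(t) for t in targets}


if __name__ == "__main__":
    starter = build_starter_allowlist()
    sample = ["api.acme-ca.example:443", "cloudflare-dns.com:443", "10.20.3.4:443",
              "[2001:db8::5]:443", "telemetry.unlisted.example:443", "8.8.8.8:443"]
    for target, ok in evaluate(starter, sample).items():
        print(f"{'ALLOW' if ok else 'DENY '} CONNECT {target}")
    print("\n".join(starter.to_squid_acls()))
```

The point worth checking operationally is the last `http_access deny all` line: with `default_deny` set, a destination the list does not name is refused even when it is a subdomain-lookalike such as `notacme-ca.example`, because the leading-dot entry only matches across a dot boundary.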