I am experimenting with using forgejo instead of GitHub for my personal projects. So far I like it, however I would like to make it available to the outside world at some point.
I was wondering what kind of traps I should avoid. The following things come to mind so far:
- Forgejo Actions seem like a massive potential security risk, however I do not intend to enable sign up for other
- OpenID appears to be a thing for forgejo, I do not know how it works and it seems like it would allow access to my instance even with registering disabled
- I would put the instance behind a nginx as reverse proxy, but how do you keep bot traffic to a minimum? Anubis?
I feel like there are a ton of things I have not thought of, which is why I am holding off on making anything available without a VPN so far.
If it’s just you, and you’re fine with the regular login… Just disable signup and don’t add more authentication mechanisms like oauth/openID.
I’m using nginx as a reverse proxy as well. For now, I added a lot of “deny” directives to ban all the address ranges from Tencent, Alibaba, OpenAI. It’s not a 100% solution, but works well enough for me. I’m mostly worried about AI crawlers causing too much load on my server. And it stopped since, so I don’t think I’m gonna need Anubis and all these extra things in front if my applications. If you like you can look into solutions like a web application firewall like Crowdsec.