GoAccess is commonly deployed either as a real-time HTML dashboard that updates over a WebSocket or as static HTML reports. Securing it is mostly a matter of protecting the log inputs, controlling access to the report endpoint, and limiting WebSocket exposure. Recent versions add WebSocket authentication, with JWT verification and token refresh mechanisms.
¶ 1) Protect report and WebSocket endpoints
- Serve real-time dashboard behind HTTPS and authentication.
- Do not expose WebSocket endpoint without reverse-proxy ACLs.
- Prefer private access for operational analytics dashboards.
- Set strict CSP and frame options for report pages.
- Implement proper authentication and authorization for real-time HTML reports.
- Use WebSocket authentication (available in v1.10.1+) with JWT tokens for enhanced security.
- Parse only logs from trusted web servers.
- Keep raw logs readable only by service account.
- Use immutable/append-only logging where possible.
- Monitor for malformed log-line spikes indicating poisoning attempts.
- Implement log validation to prevent injection attacks through log entries.
- Restrict config file permissions (goaccess.conf) to owner read/write only (600).
- Disable features you do not use (geo lookups, noisy modules).
- Rotate reports and purge old artifacts.
- Run GoAccess process under non-root account.
- Limit memory usage to prevent resource exhaustion attacks.
- Bind WebSocket server to localhost if accessed via reverse proxy.
- Use firewall rules to restrict access to WebSocket port (typically 7890).
- Implement rate limiting to prevent abuse of the WebSocket endpoint.
- Use TLS/SSL for WebSocket connections (wss://) when exposed externally.
- Ensure log files have appropriate permissions (readable by GoAccess user only).
- Store generated reports in secure directories with restricted access.
- Use separate user accounts for GoAccess processes.
- Implement proper log rotation with secure permissions.
- Run containers with minimal privileges (non-root user).
- Mount log files as read-only volumes.
- Limit container resources (CPU, memory) to prevent resource exhaustion.
- Use official GoAccess images from trusted sources.
- Pin to specific image versions to avoid unexpected updates.
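The log-validation and malformed-line monitoring items above can be exercised with a small detector. The script below is an added example, not GoAccess code and not part of this guide: it checks each line against the Combined Log Format that GoAccess's COMBINED preset expects, buckets malformed lines per minute, and flags minutes at or above a threshold. The sample log lines are constructed, and the 8192-byte line cap and the threshold are assumed values to tune for your traffic.

```shell
#!/bin/sh
# Added example (not GoAccess code): detect spikes of malformed access-log
# lines, a cheap signal for log poisoning or a misconfigured upstream.
# Assumptions: logs are in Combined Log Format (GoAccess --log-format=COMBINED);
# the 8192-byte line cap and the spike threshold are arbitrary values to tune.

# Constructed sample: three well-formed lines, one line with no structure,
# and one with a non-numeric status field.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "GET /about HTTP/1.1" 200 1024 "https://example.test/" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2024:13:56:01 +0000] "GET / HTTP/1.1" 200 77 "-" "curl/8.0"
garbage line without any structure
203.0.113.9 - - [10/Oct/2024:13:56:02 +0000] "GET /x HTTP/1.1" abc - "-" "-"'

# Read log lines on stdin; print one "<minute> <malformed> <total>" line per
# minute bucket (minute taken from the timestamp field, "unknown" if absent).
malformed_per_minute() {
    LC_ALL=C awk '
    BEGIN {
        # host ident user [time] "request" status size "referer" "agent"
        # Written without {n} intervals so it also works under mawk.
        clf = "^[0-9A-Fa-f.:]+ [^ ]+ [^ ]+ \\[[^]]+\\] \"[^\"]*\" [0-9][0-9][0-9] (-|[0-9]+) \"[^\"]*\" \"[^\"]*\"$"
    }
    {
        minute = "unknown"
        # e.g. [10/Oct/2024:13:55:36 +0000] -> 10/Oct/2024:13:55
        if (match($0, /\[[^]:]+:[0-9][0-9]:[0-9][0-9]/))
            minute = substr($0, RSTART + 1, RLENGTH - 1)
        total[minute]++
        # Malformed: format mismatch, oversized line, or control characters
        # (terminal escapes and NULs are classic log-injection markers).
        if ($0 !~ clf || length($0) > 8192 || $0 ~ /[[:cntrl:]]/)
            bad[minute]++
    }
    END {
        for (m in total) printf "%s %d %d\n", m, bad[m] + 0, total[m]
    }' | sort
}

# Read malformed_per_minute output on stdin; print minutes whose malformed
# count is at or above THRESHOLD ($1). Returns 1 if any minute is printed.
spike_minutes() {
    awk -v t="$1" '$2 >= t { print $1; found = 1 } END { exit found ? 1 : 0 }'
}

# Demo on the constructed sample. For a real file:
#   malformed_per_minute < /var/log/nginx/access.log | spike_minutes 50
printf '%s\n' "$SAMPLE_LOG" | malformed_per_minute | spike_minutes 1 \
    || echo "malformed-line spike in the minutes listed above"
```

Run it periodically (for example from the log-rotation hook or a timer) against the log GoAccess is about to parse; a sudden rise in the malformed count for a single minute is worth an alert before the report is regenerated.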
¶ Verification commands
# Check configuration file permissions
ls -la /etc/goaccess/goaccess.conf
# Verify WebSocket and HTTP ports
sudo ss -tulpn | grep -E ':7890|:80|:443'
# Check log file permissions
ls -la /var/log/nginx /var/log/apache2 2>/dev/null | head
# Verify running processes
ps aux | grep goaccess
# Check for recent GoAccess version with security features
goaccess --version
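The verification commands above leave the reading to the operator. The script below is an added example, not GoAccess code and not part of this guide, that turns the same checks into pass/fail functions. It assumes GNU coreutils `stat`, iproute2 `ss` and procps `ps`, and uses the port and paths from this guide; each check takes its input on stdin so it can be run against captured output as well as the live system.

```shell
#!/bin/sh
# Added example (not GoAccess code): pass/fail versions of the verification
# commands. Assumptions: GNU coreutils `stat`, iproute2 `ss`, procps `ps`;
# the paths and port 7890 follow this guide's defaults.

# Return 0 if FILE ($1) grants no group/other permission bits (600, 400, ...),
# 1 if it does, 2 if it cannot be stat'ed.
owner_only_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read `ss -tuln` output on stdin; print listeners on PORT ($1) whose local
# address is not loopback. Return 1 if any were printed.
non_loopback_listeners() {
    awk -v port="$1" '
    {
        # The local address is the first field ending in ":<digits>"
        # (e.g. 127.0.0.1:7890, 0.0.0.0:7890, [::]:7890); the peer column
        # of a listener ends in "*", so it never matches.
        local = ""
        for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) { local = $i; break }
        if (local == "") next
        n = split(local, parts, ":")
        if (parts[n] != port) next
        if (local ~ /^127\./ || local ~ /^\[::1\]:/) next
        print local
        found = 1
    }
    END { exit found ? 1 : 0 }'
}

# Read `ps -eo user=,comm=` output on stdin; return 0 if goaccess runs as root.
goaccess_runs_as_root() {
    awk '$1 == "root" && $2 == "goaccess" { found = 1 } END { exit found ? 0 : 1 }'
}

# Live report against this host. Run with: sh hardening-check.sh --live
if [ "${1:-}" = "--live" ]; then
    rc=0
    for f in /etc/goaccess/goaccess.conf /var/log/nginx/access.log; do
        if owner_only_mode "$f"; then echo "ok    $f is owner-only"
        else echo "WARN  $f is group/world accessible or missing"; rc=1; fi
    done
    if bad=$(ss -tuln | non_loopback_listeners 7890); then
        echo "ok    port 7890 listens only on loopback (or is not open)"
    else
        echo "WARN  WebSocket port 7890 reachable on: $bad"; rc=1
    fi
    if ps -eo user=,comm= | goaccess_runs_as_root; then
        echo "WARN  goaccess is running as root"; rc=1
    else
        echo "ok    no goaccess process runs as root"
    fi
    exit "$rc"
fi
```

A non-zero exit from `--live` mode makes the script usable as a health check in a deployment pipeline or a monitoring probe; a WebSocket port reachable on a non-loopback address is the finding that matters most when the dashboard is meant to sit behind a reverse proxy.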
- Enable WebSocket authentication with JWT tokens for real-time reports
- Use city-level geolocation features with updated GeoLite2 databases
- Implement the refreshed HTML dashboard security features
- Leverage improved multi-threaded stability for better resource management
- GoAccess documentation: https://goaccess.io/man
- GoAccess source and issues: https://github.com/allinurl/goaccess
- WebSocket protocol specification (RFC 6455): https://www.rfc-editor.org/rfc/rfc6455