WAHA · Security Proposal

WAHA Security Hardening

For Riccardo · From Giuseppe · Droplet 206.189.197.6

TLDR

Want to harden the WAHA droplet: install Caddy for HTTPS, rotate the API key, install fail2ban. About 90 minutes of work with roughly 5 minutes of WAHA downtime. Need your green light before touching anything. Can we schedule it for tomorrow off-hours?

Why now

There are active news reports of public WAHA instances being exploited by scammers. They push spam from the connected number, then WhatsApp permanently bans the number. I audited our setup and found three real risks worth closing before it becomes our story.

The three risks

1. Port 3000 open to the entire internet, no firewall
Every scanner in the world can see a WAHA instance sitting on our IP. Right now the only wall between them and our session is the API key.

2. All traffic is plain HTTP, not HTTPS
The API key travels in cleartext every time Sophie or my CLI calls WAHA. Anyone sniffing a network hop in between captures it. Fixing this is the single highest-leverage change.

3. The current key has been rotating through many places
Container env on this droplet, Vercel, my Mac, a couple of .env files. Hygienically it is time to rotate. Cheaper than auditing every place it may have been seen.

What I propose

a. Install Caddy as a reverse proxy
Three-line config. Caddy automatically pulls a Let's Encrypt certificate and handles HTTPS. No manual renewal.

b. Point waha.signalstaff.ai to the droplet
All traffic goes through HTTPS via Caddy, then internally to localhost:3000. Port 3000 stops being exposed to the internet.

c. Rotate the WAHA API key
Generate a new one, update the container env on the droplet, update Sophie's Vercel env, update my local .env. Redeploy Sophie. Old key dies.

d. Install fail2ban
If anyone tries brute-force attempts (repeated 401s), their IP gets automatically banned for 24 hours. Defense in depth.
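
A dry run of the ban rule in step d over Caddy-style JSON access logs, added here as an example and not part of the original proposal: it replays 401 responses per client IP and reports which IPs would be banned for 24 hours. The retry count, the 10-minute window, the request path and the sample log lines are assumptions; the proposal fixes only the 24-hour ban.

```python
import json
from collections import defaultdict, deque

BAN_SECONDS = 24 * 3600  # from the proposal: banned for 24 hours
MAX_RETRY = 5            # assumption: 401s tolerated before a ban
FIND_TIME = 600          # assumption: sliding window in seconds


def _line(ts, ip, status):
    # Constructed entry in the shape of Caddy's JSON access log (fields trimmed).
    return json.dumps({"ts": ts, "request": {"remote_ip": ip, "uri": "/api/sessions"},
                       "status": status})


# Constructed sample input; IPs are from documentation ranges. Only per-IP order matters.
SAMPLE_LINES = (
    [_line(1000.0 + 10 * i, "203.0.113.7", 401) for i in range(6)]     # fast key guessing
    + [_line(1005.0, "198.51.100.20", 401),                            # client with a stale key
       _line(1015.0, "198.51.100.20", 200)]
    + [_line(1000.0 + 700 * i, "192.0.2.9", 401) for i in range(6)]    # slow key guessing
    + ["caddy: not a JSON access line"]                                # must be skipped
)


def simulate_bans(lines, max_retry=MAX_RETRY, find_time=FIND_TIME, ban_seconds=BAN_SECONDS):
    """Return {ip: (ban_start, ban_end)} for IPs reaching max_retry 401s within find_time."""
    recent = defaultdict(deque)  # ip -> timestamps of 401s still inside the window
    bans = {}
    for raw in lines:
        try:
            entry = json.loads(raw)
            ip = entry["request"]["remote_ip"]
            ts, status = float(entry["ts"]), int(entry["status"])
        except (ValueError, KeyError, TypeError):
            continue  # startup messages, truncated lines, non-access entries
        if status != 401 or (ip in bans and ts < bans[ip][1]):
            continue  # not an auth failure, or the IP is already banned
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()  # forget failures older than the window
        if len(window) >= max_retry:
            bans[ip] = (ts, ts + ban_seconds)
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, (start, end) in simulate_bans(SAMPLE_LINES).items():
        print(f"{ip} banned from ts={start:.0f} until ts={end:.0f}")
```

The client sending one bad key every 700 seconds never trips the 10-minute window, so the ban complements a long random key rather than replacing it.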

Impact on Sophie

Droplet RAM check

Free memory right now is around 350 MB. Caddy idles around 25 MB, fail2ban around 15 MB. Post-install we are looking at about 310 MB free. Works, but tight. Worth bumping the droplet to 2 GB at $12 per month at some point. Already noted in your TODO.

If the full option feels like too much

Minimum viable option: UFW firewall + key rotation + fail2ban
Skip HTTPS. Allow only ports 22 and 3000, rotate the key, install fail2ban. Closes roughly 80 percent of the risk in about 20 minutes. Traffic stays plaintext, which is the main thing I would prefer to fix, but it is still a meaningful jump from where we are now.

Green light for the full option tomorrow off-hours?
Or just say "minimal" and I will run the shorter path instead.