How to Secure a Z2 Installation » History » Version 9
Henning Blohm, 18.08.2021 09:29
| 1 | 7 | Henning Blohm | h1. How to Secure a Z2 Installation |
|---|---|---|---|
| 2 | 2 | Henning Blohm | |
| 3 | 3 | Henning Blohm | This how to is looking into some very basic measures to implement to provide basic protection to a z2 installation. While we |
| 4 | 1 | Henning Blohm | |
| 5 | 3 | Henning Blohm | are considering z2 here, these suggestions apply to pretty much any Web application system. |
| 6 | |||
| 7 | 1 | Henning Blohm | h2. Run a Firewall to Block Port Access |
| 8 | 3 | Henning Blohm | |
| 9 | Java applications typically have more ports open than you think. This could be JMX related, debugging support etc. The same is true for your operating system. So in general make sure that only those ports are accessible that are required to run your application. On Linux this may well be just one port for SSH access (i.e. 22 by default) and one for Web application access. |
||
| 10 | |||
| 11 | There are some variations on the latter. In most cases your application is not the actual entry point for Web access but instead there will be some request routing happening before to make sure maintenance scenarios (and outages) and load-balancing can be dealt with and most importantly for SSL termination. |
||
| 12 | |||
| 13 | Instead of protecting every single server node of your installation, you may consider setting up a "Virtual LAN":https://en.wikipedia.org/wiki/Virtual_LAN setup where you can concentrate all access limitations and rules to securing a single gateway node. |
||
| 14 | |||
| 15 | The z2 Environment hasa not particular means for managing port-based access and indeed the reason for this section is to make you aware of this fact. |
||
| 16 | |||
| 17 | Typically the following ports will be used by default with z2: |
||
| 18 | |||
| 19 | |_. Port |_. Purpose |_. Configuration | |
||
| 20 | | 8080 | Web Container (Jetty) | @environment.base/webServer/jetty-http.xml@ | |
||
| 21 | | 5000 | Java debug port for home process | @$Z2_HOME/bin/launch.properties@ | |
||
| 22 | | 5100+x | Java debug port for web worker process | @environment.base/webWorker.properties@ | |
||
| 23 | | 7800+x | JMX port for web worker process | @environment.base/webWorker.properties@ | |
||
| 24 | |||
| 25 | However depending on your configuration other ports may be opened. Also note [[How_to_Remote_Manage]]. |
||
| 26 | 2 | Henning Blohm | |
| 27 | h2. Use Whitelisting for Web Applications |
||
| 28 | 4 | Henning Blohm | |
| 29 | In contrast to this, you may want to also limit access to specific Web applications. For example, you should make sure that access to development or management related Web applications should be tightly restricted to avoid any possibility of triggering unexpected changes on your production environment. |
||
| 30 | |||
| 31 | The simplest way of achieving that is by allowing access from any other host by localhost only for dedicated Web applications. |
||
| 32 | |||
| 33 | In short this means: |
||
| 34 | |||
| 35 | * Only outward facing Web application usage is available by default |
||
| 36 | * Any other access requires access from localhost. |
||
| 37 | |||
| 38 | The latter is a brilliant limitation as it means you can use lower level means such as SSH tunneling to secure limited access by the same policy you use to limit management access to execution environments. |
||
| 39 | 5 | Henning Blohm | |
| 40 | 8 | Henning Blohm | Starting with "Version 2.9":https://redmine.z2-environment.net/versions/48 ( #2098 ) the Jetty configuration of z2-base prohibits access to any built-in Web application from anywhere but locahost. |
| 41 | 5 | Henning Blohm | |
| 42 | 8 | Henning Blohm | The configuration is part of @environment/webServer@ (which links to @environment.base/webServer@ ). |
| 43 | 5 | Henning Blohm | |
| 44 | 8 | Henning Blohm | See also "z2-nonlocalhostwhitelist.xml":https://redmine.z2-environment.net/projects/z2-base/repository/base/revisions/07e76b8b1896667af722cfdd6cd4e8ca65ce6cb2/entry/environment.base/webServer/z2-nonlocalhostwhitelist.xml<notextile></notextile>. |
| 45 | 1 | Henning Blohm | |
| 46 | 8 | Henning Blohm | Given a Web application that uses the context path @/abc@ , you would enable access to it by adding the line |
| 47 | 1 | Henning Blohm | |
| 48 | 8 | Henning Blohm | <pre><code> |
| 49 | <Item>^/abc($|/.*)</Item> |
||
| 50 | 1 | Henning Blohm | </code></pre> |
| 51 | 8 | Henning Blohm | |
| 52 | h2. Built-in Web Users Realm for Built-In Web Apps |
||
| 53 | |||
| 54 | The z2-base distribution comes with a number of built-in Web application that are (by default) started upon attaining the system state *environment/webWorker* that is the target state of the default Web worker process defined in environment/webWorker (note: You can change all that). |
||
| 55 | |||
| 56 | 9 | Henning Blohm | These Web applications require basic authentication with the simple user realm defined in "environment/webUsers":https://redmine.z2-environment.net/projects/z2-base/repository/base/revisions/master/show/environment.base/webUsers that is configured with the default Jetty Web server configuration. |
| 57 | 1 | Henning Blohm | |
| 58 | 8 | Henning Blohm | |_. Web Application Component |_. Context Path |_. Purpose |_. Role requirement | |
| 59 | 9 | Henning Blohm | | com.zfabrik.admin/web | /adm | Simple Web Administration | admin | |
| 60 | 8 | Henning Blohm | | com.zfabrik.dev.eclipsoid.srv/web | /eclipsoid | Server side of Eclipsoid development support | eclipsoid | |
| 61 | | com.zfabrik.dev.javadoc/web | /javadoc | Javadoc access | <none> | |
||
| 62 | | com.zfabrik.dev.z2jupiter/web | /z2jupiter | JUnit 5 In-System testing | tester | |
||
| 63 | | com.zfabrik.dev.z2unit/web | /z2unit | JUnit 4 In-System testing | tester | |
||
| 64 | |||
| 65 | By default, the user realm defines the user “z*” with password “z” that has all required roles (and is used by default in JUnit clients – see [[How to Unit Test in Z2]]). |