Required Firewall Rules

Question

Hi forum,

we're looking into hosting the LCA CS in our datacenter. Since we're highly restrictive with firewall permissions here I wanted to see if anybody knows which connection are required. Does the CS only need permissions to communicate with the clients? Or are there more paths we need to account for?

Thanks!

Answer 1

All requests are sent via http/https - and in case of messaging via ws/wss

It is recommended to use a reverse proxy instead of using tomcat directly. If you have the messaging feature enabled, you will also need to rewrite websocket connections when using reverse proxy, here is an example configuration for apache2:

<VirtualHost *:80>

    ServerName example.com

    Redirect permanent / https://example.com/

</VirtualHost>

<VirtualHost *:443>

    ServerName example.com

    ProxyRequests Off

    <Proxy *>

        Order deny,allow

        Allow from all

    </Proxy>

    <Location />

        RewriteEngine on

        RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]

        RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]

        RewriteRule .* ws://127.0.0.1:8080%{REQUEST_URI} [P,L]

        ProxyPass http://127.0.0.1:8080/

        ProxyPassReverse http://127.0.0.1:8080/

    </Location>

    SSLEngine on

    SSLProtocol all -SSLv2 -SSLv3

    SSLHonorCipherOrder On

    SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5

    SSLCertificateFile      /etc/letsencrypt/live/example.com/fullchain.pem

    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

</VirtualHost>