Securing the console
Configuration is required to enable additional security around connections from the Diffusion™ console.
Allow the console to connect only on a specific connector
We strongly recommend that you only allow the console to connect to Diffusion through a single connector. The port this connector listens on can be blocked from connections from outside of your organization by your load balancer.
- In your etc/Connectors.xml configuration file, wherever the line <web-server>default</web-server> appears in a connector that receives external connections, replace it with a web server definition that contains only a client-service definition, so that the console is not served on that connector. For example:

```xml
<web-server name="external">
    <!-- This section enables HTTP-type clients for this Web Server -->
    <client-service name="client" debug="true">
        <!-- This parameter is used to re-order out-of-order messages received over
             separate HTTP connections opened by client browsers. It is rarely
             necessary to set this to more than a few tens of seconds. If you attempt
             to set this value to more than one hour, a warning is logged and a
             timeout of one hour is used. -->
        <message-sequence-timeout>4s</message-sequence-timeout>
        <!-- This is used to control access from client web sockets to Diffusion.
             This is a REGEX pattern that will match the origin of the request;
             (.*) matches anything, so all requests are allowed -->
        <websocket-origin>.*</websocket-origin>
        <!-- This is used to control cross-origin resource sharing (CORS) client
             connections to Diffusion. This is a REGEX pattern that will match the
             origin of the request; (.*) matches anything -->
        <cors-origin>.*</cors-origin>
        <!-- Enable compression for HTTP responses (Client and File) if the
             response is bigger than the threshold -->
        <compression-threshold>256</compression-threshold>
    </client-service>
</web-server>
```

Note that a websocket-origin or cors-origin of .* accepts connections from any origin. Where your clients are served from known domains, restrict these patterns to those origins.
- Create a new connector in your etc/Connectors.xml configuration file that defines a specific port that you use for internal connections to the console. In this connector, set the value of the web-server element to default.
- In your load balancer, prevent outside traffic from having access to the port specified in the new connector.
- If required, apply additional connection restrictions.
- You can use a connection validation policy. For more information, see ConnectionValidationPolicy.xml.
- You can set these restrictions in your load balancer.
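The steps above, put together as an added example (not configuration shipped with Diffusion): one connector exposed through the load balancer with a client-only web server, and a second connector on a separate port that keeps the default web server and therefore the console. The element and attribute names of the client-service come from the fragment above; the connectors root, connector name, port element, port numbers and the example.com origin patterns are assumptions for illustration. Check them against the Connectors.xsd for your Diffusion version before deploying.

```xml
<!-- etc/Connectors.xml (illustrative; root and connector/port elements assumed) -->
<connectors>

    <!-- Reachable from outside via the load balancer.
         The inline web server has only a client-service, so the console
         is not served on this port at all. -->
    <connector name="External Client Connector">
        <port>8080</port>                  <!-- assumed port -->
        <web-server name="external">
            <client-service name="client" debug="true">
                <message-sequence-timeout>4s</message-sequence-timeout>
                <!-- Tightened from .* : only our own origins may open
                     WebSocket or CORS connections (assumed origin pattern) -->
                <websocket-origin>https://(www\.)?example\.com</websocket-origin>
                <cors-origin>https://(www\.)?example\.com</cors-origin>
                <compression-threshold>256</compression-threshold>
            </client-service>
        </web-server>
    </connector>

    <!-- Internal only. The load balancer must not forward this port.
         The default web server includes the console. -->
    <connector name="Console Connector">
        <port>8443</port>                  <!-- assumed port -->
        <web-server>default</web-server>
    </connector>

</connectors>
```

After the change, verify from a host outside the load balancer that the console port is unreachable and that the external port does not serve the console, and from an internal host that the console is still reachable on the new port; a connection validation policy on the console connector adds a second layer should the load balancer rule ever be misconfigured.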
Disable console features in the configuration (as required)
The default configuration for the console allows users to stop and restart publishers, and to stop the Diffusion server itself.
This behaviour is controlled by the properties console.control.server and console.control.publishers on the Diffusion publisher in the etc/Publishers.xml configuration file. Set a property to false to remove the corresponding control from the console.
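As an added example (not part of the shipped Publishers.xml), both controls disabled. The property names are those given above; the publishers root, publisher element and the property element syntax are assumed, so confirm them against your Publishers.xml before editing.

```xml
<!-- etc/Publishers.xml (illustrative; element syntax assumed) -->
<publishers>
    <publisher name="Diffusion">
        <!-- Console users may no longer stop the Diffusion server -->
        <property name="console.control.server">false</property>
        <!-- Console users may no longer stop or restart publishers -->
        <property name="console.control.publishers">false</property>
    </publisher>
</publishers>
```

Restricting the connector the console listens on limits who can reach it; disabling these controls limits what a console user can do if they do reach it. Apply both where console access is not operationally required.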