
Securing the console

Configuration is required to enable additional security around connections from the Diffusion™ console.

Allow the console to connect only on a specific connector

We strongly recommend that you only allow the console to connect to Diffusion through a single connector. The port this connector listens on can be blocked from connections from outside of your organization by your load balancer.

You can configure this in the following way:
  1. In your etc/Connectors.xml configuration file, wherever the line <web-server>default</web-server> appears in a connector that receives external connections, replace it with a web server definition that contains only a client-service definition. For example:
        <web-server name="external">
            <!-- This section enables HTTP-type clients for this web server -->
            <client-service name="client" debug="true">
                <!-- This parameter is used to re-order out-of-order messages received
                     over separate HTTP connections opened by client browsers. It is rarely
                     necessary to set this to more than a few tens of seconds.
                     If you attempt to set this value to more than one hour, a warning is logged
                     and a timeout of one hour is used. -->
                <message-sequence-timeout>4s</message-sequence-timeout>
                <!-- This controls access from client WebSockets to Diffusion.
                     It is a regex pattern matched against the origin of the request;
                     (.*) matches anything, so all requests are allowed. -->
                <websocket-origin>.*</websocket-origin>
                <!-- This controls cross-origin resource sharing (CORS) for client connections to Diffusion.
                     It is a regex pattern matched against the origin of the request; (.*) matches anything. -->
                <cors-origin>.*</cors-origin>
                <!-- Enable compression for HTTP responses (client and file) whose size
                     exceeds this threshold. -->
                <compression-threshold>256</compression-threshold>
            </client-service>
        </web-server>
  2. Create a new connector in your etc/Connectors.xml configuration file that defines a specific port that you use for internal connections to the console.

    In this connector, set the value of the web-server element to default.

  3. In your load balancer, prevent outside traffic from having access to the port specified in the new connector.
  4. If required, apply additional connection restrictions.
    • You can use a connection validation policy. For more information, see ConnectionValidationPolicy.xml.
    • You can set these restrictions in your load balancer.

Disable console features in the configuration (as required)

The default configuration for the console allows users to stop and restart publishers as well as stop the Diffusion server itself.

This feature is configured using the properties console.control.server and console.control.publishers on the Diffusion publisher in the etc/Publishers.xml configuration file.