Security Considerations: Firewall
Note: this is from memory, and I'm sure I got some stuff messed up/missed some stuff. Pines Staff please verify/change as appropriate.
Generally, there are four zones you should define for your Evergreen system:
- Localhost (services on the server, accessed only by the server)
  - Jabber server: This is the base messaging system of the OpenSRF network. If you are using the recommended Jabber server (eJabberd), access requires an authenticated username / password combination and is considered secure. The built-in Jabber server, "chop chop", performs no authentication, is insecure by definition, and should not be used in a production system.
    - Single-server scenario: For a single-server system which runs Jabber, the PostgreSQL database, the Apache web server, and the memcached server, there is no need for the Jabber server to listen on any interface other than localhost.
    - Multi-server scenario: For a multi-server system which runs Jabber and the OpenSRF Router on one of several servers, only the Apache web server and any OpenSRF application servers require access to the Jabber server.
- Evergreen System Administrators (people who administer the bowels of the Evergreen system)
  - The big consideration here is the HTTP directory of the web server that contains the config bootstrap script. Although little can be destroyed outright (i.e. most records have attachments, so they cannot be deleted), a user with access can create a dozen new libraries with a few clicks. Nobody other than the IT/Evergreen administration staff should have access to this directory.
- General Public (people who use the PAC)
  - The general public will need access to the web server (port 80) for the OPAC.
  - 443: SSL in the OPAC
- Library Staff (people who use the staff client)
  - The staff client uses the same ports as the public interface, so ports 80 and 443 will need to be opened.
Outgoing ports:
- 25: SMTP, for e-mail notifications
- 80: Web traffic (syndicated content, book jackets, etc.)
- 210: Z39.50 (OCLC, LC, etc.). Note that while 210 is commonly used by Z39.50 servers, it is not the only one in use; for example, the LC Z39.50 server uses port 7090.
Again: this list is just a start and is certainly incomplete.
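As an added illustration (not from the Evergreen documentation or project), the following POSIX shell function emits an nftables ruleset that encodes the zones and ports listed above for either the single-server or the multi-server scenario. It assumes the usual service ports (5222 for ejabberd client connections, 5432 for PostgreSQL, 11211 for memcached, 22 for administrator SSH) and takes the administrator and OpenSRF server networks as arguments; the default CIDRs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Evergreen's own code. Assumed ports: 5222 (ejabberd c2s),
# 5432 (PostgreSQL), 11211 (memcached), 22 (SSH). Generates a ruleset only;
# review it and then load with: nft -f evergreen.nft
# Usage: evergreen_nft_ruleset single|multi [admin_cidr] [opensrf_cidr]
evergreen_nft_ruleset() {
    mode="${1:-single}"
    admin_cidr="${2:-192.0.2.0/24}"      # constructed placeholder: admin workstations
    opensrf_cidr="${3:-198.51.100.0/24}" # constructed placeholder: other Evergreen servers
    cat <<EOF
table inet evergreen {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    # Localhost zone: database and memcached are never reachable from outside
    # (already covered by the drop policy, listed explicitly to document intent).
    tcp dport { 5432, 11211 } drop
    # General public and library staff zones: OPAC and staff client use 80/443.
    tcp dport { 80, 443 } accept
    # Evergreen system administrators: SSH only from the admin network.
    ip saddr $admin_cidr tcp dport 22 accept
EOF
    if [ "$mode" = "multi" ]; then
        cat <<EOF
    # Multi-server scenario: only web/OpenSRF application servers reach Jabber.
    ip saddr $opensrf_cidr tcp dport 5222 accept
EOF
    fi
    cat <<EOF
  }
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oif lo accept
    # Outgoing: SMTP notifications, syndicated web content, Z39.50 (210, LC's 7090).
    tcp dport { 25, 80, 210, 7090 } accept
    # Assumed: DNS is needed for the outgoing connections above to resolve names.
    udp dport 53 accept
  }
}
EOF
}
```

In the single-server scenario no rule accepts 5222 from the network, so Jabber remains reachable only over the loopback interface.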
evergreen-admin/security/firewall.1291213030.txt.gz · Last modified: 2022/02/10 13:33 (external edit)