security: have DSS listen on localhost interface only
I have a new (trial) DSS install using the AWS AMI. Out of the box DSS is listening on all interfaces, not just localhost, although all requests to DSS should be routed through the NGINX as proxy.
How can I configure DSS to only listen on localhost?
Thanks
David
Answers
-
Hi,
It is not possible to configure this. You can setup security groups and/or iptables/firewalld rules to block access to internal ports. Please note however that this would prevent execution over Spark (including EMR) or Kubernetes, which need to connect-back to the DSS internal ports and more generally speaking to dynamically-open ports.
-
Thanks. That's unexpected. I've not met a package before where the listening can't be controlled.
It's simpler (and I think safer) to adjust this in the system config than in firewalls.
I've already firewalled it, but that's a second best solution, and adds complexity.
-
Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 2,166 Neuron
I agree, it seems weird that this can't be done but also it's probably not a realistic use of Dataiku since users would always need to access it from outside.
-
I prefer, for security simplicity reasons, to set up all access to the servers through SSL tunnels. That means that the applications don't listen on the external interface but only on the internal one (localhost).
There's a reasonable alternative: give each user a browser certificate and require a valid certificate for establishing an https session (and block http). This is, I think, more complex to set up and manage than the SSH public key tunnels.