security: have DSS listen on localhost interface only

JeToJedno Registered Posts: 5 ✭✭✭✭

I have a new (trial) DSS install using the AWS AMI. Out of the box DSS is listening on all interfaces, not just localhost, although all requests to DSS should be routed through the NGINX as proxy.

How can I configure DSS to only listen on localhost?

Thanks

David

Answers

  • Clément_Stenac Dataiker, Dataiku DSS Core Designer, Registered Posts: 753 Dataiker

    Hi,

    It is not possible to configure this. You can set up security groups and/or iptables/firewalld rules to block access to internal ports. Please note however that this would prevent execution over Spark (including EMR) or Kubernetes, which need to connect back to the DSS internal ports and, more generally speaking, to dynamically opened ports.

  • JeToJedno Registered Posts: 5 ✭✭✭✭

    Thanks. That's unexpected. I've not met a package before where the listening can't be controlled.

    It's simpler (and I think safer) to adjust this in the system config than in firewalls.

    I've already firewalled it, but that's a second-best solution, and adds complexity.

  • Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 2,166 Neuron

    I agree, it seems weird that this can't be done but also it's probably not a realistic use of Dataiku since users would always need to access it from outside.

  • JeToJedno Registered Posts: 5 ✭✭✭✭

    I prefer, for security simplicity reasons, to set up all access to the servers through SSL tunnels. That means that the applications don't listen on the external interface but only on the internal one (localhost).

    There's a reasonable alternative: give each user a browser certificate and require a valid certificate for establishing an https session (and block http). This is, I think, more complex to set up and manage than the SSH public key tunnels.
