security: have DSS listen on localhost interface only

JeToJedno
Level 1
I have a new (trial) DSS install using the AWS AMI.  Out of the box DSS is listening on all interfaces, not just localhost, although all requests to DSS should be routed through the NGINX as proxy.

How can I configure DSS to only listen on localhost?

Thanks

David

0 Kudos
4 Replies
Clément_Stenac

Hi,

It is not possible to configure this. You can set up security groups and/or iptables/firewalld rules to block access to internal ports. Please note, however, that this would prevent execution over Spark (including EMR) or Kubernetes, which need to connect back to the DSS internal ports and, more generally speaking, to dynamically-open ports.

0 Kudos
JeToJedno
Level 1
Author

Thanks.  That's unexpected.  I've not met a package before where the listening can't be controlled.

It's simpler (and I think safer) to adjust this in the system config than in firewalls.

I've already firewalled it, but that's a second-best solution, and adds complexity.

0 Kudos
Turribeach

I agree, it seems weird that this can't be done but also it's probably not a realistic use of Dataiku since users would always need to access it from outside.

0 Kudos
JeToJedno
Level 1
Author

I prefer, for security simplicity reasons, to set up all access to the servers through SSL tunnels.  That means that the applications don't listen on the external interface but only on the internal one (localhost).

There's a reasonable alternative: give each user a browser certificate and require a valid certificate for establishing an https session (and block http).  This is, I think, more complex to set up and manage than the SSH public key tunnels.

0 Kudos
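For auditing the situation discussed in this thread, the following is an added example (not part of any post and not Dataiku's code) that lists TCP listeners bound to anything other than loopback, which are the sockets a firewall or security group then has to cover. It assumes the input is the output of `ss -H -tln` from iproute2; the sample lines and their port numbers are constructed and do not reflect DSS's actual port layout.

```shell
#!/bin/sh
# Added example: report TCP listeners that are NOT bound to loopback.
# Input format: `ss -H -tln` output, one socket per line, local address in field 4.

# Constructed sample; ports are illustrative only, not DSS's real ports.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 50 *:10000 *:*
LISTEN 0 50 127.0.0.1:10001 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 [::]:22 [::]:*'

# Reads ss output on stdin, prints "<bind-address> <port>" for each
# listener reachable on a non-loopback address (wildcards included).
non_loopback_listeners() {
  awk '$1 == "LISTEN" {
    port = $4; sub(/.*:/, "", port)          # text after the last colon
    host = $4; sub(/:[^:]*$/, "", host)      # text before the last colon
    sub(/%.*$/, "", host)                    # drop interface scope, e.g. %lo
    sub(/^\[/, "", host); sub(/\]$/, "", host)  # drop IPv6 brackets
    if (host ~ /^127\./ || host == "::1") next  # loopback only: fine
    print host " " port
  }'
}

# Runs the check over the constructed sample above.
sample_report() {
  printf '%s\n' "$SAMPLE" | non_loopback_listeners
}

# Live use on a host: ss -H -tln | non_loopback_listeners
```

Every line it prints is a port whose exposure depends entirely on the firewall or security-group rules in front of it, so the output doubles as the list of rules to review.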