Securing the console
Configuration is required to enable additional security around connections from the Diffusion™ console.
Allow the console to connect only on a specific connector
We strongly recommend that you allow the console to connect to Diffusion through a single connector only. Your load balancer can then block connections from outside your organization to the port that this connector listens on.
- In your etc/Connectors.xml configuration file, wherever the line
  <web-server>default</web-server> appears in a connector that
  receives external connections, replace it with a web server definition that contains
  only a client-service definition. For example:

    <web-server name="external">
        <!-- This section enables HTTP-type clients for this Web Server -->
        <client-service name="client" debug="true">
            <!-- This parameter is used to re-order out-of-order messages received
                 over separate HTTP connections opened by client browsers. It is
                 rarely necessary to set this to more than a few tens of seconds.
                 If you attempt to set this value to more than one hour, a warning
                 is logged and a timeout of one hour is used. -->
            <message-sequence-timeout>4s</message-sequence-timeout>
            <!-- This is used to control access from client web socket to Diffusion.
                 This is a REGEX pattern that will match the origin of the request;
                 (.*) matches anything, so all requests are allowed -->
            <websocket-origin>.*</websocket-origin>
            <!-- This is used to control cross-origin resource sharing client
                 connection to Diffusion. This is a REGEX pattern that will match
                 the origin of the request; (.*) matches anything -->
            <cors-origin>.*</cors-origin>
        </client-service>
    </web-server>
- Create a new connector in your etc/Connectors.xml configuration
  file that defines a specific port that you use for internal connections to the console.
  In this connector, set the value of the web-server element to default.
- In your load balancer, prevent outside traffic from having access to the port specified in the new connector.
- If required, apply additional connection restrictions.
- You can use a connection validation policy. For more information, see ConnectionValidationPolicy.xml.
- You can set these restrictions in your load balancer.
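The steps above leave the console reachable only through a connector whose port the load balancer hides from the outside. The following audit script is an added example (not part of the Diffusion documentation or product) that checks an etc/Connectors.xml against that intent: it lists every connector that serves the default web server (and therefore the console), and reports any connector on an externally forwarded port that either uses the default web server or references a web server offering services other than client-service. The element layout it parses (a connectors root holding connector elements with name, port and web-server children, and named web-server definitions) is assumed from the fragment on this page rather than taken from the product schema, and the sample file embedded in it is constructed for the example.

```python
"""Audit a Diffusion-style Connectors.xml for connectors that expose the
console.  Added example; the element layout it parses is assumed from the
fragment on the page, not taken from the product's schema."""
import xml.etree.ElementTree as ET

# Constructed sample: the external connector has been switched to a
# client-only web server; the internal connector still serves "default",
# which is the one that carries the console.
SAMPLE_CONNECTORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<connectors>
  <connector name="Client Connector">
    <port>8080</port>
    <web-server>external</web-server>
  </connector>
  <connector name="Console Connector">
    <port>8090</port>
    <web-server>default</web-server>
  </connector>
  <web-server name="external">
    <client-service name="client">
      <message-sequence-timeout>4s</message-sequence-timeout>
      <websocket-origin>.*</websocket-origin>
      <cors-origin>.*</cors-origin>
    </client-service>
  </web-server>
</connectors>
"""


def console_connectors(xml_text):
    """Return [(connector name, port)] for every connector whose web-server
    is 'default', i.e. every connector that serves the console."""
    root = ET.fromstring(xml_text)
    found = []
    for connector in root.findall("connector"):
        web_server = (connector.findtext("web-server") or "").strip()
        if web_server == "default":
            found.append((connector.get("name", "?"),
                          (connector.findtext("port") or "").strip()))
    return found


def web_server_services(xml_text):
    """Map each named web-server definition to the tags of the services it
    contains (e.g. ['client-service'])."""
    root = ET.fromstring(xml_text)
    return {ws.get("name", "?"): [child.tag for child in ws]
            for ws in root.findall("web-server")}


def external_findings(xml_text, external_ports):
    """Given the ports your load balancer forwards from outside, return a
    human-readable finding for every connector on one of those ports that
    still exposes the console or offers more than a client-service."""
    root = ET.fromstring(xml_text)
    services = web_server_services(xml_text)
    findings = []
    for connector in root.findall("connector"):
        name = connector.get("name", "?")
        port = (connector.findtext("port") or "").strip()
        web_server = (connector.findtext("web-server") or "").strip()
        if port not in external_ports:
            continue  # internal port: the load balancer hides it
        if web_server == "default":
            findings.append(f"{name} (port {port}) serves the default web "
                            "server, so the console is reachable externally")
            continue
        extra = [s for s in services.get(web_server, []) if s != "client-service"]
        if web_server not in services:
            findings.append(f"{name} (port {port}) references undefined "
                            f"web server '{web_server}'")
        elif extra:
            findings.append(f"{name} (port {port}) web server '{web_server}' "
                            f"offers more than client-service: {extra}")
    return findings


if __name__ == "__main__":
    # Ports the (hypothetical) load balancer forwards from the internet.
    for line in external_findings(SAMPLE_CONNECTORS_XML, {"8080"}) or ["no findings"]:
        print(line)
    for name, port in console_connectors(SAMPLE_CONNECTORS_XML):
        print(f"console served on connector '{name}', port {port}: keep this port internal")
```

Run it against the real file by replacing SAMPLE_CONNECTORS_XML with the contents of etc/Connectors.xml and the port set with the ports your load balancer actually forwards; a non-empty findings list means step 1 or step 3 has not been completed for that connector.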
Disable console features in the configuration (as required)
The actions that a user can perform using the console are controlled by roles and permissions. The principal that the user logs in to the console with must have a role that grants the permissions required for each action the user performs in the console.
A principal with the ADMINISTRATOR or OPERATOR role can use all of the functions of the Diffusion console.
To restrict users to a smaller set of console features, ensure that they log in with a principal that has a more restrictive set of roles and permissions. For more information, see Pre-defined roles.