We are currently using a set of security groups. They are administered in the EC2 console at https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#SecurityGroups: .

A security group allows certain IP addresses to connect to a machine once the machine has been added to that group, like this:

```shell
aws ec2 modify-instance-attribute --instance-id THE_MACHINE_S_INSTANCE_ID --groups LIST_OF_GROUPS --profile security
```

Note that `--groups` replaces the instance's entire security group list rather than appending to it, so LIST_OF_GROUPS must include every group the machine should keep, not only the one being added.
Security Group | Description | Ports | Details | Notes |
---|---|---|---|---|
| | worldwide ssh access | 22 | The production and staging ArchivesSpace servers need this group to allow developers to ssh to them. This allows worldwide ssh access; we're using SSH keys to control access. | |
| | Public web access | 80, 443 | Open worldwide, to allow public web access to the production and staging ArchivesSpace servers. | |
Temp-Production | short term production firewall rules | 8983 | Used for short-term access to the SOLR configuration on ArchivesSpace production from developers' IP addresses. | |
| | short term staging firewall rules | 8983 | Used for short-term access to the SOLR configuration on ArchivesSpace production from developers' IP addresses. | |
🚨 The following security groups are scheduled for removal after our move to Heroku:
Security Group | Description | Ports | Details | Notes |
---|---|---|---|---|
| | CHF internal web access | 80, 443 | Allows a list of employees to connect to 80 and 443. This is not being applied to any machines; both staging and production ASpace already allow access to those two ports via Temp-Development, Temp-Production and Temp-Staging. | Includes offsite access addresses for Jonathan |
| | Access between production machines | 8080, 8983, 6379, 5432, 19999 | All Samvera machines needed to be members of this group so they can communicate to share REST data. Port 8080 is Fedora, 8983 is Solr, 6379 is Redis, 5432 is Postgres, 19999 is netdata for monitoring. | Do not mix production and staging boxes; this divide keeps security group rule tests from impacting production. The only box on both is monitor, which watches both groups. |
| | Access between staging machines | 8080, 8983, 6379, 5432, 19999 | All Samvera machines needed to be members of this group so they can communicate to share REST data. | Do not mix production and staging boxes; this divide keeps security group rule tests from impacting production. The only box on both is monitor, which watches both groups. |
When a machine has multiple security groups, the connection gets through the firewall as long as any one of the groups allows it; security groups only ever permit, so anything not covered by some group's rules is rejected.
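The following is an added example, not tooling from this page or from the AWS CLI: a small offline model of the two points above, namely that a machine's effective firewall is the union of its attached groups and that anything no rule matches is rejected. The group names, rule shapes and CIDR ranges are constructed to mirror the tables on this page (the rule dictionaries follow the `IpPermissions` layout that `aws ec2 describe-security-groups --output json` returns, so real output can be dropped in); the `203.0.113.0/24` "developer" range is a placeholder, and the audit helper treats only 22, 80 and 443 as intentionally world-open, which is what the first table states.

```python
"""Offline model of EC2 security group semantics (added example, not the page's own tooling).

Rules mirror the 'IpPermissions' entries returned by
`aws ec2 describe-security-groups --output json`, but the data here is
constructed from the tables on this page rather than pulled from AWS.
"""
import ipaddress

# Constructed sample groups. The 203.0.113.0/24 "developer" range is a placeholder.
SAMPLE_GROUPS = {
    "worldwide-ssh": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "public-web": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    # Short-term developer access to Solr; the CIDR is hypothetical.
    "Temp-Production": [
        {"IpProtocol": "tcp", "FromPort": 8983, "ToPort": 8983,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}

# Ports the page says are deliberately open to the world.
EXPECTED_PUBLIC_PORTS = {22, 80, 443}


def rule_allows(rule, src_ip, port, proto="tcp"):
    """True if one ingress rule admits src_ip -> port/proto.

    IpProtocol "-1" means all protocols and ports (FromPort/ToPort absent)."""
    if rule["IpProtocol"] not in (proto, "-1"):
        return False
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"])


def connection_allowed(attached_groups, src_ip, port, groups=SAMPLE_GROUPS, proto="tcp"):
    """Union semantics: every rule of every attached group is consulted and the
    connection is admitted if any single rule matches. There are no deny
    rules, so a connection no rule covers is rejected."""
    return any(rule_allows(rule, src_ip, port, proto)
               for name in attached_groups
               for rule in groups[name])


def worldwide_open_ports(attached_groups, groups=SAMPLE_GROUPS):
    """Ports reachable from 0.0.0.0/0 through any attached group."""
    ports = set()
    for name in attached_groups:
        for rule in groups[name]:
            if any(r["CidrIp"] == "0.0.0.0/0" for r in rule["IpRanges"]):
                if rule["IpProtocol"] == "-1":
                    return {"all"}  # an allow-everything rule dwarfs the port list
                ports.update(range(rule["FromPort"], rule["ToPort"] + 1))
    return ports


def unexpected_public_ports(attached_groups, groups=SAMPLE_GROUPS):
    """Audit helper: world-open ports beyond the ones the page intends."""
    return worldwide_open_ports(attached_groups, groups) - EXPECTED_PUBLIC_PORTS


if __name__ == "__main__":
    prod = ["worldwide-ssh", "public-web", "Temp-Production"]
    print(connection_allowed(prod, "198.51.100.7", 443))   # True, via public-web
    print(connection_allowed(prod, "198.51.100.7", 8983))  # False, not a developer address
    print(connection_allowed(prod, "203.0.113.9", 8983))   # True, via Temp-Production
    print(unexpected_public_ports(prod))                   # set()
```

To audit a live machine, dump its groups with `aws ec2 describe-security-groups --group-ids <ids> --output json`, build the `groups` mapping from each group's `GroupName` and `IpPermissions`, and run `unexpected_public_ports` over the group list that `describe-instances` reports for the instance; a non-empty result means a short-term rule was left open to the world rather than to a developer address.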