Versions Compared

Old Version 12

changes.mady.by.user Eddie Rubeiz

Saved on

compared with

New Version Current

changes.mady.by.user Eddie Rubeiz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

aws ec2 modify-instance-attribute --instance-id THE_MACHINE_S_INSTANCE_ID --groups LIST_OF_GROUPS --profile security

They’re added by Ansible to new servers using the AWS key pair security_access_key / security_secret_key

which are in the group_vars/vault file.

Security Group

Description

Ports

Details

Admin

Management-Access

worldwide ssh access

Aspace prod and staging, port 22

The production and staging ArchivesSpace servers need this group to allow developers to ssh to them. This allows worldwide ssh access; we're using SSH keys to control access

Allows SSH access by developers to the ArchivesSpace server.

admin

Public-Access-Web

Public web access

Aspace prod and staging, ports 80 and 443

Open worldwide, to allow

Allows public web access to the production and staging ArchivesSpace servers.

admin

Temp-Production

short term production firewall rules

Aspace prod, port 8983

Used

for short-term access to the SOLR configuration on ArchivesSpace production from developers' IP addresses

to allow developers and export code to access the ASpace API.

admin

Temp-Staging

short term staging firewall rules

Aspace staging, port 8983

Used for short-term access to the SOLR configuration on ArchivesSpace production from developers' IP addresses

See Temp-Production.

admin

...

Security Group

...

Description

...

Ports

...

Details

...

Admin

...

CHF-Access-Web

...

CHF internal web access

...

80, 443

...

Allows a list of employees to connect to 80 and 443. This is not being applied to any machines; both staging and production ASpace already allow access to those two ports via Public-Access-Web.

...

admin

...

internal-networking-production

...

Access between production machines

...

8080, 8983, 6379, 5432, 19999

...

All Samvera machines needed to be members of this group so they can communicate to share REST data.

Port 8080 is Fedora, 8983 is Solr, 6379 is Redis, 5432 is Postgres, 19999 is netdata for monitoring.

...

admin

...

internal-networking-staging

...

Access between staging machines

...

8080, 8983, 6379, 5432, 19999

...

All Samvera machines needed to be members of this group so they can communicate to share REST data.
Port 8080 is Fedora, 8983 is Solr, 6379 is Redis, 5432 is Postgres, 19999 is netdata for monitoring.

...

In addition there is a default security group that appears unused, but cannot be deleted.

When a machine has multiple security groups, as long as any one of the groups allows access the connection will work through the firewall. Anything not covered will be rejected however.

...