Currently we are using a set of security groups:
| Security Group | Description | Ports | Details | Notes |
|---|---|---|---|---|
| CHF-Access-Web | CHF internal web access | 80, 443 | See list of internal addresses [[here]] | Includes Offsite access addresses for Jonathan |
Management-Access | worldwide ssh access | 22 | All machines MUST have this group to allow ssh access. Currently allows worldwide ssh access, we're using keys to lock things down. | |
Public-Access-Web | Public web access | 80, 443 | Open worldwide, to be applied to public web facing servers. App servers only. | |
Temp-Development | short term dev firewall rules | ?? | Please use this for short term access, rules in here may be cleared off | |
Temp-Production | short term production firewall rules | ?? | Please use this for short term access, rules in here may be cleared off | |
Temp-Staging | short term staging firewall rules | ?? | Please use this for short term access, rules in here may be cleared off | Andrew, for rebranding, has access. |
| internal-networking-production | Access between production machines | 8080, 8983, 6379, 5432, 19999 | All Samvera machines must be members of this group so they can communicate to share REST data, port 8080 is Fedora, 8983 is Solr, 6379 is Redis, 5432 is Postgres, 19999 is netdata for monitoring. | Do not mix production and staging boxes, this divide avoids security group rule tests from impacting production. The only box on both is monitor to watch both groups. |
| internal-networking-staging | Access between staging machines | 8080, 8983, 6379, 5432, 19999 | All Samvera machines must be members of this group so they can communicate to share REST data, port 8080 is Fedora, 8983 is Solr, 6379 is Redis, 5432 is Postgres, 19999 is netdata for monitoring. | Do not mix production and staging boxes, this divide avoids security group rule tests from impacting production. The only box on both is monitor to watch both groups. |
When a machine has multiple security groups, as long as any one of the groups allows access the connection will work through the firewall. Anything not covered will be rejected however.