Hardening an Unblu installation
This article guides you through the hardening of an Unblu installation. It covers Unblu configuration settings as well as reverse proxy requirements and Kubernetes best practices.
Unblu configuration
- Set an environment-specific AES encryption key: com.unblu.server.aes.encryptionKey
- If you use JWT encryption, set an environment-specific RSA key: com.unblu.authentication.jwt.encryptionKey
  You can specify different encryption keys for the internal and the public entry path: com.unblu.authentication.jwt.internal.encryptionKey and com.unblu.authentication.jwt.public.encryptionKey
- If users' identifiers are sensitive, enable user identifier encryption: set com.unblu.server.useridentifier.enableEncryption to true. (By default, user identifiers are random and therefore not sensitive.)
- Use transport encryption between the application and the database. See the example for PostgreSQL.
- Review the rate limiting thresholds and adjust them to suit your requirements.
  Listing 1. Rate limit threshold configuration
    # Login rate limit (the effective limit is the configured value multiplied by the number of pods)
    # Block after 3*replicas attempts in 300 seconds
    com.unblu.ratelimit.sessionLoginRateLimit=3
    com.unblu.ratelimit.sessionLoginRateLimitTTL=300
    # Block after 5*replicas attempts in 60 seconds
    com.unblu.ratelimit.redeemPinRateLimit=5
    com.unblu.ratelimit.redeemPinRateLimitTTL=60
- Enable the Content Security Policy (CSP): set com.unblu.contentsecuritypolicy.mode to ON.
- Restrict which roles can make system changes.
  Listing 2. Roles allowed to make system changes
    # Modification of configurations
    com.unblu.permission.roleAllowed.modifyConfigurations=ADMIN
    # Modification of metadata
    com.unblu.permission.roleAllowed.modifyMetadata=ADMIN
    # Modification of texts
    com.unblu.permission.roleAllowed.modifyTexts=ADMIN
    # Modification of externally managed teams (empty: no role may override)
    com.unblu.permission.roleAllowed.overrideTeamManagement=
    # Modification of externally managed users (empty: no role may override)
    com.unblu.permission.roleAllowed.overrideUserManagement=
- Set the session timeout (com.unblu.authentication.cloud.maxIdleSeconds) to a lower value, for example 43200 (12 h). The value is in seconds; the default is 7 days.
- If your Unblu installation sends emails to users, set com.unblu.mail.smtp.global.startTlsEnable or com.unblu.mail.smtp.account.startTlsEnable to true.
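The settings in the list above can be verified mechanically. The following is an added example, not part of the Unblu documentation or tooling: a small Python script that parses a properties file in the key=value format of the listings and reports deviations from the recommendations. The property names are the ones listed on this page; the parser, the sample file and its placeholder values are assumptions made for the example.

```python
# Added example (not Unblu's own tooling): check a properties file against the hardening list.
def parse_properties(text: str) -> dict:
    """Parse 'key=value' lines, ignoring blank lines and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_hardening(props: dict) -> list:
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    if not props.get("com.unblu.server.aes.encryptionKey"):
        findings.append("AES encryption key not set")
    if props.get("com.unblu.contentsecuritypolicy.mode", "").upper() != "ON":
        findings.append("Content Security Policy mode is not ON")
    idle = props.get("com.unblu.authentication.cloud.maxIdleSeconds", "")
    if not idle.isdigit() or int(idle) > 43200:  # page suggests 12h; default is 7 days
        findings.append("session idle timeout missing or above 12h (43200s)")
    login = props.get("com.unblu.ratelimit.sessionLoginRateLimit", "")
    if not login.isdigit() or int(login) == 0:  # enforced per pod, see Listing 1
        findings.append("login rate limit not configured")
    for s in ("modifyConfigurations", "modifyMetadata", "modifyTexts"):
        if props.get(f"com.unblu.permission.roleAllowed.{s}") != "ADMIN":
            findings.append(f"{s} is not restricted to ADMIN")
    for s in ("overrideTeamManagement", "overrideUserManagement"):
        if props.get(f"com.unblu.permission.roleAllowed.{s}", ""):
            findings.append(f"{s} lets a role override external management")
    uses_mail = any(k.startswith("com.unblu.mail.smtp.") for k in props)
    tls = {props.get(f"com.unblu.mail.smtp.{s}.startTlsEnable", "").lower()
           for s in ("global", "account")}
    if uses_mail and "true" not in tls:
        findings.append("SMTP is configured but STARTTLS is not enabled")
    return findings

# Constructed sample of a partially hardened configuration (placeholder values).
SAMPLE = """# constructed sample, not a real deployment
com.unblu.server.aes.encryptionKey=REPLACE_WITH_ENV_SPECIFIC_KEY
com.unblu.authentication.cloud.maxIdleSeconds=604800
com.unblu.ratelimit.sessionLoginRateLimit=3
com.unblu.permission.roleAllowed.modifyConfigurations=ADMIN
com.unblu.permission.roleAllowed.modifyMetadata=ADMIN
com.unblu.permission.roleAllowed.modifyTexts=ADMIN
com.unblu.permission.roleAllowed.overrideUserManagement=ADMIN
com.unblu.mail.smtp.global.host=mail.example.invalid
"""

def demo() -> list:
    """Run the checks on SAMPLE; expect four findings (CSP, timeout, override, STARTTLS)."""
    return check_hardening(parse_properties(SAMPLE))
```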
HTTP & reverse proxy
- Disallow all Unblu paths in /robots.txt.
  Listing 3. Disallow Unblu paths
    User-agent: *
    Disallow: /app
    Disallow: /unblu
- All X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto headers must be sanitized at the reverse proxy; untrusted clients must not be able to inject values into these headers.
- When using ID propagation with HTTP headers, sanitize all related headers from all untrusted origins. The relevant Unblu configuration properties are:
    com.unblu.authentication.propagated.internal.*
    com.unblu.authentication.propagated.public.*
On-premises installations
The recommendations below only apply to on-premises installations.
- Reject all requests using the INTERNAL entry path (by default /app) from non-company networks. Only employees call this path.
- Reject all requests using the PUBLIC entry path (by default /unblu) from company networks. Only customers call this path.
- Reject all requests using the SYSTEM entry path (by default /system) from all untrusted origins. This is handled automatically in all Kubernetes installations.
Kubernetes
- Use Kubernetes secrets to store all sensitive Unblu configuration properties (passwords, encryption keys, …).
- Use the provided network policies to restrict connections between the pods (unblu-kubernetes-base/network-policy). Remove the default allow-same-namespace NetworkPolicy. (Kubernetes network policies are additive: traffic is allowed if any policy selecting a pod allows it, so a permissive policy left in place undoes the restrictive ones.)
COTURN
- The TURN protocol allows clients to connect to any IP address reachable from the TURN server. Make sure that the TURN server does not have access to sensitive parts of your network.
- Either block the COTURN server from accessing sensitive resources at the network level, or configure COTURN itself to deny them (denied-peer-ip).
- Install COTURN 4.5.2 or later (see the Security Advisory).
- Use an environment-specific static authentication secret to control access to the TURN server (static-auth-secret).
- Hide the COTURN version (no-software-attribute).
See also
- For security information related to the Unblu Android mobile SDK, refer to Security-relevant configuration for Android.
- For security information related to the Unblu iOS mobile SDK, refer to Security-relevant configuration for the iOS SDK.
Appendix
Generate encryption keys
Any random string can be used as a symmetric encryption key. For example, to generate 32 random bytes and encode them in base64:
    python3 -c 'import os,base64; print(base64.b64encode(os.urandom(32)).decode())'
To generate an RSA key pair for JWT encryption (private key, then the corresponding public key):
    openssl genpkey -algorithm RSA -out private.pem -pkeyopt rsa_keygen_bits:2048
    openssl rsa -pubout -in private.pem -out public.pem