Contact usRequest a demo

Hardening an Unblu installation

This article guides you through the hardening of an Unblu installation. It includes Unblu configurations as well as Reverse Proxy requirements and Kubernetes best practices.

Unblu configuration

  • Set an environment-specific AES encryption key: com.unblu.server.aes.encryptionKey

  • If you use JWT encryption, set an environment-specific RSA key: com.unblu.authentication.jwt.encryptionKey

    You can specify different encryption keys for the internal and public entry-path: com.unblu.authentication.jwt.internal.encryptionKey com.unblu.authentication.jwt.public.encryptionKey

  • If users' identifiers are sensitive, enable user identifier encryption: Set com.unblu.server.useridentifier.enableEncryption to true. (By default, user identifiers are random and therefore not sensitive.)

  • Use transport encryption between the application and the database. See the example for PostgreSQL.

  • Review the rate limiting thresholds and adjust them to suit your requirements.

    Listing 1. Rate Limit threshold configuration
    # Login Rate Limit (real limit has to be multiplied by pod)
    # Block after 3*replicas attempts in 300 seconds
    com.unblu.ratelimit.sessionLoginRateLimit=3
    com.unblu.ratelimit.sessionLoginRateLimitTTL=300
    
    # Block after 5*replicas attempts in 60 seconds
    com.unblu.ratelimit.redeemPinRateLimit=5
    com.unblu.ratelimit.redeemPinRateLimitTTL=60
  • Enable the Content Security Policy (CSP): Set com.unblu.contentsecuritypolicy.mode to ON.

  • Restrict which roles can make system changes.

    Listing 2. Roles allowed to make system changes
    # Modification of configurations
    com.unblu.permission.roleAllowed.modifyConfigurations=ADMIN
    # Modification of metadata
    com.unblu.permission.roleAllowed.modifyMetadata=ADMIN
    # Modification of texts
    com.unblu.permission.roleAllowed.modifyTexts=ADMIN
    # Modification of externally managed teams
    com.unblu.permission.roleAllowed.overrideTeamManagement=
    # Modification of externally managed users
    com.unblu.permission.roleAllowed.overrideUserManagement=
  • Set the session timeout (com.unblu.authentication.cloud.maxIdleSeconds) to a lower value, for example 43200 (12h). The value is in seconds, the default value is 7 days.

  • If your Unblu installation sends emails to users, set com.unblu.mail.smtp.global.startTlsEnable or com.unblu.mail.smtp.account.startTlsEnable to true.

User management

  • Remove the default superadmin created with the initial database setup.

  • All users should use strong passwords. You can define and enforce your password policy using com.unblu.password.policy.*.

HTTP & reverse proxy

  • Disallow all Unblu paths in /robots.txt.

    Listing 3. Disallow Unblu paths
    User-agent: *
    Disallow: /app
    Disallow: /unblu
  • All X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto headers must be sanitized, and untrusted clients must not be able to inject values into these headers.

  • When using ID propagation with HTTP headers, sanitize all related headers from all untrusted origins. The relevant Unblu configuration properties are:
    com.unblu.authentication.propagated.internal.*
    com.unblu.authentication.propagated.public.*

On-premises installations

The recommendations below only apply to on-premises installations.

  • Reject all requests using the INTERNAL entry path (by default /app) from non-company networks. Only employees will call those.

  • Reject all requests using the PUBLIC entry path (by default /unblu) from company networks. Only customers will call those.

  • Reject all requests using the SYSTEM entry path (by default /system) from all untrusted origins. This is handled automatically in all Kubernetes installations.

Kubernetes

  • Use Kubernetes secrets to store all sensitive Unblu configuration properties (passwords, encryption keys, …​).

  • Use the provided network policies to restrict connections between the pods (unblu-kubernetes-base/network-policy). Remove the default allow-same-namespace NetworkPolicy. (Kubernetes network policies are additive!)

COTURN

  • The TURN protocol allows clients to connect to any IP address reachable from the TURN server. Make sure that the TURN server does not have access to sensitive parts of your network.

  • You should either block the COTURN server from accessing sensitive resources, or adapt the COTURN configuration to do so (denied-peer-ip).

  • Install COTURN 4.5.2 or later (see Security Advisory).

  • Use an environment-specific static authentication secret to allow access to the TURN server (static-auth-secret).

  • Hide the COTURN version (no-software-attribute).

See also

Appendix

Generate encryption keys

Any random string can be used as a symmetric encryption key.

Listing 4. Generate 256 random bits base64 encoded
python3 -c 'import os,base64; print(base64.b64encode(os.urandom(32)).decode())'
Listing 5. Generate an RSA key pair
openssl genpkey -algorithm RSA -out private.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in private.pem -out public.pem