Minimum set of ports open for DataSHIELD

Dear all,

We were setting up the Opal server (DataSHIELD 5) in our institute for data sharing. For security reasons, only the ports used by the Opal server may be exposed on the machine, and all other ports must be closed. Could you tell me what the minimum set of exposed ports is that Opal needs? To my knowledge, only 8080 is used for the connection (between server and client) during the analysis. So should we only keep 8080 open?

Regards, Hank

Hi,

8080 is the default HTTP port for Opal, and it is not recommended to expose it to the outside world, as it is not an encrypted connection. Opal also uses 8443 for HTTPS. But it is even better, and we do recommend this, to use a reverse proxy such as Apache or Nginx; it will provide extra security. See Opal’s documentation about reverse proxies. With a reverse proxy and a configuration that redirects HTTP (80) connections to HTTPS (443), you only need to expose ports 80 and 443 (and probably 22 if you need to administer the server using SSH). See also Let’s Encrypt for getting a (free) valid SSL certificate for your reverse proxy.

Best
Yannick

Hi Yannick,

Thanks for the reply. Could you specify why a reverse proxy improves the security level? I mean, if we redirect port 8080 to 80, we don't seem to change anything.

Regards, Hank

Hi,

With a reverse proxy you can control the SSL cipher suites and protocols (some of them have security breaches sometimes). Although the internal web server of Opal (Jetty) is updated regularly, it is usually easier for sysadmins to update these well-maintained ones (Apache or Nginx). They also provide other convenient functionalities such as port redirection and integration with Let’s Encrypt certificates. You can also redirect to multiple Opal instances internally with the same reverse proxy.

Yannick
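The setup Yannick describes in both replies (HTTP-to-HTTPS redirect, only 80 and 443 exposed, TLS protocol and cipher policy decided at the proxy rather than in Jetty) looks like the following Nginx configuration. This is an added example and not taken from Opal's own documentation or from the thread; the hostname `opal.example.org`, the Let's Encrypt certificate paths and the assumption that Opal listens on `127.0.0.1:8080` are placeholders, and the cipher list is one example of a modern policy, not a requirement of Opal.

```nginx
# Added example, not Opal's documented configuration. Assumptions: the host is
# opal.example.org, certificates come from Let's Encrypt (certbot paths), and
# Opal's HTTP listener is reachable only on loopback at 127.0.0.1:8080.

# Port 80 does nothing except send every request to HTTPS, so no credential
# ever crosses the network in clear text even if a client starts with http://.
server {
    listen 80;
    server_name opal.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name opal.example.org;

    ssl_certificate     /etc/letsencrypt/live/opal.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/opal.example.org/privkey.pem;

    # Protocol and cipher policy lives here, so it can be tightened by the
    # sysadmin without touching Opal or Jetty. Example policy: TLS 1.2/1.3
    # only, forward-secret AEAD suites only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:OpalTLS:10m;

    # Tell browsers to stay on HTTPS for this host from now on.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # Forward to Opal over loopback; the plain-HTTP hop never leaves the box.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # DataSHIELD analysis calls can run for a while; avoid cutting them off.
        proxy_read_timeout 600s;
    }
}
```

With this in place the host firewall only needs to allow 22 (if SSH administration is needed), 80 and 443 from outside; 8080 and 8443 should remain blocked at the firewall or bound to loopback, so the proxy is the only path to Opal and the cipher/protocol policy above cannot be bypassed by connecting to Jetty directly.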

@HankCao

You should definitely not use port 80 or 8080 for a production server because this is normal HTTP. User passwords will be submitted without encryption and can be read by someone who listens on your connection.

Thanks, we will block it.

Hank