Security
Notice
Firewall
Each node is set up with iptables (this can be disabled in the settings), allowing traffic only on the ports and protocols the node needs. These include SSH (22/TCP), ICMP (echo request/reply only), and RabbitMQ and MySQL (if they run as a service on the node).
The core OTH services, which operate in the range 8000-9000/TCP, listen only on the local Docker network of the application server. All traffic to the core OTH services is delegated by the Traefik proxy (listening on port 80) running on the application server.
The load-balancer node allows only SSH, HTTP, HTTPS and ICMP (echo request/reply only).
Frontend
The frontend node(s) should be the only node(s) publicly reachable from the Internet, and only on ports 80 and 443/TCP, plus optionally SSH from whitelisted IPs. All HTTP requests are redirected to HTTPS by default.
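The following is an added example, not OTH's own tooling or configuration: a small POSIX shell script that emits an iptables ruleset implementing the node policy described in the Firewall section for both roles (application node, and load-balancer/frontend node), together with an audit function that lists which TCP ports a ruleset leaves open to any source. The Docker bridge name (docker0), the internal network allowed to reach SSH, Traefik, RabbitMQ and MySQL (10.10.50.0/24), and the RabbitMQ and MySQL ports (their defaults, 5672 and 3306) are assumptions, not values stated on the page.

```shell
#!/bin/sh
# Added example, not part of the OTH documentation or product: generate an
# iptables ruleset for a node role and audit which TCP ports are open to
# any source. Assumptions (not stated on the page): the Docker bridge is
# docker0, SSH and the app-node service ports are only reachable from the
# internal network 10.10.50.0/24 (constructed), and RabbitMQ and MySQL use
# their default ports 5672 and 3306.
set -eu

MGMT_CIDR="${MGMT_CIDR:-10.10.50.0/24}"   # assumed internal/admin network
DOCKER_IF="${DOCKER_IF:-docker0}"         # assumed Docker bridge interface

# gen_rules ROLE -> prints an iptables-restore fragment for ROLE (app|lb).
# Only the INPUT chain is emitted so that Docker's own FORWARD/DOCKER chains
# on the application node are left untouched. Echo replies to the node's own
# pings are admitted by the ESTABLISHED rule, so only echo-request needs one.
gen_rules() {
    role="$1"
    case "$role" in
        app|lb) ;;
        *) echo "gen_rules: unknown role '$role' (use app or lb)" >&2; return 1 ;;
    esac
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT' \
        "-A INPUT -p tcp --dport 22 -s $MGMT_CIDR -m conntrack --ctstate NEW -j ACCEPT"
    case "$role" in
        app)
            # core OTH services 8000-9000/TCP only from the Docker bridge;
            # Traefik (80), RabbitMQ and MySQL only from the internal network
            printf '%s\n' \
                "-A INPUT -i $DOCKER_IF -p tcp --dport 8000:9000 -j ACCEPT" \
                "-A INPUT -p tcp --dport 80 -s $MGMT_CIDR -m conntrack --ctstate NEW -j ACCEPT" \
                "-A INPUT -p tcp --dport 5672 -s $MGMT_CIDR -m conntrack --ctstate NEW -j ACCEPT" \
                "-A INPUT -p tcp --dport 3306 -s $MGMT_CIDR -m conntrack --ctstate NEW -j ACCEPT"
            ;;
        lb)
            # load-balancer/frontend: HTTP and HTTPS from anywhere
            printf '%s\n' \
                '-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT' \
                '-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT'
            ;;
    esac
    printf '%s\n' 'COMMIT'
}

# open_to_world < RULESET -> prints the TCP dports that are ACCEPTed without
# a source (-s) or interface (-i) restriction, i.e. reachable from any host.
# Works on the generated file or on `iptables-save` output from a live node.
open_to_world() {
    awk '/-j ACCEPT/ && /--dport/ && !/ -s / && !/ -i / {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
    }'
}

# Usage: sh gen_rules.sh app | iptables-restore --noflush   (after iptables -F INPUT)
if [ -n "${1:-}" ]; then
    gen_rules "$1"
fi
```

Loading with `--noflush` into a flushed INPUT chain is deliberate: a full `iptables-restore` replaces the whole filter table, which on the application node would also wipe the chains Docker manages. Running `iptables-save | sh -c '. ./gen_rules.sh; open_to_world'` on a live application node should print nothing; anything it does print is a port exposed beyond the Docker network or the internal CIDR.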
The load-balancer node needs to be able to resolve the hostname(s) of the application node(s). This can be done either by setting them up on a customer-controlled name server as split-horizon DNS or by adding them to /etc/hosts. An example /etc/hosts file for the load-balancer could include the following:
10.10.50.3 app01.prod.mytelehealth
10.10.50.4 app02.prod.mytelehealth
OTH Access (Optional)
OTH usually deploys a set of users to each node. These users are all part of the trusted technical staff at OTH. OTH users only log on to a customer's system to resolve issues such as debugging or upgrade assistance that have been agreed upon with the customer. All OTH users use SSH keys for access.
The customer can set up a VPN solution or a bastion SSH jump host for more granular control of OTH staff access, for example only allowing access during an agreed time frame.
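One way to implement the time-limited bastion access described above, as an added example that is not OTH's own tooling: a customer-run jump host can bind a vendor engineer's SSH key to an agreed source network, an agreed expiry and a single onward target using standard OpenSSH authorized_keys options (from=, expiry-time=, restrict, port-forwarding, permitopen=), and an sshd_config Match block for the vendor group can deny shells and TTYs while still permitting the forwarding that `ssh -J` needs. The key, source network, dates, hostnames and group name used are constructed placeholders.

```shell
#!/bin/sh
# Added example, not OTH's tooling: restrict a vendor engineer's key on a
# customer bastion to a source network, a time window and one jump target.
# All keys, CIDRs, dates and hostnames used with these functions are
# constructed placeholders.
set -eu

# vendor_key_entry PUBKEY SOURCE_CIDR EXPIRY TARGET_HOST -> one authorized_keys line.
# EXPIRY is YYYYMMDD or YYYYMMDDHHMM (the formats accepted here; OpenSSH also
# accepts a seconds field). The resulting key can only be used from SOURCE_CIDR,
# stops working at EXPIRY, gets no shell, PTY, agent or X11 ("restrict"), and
# may only open a forwarded connection to TARGET_HOST:22, which is exactly what
# `ssh -J bastion TARGET_HOST` requires.
vendor_key_entry() {
    pubkey="$1"; src="$2"; expiry="$3"; target="$4"
    case "$expiry" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] | \
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *)
            echo "vendor_key_entry: expiry must be YYYYMMDD or YYYYMMDDHHMM, got '$expiry'" >&2
            return 1
            ;;
    esac
    printf 'from="%s",expiry-time="%s",restrict,port-forwarding,permitopen="%s:22" %s\n' \
        "$src" "$expiry" "$target" "$pubkey"
}

# bastion_sshd_match GROUP -> sshd_config Match block for the vendor group:
# key-only login, TCP forwarding allowed (needed for the jump), no TTY,
# no agent or X11 forwarding, and any requested shell/command is refused.
bastion_sshd_match() {
    cat <<EOF
Match Group $1
    PasswordAuthentication no
    AllowTcpForwarding yes
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no
    ForceCommand /usr/sbin/nologin
EOF
}

# Usage:
#   vendor_key_entry "$(cat oth-eng.pub)" 203.0.113.0/24 202501312359 app01.prod.mytelehealth \
#       >> /home/oth-eng/.ssh/authorized_keys
#   bastion_sshd_match oth-vendor >> /etc/ssh/sshd_config.d/oth-vendor.conf
```

The engineer then reaches an application node with `ssh -J oth-eng@bastion app01.prod.mytelehealth`; the bastion only relays the TCP connection, the application node still authenticates the engineer's key itself, and once the expiry-time passes the bastion entry is refused without anyone having to remember to remove it. Agreeing a new window means issuing a new entry, which also leaves a record of each access period in the file's history.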