Skip to content

Commit

Permalink
Update README.md
Browse files Browse the repository at this point in the history
  • Loading branch information
@tmberthold
tmberthold authored Feb 1, 2024
1 parent a88b073 commit 5a3e522
Showing 1 changed file with 5 additions and 11 deletions.
16 changes: 5 additions & 11 deletions docs/deployment-guide/goals/production/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,10 @@ proxy (at least the protocol endpoint needs to be).
- Exposing to the internet:
- The Protocol API must be reachable via the internet. The required endpoints can be found in
this [public-endpoints.yaml](public-endpoints.yaml)
- Exposing the UI or the Management Endpoint to the internet requires an intermediate auth proxy.
- Exposing the UI or the Management Endpoint to the internet requires an intermediate auth proxy, we recommend restricting the access to the Management Endpoint to your internal network.
- Security:
- Limit the header size in the proxy so that only a certain number of API Keys can be tested with one API-request (e.g. limit to 8kb).
- Limit the access rate to the API endpoints and monitor access for attacks like brute force attacks.

## EDC UI Configuration

Expand Down Expand Up @@ -121,6 +124,7 @@ MY_EDC_JDBC_USER: edc
MY_EDC_JDBC_PASSWORD: edc

# Management API Key
# high entropy recommended when configuring the value (length, complexity, e.g. [a-zA-Z0-9+special chars]{32+ chars})
EDC_API_AUTH_KEY: ApiKeyDefaultValue

# Connector Maintainer
Expand All @@ -140,16 +144,6 @@ EDC_OAUTH_CERTIFICATE_ALIAS: 1
EDC_OAUTH_PRIVATE_KEY_ALIAS: 1
```
## Security
Since an API Key must be set for the Management-API and is considered to be a security relevant setting, here are a few tips on what should be taken into account when setting a value or the configuration of the infrastructure:
- Restrict access to the Management-API to your internal network
- Use an API Key with high entropy (length, complexity) when configuring the value (e.g. [a-zA-Z0-9+special chars]{32+ chars}).
- Limit the header size in the reverse proxy so that only a certain number of API Keys can be tested with one API-request (e.g. limit to 8kb).
- Limit the access rate to the API endpoints and monitor access for attacks like brute force attacks.
If configured insufficiently, this security relevant Management-API could be exploited to attack the EDC's database, thereby attacking the surrounding network.
## FAQ
### What should the client ID entry look like?
Expand Down

0 comments on commit 5a3e522

Please sign in to comment.