Fixes #17316: Document that Rudder servers should not be exposed on the Internet #713

Merged

10 changes: 10 additions & 0 deletions src/reference/modules/installation/pages/requirements.adoc
Expand Up @@ -29,6 +29,16 @@ Please bear in mind that a central Rudder server, called root server, requires n
Note: The policy server is the server configured to manage the node, and can be
either a root server or a relay server.

=== Security

Your Rudder server and relays should generally not be exposed on the Internet. If you manage
nodes on remote networks, the usage of a VPN for Rudder communications is recommended.

By default, nodes listen on port 5309 to allow remote agent trigger. On nodes having public interfaces
it is recommended to only allow connection to this port from the server through firewall configuration.
You can also totally disable the service on simple nodes (but not server or relayd) if you don't want to use remote run with
`systemctl disable rudder-cf-serverd && systemctl restart rudder-agent` (or an equivalent Rudder policy).

=== DNS - Name resolution

If you want to be able to remotely trigger agent runs on nodes from the Root Server (without
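
Review bot: In the second added paragraph, "only allow connection to this port from the server" is ambiguous, because the note just above the new section defines the policy server as either a root server or a relay server; writing "from the node's policy server" would tell readers which source address the firewall rule on port 5309 should permit. In the same paragraph, "(but not server or relayd)" should probably read "relay", to match "server and relays" in the first added paragraph. The suggested command uses `systemctl disable`, which only keeps the unit from starting at boot and does not stop a running instance, so the text should say whether the `rudder-agent` restart is what actually closes the listener, or add an explicit stop of `rudder-cf-serverd`. Finally, "(or an equivalent Rudder policy)" would be more useful with a pointer to the relevant documentation page.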