Yarkon Server – Network and Security

Before you can deploy Yarkon Server into a production environment, you need to ensure it is properly networked and protected – just as you would do for any web server in your organization.

To accomplish this, you’d need to handle two tasks:

  1. Assign a proper DNS name to the server – so that users can reach it based on its name.
  2. Allow only SSL (using HTTPS) traffic to reach the server – so that the communication is secure.

EC2 Server

The AWS-recommended way to secure an EC2 instance is to place it behind a load balancer (either an ELB or an ALB). Doing so lets you put the instance in your private network and allow outside traffic to reach it only through the load balancer, which reduces the attack surface. Another advantage is that you can terminate SSL traffic at the load balancer, saving effort and complexity on the server.

Assign a proper URL

The process might differ slightly depending on the registrar you use for your domain names. If you use AWS Route53 to manage your domains, as most AWS clients do, you will have to create an A record that points the name you chose (for instance, yarkon.acme.com) at the load balancer.

Secure access to the instance

Next, you need to ensure that only secure HTTP (HTTPS) traffic can access the Yarkon Application. For that you need an SSL certificate that matches the DNS name you created before, or a star (*) certificate that matches the domain.

From the AWS EC2 Dashboard, choose the elastic load balancer created for Yarkon. Add an HTTPS listener that accepts traffic from the internet on port 443 and forwards it to port 80 on the EC2 instance (assuming that you have Yarkon Server listening on port 80), and set the certificate for this listener to the one described above.

If you had port 80 opened on the load balancer while you were setting up the cert (as can be seen in the image above), once you confirm that port 443 works, you can safely remove the route for port 80.
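
To confirm the end state described above, the following added example (not part of the Yarkon documentation) audits a parsed `aws elbv2 describe-listeners` response for listeners that still accept plain traffic, and checks whether a certificate name, including a star certificate, covers the chosen DNS name. It assumes an ALB-style response; the sample data and placeholder ARNs are constructed, and treating an HTTP listener that only redirects to HTTPS as acceptable is this example's own choice.

```python
import json

def cert_covers(hostname, cert_names):
    """True if a certificate name covers hostname. A star stands for exactly
    one left-most label: *.acme.com covers yarkon.acme.com, not acme.com."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == host:
            return True
        if (name.startswith("*.") and len(name) > 2
                and host.partition(".")[2] == name[2:]):
            return True
    return False

def audit_listeners(described):
    """Return findings for a parsed `aws elbv2 describe-listeners` response."""
    listeners = described.get("Listeners", [])
    findings = []
    if not any(l.get("Protocol") == "HTTPS" for l in listeners):
        findings.append("no HTTPS listener")
    for l in listeners:
        proto, port = l.get("Protocol"), l.get("Port")
        if proto == "HTTPS":
            if not l.get("Certificates"):
                findings.append(f"HTTPS listener on port {port} has no certificate")
            continue
        # Assumption of this example: a non-HTTPS listener is tolerated only
        # when every default action redirects the client to HTTPS.
        actions = l.get("DefaultActions", [])
        ok = bool(actions) and all(
            a.get("Type") == "redirect"
            and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
            for a in actions)
        if not ok:
            findings.append(f"{proto} listener on port {port} does not redirect to HTTPS")
    return findings

# Constructed sample: port 80 left open next to the new 443 listener.
SAMPLE = json.loads("""{"Listeners": [
  {"Port": 80, "Protocol": "HTTP",
   "DefaultActions": [{"Type": "forward", "TargetGroupArn": "PLACEHOLDER-TG"}]},
  {"Port": 443, "Protocol": "HTTPS",
   "Certificates": [{"CertificateArn": "PLACEHOLDER-CERT"}],
   "DefaultActions": [{"Type": "forward", "TargetGroupArn": "PLACEHOLDER-TG"}]}
]}""")

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE):
        print("FINDING:", finding)
    print("cert ok:", cert_covers("yarkon.acme.com", ["*.acme.com"]))
```

An empty findings list means only HTTPS listeners (or redirects to HTTPS) remain on the load balancer.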

Non EC2 Server

If you have Yarkon Server running on a non-EC2 server, you can secure it the same way you handle your other servers.

Assign a proper URL

The process might differ slightly depending on the registrar you use for your domain names. If you use AWS Route53 to manage your domains, as most AWS clients do, you will have to create an A record that points the name you chose (for instance, yarkon.acme.com) at the server IP or at the reverse proxy you use in front of it.

Secure access to the instance

Next, you need to ensure that only secure HTTP (HTTPS) traffic can access the Yarkon Application. For that you need an SSL certificate that matches the DNS name you created before, or a star (*) certificate that matches the domain.

If you are using a reverse proxy in front of the server (very common), you should install the SSL cert on it as you do for any other server.

Yarkon Server itself does not support SSL termination at this time.
