
Security

Ronan LE MEILLAT edited this page Jun 16, 2024 · 6 revisions

Securing the API Server

The embedded web server in the hbbs component of Sctgdesk-server currently has no built-in protection against DDoS attacks and does not handle TLS encryption itself. Here's how you can secure it:

Kubernetes Environment

If you're running the server in a Kubernetes environment, you're in luck! The environment provides an HAProxy, NGINX or other ingress controller in front of hbbs, which takes care of TLS termination and these other security concerns. In this case, no further action is needed.

Non-Kubernetes Environment

If you're running the server outside a Kubernetes environment, it's crucial that hbbs is not directly reachable from the internet. Here are the steps to secure your server:

  1. Issue a Let's Encrypt Certificate: The first step is to issue a Let's Encrypt certificate for your server. This enables HTTPS connections, providing a basic level of security. Store the full certificate chain concatenated with the private key in a single PEM file at /etc/haproxy/your-server-fqdn.pem (HAProxy expects both in the file referenced by crt).

  2. Configure HAProxy: After obtaining your certificate, use HAProxy to add an additional layer of security in front of hbbs. Edit the sample HAProxy configuration file below as needed to suit your environment.
    Note that port 21116, TCP and UDP, is not controlled by this HAProxy configuration (HAProxy does not support UDP).

# your-server-fqdn resolves to 1.2.3.4
global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    retries 2
    timeout connect 3000ms
    timeout server 5000ms
    timeout client 5000ms

# hbbs websocket: TLS is terminated here, plain ws is passed to hbbs on 21118
frontend hbbs_wss
    mode tcp
    bind 1.2.3.4:21120 ssl crt /etc/haproxy/your-server-fqdn.pem
    # websocket sessions are long-lived; the 5s default would drop idle ones
    timeout client 1h
    default_backend hbbs_wss_backend

# hbbs HTTP API: TLS is terminated here, plain HTTP is passed to hbbs on 21114
frontend hbbs_api_443
    mode http
    option forwardfor
    bind 1.2.3.4:443 ssl crt /etc/haproxy/your-server-fqdn.pem
    http-request set-header X-Forwarded-Proto https
    filter compression
    compression algo gzip
    compression type text/css text/html text/javascript application/javascript text/plain text/xml application/json
    compression offload
    default_backend hbbs_api_backend

# hbbr websocket relay: TLS is terminated here, plain ws is passed to hbbr on 21119
frontend hbbr_wss
    mode tcp
    bind 0.0.0.0:21121 ssl crt /etc/haproxy/your-server-fqdn.pem
    timeout client 1h
    default_backend hbbr_wss_backend

# all backends are on loopback: hbbs/hbbr must only listen on 127.0.0.1
backend hbbs_api_backend
    mode http
    server srv_main 127.0.0.1:21114

backend hbbs_wss_backend
    mode tcp
    timeout server 1h
    server srv_main 127.0.0.1:21118

backend hbbr_wss_backend
    mode tcp
    timeout server 1h
    server srv_main 127.0.0.1:21119

With this configuration you can set https://your-server-fqdn as the API server in the RustDesk client. Please note that enhancing the built-in security features of the hbbs component is not currently planned. Following these steps is therefore highly recommended to ensure the security of your server.
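As an added check that is not part of the original wiki page, the following Python script audits the isolation requirement above: every port HAProxy forwards to (21114, 21118 and 21119 in the configuration) must be bound to a loopback address only on the host, otherwise the TLS termination can be bypassed. The haproxy.cfg excerpt and the `ss -Hltn` output embedded here are constructed samples; feed it your own config and `ss` output.

```python
"""Verify that the ports HAProxy proxies to (hbbs/hbbr) listen on loopback only.
Inputs: the HAProxy config's backend 'server' lines and `ss -Hltn` output from
the host. A proxied port also bound to a public address bypasses HAProxy's TLS
termination. Port 21116 is not proxied by HAProxy and is therefore ignored.
"""
import re
from ipaddress import ip_address
SERVER_RE = re.compile(r"^\s*server\s+\S+\s+(\S+?):(\d+)")
# ss -Hltn columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SS_RE = re.compile(r"^\S+\s+\d+\s+\d+\s+(\S+?):(\d+)\s")
# Constructed sample: the backend sections of the haproxy.cfg shown above.
HAPROXY_CFG = """
backend hbbs_api_backend
    server srv_main 127.0.0.1:21114
backend hbbs_wss_backend
    server srv_main 127.0.0.1:21118
backend hbbr_wss_backend
    server srv_main 127.0.0.1:21119
"""
# Constructed `ss -Hltn` sample: 21118 and 21119 are wrongly reachable publicly.
SS_SAMPLE = """\
LISTEN 0      128      127.0.0.1:21114      0.0.0.0:*
LISTEN 0      128        0.0.0.0:21118      0.0.0.0:*
LISTEN 0      128              *:21119            *:*
LISTEN 0      128        0.0.0.0:21116      0.0.0.0:*
LISTEN 0      4096          [::]:21121         [::]:*
"""
def backend_targets(cfg: str) -> dict:
    """Map every port HAProxy forwards to onto its configured address."""
    return {int(m.group(2)): m.group(1)
            for m in map(SERVER_RE.match, cfg.splitlines()) if m}

def is_loopback(addr: str) -> bool:
    """True for 127.x.x.x / ::1; '*' and '[::]' mean all interfaces."""
    try:
        return ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False

def exposed_ports(cfg: str, ss_output: str) -> list:
    """Return (port, local_address) for proxied ports reachable off-loopback."""
    ports = backend_targets(cfg)
    hits = [(int(m.group(2)), m.group(1))
            for m in map(SS_RE.match, ss_output.splitlines())
            if m and int(m.group(2)) in ports and not is_loopback(m.group(1))]
    return sorted(hits)

if __name__ == "__main__":
    for port, addr in exposed_ports(HAPROXY_CFG, SS_SAMPLE):
        print(f"WARNING: port {port} listens on {addr}; bind it to 127.0.0.1")
```

Run it with `python3 check_hbbs_isolation.py` after replacing the two samples with the real config text and the output of `ss -Hltn`; an empty result means every proxied port is loopback-only.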
