Security
Infrastructure security
In terms of infrastructure security, we would propose the following:
- Disable the demo site via the DOCREADER_ENABLE_DEMO_WEB_APP="false" environment variable to avoid unnecessary worker utilization for serving site content and to remove the attack surface of possible frontend vulnerabilities.
- Do not expose the service publicly if possible. Access to the backend should be provided only via private, tiered networking.
- Use HTTPS connections where possible.
- Use a firewall and limit incoming connections to the apps via firewalls/security groups/rules to only verified and authorized consumers (VMs/services).
- Use a load balancer in front. In that case the security configuration will be much smoother and more advanced. While it is still possible to terminate the SSL connection and configure security-specific headers in the docreader container, let the service do the job it was created for: processing requests. The rest should be handled by the load balancer.
- Implement authorization, for example via Nginx and a plugin.
HTTPS
Option 1. Recommended. Nginx as a reverse proxy
Container deployment: run nginx as a frontend container for HTTPS processing and proxy service requests to the backend docreader container. Here you can find the docker-compose.yml file and the Nginx default.conf file for reference.
Service deployment: run nginx as a frontend service for HTTPS processing and proxy service requests to the backend docreader service. Here you can find the Nginx default.conf file for reference. The SSL certificates should be placed in the /etc/ssl/ folder.
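The following is an added example of what such an Nginx default.conf can look like; it is not the project's own reference file. It terminates TLS, sets the security headers mentioned above, restricts access to an allowed network and to authenticated users, and forwards plain HTTP to the docreader backend on port 8080. The hostname docreader.example.com, the upstream name "docreader", the 10.0.0.0/8 allow-list, the .htpasswd path and the body-size limit are assumptions to adjust for your environment.

```nginx
# Redirect plain HTTP to HTTPS so clients never send documents in the clear.
server {
    listen 80;
    server_name docreader.example.com;   # assumed hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name docreader.example.com;   # assumed hostname

    # Certificates live in /etc/ssl/ as the page states; file names follow the
    # tls.crt / tls.key naming used in the container example.
    ssl_certificate     /etc/ssl/tls.crt;
    ssl_certificate_key /etc/ssl/tls.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Security-specific headers are set here, not in the docreader container.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;

    # Document images can be large; 20m is an assumed limit, tune as needed.
    client_max_body_size 20m;

    location / {
        # Only verified consumers on the private network (assumed range).
        allow 10.0.0.0/8;
        deny  all;

        # Authorization in front of the service (assumed htpasswd file path).
        auth_basic           "Document Reader";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # "docreader" is the assumed backend service/container name; 8080 is
        # the port the docreader container listens on.
        proxy_pass         http://docreader:8080;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_read_timeout 120s;
    }
}
```

With this in place the docreader service itself is never reachable from outside the private network, and DOCREADER_HTTPS can stay disabled on the backend.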
Option 2. Docreader via HTTPS
Container deployment. To run the docreader service via HTTPS, take the following steps:
- Set 644 permissions on the certificates so the server is able to read them.
- Mount the cert.crt & cert.key files into the container.
- Pass the DOCREADER_HTTPS environment variable.
- Forward the container port to host port 8443:
chmod 644 ~/cert.crt ~/cert.key
docker run -it -p 8443:8080 -v ~/regula.license:/app/extBin/unix_x64/regula.license -v ~/cert.crt:/app/certs/tls.crt -v ~/cert.key:/app/certs/tls.key -e DOCREADER_HTTPS="true" regulaforensics/docreader
Service deployment. To run the docreader service via HTTPS, take the following steps:
- Create the /opt/regula/document-reader-webapi/certs folder and copy the certificates to it.
- Set the HTTPS-related environment variables in the /opt/regula/document-reader-webapi/.env file:
  - DOCREADER_HTTPS=true
  - DOCREADER_CERT_FILE=/opt/regula/document-reader-webapi/certs/tls.crt
  - DOCREADER_KEY_FILE=/opt/regula/document-reader-webapi/certs/tls.key
- Restart the service.