The system will not use insecure TCP/UDP protocols

fjelltopp / zarr-ckan

The Government of Zambia Ministry of Finance and National Planning project to establish a Zambia Evaluation and Research Repository (ZaRR) based on CKAN (funded by UNICEF).

0 stars 0 forks source link

The system will not use insecure TCP/UDP protocols #104

Closed ChasNelson1990 closed 1 month ago

ChasNelson1990 commented 2 months ago

The system will not use insecure TCP/UDP protocols such as (but not limitied to) HTTP, FTP, Telnet or TFTP to transfer data over all wired and wireless networks. Only encrypted traffic is allowed.

Relates #1

A-Souhei commented 2 months ago

We need to:

configure the reverse proxy / load balancer to enforce HTTPS
verify / make sure that server firewall (ufw, iptables, security groups ...) block the ports for any insecure protocol
disable / uninstall the programs if needed

ChasNelson1990 commented 2 months ago

@tomeksabala how much of this happens in our default AWS infrastructure?

A-Souhei commented 2 months ago

CKAN has a feature called support for HTTPS that should be enabled.

ChasNelson1990 commented 1 month ago

We satisfy this through our archiecture.

We may like to set ckan.valid_url_schemes = https sftp as a general rule in our projects for only rendering outgoing links that satisfy this too.