jembi / openhim-core-js

The Open Health Information Mediator core component. OpenHIM Support: Post your query on OpenHIE Discourse using the #openhim tag https://discourse.ohie.org/
http://openhim.org
Mozilla Public License 2.0

How do I whitelist OpenHIM Channels within a Docker Swarm? #1168

Closed euanmillar closed 1 year ago

euanmillar commented 2 years ago

Hi Jembi,

Thanks again for all of your kind support with OpenHIM. I have a question regarding whitelisting.

I currently have a number of public OpenHIM channels and they are getting spammed in production by external applications because the openhim-api is publicly accessible and we have a passthrough channel setup using a catch-all regexp in the route. [Screenshot 2022-10-11 at 11 46 12]

I realised I needed to whitelist these channels, but I only have the option for IP or an OpenHIM client:

[Screenshot 2022-10-11 at 12 40 43]

I am running OpenHIM inside a Docker Swarm, where each Docker service that requires access to OpenHIM is running on an internal ip beginning with 10...*

Can you tell me, is it possible to configure the whitelisted IP input for an OpenHIM Channel to use a Netmask (subnet mask) to cover all possibilities of IPs beginning with 10?

If not, how should I secure the OpenHIM Channel only to other services in the Docker Swarm?

Many thanks,

Euan

rcrichton commented 2 years ago

Hi @euanmillar, sorry, it looks like this is possible currently. It only allows exact IP addresses. Maybe this is something you could solve through the reverse proxy. Are you still using traefik in front of the OpenHIM? Else a firewall like ufw on the host machines would also work. It might help to restrict the channel regex as well, so it isn't catch-all. Rather, make it accept a more specific pattern.

euanmillar commented 2 years ago

Hi @rcrichton thanks for getting back to me. :)

To answer your question, I am still using Traefik in front of the OpenHIM and it exposes "openhim-api" and "openhim". I will do some research to see how I could configure Traefik to only listen to "openhim-api" internally, however that would restrict interoperability to legitimate external clients I guess.

Perhaps ufw may be the way to go.

euanmillar commented 1 year ago

I used this Traefik middleware to whitelist the endpoint in case you are interested: https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/
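An added example (not the issue author's or the project's own configuration) of the approach in the last comment: a Docker Swarm stack fragment that attaches Traefik's ipWhiteList middleware to the router fronting the OpenHIM endpoint, allowing only the 10.0.0.0/8 overlay range from the question. Service, router and middleware names, hostnames and image tags are assumptions; the OpenHIM port is its default HTTP channel port.

```yaml
# docker-stack.yml fragment (added example; names, hosts and tags are assumptions)
services:
  traefik:
    image: traefik:v2.10
    ports:
      # Publish in host mode so Traefik sees the real client address. With the
      # default ingress routing mesh, Swarm SNATs inbound connections, so external
      # callers would also arrive from a 10.x overlay address and the allow-list
      # below would let everyone through.
      - target: 443
        published: 443
        mode: host
    command:
      - "--providers.docker.swarmMode=true"
      - "--entrypoints.websecure.address=:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    deploy:
      placement:
        constraints: [node.role == manager]

  openhim-core:
    image: jembi/openhim-core:latest
    deploy:
      labels:
        - "traefik.enable=true"
        # Router for the OpenHIM channel endpoint (default HTTP channel port 5001).
        - "traefik.http.routers.openhim.rule=Host(`openhim.example.org`)"
        - "traefik.http.routers.openhim.entrypoints=websecure"
        - "traefik.http.routers.openhim.service=openhim"
        - "traefik.http.services.openhim.loadbalancer.server.port=5001"
        # Attach the allow-list so only Swarm-internal services reach the channels.
        - "traefik.http.routers.openhim.middlewares=swarm-only@docker"
        # sourceRange is matched against the TCP remote address; ipStrategy.depth
        # is deliberately not set, so X-Forwarded-For is ignored and cannot be
        # spoofed to bypass the check.
        - "traefik.http.middlewares.swarm-only.ipwhitelist.sourcerange=10.0.0.0/8"
```

Requests from outside the allow-list are rejected by Traefik with 403 before they reach the channel, so the catch-all route never sees them; narrowing the channel regex as suggested earlier still limits what an allowed caller can hit.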