Configuration is required to enable additional security around connections from the Diffusion™ console.
Allow the console to connect only on a specific connector
We strongly recommend that you only allow the console to connect to Diffusion through a single connector. The port this connector
listens on can be blocked from connections from outside of your organization by your load
You can configure this in the following way:
- In your etc/Connectors.xml configuration file, wherever the line
<web-server>default</web-server> appears in a connector that
receives external connections, replace it with a web server definition that contains
only a client-service definition. For example:
    <!-- This section enables HTTP-type clients for this Web Server -->
    <client-service name="client" debug="true">
        <!-- This parameter is used to re-order out-of-order messages received
             over separate HTTP connections opened by client browsers. It is rarely
             necessary to set this to more than a few tens of seconds.
             If you attempt to set this value to more than one hour, a warning is logged
             and a timeout of one hour is used. -->
        <!-- This is used to control access from client web socket to Diffusion.
             This is a REGEX pattern that will match the origin of the request; (.*) matches
             anything, so all requests are allowed -->
        <!-- This is used to control cross-origin resource sharing client connection to Diffusion.
             This is a REGEX pattern that will match the origin of the request; (.*) matches anything -->
        <!-- Enable compression for HTTP responses (Client and File) if the response
             is bigger than the threshold -->
    </client-service>
- Create a new connector in your etc/Connectors.xml configuration
file that defines a specific port that you use for internal connections to the console.
In this connector, set the value of the web-server element to
- In your load balancer, prevent outside traffic from having access to the port
specified in the new connector.
- If required, apply additional connection restrictions.
    - You can use a connection validation policy. For more information, see ConnectionValidationPolicy.xml.
    - You can set these restrictions in your load balancer.
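A check for the steps above, added here as an example and not part of the Diffusion product or its documentation: it reads a Connectors.xml and reports which listening ports are backed by a web server that holds only client-service definitions (safe to expose) and which ports serve anything else, such as the console, and must therefore be blocked at the load balancer. The sample file and its element layout (connectors/connector/port/web-server references, named web-server definitions, a hypothetical console-service element) are constructed assumptions modelled on the elements this page names, not a copy of the real file.

```python
import xml.etree.ElementTree as ET

# Constructed sample Connectors.xml (assumed layout, see lead-in).
SAMPLE_CONNECTORS_XML = """<connectors>
  <connector name="External">
    <port>8080</port>
    <web-server>external</web-server>
  </connector>
  <connector name="Console">
    <port>8081</port>
    <web-server>default</web-server>
  </connector>
  <connector name="Broken">
    <port>8082</port>
    <web-server>missing</web-server>
  </connector>
  <web-server name="external">
    <client-service name="client" debug="true"/>
  </web-server>
  <web-server name="default">
    <client-service name="client" debug="true"/>
    <console-service name="console"/>
  </web-server>
</connectors>
"""


def audit_console_exposure(xml_text):
    """Return (client_only, must_block): two dicts of port -> web-server name.

    client_only: the web server holds nothing but client-service definitions,
                 so the port carries no console traffic.
    must_block:  the web server serves something else (e.g. the console), or
                 references a definition that does not exist; block the port
                 from outside traffic in the load balancer.
    """
    root = ET.fromstring(xml_text)
    # Map each named web-server definition to the set of service tags it holds.
    services = {ws.get("name"): {child.tag for child in ws}
                for ws in root.findall("web-server")}
    client_only, must_block = {}, {}
    for conn in root.findall("connector"):
        port = int(conn.findtext("port"))
        ws_name = (conn.findtext("web-server") or "").strip()
        tags = services.get(ws_name)
        if tags and tags <= {"client-service"}:
            client_only[port] = ws_name
        else:
            must_block[port] = ws_name  # unknown definition is treated as unsafe
    return client_only, must_block
```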
Disable console features in the configuration (as required)
The actions that a user can perform using the console are controlled by roles and
permissions. The principal that the user uses to log in to the console must have a role with
the permissions required to perform an action in the console.
A principal with the ADMINISTRATOR or OPERATOR role can use all of the functions of the Diffusion console.
To restrict users to using a smaller set of console features, ensure they use a principal
with a more restrictive set of roles and permissions. For more information, see Pre-defined roles.