github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 10:18:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
247633ed330af3283963ecffa5bdc4c2b657e4be
firezone/www/docs/deploy/security-considerations.mdx
Jamil 643330fcbe Merge blog site into docs, serve at subpaths (#1419) 
- [x] Move all docs to be served under `/docs` prefix
- [x] Merge blog articles and serve under `/blog` prefix
- [x] Remove docs side bar for blog content
- [x] Remake marketing site pages in markdown/react
- [x] Serve marketing site under root path
- [x] Update all old links and paths to use new prefixes
2023-02-15 16:52:16 -08:00

58 lines
3.0 KiB
Plaintext
Raw Blame History

---
title: Security Considerations
sidebar_position: 6
---
# Security considerations
**Disclaimer**: Firezone is still beta software. The codebase has not yet
received a formal security audit. For highly sensitive and mission-critical
production deployments, we recommend disabling local authentication as
detailed [below](#production-deployments).
## List of services and ports
Shown below is a table of default ports used by Firezone services.
<Tabs>
<TabItem label="Docker" value="docker" default>
| Service | Port | Listen address | Description |
| ---------- | ----------- | -------------- | ----------------------------------------------------------------------------- |
| Caddy | `443/tcp` | `all` | Public HTTPS port for administering Firezone and facilitating authentication. |
| Caddy | `80/tcp` | `all` | Public HTTP port used for ACME. Disabled when ACME is disabled. |
| WireGuard | `51820/udp` | `all` | Public WireGuard port used for VPN sessions. |
| Postgresql | `5432/tcp` | `-` | Containerized port used for bundled Postgresql server. |
| Phoenix | `13000/tcp` | `-` | Containerized port used by upstream elixir app server. |
</TabItem>
<TabItem label="Omnibus" value="omnibus">
| Service | Port | Listen address | Description |
| ---------- | ----------- | -------------- | ----------------------------------------------------------------------------- |
| Nginx | `443/tcp` | `all` | Public HTTPS port for administering Firezone and facilitating authentication. |
| Nginx | `80/tcp` | `all` | Public HTTP port used for ACME. Disabled when ACME is disabled. |
| WireGuard | `51820/udp` | `all` | Public WireGuard port used for VPN sessions. |
| Postgresql | `15432/tcp` | `127.0.0.1` | Local-only port used for bundled Postgresql server. |
| Phoenix | `13000/tcp` | `127.0.0.1` | Local-only port used by upstream elixir app server. |
</TabItem>
</Tabs>
## Production deployments
For production deployments of Firezone, we recommend you disable local authentication
altogether by setting `default['firezone']['authentication']['local']['enabled'] = false`
(Omnibus-based deployments) or `LOCAL_AUTH_ENABLED=false` (Docker-based deployments).
Local authentication can also be disabled on the `/settings/security` page.
:::caution
Ensure you've set up a working [OIDC](/docs/authenticate/oidc/) or [SAML](/docs/authenticate/saml/)-based
authentication provider before disabling the local authentication method.
:::
## Reporting security issues
To report any security-related bugs, see [our security bug reporting policy
](https://github.com/firezone/firezone/blob/master/SECURITY.md).
Reference in New Issue View Git Blame Copy Permalink