scottk/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-03-22 04:42:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
963aca75cbfbd070c8693e4b4c564c6fc3bfb312
firezone/docs/docs/deploy/security-considerations.mdx
Jamil 963aca75cb Update recommendations for local authentication (#1252) 
Update the local auth docs to reflect current recommendations.
2022-12-29 17:13:18 -06:00

58 lines
3.0 KiB
Plaintext
Raw Blame History

---
title: Security Considerations
sidebar_position: 6
---
# Security considerations
**Disclaimer**: Firezone is still beta software. The codebase has not yet
received a formal security audit. For highly sensitive and mission-critical
production deployments, we recommend disabling local authentication as
detailed [below](#production-deployments).
## List of services and ports
Shown below is a table of default ports used by Firezone services.
<Tabs>
<TabItem label="Docker" value="docker" default>
| Service | Port | Listen address | Description |
| ------ | --------- | ------- | --------- |
| Caddy | `443/tcp` | `all` | Public HTTPS port for administering Firezone and facilitating authentication. |
| Caddy | `80/tcp` | `all` | Public HTTP port used for ACME. Disabled when ACME is disabled. |
| WireGuard | `51820/udp` | `all` | Public WireGuard port used for VPN sessions. |
| Postgresql | `5432/tcp` | `-` | Containerized port used for bundled Postgresql server. |
| Phoenix | `13000/tcp` | `-` | Containerized port used by upstream elixir app server. |
</TabItem>
<TabItem label="Omnibus" value="omnibus">
| Service | Port | Listen address | Description |
| ------ | --------- | ------- | --------- |
| Nginx | `443/tcp` | `all` | Public HTTPS port for administering Firezone and facilitating authentication. |
| Nginx | `80/tcp` | `all` | Public HTTP port used for ACME. Disabled when ACME is disabled. |
| WireGuard | `51820/udp` | `all` | Public WireGuard port used for VPN sessions. |
| Postgresql | `15432/tcp` | `127.0.0.1` | Local-only port used for bundled Postgresql server. |
| Phoenix | `13000/tcp` | `127.0.0.1` | Local-only port used by upstream elixir app server. |
</TabItem>
</Tabs>
## Production deployments
For production deployments of Firezone, we recommend you disable local authentication
altogether by setting `default['firezone']['authentication']['local']['enabled'] = false`
(Omnibus-based deployments) or `LOCAL_AUTH_ENABLED=false` (Docker-based deployments).
Local authentication can also be disabled on the `/settings/security` page.
:::caution
Ensure you've set up a working [OIDC](/authenticate/oidc/) or [SAML](/authenticate/saml/)-based
authentication provider before disabling the local authentication method.
:::
## Reporting Security Issues
To report any security-related bugs, see [our security bug reporting policy
](https://github.com/firezone/firezone/blob/master/SECURITY.md).
Reference in New Issue View Git Blame Copy Permalink