mirror of
https://github.com/bigchaindb/bigchaindb.git
synced 2024-10-13 13:34:05 +00:00
102 lines
2.1 KiB
HCL
102 lines
2.1 KiB
HCL
# It might be better to:
|
|
# 1. start by only allowing SSH on port 22 (in the security group)
|
|
# 2. use SSH to set up a proper firewall on the (virtual) machine
|
|
# 3. add a second security group with more ports open
|
|
|
|
resource "aws_security_group" "node_sg1" {
|
|
name_prefix = "BigchainDB_"
|
|
description = "Single-machine BigchainDB node security group"
|
|
tags = {
|
|
Name = "BigchainDB_one-m"
|
|
}
|
|
|
|
# Allow all outbound traffic
|
|
egress {
|
|
from_port = 0
|
|
to_port = 0
|
|
protocol = "-1"
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
# SSH
|
|
ingress {
|
|
from_port = 22
|
|
to_port = 22
|
|
protocol = "tcp"
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
# DNS
|
|
ingress {
|
|
from_port = 53
|
|
to_port = 53
|
|
protocol = "udp"
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
# HTTP is used by some package managers
|
|
ingress {
|
|
from_port = 80
|
|
to_port = 80
|
|
protocol = "tcp"
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
# NTP daemons use port 123 but the request will
|
|
# come from inside the firewall so a response is expected
|
|
|
|
# SNMP (e.g. for server monitoring)
|
|
ingress {
|
|
from_port = 161
|
|
to_port = 161
|
|
protocol = "udp"
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
# HTTPS is used when installing RethinkDB
|
|
# and by some package managers
|
|
ingress {
|
|
from_port = 443
|
|
to_port = 443
|
|
protocol = "tcp"
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
# StatsD
|
|
ingress {
|
|
from_port = 8125
|
|
to_port = 8125
|
|
protocol = "udp"
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
# Future: Don't allow port 8080 for the RethinkDB web interface.
|
|
# Use a SOCKS proxy or reverse proxy instead.
|
|
|
|
ingress {
|
|
from_port = 8080
|
|
to_port = 8080
|
|
protocol = "tcp"
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
# BigchainDB Client-Server REST API
|
|
ingress {
|
|
from_port = 9984
|
|
to_port = 9984
|
|
protocol = "tcp"
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
# Port 28015 doesn't have to be open to the outside
|
|
# since the RethinkDB client and server are on localhost
|
|
|
|
# RethinkDB intracluster communications use port 29015
|
|
ingress {
|
|
from_port = 29015
|
|
to_port = 29015
|
|
protocol = "tcp"
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
}
|