b24d126b30
TLS for the services can be configure by setting the "OCIS_HTTP_TLS_ENABLED", "OCIS_HTTP_TLS_CERTIFICATE" and "OCIS_HTTP_TLS_KEY" environment variables. Currently the ocis proxy is this only service that directly accesses backend services. It determines whether to use TLS or not by looking a the new registry metadata "use_tls". As specific CA Cert for certificate verification can be set with the "PROXY_HTTPS_CACERT" environment variable.
Proxy Service
The proxy service is an API-Gateway for the ownCloud Infinite Scale microservices. Every HTTP request goes through this service. Authentication, logging and other preprocessing of requests also happens here. Mechanisms like request rate limitting or intrusion prevention are not included in the proxy service and must be setup in front like with an external reverse proxy.
The proxy service is the only service communicating to the outside and needs therefore usual protections against DDOS, Slow Loris or other attack vectors. All other services are not exposed to the outside, but also need protective measures when it comes to distributed setups like when using container orchestration over various physical servers.
Authentication
The following request authentication schemes are implemented:
- Basic Auth (Only use in development, never in production setups!)
- OpenID Connect
- Signed URL
- Public Share Token
Recommendations for Production Deployments
In a production deployment, you want to have basic authentication (PROXY_ENABLE_BASIC_AUTH) disabled which is the default state. You also want to setup a firewall to only allow requests to the proxy service or the reverse proxy if you have one. Requests to the other services should be blocked by the firewall.