This repository was archived by the owner on Mar 22, 2023. It is now read-only.
File: _posts/2019-02-14-configure-firewall.md (4 additions & 4 deletions)
@@ -14,20 +14,20 @@ If you are a developer setting up BigBlueButton on a local VM for testing, you c
14
14
15
15
# Overview
16
16
17
-
The easiest network configuration for installing BigBlueButton is on a server that has a single external IP address, the server is on the public Internet (and thus directly accessible by your users), and there is no firewall (virtual or physical) between users and the server. Here is an example of such a setup with the BigBlueButton server having a (fictional) IP address 203.0.113.1 with hostname `bigbluebutton.example.com`.
17
+
The easiest network configuration for installing BigBlueButton is on a server that has a single external IP address and the server is on the public Internet (and thus directly accessible by your users). Port-based access firewalling is implemented using [UFW](2.2/customize.html#secure-your-system--restrict-access-to-specific-ports). Here is an example of such a setup with the BigBlueButton server having a (fictional) IP address 203.0.113.1 with hostname `bigbluebutton.example.com`.
18
18
19
19

20
20
21
-
In this simple network configuration, BigBlueButton should work out-of-the-box after installation. This is because the packaging scripts automatically configure BigBlueButton using the first non-loopback IP address.
21
+
In this simple network configuration, BigBlueButton should work out-of-the-box after installation. This is because the packaging scripts automatically configure BigBlueButton using the first non-loopback IP address, whereas access to sensitive ports is blocked.
22
22
A variation of this setup occurs when the server has multiple network interfaces, but the external IP is still the first network interface (such as `eth0`) picked up by the installation scripts.
23
23
24
24

25
25
26
-
If your server has `eth0` pointing to the external IP address on the internet, and there is no other firewall in place, then the packaging scripts should detect this external IP address and configure BigBlueButton accordingly. You don't need to do any of the changes below.
26
+
If your server has `eth0` pointing to the external IP address on the internet, and there is no external firewall in place, then the packaging scripts should detect this external IP address and configure BigBlueButton accordingly. You don't need to do any of the changes below.
27
27
28
28
Don't worry if your server's IP address changes, BigBlueButton comes with a configuration utility called `bbb-conf` that lets you change all of BigBlueButton's configuration files to use any IP address or hostname.
29
29
30
-
If there is a firewall between your users and the BigBlueButton server, then you will need to first configure the firewall to forward specific TCP/UDP connections from external clients to the internal BigBlueButton server; otherwise, users will not be able to access BigBlueButton.
30
+
If there is an IPv4 Network Address Translation (NAT) between your users and the BigBlueButton server, then you will need to first configure the firewall to forward specific TCP/UDP connections from external clients to the internal BigBlueButton server; otherwise, users will not be able to access BigBlueButton.
31
31
32
32
The following diagram gives a typical setup with an external firewall (your setup will, of course, have different IP address and hostnames).
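Review bot: the new UFW link `[UFW](2.2/customize.html#secure-your-system--restrict-access-to-specific-ports)` is a relative path with no leading slash, unlike the `/2.2/customize.html#...` form used in install.md in this same commit; from a page served under `/2.2/` it resolves to `/2.2/2.2/customize.html`, so make it `/2.2/customize.html#secure-your-system--restrict-access-to-specific-ports`. The added clause "whereas access to sensitive ports is blocked" reads as an unconditional statement that the firewall is active right after installation, but the customize.md text in this commit describes a UFW ruleset that "can be applied on restart"; state plainly whether UFW is enabled by the installer or must be enabled by the administrator, and use "while" rather than "whereas". The replaced condition now says "an IPv4 Network Address Translation (NAT)", yet the remainder of that sentence and the unchanged "typical setup with an external firewall" line still say "firewall"; keep one term or write "a NAT or firewall" so the text stays consistent with the diagram that follows.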
File: _posts/2019-02-14-customize.md (7 additions & 3 deletions)
@@ -42,11 +42,13 @@ swfSlidesRequired=false
42
42
43
43
The SWF files are not needed by the HTML5 client.
44
44
45
-
## Restrict access to specific ports
45
+
## Secure your system -- restrict access to specific ports
46
46
47
-
If your server is behind a firewall already -- such as running within your company or on an EC2 instance behind a Amazon Security Group -- and the firewall is enforcing the above restrictions, you don't a second firewall and can skip this section.
47
+
Configuring IP firewalling is *essential for securing your installation*. By default, many services are reachable across the network. This allows BigBlueButton operate in clusters and private data center networks -- but it creates a significant attack surface, if your BigBlueButton server is publicly available on the internet.
48
48
49
-
If your BigBlueButton server is publicly available on the internet, then, for increased security, you should restrict access only to the following needed ports:
49
+
If your server is behind a firewall already -- such as running within your company or on an EC2 instance behind a Amazon Security Group -- and the firewall is enforcing the above restrictions, you don't need a second firewall and can skip this section.
50
+
51
+
BigBlueButton comes with a [UFW](https://launchpad.net/ufw) based ruleset. It it can be applied on restart (c.f. [Automatically apply configuration changes on restart](#automatically-apply-configuration-changes-on-restart)) and restricts access only to the following needed ports:
50
52
51
53
* TCP/IP port 22 for SSH
52
54
* TCP/IP port 80 for HTTP
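Review bot: the moved sentence "the firewall is enforcing the above restrictions" now sits before the port list it refers to, so "above" should be "following" (or "below"); as written, a reader reaches "above restrictions" before any restriction has been listed. The new paragraphs also carry grammar slips to fix before merge: "This allows BigBlueButton operate" needs "to", "a significant attack surface, if your" has a stray comma, "behind a Amazon Security Group" should be "an Amazon", and "It it can be applied on restart (c.f. ...)" duplicates "It" and should read "cf.". Finally, confirm that the renamed heading `## Secure your system -- restrict access to specific ports` really yields the anchor `#secure-your-system--restrict-access-to-specific-ports` in this site's Markdown renderer: the links in configure-firewall.md and install.md in this commit depend on that exact double-hyphen slug, and a mismatch would break both silently.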
@@ -73,6 +75,8 @@ ufw --force enable
73
75
74
76
These `ufw` firewall rules will be automatically re-applied on server reboot.
75
77
78
+
Besides IP-based firewalling, web application firewalls such as [ModSecurity](https://modsecurity.org/) provide additional security by checking requests to various web-based components.
79
+
76
80
## Extract the shared secret
77
81
78
82
Any front-end to BigBlueButton needs two pieces of information: the hostname for the BigBlueButton server and its shared secret (for authenticating API calls). To print out the hostname and shared secret for you BigBlueButton server, enter the command `bbb-conf --secret`:
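Review bot: the added ModSecurity sentence should say whether it is a recommendation or a supported configuration, because it directly follows the statement that the `ufw` rules are re-applied automatically on reboot, and a reader may take it to mean BigBlueButton ships or supports a ModSecurity setup. Either name the component it would sit in front of, or note that its configuration is outside the scope of this guide. "checking requests to various web-based components" is also vague; "inspecting HTTP requests before they reach the web components" says what a web application firewall does.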
File: _posts/2019-02-15-install.md (1 addition & 1 deletion)
@@ -548,7 +548,7 @@ If this server is intended for production, you should
548
548
549
549
*[Assign the server a hostname](#assign-a-hostname)
550
550
*[Install a SSL certificate to support HTTPS](#configure-ssl-on-your-bigbluebutton-server)
551
-
*[Restrict access to specific ports](/2.2/customize.html#restrict-access-to-specific-ports)
551
+
*[Secure your system -- restrict access to specific ports](/2.2/customize.html#secure-your-system--restrict-access-to-specific-ports)
552
552
*[Configure the server to work behind a firewall](/2.2/configure-firewall) (if needed)
553
553
*[remove the API demos](/2.2/customize.html#remove-the-api-demos) (if you had them installed for testing)
554
554
*[Set up a TURN server](/2.2/setup-turn-server.html) (if your server is on the Internet and you have users accessing it from behind restrictive firewalls)
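Review bot: the link text and anchor update match the heading rename in customize.md, but every item in this block, including the changed line `*[Secure your system -- restrict access to specific ports](...)`, has no space between `*` and `[`, which Markdown does not render as a bullet list; since this line is being touched, add the space (`* [Secure your system ...]`) and consider doing the same for the neighbouring items in a follow-up.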