Network security & redirect settings
The Network interface allows you to configure and manage network access to your application including:
- Firewall: Controls access to your servers (based on IP addresses and ports)
- Traffic: Controls the flow of web traffic to your application servers
- Application Private Network: an encrypted VPN-like network between your servers
- Redirects: Sets server-level redirects for web traffic
Firewall
The Firewall tab allows you to configure and apply firewall rules per server for your application.
By default, Cloud 66 gateway servers (e.g. 54.84.166.97) are the only servers allowed SSH (port 22) access to application servers. The default firewall rules include the database and web ports appropriate for the deployed application, but also include ports 8080 and 8443 as alternative HTTP ports for WebSocket-based applications like Faye.
Editing and removing the default firewall rules is disabled so that the servers remain reachable for management at all times.
Temporary SSH access
You can open your firewall temporarily in cases when you need access to your servers by clicking the icon at the top right of Firewall Rules panel.
The form is pre-filled with your current IP address and lets you choose how long the opening lasts and which server port you wish to access. Doing this avoids the risk of leaving firewall ports open permanently when that is not necessary.
Adding a firewall rule
To add your own rules, click Add a new firewall rule. You can input single IP addresses or ranges, and the drop-down allows you to choose servers by name (e.g. Rails servers).
Microsoft Azure notice
If you want to open a custom port to your server in Microsoft Azure, you must add an endpoint for that VM in your Azure management portal after adding the rule in your Cloud 66 dashboard.
Traffic settings
The Traffic tab allows you to configure five different sets of rules that govern web traffic flowing to your application:
- Traffic filters: Whitelisting or blacklisting traffic based on source IP and/or country of origin
- Web Application Firewall: an Nginx-based WAF powered by ModSecurity (may require an application update)
- OWASP rules: automated rules for the application WAF (may require an application update) - please read our separate guide for details.
- Surge protection: prevents DDOS attacks by rate-limiting based on IP addresses
- CORS: Rules for Cross-Origin Resource Sharing (CORS)
Traffic Filters
By default, all web traffic is allowed to reach your servers on your desired ports. For Rails applications these are 80, 443, 8080 and 8443. For Maestro applications these ports are extracted from your exposed service configurations. The Traffic Filters tab allows you to set rules for access via these ports.
You can filter traffic based on:
- The source (IP address range) it originates from
- The country it originates from
Each of these filters has three (mutually exclusive) strategies:
- Allow traffic from any source and/or country (the default)
- Only allow traffic from certain sources and/or countries (“whitelisting”)
- Block traffic from specific sources and/or countries (“blacklisting”)
Source filtering
For the “allow” and “block” rules, you can use any combination of:
- Single IP addresses
- IP ranges (e.g. 23.12.123.54/16)
- A URL that lists IP addresses in either .txt or JSON format
Addresses in text format can be either comma separated or newline separated (but not a combination).
The JSON document can list IP addresses as an array:
["192.168.1.1", "192.168.1.2"]
…or as a hash (JSON object) with a single key, which can be “ips”, “ip_addresses” or “addresses”, whose value is that array:
{"ips": ["192.168.1.1", "192.168.1.2", "192.168.2.2"]}
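As an added example (not Cloud 66's own code), the following parser accepts the three list shapes described above, a comma- or newline-separated text file and the two JSON shapes, and turns them into networks that can be matched against a client address. Rejecting a text file that mixes both separators and validating every entry are this example's own checks, not documented platform behaviour.

```python
import ipaddress
import json

LIST_KEYS = ("ips", "ip_addresses", "addresses")  # the keys the page accepts


def parse_ip_list(body, fmt):
    """Parse a fetched allow/block list into ip_network objects.

    fmt is "txt" (comma OR newline separated, not both) or "json" (a bare
    array, or a hash whose "ips"/"ip_addresses"/"addresses" key holds it).
    """
    if fmt == "json":
        doc = json.loads(body)
        if isinstance(doc, dict):
            found = [k for k in LIST_KEYS if k in doc]
            if not found:
                raise ValueError("hash needs one of %s" % (LIST_KEYS,))
            doc = doc[found[0]]
        if not isinstance(doc, list):
            raise ValueError("JSON list must be an array of addresses")
        entries = doc
    elif fmt == "txt":
        text = body.strip()
        if "," in text and "\n" in text:
            raise ValueError("text list must use commas OR newlines, not both")
        entries = text.split("," if "," in text else "\n")
    else:
        raise ValueError("unsupported format: %r" % fmt)
    nets = []
    for raw in entries:
        raw = str(raw).strip()
        if raw:
            # strict=False accepts host bits, e.g. 23.12.123.54/16 -> 23.12.0.0/16
            nets.append(ipaddress.ip_network(raw, strict=False))
    return nets


def is_listed(ip, nets):
    """True if ip falls inside any parsed entry (single IPs are /32 networks)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


# Constructed sample documents in the accepted shapes
SAMPLE_JSON_ARRAY = '["192.168.1.1", "192.168.1.2"]'
SAMPLE_JSON_HASH = '{"ips": ["192.168.1.1", "192.168.1.2", "192.168.2.2"]}'
SAMPLE_TXT = "10.0.0.1,23.12.123.54/16"
```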
Country filtering
To add a country as a filter condition, click on the dropdown and then select it from the list. You can also type in the name of the country to “search” the list.
Managing Traffic Filters
To implement or update Traffic Filters for your application:
- Log in to your Cloud 66 Dashboard and click on your application
- Click on Network in the right-hand column
- Click on the Traffic tab at the top of the main panel
- Click on the radio buttons of the rule types you want to implement
- Add your sources and/or countries as needed (multiple sources are supported for both block and allow)
- Click Review Changes
- Review the rules that will be applied and then click Apply Changes
Load Balancer Traffic
You can configure your application to only allow web traffic via your load balancers. This is useful for hardening your other servers against intrusions. However, you may still want your own team to be able to query your other servers directly via the web. To allow this, you can specify a set of IP addresses that are exceptions to this rule.
To force all web traffic to flow via your load balancer:
- Log in to your Cloud 66 Dashboard and click on your application
- Click on Network in the right-hand column
- Click on the Traffic tab at the top of the main panel
- Scroll down to Load Balancer Traffic and check the box to enable it
- If needed check the “allow direct traffic to servers from these sources” box and then add your sources (multiple sources are supported)
- Click Review Changes
- Review the rules that will be applied and then click Apply Changes
Web Application Firewalls
Please read our separate guide for details on WAF.
OWASP Rules
Please read our separate guide for details on OWASP rules for WAF.
Application Surge Protection
To help prevent denial of service (DoS) attacks, Cloud 66 automatically blocks any IP address that makes more than 1,500 requests per minute to your server(s). We call this Surge Protection. You can see whether any IP addresses are currently being blocked by clicking on Active Protect in the right-hand column.
You can enable or disable Surge Protection as needed, and you can also add exclusions to prevent your own sources from being blocked. If you use CloudFlare and/or AWS CloudFront we allow you to automatically exclude their entire IP ranges.
To configure Surge Protection for your application:
- Log in to your Cloud 66 Dashboard and click on your application
- Click on Network in the right-hand column
- Click on the Traffic tab at the top of the main panel
- Click on the Surge Protection sub-tab
- Click on the checkbox to enable or disable Surge Protection
- Check the CloudFlare and AWS CloudFront boxes as needed
- Add custom exclusions as needed (multiple sources are supported)
- Click Review Changes
- Review the rules that will be applied and then click Apply Changes
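To see how the Surge Protection rule above behaves against real traffic, here is an added example (not Cloud 66's own implementation) that applies the same per-IP, per-minute threshold of 1,500 requests to access-log lines, honouring an exclusion list in the way the CDN exclusions do. The log lines and the excluded network are constructed for the example; the exclusion is a placeholder, not CloudFlare's or CloudFront's real ranges.

```python
import ipaddress
import re
from collections import Counter

SURGE_THRESHOLD = 1500  # requests per minute per IP, the limit stated above

# Leading fields of an Nginx combined-format access log line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "')


def minute_key(ts):
    """'10/Oct/2023:13:55:36 +0000' -> '10/Oct/2023:13:55'."""
    return ts.rsplit(":", 1)[0]


def find_surging_ips(lines, exclusions=(), threshold=SURGE_THRESHOLD):
    """Return {ip: peak requests in any single minute} for every IP whose
    peak exceeds threshold, skipping IPs inside an excluded network."""
    excluded = [ipaddress.ip_network(n) for n in exclusions]
    per_minute = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # malformed lines are skipped rather than aborting the scan
            per_minute[(m.group("ip"), minute_key(m.group("ts")))] += 1
    peaks = {}
    for (ip, _minute), n in per_minute.items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return {
        ip: n for ip, n in peaks.items()
        if n > threshold
        and not any(ipaddress.ip_address(ip) in net for net in excluded)
    }


def sample_lines():
    """Constructed log lines: 203.0.113.7 sends 1,600 requests in one
    minute, 198.51.100.9 (inside the constructed CDN range below) does
    the same, and 192.0.2.5 sends three ordinary requests."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.7", s=i % 60) for i in range(1600)]
    lines += [fmt.format(ip="198.51.100.9", s=i % 60) for i in range(1600)]
    lines += [fmt.format(ip="192.0.2.5", s=i) for i in range(3)]
    return lines


# Stand-in for a CDN's published ranges (constructed placeholder)
CDN_EXCLUSIONS = ["198.51.100.0/24"]
```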
CORS
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. This allows, for example, Ajax requests across domains. We strongly recommend learning about CORS before attempting to implement it.
If you have previously specified CORS settings in your Manifest file, we will use these settings in the interface described below.
To manage CORS settings for your application via the Dashboard:
- Log in to your Cloud 66 Dashboard and click on your application
- Click on Network in the right-hand column
- Click on the Traffic tab at the top of the main panel
- Click on the CORS sub-tab
- Click on the radio button to enable (or disable) CORS for your application
- If you have enabled CORS, you can also configure the Origin, Methods and Headers settings (see the link above for more info on what these mean)
- You can choose to share credentials by checking the box
- Once you are finished, click Review Changes
- Review the rules that will be applied and then click Apply Changes
As mentioned above, you can also manage these settings via your Manifest file.
Using network redirects
The Redirects tab helps you perform simple but frequently used network redirects. These include redirecting traffic from HTTP to HTTPS or adding or removing the www prefix from your domain.
Redirect HTTP to HTTPS
You can use the Cloud 66 SSL Add-in to add a certificate to your application and serve your traffic securely via HTTPS. To ensure that all your visitors use HTTPS, you should redirect anyone using HTTP to HTTPS.
This works by changing your Nginx configuration so that any visitor arriving over HTTP on port 80 receives a permanent HTTP redirect (301) to the same address on HTTPS.
You can find it in Application Overview → Network → Redirects tab
WWW or non-WWW in your URL
Some sites serve traffic on www.domain.com, while others use the bare domain.com. By default, your servers will serve traffic for any DNS record pointing to their address. This setting allows you to redirect visits to www.domain.com to domain.com, and vice versa. This works by changing your Nginx configuration to permanently redirect (HTTP 301) visitors to the desired address.
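As an added example (not Cloud 66's own code) covering both redirect settings above, the functions below compute the Location a correctly configured server should send for a given request and validate an observed response against it: a permanent 301, the path and query preserved, and no redirect once the address is canonical. Folding the HTTPS and www rewrites into a single hop is an assumption of this example, not documented behaviour.

```python
from urllib.parse import urlsplit, urlunsplit


def expected_redirect(url, force_https, www_mode):
    """Location a correctly configured server should send for url, or None
    if url is already canonical. www_mode is "strip", "add" or None.
    Assumption of this example: both rewrites happen in one 301 so a
    visitor never follows a redirect chain."""
    p = urlsplit(url)
    scheme, host = p.scheme, p.netloc.lower()
    if force_https:
        scheme = "https"
    if www_mode == "strip" and host.startswith("www."):
        host = host[4:]
    elif www_mode == "add" and not host.startswith("www."):
        host = "www." + host
    # path and query are carried over unchanged; an empty path becomes "/"
    target = urlunsplit((scheme, host, p.path or "/", p.query, ""))
    return None if target == url else target


def check_redirect(url, status, location, force_https, www_mode):
    """True if an observed (status, Location) pair is exactly what the
    redirect settings require: a 301 (not a temporary 302/307) to the
    canonical address, or no redirect at all when already canonical."""
    want = expected_redirect(url, force_https, www_mode)
    if want is None:
        return status not in (301, 302, 303, 307, 308)
    return status == 301 and location == want
```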
You can find it in Application Overview → Network → Redirects tab