Backend security - Implementers highlights



The modularized openIMIS backend is intended to be deployed in an isolated network.

A sample docker-compose configuration is provided to illustrate the setup; this document describes that sample configuration.

💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣

This is, however, not a production-ready configuration. The minimum changes that have to be performed are:

  • Gateway must accept https (port 443) connections and redirect all http (port 80) connections to it. This requires a certificate setup, etc.

  • Gateway must be configured to interact with the chosen SSO platform (the sample configuration only implements a simple basic auth mechanism).

  • Database must be deployed on a dedicated server: the docker image is only provided for demo purposes.

💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣





The sample openIMIS-gateway is configured to restrict /api URLs (routed to the backend server) to users authenticated by a simple basic auth mechanism.

This mechanism is based on a .htpasswd file located on the gateway itself. Please consult the GitHub project README file to add, remove or change a user in this authentication mechanism.



The openIMIS backend supports two authentication mechanisms:

- a ‘remote user authentication’ mechanism (primary mechanism)

- the Django default username/password authentication (fallback mechanism)



The openIMIS backend only exposes its http (8000) port to the internal (docker) openIMIS-net network.

Access to it must therefore go through the gateway, which restricts access to users authenticated (at gateway level) only.

The gateway transmits the verified user identity to the backend via the ‘remote-user’ http header.

The backend layer checks that there is a corresponding valid (i.e. active) core.User for the provided identity and performs the Django login (without any password check at this level).

💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣



As a consequence, never expose the backend 8000 port to the outside: identity spoofing would be as simple as providing a username in the remote-user http header.



💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣💣

The default username/password authentication has been left active to allow direct access from within the openIMIS-net network (without going through the gateway).
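The following is an added illustration, not code from the openIMIS gateway or backend, that models the two mechanisms described above (basic auth against a .htpasswd file at the gateway, and remote-user header trust at the backend) in one runnable script. It assumes htpasswd entries in the {SHA} scheme (chosen only because the standard library can verify it; the real sample may use a different scheme), a constructed .htpasswd text and a constructed stand-in for the core.User table. The gateway models the check a practitioner wants to see: any client-supplied remote-user header is discarded before the verified identity is set, so the backend only ever sees a value the gateway produced. Calling the backend function directly shows why port 8000 must stay on the internal network.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# --- constructed sample data (not from any real deployment) -------------------

def sha_entry(password: str) -> str:
    """Return an htpasswd '{SHA}' field: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

# Constructed .htpasswd content, as the gateway would read it from disk.
# Production deployments should prefer bcrypt entries.
HTPASSWD_TEXT = "\n".join([
    "# constructed sample file",
    "alice:" + sha_entry("correct horse"),
    "bob:" + sha_entry("battery staple"),
])

# Constructed stand-in for backend core.User rows: username -> is_active.
CORE_USERS: Dict[str, bool] = {"alice": True, "bob": False}


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map username -> stored hash field, skipping blank and comment lines."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        users[name] = stored
    return users


def verify_basic_auth(header: Optional[str], users: Dict[str, str]) -> Optional[str]:
    """Return the username when the Authorization header carries valid credentials."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    stored = users.get(username)
    if not sep or stored is None or not stored.startswith("{SHA}"):
        return None
    # Constant-time comparison of the encoded digests.
    return username if hmac.compare_digest(stored, sha_entry(password)) else None


def backend(headers: Dict[str, str]) -> int:
    """Backend 'remote user' login: trusts the remote-user header as the page
    describes, checking only that an active core.User exists for that identity."""
    identity = headers.get("remote-user")
    if identity is None:
        return 401
    if not CORE_USERS.get(identity, False):
        return 403  # unknown or inactive user
    return 200


def gateway(path: str, headers: Dict[str, str]) -> int:
    """Gateway in front of the backend: only /api is routed to the backend, and
    only after basic auth succeeds. Header names are lower-cased on entry."""
    inbound = {k.lower(): v for k, v in headers.items()}
    # Drop any client-supplied remote-user header first: the backend must only
    # ever see the value this gateway sets from a verified identity.
    inbound.pop("remote-user", None)
    if not path.startswith("/api"):
        return 404
    user = verify_basic_auth(inbound.get("authorization"), parse_htpasswd(HTPASSWD_TEXT))
    if user is None:
        return 401  # refused at the gateway; the backend is never reached
    inbound["remote-user"] = user
    return backend(inbound)


def basic(user: str, password: str) -> str:
    """Build an Authorization header value for the sample requests."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    print("valid login via gateway:", gateway("/api/x", {"Authorization": basic("alice", "correct horse")}))
    print("spoofed header via gateway:", gateway("/api/x", {"Remote-User": "alice"}))
    print("spoofed header straight to backend:", backend({"remote-user": "alice"}))
```

The last two lines of the script make the page's warning concrete: the same spoofed header is discarded when it passes through the gateway but accepted when the backend is reached directly, which is exactly what exposing port 8000 would allow.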




This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/