- Automated encryption (SSL/TLS)
- Network Firewall
- IP rate limiter
- Output Cache
- Termination protection & grace period
- Manage SSH Keys
- SMTP service
- Multi-factor authentication
We automatically set up all services with several layers of security activated by default.
- Automated SSL / TLS
- Network Firewall
- IP Rate Limiter
- Output Cache
- Accidental termination protection & Grace period
- Manage SSH Keys
Each of these features is accessible from your Dashboard via the Security tab.
Automated encryption (SSL/TLS)
If you have activated the firewall on your service, ensure port 80 is open, or else certificate creation/renewal will fail.
From the service dashboard, click on "Custom Domain Names" in the overview tab, then click on "Manage SSL Domains".
From there you can manage the domains allowed for SSL. If you want to add a new domain, just type it and press enter to add it to the list of authorized domains. You will also need to create a DNS entry that points your domain to the IP address of your service.
You can create either an A record or a CNAME record pointing to your service. CNAME is preferred because it keeps working even if your IP address changes (e.g. this can happen when you clone or migrate your service to another provider).
Once added, you can verify that your DNS entry has propagated with a tool like https://dnschecker.org/
Once propagated, SSL should work instantly on your service. The certificate is generated and renewed automatically.
If you are using Cloudflare, do not enable the reverse proxy (orange cloud) on your DNS entries, or else it will prevent Elestio from creating/renewing the SSL certificate with Let's Encrypt.
If you still want to use Cloudflare with the orange cloud, disable Elestio SSL for your custom domain as follows:
1) Connect to the VM with SSH and type this:
There, remove your domain from the first line and save with CTRL+X.
Then type this command:
docker-compose up -d;
After that, nginx won't try again to obtain an SSL certificate for your domain, and your site will use only the SSL from Cloudflare.
Troubleshooting SSL not generated
You can display the nginx log with this command in a terminal (run it from /opt/elestio/nginx, where the docker-compose file lives):
docker-compose logs -f;
Press CTRL+C to stop displaying the live logs.
Reset SSL_DATA folder
In some cases, the /opt/elestio/nginx/ssl_data folder can become corrupted. If this happens, connect to a terminal, change into /opt/elestio/nginx (the commands below use paths relative to that folder), and try this:
mv ./ssl_data/ ./ssl_data_old/;
# recreate an empty folder so the chmod below has a target (the move above removed it)
mkdir ./ssl_data/;
chmod 777 ./ssl_data/;
docker-compose up -d
Once executed, just open your custom website URL again; your certificate should be generated and your site served over SSL/TLS.
Network Firewall
By default, we only open the ports necessary for the application you have deployed.
How can I restrict access to my service by IP address?
From the Dashboard, select Security, then Show Settings on the Firewall row.
From there you can modify, remove or add rules to open a port of your service to the internet (or only to a specific IP address).
All services come preconfigured with firewall rules that match the software you are deploying.
You have to keep port 80 open to any IPv4/IPv6 address, or else Let's Encrypt won't be able to generate an SSL certificate.
IP rate limiter
From the Dashboard, click on Security then Rate Limiter > Show Options.
From here, you can easily adjust your service's rate limiter configuration: the number of requests allowed per minute or per second, per IP address.
By default, all services are preconfigured with a rate limiter of 150 requests per minute and per IP address.
The rate limiter applies only to web traffic.
Output Cache
From the Dashboard, navigate to the Security tab and select Show Options under Output Cache.
From here, you can modify your output cache configurations.
All GET requests are cached for 3 seconds, which helps absorb Denial of Service (DoS) attacks: repeated requests for the same page are served from the cache instead of hitting your application.
All services come preconfigured with Output cache by default.
Output cache is used for web traffic only.
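To make the two defaults above concrete (150 requests per minute per IP, and GET responses reused for 3 seconds), here is an added toy model of that edge behaviour. It is example code written for this page, not Elestio's implementation; the request timings and IP addresses are constructed.

```python
from collections import defaultdict, deque

RATE_LIMIT = 150        # requests per window per IP (Elestio default)
WINDOW_MS = 60_000      # one minute, in milliseconds
CACHE_TTL_MS = 3_000    # how long a GET response is reused

class EdgeSimulator:
    """Toy model of a per-IP sliding-window rate limiter plus a GET output cache."""
    def __init__(self, backend):
        self.backend = backend            # callable(method, path) -> response body
        self.hits = defaultdict(deque)    # ip -> timestamps (ms) of accepted requests
        self.cache = {}                   # path -> (expires_at_ms, body)
        self.backend_calls = 0            # how often the application was actually hit

    def handle(self, ip, method, path, now_ms):
        """Return (status, body); 429 when the IP exceeded its budget."""
        q = self.hits[ip]
        while q and q[0] <= now_ms - WINDOW_MS:   # drop requests older than the window
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return 429, None
        q.append(now_ms)
        if method == "GET":
            entry = self.cache.get(path)
            if entry and entry[0] > now_ms:       # fresh cached copy: no backend work
                return 200, entry[1]
        body = self.backend(method, path)
        self.backend_calls += 1
        if method == "GET":                       # only GETs are cached, as on the page
            self.cache[path] = (now_ms + CACHE_TTL_MS, body)
        return 200, body

def simulate_burst(n_requests=200, ip="203.0.113.10"):
    """One constructed client firing GET / ten times per second for 20 seconds.
    Returns (accepted, rejected, backend_calls)."""
    edge = EdgeSimulator(lambda m, p: f"{m} {p} rendered")
    statuses = [edge.handle(ip, "GET", "/", t * 100)[0] for t in range(n_requests)]
    return statuses.count(200), statuses.count(429), edge.backend_calls

if __name__ == "__main__":
    print(simulate_burst())   # 150 accepted, 50 rejected, 5 backend renders
```

The 150 accepted requests span 15 seconds, so the 3-second cache lets only five of them reach the application; everything after the 150th is rejected until the window slides.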
Termination protection & grace period
You can enable or disable the Termination protection option from your Dashboard Overview, using the toggle on the right-hand side. This setting is disabled by default.
It's not possible to change software versions, delete, shut down, power off, reset or reboot your service when Termination protection is enabled. To make these changes, you must first disable Termination protection.
Our grace period for storing backups after the deletion of a service is 7 days, so you can restore your service within this window for any reason.
Manage SSH Keys
From the Dashboard, navigate to the Security tab and select the Show Options button to Manage SSH Keys.
From here, you can add or remove SSH keys allowed on the server.
Add an SSH key
Click on Add key, give your key a title and save!
Deleting an SSH key
Select the 'trash' icon to the right of the key you wish to delete. We'll always double-check with you before making a deletion, just to be sure!
SMTP service
All deployed services include a basic preconfigured SMTP service, useful for sending alerts and notifications from your service.
This is free, but comes with a few limitations:
- You can only send transactional emails. Marketing emails are not permitted. Any violation of this will lead to a suspension or termination of your service.
- You can send up to 300 transactional emails per hour. That's up to 7200 emails per day!
- All emails must be sent from [domain]@vm.elestio.app, where [domain] is the URL of your service. Attempts at sending from any other email address will be rejected.
- The SMTP service is only available from the global private network IP of your VM.
Of course, in several cases you will want to change the SMTP configuration in the web UI of your software to use another SMTP service. This is useful if you want to configure another sender address or to overcome the limitations stated above.
Check out our list of recommended SMTP providers:
Multi-factor authentication
By default, Elestio uses email-based MFA: each time you log in to Elestio, we send you an email with a one-time code to enter into our UI before you can connect. This protection is in place to enforce security and avoid account hacking.
We also offer TOTP-based MFA, which is more secure because the codes are generated by an app installed on your phone instead of being sent to you by email. So even if your mailbox is compromised, your Elestio account will still be safe.
We recommend all users use a TOTP generator; you can activate it in a few clicks from our dashboard > user profile > Security tab.