Security

Overview

We automatically set up every service with several layers of security enabled by default.

This includes:

  - a custom domain with an automatically issued and renewed SSL/TLS certificate
  - a network firewall preconfigured for the software you deploy
  - an IP rate limiter for web traffic
  - an output cache for web traffic
  - termination protection and a backup grace period after deletion
  - management of the SSH keys allowed on the server

Each of these features is accessible from your Dashboard, most of them via the Security tab.


Custom domain and automated encryption (SSL/TLS)

If you have enabled the firewall on your service, make sure port 80 stays open to any IPv4/IPv6 address; otherwise Let's Encrypt cannot validate the domain and certificate creation and renewal will fail.

From the service dashboard, click "Custom Domain Names" in the Overview tab, then click "Manage SSL Domains".


From there you can manage the domains allowed for SSL. To add a new domain, type it and press Enter to add it to the list of authorized domains. You will also need to create a DNS entry pointing your domain at your service.

You can create either an A record or a CNAME record for this. A CNAME is preferred because it keeps working even if the IP address of your service changes (for example when you clone or migrate the service to another provider).

Once the record is added, you can verify that it has propagated with a tool such as https://dnschecker.org/

Once the record has propagated, SSL should work on your service straight away. The certificate is generated automatically and renewed automatically before it expires.
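As an added example (not Elestio's own tooling), the following Python script checks the two things this section depends on: that the domain resolves to your service, and that the certificate served for it is trusted, names the domain and is not close to expiry. It uses only the standard library; the domain and the expected service IP are hypothetical command-line arguments.

```python
#!/usr/bin/env python3
"""Verify a custom domain's DNS and TLS setup (added example, standard library only).

Usage (hypothetical): python3 check_domain.py app.example.com 203.0.113.10
"""
import socket
import ssl
import sys
import time


def resolve_ipv4(domain):
    """IPv4 addresses the domain currently resolves to, following any CNAME chain
    the same way a browser's resolver would."""
    infos = socket.getaddrinfo(domain, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def fetch_cert(domain, port=443, timeout=10):
    """Complete a TLS handshake with SNI set to the domain and return the leaf
    certificate in the dict form ssl.getpeercert() produces. A chain that is not
    trusted raises ssl.SSLCertVerificationError, the same failure a visitor's
    browser would show as a certificate warning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert()


def cert_report(cert, domain, now=None):
    """Pure check over a getpeercert()-style dict. Returns
    (names_domain, days_left, issuer_common_name): whether the subjectAltName
    covers the domain (exact match or a one-label wildcard), whole days until
    notAfter (negative once expired), and the issuer's common name."""
    now = time.time() if now is None else now
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    parent = domain.split(".", 1)[1] if "." in domain else ""
    names_domain = domain in sans or (parent != "" and f"*.{parent}" in sans)
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ())).get("commonName", "")
    return names_domain, days_left, issuer


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_domain.py <domain> <expected-ipv4>")
    domain, expected_ip = sys.argv[1], sys.argv[2]
    ips = resolve_ipv4(domain)
    dns_ok = expected_ip in ips
    print(f"{domain} resolves to {sorted(ips)}: "
          f"{'OK' if dns_ok else 'MISMATCH (DNS not propagated yet?)'}")
    try:
        cert = fetch_cert(domain)
    except ssl.SSLCertVerificationError as exc:
        sys.exit(f"TLS verification failed: {exc.verify_message}")
    names_domain, days_left, issuer = cert_report(cert, domain)
    print(f"certificate issuer={issuer!r} covers_domain={names_domain} days_left={days_left}")
    sys.exit(0 if dns_ok and names_domain and days_left > 0 else 1)
```

Run it once after the DNS record has propagated and again a few weeks later: a DNS mismatch usually means the record has not propagated yet or points at an old IP, a verification failure means the certificate was never issued (check the nginx log as described below), and a small days_left value with an unchanged certificate means renewal is failing, typically because port 80 is no longer reachable.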


Cloudflare users

If you are using Cloudflare reverse proxy (orange cloud icon) please check detailed instructions about Cloudflare & Elestio here:

https://docs.elest.io/books/security/page/using-cloudflare


Troubleshooting SSL not generated

You can display the nginx log with this command in a terminal:

cd /opt/elestio/nginx;
docker-compose logs -f;

Press Ctrl+C to stop following the live log.


Reset SSL_DATA folder

In some cases the /opt/elestio/nginx/ssl_data folder can become corrupted. If this happens, connect to a terminal and run:

cd /opt/elestio/nginx/;
docker-compose down;
mv ./ssl_data/ ./ssl_data_old/;
mkdir ./ssl_data/;
chmod 777 ./ssl_data/;
docker-compose up -d

Once executed, open your custom website URL again: the certificate should be generated and your site served over SSL/TLS. The previous folder is kept as ssl_data_old so it can be restored if needed; delete it once the new certificate is working.

Using Cloudflare

Cloudflare DNS:

If you wish to use Cloudflare for DNS only, you can configure it like any other DNS provider and simply follow the steps above for adding a custom domain.

WARNING: Your domain's DNS entry must show a GRAY cloud, not an ORANGE (proxied) cloud, next to the entry.

Using Cloudflare's proxy for your domain without the additional configuration described below will cause all incoming connections to fail!

A DNS-only entry is the one shown with the gray cloud icon.

Cloudflare Proxy

Even though Elest.io automatically provides SSL and has a firewall, there can be advantages to proxying traffic through Cloudflare, notably protection against DDoS attacks and automatic filtering of scripted attacks.

Note: Cloudflare only proxies traffic on certain ports (see Cloudflare's documentation for the list). If you want to use this hostname for SSH, FTP or other services on ports Cloudflare does not proxy, you must configure Cloudflare as DNS only for that hostname or use Cloudflare's Spectrum offer.

Because Elest.io already issues a publicly trusted certificate for your website, the recommended configuration is Cloudflare's "Full (strict)" SSL mode, in which Cloudflare verifies your origin certificate on every connection to your server. The weaker "Flexible" and "Full" modes would respectively leave the Cloudflare-to-origin hop unencrypted or accept any certificate, so an attacker on that path could read or tamper with traffic.

Before continuing, ensure you have already configured the domains as described in the custom domain instructions above.

Option 1: To set up strict SSL verification for your whole domain:
  1. Navigate to the SSL/TLS section of your domain's dashboard.
  2. Select the "Full (strict)" option.
  3. Your changes will be saved automatically. You're done!



Option 2: To set up strict SSL verification for a specific subdomain:
  1. In your domain's dashboard, navigate to Rules > Configuration Rules and click Create Rule.
  2. Name your rule and configure the incoming request filters (for example, the hostname of the subdomain).
  3. Set the SSL option to "Full (strict)".
  4. Click Save.

Option 3: Manual configuration (Advanced)

If you need a custom implementation, you can stop Elestio from issuing an SSL certificate for the domain with the following steps.

Create a CNAME record for your Cloudflare entry pointing at the CNAME provided for that service in the Elestio dashboard.

Note that these changes can be overwritten later if you modify the list of domains via the Elest.io dashboard.

1) Connect to the VM with SSH and open the nginx environment file:
nano /opt/elestio/nginx/.env

Remove your domain from the first line, then save and exit with Ctrl+X (confirm with Y).

2) Restart nginx so the change takes effect:
cd /opt/elestio/nginx;
docker-compose down;
docker-compose up -d;

After that, nginx will no longer try to obtain an SSL certificate for your domain.

Network Firewall

By default, we only open the ports necessary for the application you have deployed. 

How can I restrict access to my service by IP address?

From the Dashboard, select Security, then Show Settings on the Firewall row.


From there you can add, modify or remove rules that open a port of your service to the whole internet or only to a specific source IP address.

All services come preconfigured with firewall rules that match the software you are deploying.

You have to keep port 80 open to any IPv4/IPv6 address; otherwise Let's Encrypt cannot validate your domain and will not be able to generate or renew the SSL certificate.

IP rate limiter

From the Dashboard, click on Security then Rate Limiter > Show Options.

From here you can adjust your service's rate limiter: the number of requests allowed per second or per minute, counted per client IP address.

By default, all services are preconfigured with a rate limiter of 150 requests per minute and per IP address.

The rate limiter applies only to web traffic.

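To see what the default of 150 requests per minute per IP would catch in your own traffic before you change it, the following Python script (an added example, not Elestio's tooling; Elestio's limiter may count requests differently) scans nginx access-log lines in the common "combined" format and reports the peak request rate per client IP over a sliding window, for either a per-minute or a per-second limit. The log lines it runs on are constructed sample data; point parse_line at your real log to use it.

```python
#!/usr/bin/env python3
"""Find clients in an nginx access log that exceed a per-IP rate limit
(added example, standard library only)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# nginx "combined" log format: client IP, identity, user, [time], "request", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_line(line):
    """Return (client_ip, timestamp) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def peak_rate(timestamps, window_seconds):
    """Largest number of requests from one client inside any sliding window of
    window_seconds (two-pointer sweep over the sorted timestamps)."""
    window = timedelta(seconds=window_seconds)
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] >= window:  # drop requests that fell out of the window
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_offenders(lines, limit=150, window_seconds=60):
    """Map client IP -> peak request count for every client whose peak exceeds
    `limit` requests per window (the dashboard default is 150 per minute, per IP)."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            per_ip[parsed[0]].append(parsed[1])
    offenders = {}
    for ip, stamps in per_ip.items():
        peak = peak_rate(stamps, window_seconds)
        if peak > limit:
            offenders[ip] = peak
    return offenders


def make_lines(ip, start, count, spacing):
    """Constructed sample log lines (not real traffic) in combined format."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    return [
        f'{ip} - - [{(start + i * spacing).strftime(fmt)}] "GET /api/items HTTP/1.1" 200 512 "-" "curl/8.0"'
        for i in range(count)
    ]


START = datetime(2022, 9, 29, 16, 37, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    make_lines("203.0.113.5", START, 200, timedelta(milliseconds=150))  # 200 requests in 30 s
    + make_lines("198.51.100.7", START, 40, timedelta(seconds=3))       # 40 requests over 2 min
    + make_lines("192.0.2.9", START, 20, timedelta(0))                  # burst of 20 in one second
)

if __name__ == "__main__":
    print("over 150/min:", find_offenders(SAMPLE_LOG))
    print("over 10/s:   ", find_offenders(SAMPLE_LOG, limit=10, window_seconds=1))
```

In the sample data the scraper at 203.0.113.5 is the only client over the per-minute default, while the one-second burst from 192.0.2.9 only shows up once you switch to a per-second limit; a legitimate client that polls every few seconds stays under both. Log timestamps have one-second resolution, so a per-second limit is only as precise as that.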

Output Cache

From the Dashboard, navigate to the Security tab and select Show Options under Output Cache.

From here, you can modify your output cache configurations.

All GET responses are cached for 3 seconds, so a flood of identical requests is answered from the cache instead of reaching your application, which helps to mitigate denial-of-service (DoS) attacks. If your application returns different content to different logged-in users for the same URL, check (for example with two clients holding different session cookies) that each still receives its own response, and turn the cache off for such routes if it does not.

All services come preconfigured with Output cache by default.

The output cache applies only to web traffic.


Termination protection & grace period

You can enable or disable the Termination protection option from your Dashboard Overview, using the toggle on the right-hand side. This setting is disabled by default.


It's not possible to change software versions, delete, shut down, power off, reset or reboot your service when Termination protection is enabled. To make these changes, you must first disable Termination protection.

Backups are kept for a grace period of 7 days after a service is deleted, so you can restore the service for any reason within that window.



Manage SSH Keys

From the Dashboard, navigate to the Security tab and select the Show Options button to Manage SSH Keys.
From here, you can add or remove SSH keys allowed on the server.

Add an SSH key
Click Add key, give your key a title and save. Only the public key belongs on the server; never upload a private key.

Deleting an SSH key
Select the trash icon to the right of the key you wish to delete. You will be asked to confirm before the key is removed.