Securing Dreamfactory and Database question


#1

Hi everyone,
Congratulations to the development team; this looks like a very good platform. So far so good.

A couple of questions:
1-Is there an article somewhere that explains how best to secure DreamFactory? What are the best practices? Let me be more precise. After the installation of DF, it listens on the default port and accepts all incoming connections from the outside (I haven't changed any firewall setting, and it's the default DF installation). I assume it is not good practice to have the DF server open on the internet, where anyone can try to log in to DF? How would one set up a typical DF architecture where mobile apps connect to the DF APIs, but the admin portal is hidden?

2-I've installed DF with MySQL. Is it recommended to create my app data tables in a separate MySQL database, or is it OK to create them in the same database as the DF schema?

Thanks in advance.


#2

I’m not on the development team, but I do run a secured DreamFactory installation in AWS.

  • It is only publicly accessible via an AWS load balancer and WAF
  • The ACL limits public access to the methods and endpoints I want to be publicly accessible
  • Bonus: free SSL certificate
  • Bonus: block IPs that do more than X requests
  • Added the secure headers that were missing from the DreamFactory httpd config (see OWASP)
  • Bonus: AWS SSL implementation is pretty secure, if you know what you’re doing
  • Bonus: do actual load balancing, do upgrades without downtime etc.
  • For access to the full management console, I deployed an OpenVPN server that is allowed to bypass the WAF
  • Extensive use of security groups (firewall rules) to allow only what is needed

To do load balancing, you need to have a separate database server. AWS has RDS, which works fine with DreamFactory.
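As an added illustration of the "secure headers" item above (example code, not JPS's setup or anything shipped by DreamFactory), this audits a response's headers against the OWASP Secure Headers recommendations; the threshold values and the two sample responses are constructed assumptions, and `audit_url` is only meant to be pointed at your own instance.

```python
"""Audit HTTP response headers against the OWASP Secure Headers recommendations."""
import urllib.request
from typing import Callable, Dict, List

def _max_age(value: str) -> int:
    """Extract max-age from an HSTS value such as 'max-age=63072000; includeSubDomains'."""
    for part in value.split(";"):
        key, _, num = part.strip().partition("=")
        if key.lower() == "max-age" and num.isdigit():
            return int(num)
    return 0

# Headers OWASP recommends, each with a predicate deciding whether its value is strong enough.
# The thresholds (HSTS max-age of at least one year, etc.) are this example's assumptions.
REQUIRED: Dict[str, Callable[[str], bool]] = {
    "Strict-Transport-Security": lambda v: _max_age(v) >= 31536000,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Content-Security-Policy": lambda v: "default-src" in v,
    "Referrer-Policy": lambda v: v.strip().lower() in ("no-referrer", "same-origin", "strict-origin-when-cross-origin"),
}
# Headers that disclose the server stack and should be removed or neutralised.
DISCLOSING = ("Server", "X-Powered-By")

def audit_security_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return which recommended headers are missing or weak, and which disclosing headers are present."""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    report: Dict[str, List[str]] = {"missing": [], "weak": [], "disclosing": []}
    for name, is_strong in REQUIRED.items():
        value = lower.get(name.lower())
        if value is None:
            report["missing"].append(name)
        elif not is_strong(value):
            report["weak"].append(name)
    report["disclosing"] = [n for n in DISCLOSING if n.lower() in lower]
    return report

def audit_url(url: str) -> Dict[str, List[str]]:
    """Fetch a URL with HEAD and audit the live response headers (run against your own instance)."""
    with urllib.request.urlopen(urllib.request.Request(url, method="HEAD"), timeout=10) as resp:
        return audit_security_headers(dict(resp.headers))

# Constructed sample: what a stock Apache/PHP install typically sends before any hardening.
DEFAULT_INSTALL = {"Server": "Apache/2.4", "X-Powered-By": "PHP/7.4", "Content-Type": "application/json"}
# Constructed sample: the same response after the OWASP headers were added to httpd.conf.
HARDENED = {"Content-Type": "application/json", "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'", "Referrer-Policy": "no-referrer"}

if __name__ == "__main__":
    print(audit_security_headers(DEFAULT_INSTALL))
    print(audit_security_headers(HARDENED))
```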


#3

Many thanks, JPS, for the comprehensive answer.
A lot to consider indeed…

Perhaps as a suggestion to the DF development team: it would be good to add to the documentation a guide on how to accomplish that and secure a DF instance.
Thanks again.