This chapter detail security configuration in Apyfal.
Apyfal configuration file¶
The Apyfal configuration file may contain some access keys. This file needs to be stored and exchanged with care to not compromises theses access keys.
Cloud hosts security configuration¶
By default, Apyfal configures some cloud instances settings to improves security.
SSH key pair¶
By default, Apyfal generates an SSH key pair to give user access to the instance
using SSH. The private key file is automatically added in PEM format to the
.ssh directory of your user home.
A custom key pair can be used using the
An example of SSH connexion is given in Getting Started
Security groups are like firewalls for cloud instance and are used to allow only a limited range of IP address to connect to the host using a limited range of ports.
By default, Apyfal creates a security group that allows only the machine used
to generate the host instance to access it using SSH and HTTP/HTTPS
A custom security group can be used using the
Before host instantiation, the range of ports can be modified in the
ALLOW_PORTS host class attribute.
Security groups rules can also be modified using the CSP console.
Host local storage¶
Apyfal allows to process file that are stored locally on host instance. By default, this is limited to an unique directory for security reason.
This behavior can be change with the
authorized_host_dirs parameter of
security section in the host side configuration file.
See Storage for more information.
The SSL/TLS certificate allows to access host over HTTPS instead of HTTP.
Certificate selection and generation¶
Apyfal allows to define a certificate to use, or to generates automatically a certificate.
- Using an user defined certificate:
- A certificate can to be passed to the host creation using
- Generating a self signed wildcard certificate:
ssl_cert_generateparameter can be used to generate a self signed certificate.
ssl_cert_generateis used without
ssl_cert_key, a generic certificate is generated in the
.sshdirectory of the user home. If the generic certificate exists, it is reused and not regenerated.
The certificate needs to be verified to provides security.
- Classical DNS host name based certificate
- This kind of certificate is verified as usual using a Certificate Authority.
- Self signed wildcard certificate
Certificate Authority cannot verify this kind of certificate., but Apyfal can verify the connexion against a specified certificate.
Once a client have the
ssl_cert_crtspecified or a generic certificate is found in the
.sshdirectory, connections are verified using this certificate.
Host name is not verified when using a wildcard certificate.
Disabling HTTPS and using HTTP¶
ssl_cert_crt is specified or if a generic certificate is found in the
.ssh directory, HTTPS is enabled.
ssl_cert_crt can be set to
False to disable HTTPS.
- Host has a DNS host name:
Use a Certificate Authority to generate a certificate for this DNS host name and define
ssl_cert_keyto this certificate files.
This is the most secure and recommended way, but it require to bind hosts IP address to an host name.
- Host has no DNS host name and is shared between its creator and other users:
- Creator generate a self signed certificate by defining
ssl_cert_generateand share the public certificate file with other users. Others user set
ssl_cert_crtto this certificate file to enable connection verification with it.
- Host has no DNS host name and is used only by its creator for a single session:
- Creator generate a generic self signed certificate by defining only
- Using HTTP to improve data transfer speed between client and host.
Falseto be sure using HTTP instead of HTTPS.
Note that with this option, transferred data and Accelize access keys are publicly visible to anyone on the network.
Host side configuration file¶
init_config parameter allows to pass Apyfal configuration file to host
instance, this can be used to configure some parameters on host.
On this parameter use, always transfer a cleaned up configuration file to your instance to avoid the risk of compromises your access keys.
CSP specific parameters¶
Some CSP provides more security options, refer to each host class for more information.
Cloud storage security configuration¶
Some CSP that provides both computes and storage services allows to configure host instance to access storage. By default, Apyfal allows access to all storage to accelerator cloud instance.
But, this can be modified, refers to each host class for more information.