Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

Recognition

  • Give kudos
  • My kudos

Leaderboard

  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Crowd REST API security

We heavily use Amazon EC2 instances for our infrastructure but one of the big drawbacks is that the IP addresses of the servers can change if a server is rebooted.

One of the developers is proposing that instead of using specific IP addresses, we use a subnet mask of 10.0.0.0/8 which would, essentially, allow any EC2 instance to try to authenticate against Crowd.

I realise that there is an extra layer of security here, i.e. application name and password, but presumably the IP address restriction was put into Crowd for a reason so I'm trying to understand what potential downsides there are to widen the subnet allowed.

The flipside would be that, in theory, I can use Amazon security groups to restrict the traffic reaching the Crowd server, the benefit being that security groups don't specify the actual IP addresses, just the virtual servers in the group so Amazon take care of the rules implicitly. The downside to this approach, though, is that the REST API uses the same port as normal human interaction with Crowd.

Is there any way to move the REST API onto a separate port so that I could lock that down at the network level?

Any other suggestions or comments on keeping this server secure whilst trying to meet the challenges of shifting IP addresses?

Thanks.

1 answer

1 accepted

1 vote
Answer accepted

Hi Philip,

That's correct, the Remote Addresses tab within the Application settings in Crowd is used to basically enhance security.

Regarding REST API port, it's not possible to set a different port, but as you can see in this documentation, you can use host names (e.g. myhost.com), instead of range of IPs to restrict access to your Crowd instance.

I hope it helps.

Cheers

Thanks for the clarification.

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Asked in Jira Service Desk

Calling all Insight users, we need your help!

Hello Insight users,  As part of our (Mindville's) acquisition by Atlassian, our training team is looking to build some new Insight training materials. It would really helpful if you can ...

162 views 1 1
View question

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you