SwiftStack Controller Security

The SwiftStack controller is a web UI endpoint that is used to manage the SwiftStack Environment. Cluster administrators can interact with the controller either via an HTTPS web interface or via an HTTPS API.

The information in this document applies both to the hosted controller (SwiftStack Controller As-a-Service) and to SwiftStack Controller On-Premises installations.

Controller Application

The controller web application provides an interface for configuring and interacting with your SwiftStack clusters. The application maintains information about your clusters including:

  • Controller administrative users
  • SwiftStack Auth users
  • Ring file configuration
  • Metrics and alerts

Controller Security Measures

All interaction with the controller must be performed over HTTPS, either by a user who is logged into the controller or via an HTTPS request that presents an API key.

All resources necessary for the controller are loaded from the same HTTPS endpoint, including all graphics and logos, JavaScript libraries, and AJAX requests.

Additionally, the controller application uses CSRF tokens to protect against forged requests or cross-site scripting vulnerabilities.

Firewall Security

A few firewall rules are required to control traffic from the nodes to the controller and, optionally, between the primary controller and a recovery controller.

  • ACCEPT UDP traffic on port 1194 (openvpn).
  • ACCEPT UDP traffic on port 1184 (openvpn) if a secondary disaster recovery/failover controller is in use.
  • ACCEPT traffic over the node VPN (tun0) destined for TCP ports 9914, 9915, and 6050.
  • ACCEPT traffic over the controller-recovery VPN (tun1) destined for TCP port 6040 if a recovery/failover controller is in use.
  • REJECT traffic over both VPNs (tun0 and tun1) destined for ports 443, 80, and 22.
  • ACCEPT TCP traffic on non-VPN ports 22, 80, and 443.

If your controller has the firewalld or iptables-services RPMs installed, then the SwiftStack Controller On-Premises will ensure these required rules are in place. Otherwise you will need to configure them yourself.
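If you have to configure the rules yourself, the following script is an added example (it is not part of the SwiftStack installer) that turns the list above into iptables INPUT-chain rules. It assumes the interface names tun0 and tun1 given in the list, that the REJECT rules apply to TCP, and that an environment variable RECOVERY_IN_USE=yes (a name chosen here, not one SwiftStack uses) marks the presence of a failover controller. The ordering matters: the VPN REJECTs are emitted before the general 22/80/443 ACCEPT, because iptables matches top-down and that is what restricts the management ports to non-VPN interfaces.

```shell
#!/bin/sh
# Added example, not part of the SwiftStack installer: iptables INPUT-chain
# rules implementing the firewall list above. Assumptions: the node VPN is
# tun0 and the recovery VPN is tun1 (as named in the list), the REJECTs apply
# to TCP, and RECOVERY_IN_USE=yes is set only when a failover controller exists.
set -eu

NODE_VPN_IF="tun0"
RECOVERY_VPN_IF="tun1"
RECOVERY_IN_USE="${RECOVERY_IN_USE:-no}"

# Print the rules in the order they must be appended. Nothing is applied here,
# so the output can be reviewed (or diffed against `iptables -S INPUT`) first.
gen_rules() {
    # OpenVPN from the nodes, and from the recovery controller if one exists
    echo "iptables -A INPUT -p udp --dport 1194 -j ACCEPT"
    if [ "$RECOVERY_IN_USE" = "yes" ]; then
        echo "iptables -A INPUT -p udp --dport 1184 -j ACCEPT"
    fi
    # Management ports must not be reachable across either tunnel. These REJECTs
    # come first: iptables evaluates rules top-down, so the general 22/80/443
    # ACCEPT further down can then only match traffic on non-VPN interfaces.
    for ifc in "$NODE_VPN_IF" "$RECOVERY_VPN_IF"; do
        echo "iptables -A INPUT -i $ifc -p tcp -m multiport --dports 22,80,443 -j REJECT"
    done
    # Node-to-controller services over the node VPN
    echo "iptables -A INPUT -i $NODE_VPN_IF -p tcp -m multiport --dports 9914,9915,6050 -j ACCEPT"
    # Controller-recovery traffic over the recovery VPN
    if [ "$RECOVERY_IN_USE" = "yes" ]; then
        echo "iptables -A INPUT -i $RECOVERY_VPN_IF -p tcp --dport 6040 -j ACCEPT"
    fi
    # SSH and the HTTPS endpoint (plus its port-80 redirect) on non-VPN interfaces
    echo "iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT"
}

# Line number of the first generated rule matching a pattern (0 if none);
# lets a reviewer assert ordering, e.g. that the VPN REJECTs precede the ACCEPT.
rule_index() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1 | grep . || echo 0
}

case "${1:-}" in
    --apply) gen_rules | sh -e ;;   # run as root to install the rules
    *)       gen_rules ;;           # default: dry run, just print them
esac
```

Run it without arguments to review the rules, and with `--apply` as root to install them; set `RECOVERY_IN_USE=yes` in the environment when a recovery controller exists so the port 1184 and 6040 rules are included.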

SSL Endpoint Security

The controller is secured via an SSL-terminated endpoint. All traffic to the controller goes through this endpoint, and there is no option for a non-SSL-terminated connection. Port 80 provides a redirect to HTTPS on port 443 as a convenience. All HTTPS requests made by SwiftStack code perform full server certificate validation.

The SSL termination is performed by the nginx web server, using the following SSL cipher list:

HIGH:!aNULL:!MD5

This cipher list permits only TLSv1, TLSv1.1, and TLSv1.2 cipher suites with 128-bit or stronger encryption.
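A cipher list is a policy expression that the local OpenSSL expands, so the claim above is worth verifying on the controller itself. The script below is an added example (not SwiftStack's code) that audits the output of `openssl ciphers -v` for the list quoted above: it flags any suite with anonymous key exchange, an MD5 MAC, or null or sub-128-bit encryption. It ships with a constructed sample in the same format so it runs offline; pass `--live` on a host with openssl to audit the real expansion.

```shell
#!/bin/sh
# Added example, not SwiftStack's code: check that a cipher list really yields
# only suites of the stated strength. Feed it `openssl ciphers -v <list>` and
# it prints every suite with anonymous key exchange, an MD5 MAC, or null or
# sub-128-bit encryption, exiting 1 if any were found and 0 otherwise.
set -eu

CIPHER_LIST='HIGH:!aNULL:!MD5'   # the nginx cipher list quoted above

# audit_ciphers reads `openssl ciphers -v` lines on stdin, one suite per line:
#   ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
# The key size is the number in parentheses after Enc=.
audit_ciphers() {
    awk '
    {
        bad = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "Au=None") bad = bad " anonymous-auth"
            if ($i == "Mac=MD5") bad = bad " md5-mac"
            if ($i == "Enc=None") bad = bad " null-encryption"
            else if ($i ~ /^Enc=.*\(/) {
                bits = $i
                sub(/^[^(]*\(/, "", bits)
                sub(/\).*$/, "", bits)
                if (bits + 0 < 128) bad = bad " " bits "-bit-key"
            }
        }
        if (bad != "") { print $1 ":" bad; found = 1 }
    }
    END { exit (found ? 1 : 0) }'
}

# Number of offending suites on stdin (0 when the policy holds).
count_weak() {
    audit_ciphers | wc -l | tr -d ' '
}

# Constructed sample in `openssl ciphers -v` format so the script runs without
# openssl present: the first two suites satisfy the policy, the last three do not.
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
AECDH-AES256-SHA TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export'

if [ "${1:-}" = "--live" ] && command -v openssl >/dev/null 2>&1; then
    # Audit what the local OpenSSL actually expands the list to.
    if openssl ciphers -v "$CIPHER_LIST" | audit_ciphers; then
        echo "OK: $CIPHER_LIST yields no weak suites"
    else
        echo "WEAK suites above were produced by $CIPHER_LIST" >&2
        exit 1
    fi
else
    # Offline demonstration on the constructed sample (expects 3 findings).
    printf '%s\n' "$SAMPLE" | audit_ciphers || echo "(3 weak sample suites flagged, as expected)"
fi
```

On a real controller the interesting case is a newer OpenSSL that expands HIGH differently from the one the documentation was written against; the audit reports the exact suite names, which can then be checked against the nginx configuration.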

The nginx web server runs as an unprivileged user (ss-nginx) that is distinct from the user running the controller web application. The ss-nginx user cannot access the database or other sensitive data.

Database Security

Persistent data about the controller is saved in a PostgreSQL database located on the controller. This database stores information about the nodes and about the users having access to the SwiftStack Controller On-Premises. SwiftStack controller passwords are stored as PBKDF2 hashes, using SHA256 as the underlying hash and a unique salt.

The database "superuser" account, ss-postgres, has no password and can be accessed only by the root superuser. The database listens for TCP connections only on localhost.

The database password is set randomly during SwiftStack controller post-installation setup and is accessible only to the ss-service unprivileged service user and the root superuser.