Versions Compared

Old Version 5

changes.mady.by.user Dave Ryan

Saved on

compared with

New Version Current

changes.mady.by.user Dave Ryan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Canopy communicates over the following TCP ports:

Service GroupServicePort (Protocol)Publicly Accessible?SecurityNotes
Canopy application serverWeb Server443 (https)YesYes - hardened TLS configuration out of the box

This is a standard web service, running on nginx as standard (apache also supported). It is also the primary, and only, interface that needs to be accessible to users of the application. The Web Service acts as a reverse proxy to the Application Service, for both user access and API (RESTful) access.

A self-signed certificate is used by default, which should be replaced with a production ready certificate.

Canopy application serverApplication Service8000 (http)NoLocalhost configuration by default.The Application Service is built on top of django and is typically bound to localhost only. If network communication is required (e.g. for large scale deployments), this service is wrapped (reverse proxy) via another Web Server layer, which would use the default TLS hardened configuration.
Canopy application serverRabbitMQ server5672 (amqp)NoLocalhost configuration by default; default username/password.

RabbitMQ is a backend message queue for running asynchronous jobs via celery.

RabbitMQ can be configured to run over TLS, which may be a requirement under larger/enterprise deployments. Specific guidelines are available on the RabbiMQ site: https://www.rabbitmq.com/ssl.html

It is recommended that the default username/password be changed on install, even though the service is restricted to localhost.

Canopy database serverPostgreSQL (default)5432 (pgql)NoLocalhost configuration by default; default username/password accessible through a user-restricted admin script.

PostgreSQL is the primary database supported by Canopy. Oracle may also be used (REF).

Additional PostgreSQL hardening guidelines are provided at: REF.

Canopy report serverDocserver8181 (http)NoLocalhost configuration by default; no authentication required.

This service accepts a docx (template) and an XML (data source) and returns a generated docx file to the application server.

This service can be run on alternative server (for load distribution). In such a scenario, we recommend using nginx as a frontend proxy, which can be secured via TLS.

Canopy report serverPDF converter9016 (http)NoLocalhost configuration by default; no authentication required.

This service accepts a docx and returns a docx and PDF to the calling application.

This service can be run on alternative server (for load distribution). In such a scenario, we recommend using nginx as a frontend proxy, which can be secured via TLS.

OtherMail routing25 (smtp)NoOutbound only service, for mail routing.This is a dependency for sending mail-based notifications to users. Outbound firewall requirement.

Deployment scenarios

Single server

...