Secure OpenReplay
Configure SSL
Rename (required) your private key to site.key
and your certificate to site.crt
then copy both files under openreplay/scripts/helmcharts/openreplay/files/
. Now, simply uncomment the below block in openreplay/scripts/helmcharts/vars.yaml
:
nginx-ingress:sslKey: site.keysslCert: site.crt
Note: If you don't have a certificate, generate one for your subdomain (the one provided during installation) using Let's Encrypt. Simply connect to OpenReplay instance, run
kubectl delete svc nginx-ingress -n app
then executebash openreplay/scripts/certbot.sh
and follow the steps.
If you wish to enable http to https redirection (recommended), then uncomment the below block, under the nginx-ingress
section, in openreplay/scripts/helmcharts/vars.yaml
:
nginx-ingress:customServerConfigs: |return 301 https://$host$request_uri;
Finally, reinstall OpenReplay NGINX:
cd openreplay/scripts/helmcharts && ./openreplay-cli -I
Set reCaptcha
OpenReplay supports reCaptcha (v2) for additional security. To enable this protection, edit openreplay/scripts/helmcharts/vars.yaml
then uncomment and update the below env variables in chalice
section:
captcha_server
: The URL to your reCaptcha service (e.g. https://www.google.com/recaptcha/api/siteverify)captcha_key
: You reCaptcha secret key
Now reinstall the web server for the changes to take effect:
cd openreplay/scripts/helmcharts && ./openreplay-cli -I
Then, edit env.js
in openreplay/frontend/
and substitute the CAPTCHA_SITE_KEY
variable with your reCaptcha site key. Finally, rebuild and deploy the frontend:
cd openreplay/frontendsudo bash build.shsudo cp -arl public frontendminio_pod=$(sudo kubectl get po -n db -l app.kubernetes.io/name=minio -n db --output custom-columns=name:.metadata.name | tail -n+2)sudo kubectl -n db cp frontend $minio_pod:/data/
Content Security Policy (CSP)
Here is an example of a policy (CSP) for allowing OpenReplay to record sessions. This has to be adapted depending on your domain and security requirements:
worker-src ‘self’ blob: https://openreplay.mycompany.com https://*.openreplay.com; script-src ‘self’ https://openreplay.mycompany.com https://*.openreplay.com;
To apply your CSP to NGINX, connect to your OpenReplay instance and follow the below steps:
- Open
openreplay/scripts/helmcharts/openreplay/charts/nginx-ingress/templates/configMap.yaml
and add your CSP in thelocation / {
block:
location / {add_header Content-Security-Policy "worker-src ‘self’ blob: https://openreplay.mycompany.com https://*.openreplay.com; script-src ‘self’ https://openreplay.mycompany.com https://*.openreplay.com;";...}
- Reinstall NGINX to apply your newly added CSP:
cd openreplay/scripts/helmcharts && ./openreplay-cli -I