Secure OpenReplay
Restrict access to node
Section titled Restrict access to nodeIt’s highly recommended to only allow open ports 80/443 to the machine using security groups. There are some componenes litening to the 0.0.0.0 address, to make networking easier, like k3s server api, flannel api etc.
Configure SSL
Section titled Configure SSLIf you’re bringing your own certificate, create an SSL secret using the following command: kubectl create secret tls openreplay-ssl -n app --key="private_key_file.pem" --cert="certificate.crt".
Note: If you don’t have a certificate, generate one, that auto-renews, for your subdomain (the one provided during installation) using Let’s Encrypt. Simply connect to OpenReplay instance, run
cd openreplay/scripts/helmcharts && bash certmanager.shand follow the steps.
If you wish to enable http to https redirection (recommended) edit the configuration using openreplay -e, then uncomment the below block, under the ingress-nginx section:
ingress-nginx: &ingress-nginx
controller:
config:
ssl-redirect: true
force-ssl-redirect: trueNote: Our
ingress-nginxruns by default on ports80|443, but this can be easily changed, if needed, invars.yaml:
ingress-nginx: &ingress-nginx
controller:
service:
ports:
http: 80
https: 443Save and exit using :wq for the service to reload.
Harden X-Frame-Options
Section titled Harden X-Frame-OptionsTo indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object> and avoid click-jacking attacks, set the X-Frame-Options response header by editing the configuration using openreplay -e:
ingress-nginx: &ingress-nginx
controller:
addHeaders:
X-Frame-Options: "SAMEORIGIN"Then, save and exit using :wq for the service to reload.
Set reCaptcha
Section titled Set reCaptchaOpenReplay supports reCaptcha (v2) for additional security. To enable this protection:
- Get a v2 reCaptcha key from Google, with
invisiblemode enabled, i.e. do not prompt fortick I am not a human. - Open
/var/lib/openreplay/vars.yamlthen uncomment and update the below env variables inchalicesection:
captcha_server: The URL to your reCaptcha service (e.g. https://www.google.com/recaptcha/api/siteverify)captcha_key: You reCaptcha secret key
- Edit
.envinopenreplay/frontend/(copy.env.sampleif it does not exist) and substitute theCAPTCHA_SITE_KEYvariable with your reCaptcha site key. - Rebuild the frontend:
cd openreplay/frontend
IMAGE_TAG=my-custom-image PUSH_IMAGE=1 DOCKER_REPO=my-docker-user-name bash -x build.sh- Open
/var/lib/openreplay/vars.yamland specify your newly built frontend image in thefrontendblock:
frontend:
image:
repository: "my-docker-username/frontend"
tag: "my-custom-image"- Restart the frontend and web server services for the changes to take effect:
openreplay -RContent Security Policy (CSP)
Section titled Content Security Policy (CSP)Here is an example of a policy (CSP) for allowing OpenReplay to record sessions. This has to be adapted depending on your domain and security requirements:
worker-src ‘self’ blob: https://openreplay.mycompany.com https://*.openreplay.com; script-src ‘self’ https://openreplay.mycompany.com https://*.openreplay.com;To apply your CSP to NGINX, connect to your OpenReplay instance and follow the below steps:
- Run
openreplay -eand add your CSP in thefrontendblock. Make sure to update
frontend:
ingress:
cspSnippet: |
add_header Content-Security-Policy "worker-src 'self' blob: https://openreplay.mycompany.com https://*.openreplay.com; script-src 'self' https://openreplay.mycompany.com https://*.openreplay.com;";Note: Make sure to replace
https://openreplay.mycompany.comoccurences in the above CSP with your OpenReplay domain name. The value should be the same asDOMAIN_NAMEin/var/lib/openreplay/vars.yamlfile.
- Save and exit using
:wqto apply your newly added CSP
Enabling CORS
Section titled Enabling CORSCross-domain requests are allowed, by default, from all origins (Access-Control-Allow-Origin: *). If you wish to restrict recordings from few domains only, then run openreplay -e and update the http block by adding the below annotations:
http:
ingress:
annotations:
nginx.ingress.kubernetes.io/cors-allow-methods: POST
nginx.ingress.kubernetes.io/cors-allow-headers: Content-Type,Authorization,Content-Encoding
nginx.ingress.kubernetes.io/cors-allow-origin: https://app1.mycompany.com,https://app2.mycompany.com,https://*.mycompany.com
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-expose-headers: "Content-Length"Then save and exit using :wq to apply your newly added CSP.
Have questions?
Section titled Have questions?If you have any questions about this process, feel free to reach out to us on our Slack or check out our Forum.