Secure OpenReplay

It’s highly recommended to only allow open ports 80/443 to the machine using security groups. There are some componenes litening to the address, to make networking easier, like k3s server api, flannel api etc.

If you’re bringing your own certificate, create an SSL secret using the following command: kubectl create secret tls openreplay-ssl -n app --key="private_key_file.pem" --cert="certificate.crt".

Note: If you don’t have a certificate, generate one, that auto-renews, for your subdomain (the one provided during installation) using Let’s Encrypt. Simply connect to OpenReplay instance, run cd openreplay/scripts/helmcharts && bash and follow the steps.

If you wish to enable http to https redirection (recommended) edit the configuration using openreplay -e, then uncomment the below block, under the ingress-nginx section:

ingress-nginx: &ingress-nginx
      ssl-redirect: true
      force-ssl-redirect: true

Note: Our ingress-nginx runs by default on ports 80|443, but this can be easily changed, if needed, in vars.yaml:

ingress-nginx: &ingress-nginx
        http: 80
        https: 443

Save and exit using :wq for the service to reload.

To indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object> and avoid click-jacking attacks, set the X-Frame-Options response header by editing the configuration using openreplay -e:

ingress-nginx: &ingress-nginx
      X-Frame-Options: "SAMEORIGIN"

Then, save and exit using :wq for the service to reload.

OpenReplay supports reCaptcha (v2) for additional security. To enable this protection:

  1. Get a v2 reCaptcha key from Google, with invisible mode enabled, i.e. do not prompt for tick I am not a human.
  2. Open /var/lib/openreplay/vars.yaml then uncomment and update the below env variables in chalice section:
  1. Edit .env in openreplay/frontend/ (copy .env.sample if it does not exist) and substitute the CAPTCHA_SITE_KEY variable with your reCaptcha site key.
  2. Rebuild the frontend:
cd openreplay/frontend
IMAGE_TAG=my-custom-image PUSH_IMAGE=1 DOCKER_REPO=my-docker-user-name bash -x
  1. Open /var/lib/openreplay/vars.yaml and specify your newly built frontend image in the frontend block:
    repository: "my-docker-username/frontend"
    tag: "my-custom-image"
  1. Restart the frontend and web server services for the changes to take effect:
openreplay -R

Here is an example of a policy (CSP) for allowing OpenReplay to record sessions. This has to be adapted depending on your domain and security requirements:

worker-src ‘self’ blob: https://*; script-src ‘self’ https://*;

To apply your CSP to NGINX, connect to your OpenReplay instance and follow the below steps:

  1. Run openreplay -e and add your CSP in the frontend block. Make sure to update
    cspSnippet: |
      add_header Content-Security-Policy "worker-src 'self' blob: https://*; script-src 'self' https://*;";

Note: Make sure to replace occurences in the above CSP with your OpenReplay domain name. The value should be the same as DOMAIN_NAME in /var/lib/openreplay/vars.yaml file.

  1. Save and exit using :wq to apply your newly added CSP

Cross-domain requests are allowed, by default, from all origins (Access-Control-Allow-Origin: *). If you wish to restrict recordings from few domains only, then run openreplay -e and update the http block by adding the below annotations:

    annotations: POST Content-Type,Authorization,Content-Encoding,,https://* "true" "Content-Length"

Then save and exit using :wq to apply your newly added CSP.

If you have any questions about this process, feel free to reach out to us on our Slack or check out our Forum.