Restrict access to node

It is highly recommended to allow only ports 80/443 to reach the machine, using security groups. Some components listen on the 0.0.0.0 address to make networking easier (for example the k3s server API and the flannel API), so any port that is not blocked at the security-group level is reachable from the network.
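To see which services are actually bound to every interface before tightening the security group, here is an added example (not OpenReplay tooling): it parses the output of ss -ltn, reports every listener bound to a wildcard address whose port is not on the allow-list, and so lists exactly the ports the security group must block. The ss output embedded below is a constructed sample, and the allow-list default and the audit_local_host helper are assumptions made for illustration.

```python
"""Audit listening sockets against an allow-list of externally exposed ports.

Added example (not OpenReplay's own tooling). It parses the output of
``ss -ltn`` and reports every socket bound to a wildcard address whose port
is not on the allow-list: those are the ports that must be blocked by the
cloud security group or host firewall, because the service itself accepts
connections from any interface.
"""
import subprocess

WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample in the format of `ss -ltn` output (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096     *:6443               *:*
LISTEN  0       511      127.0.0.1:5432       0.0.0.0:*
LISTEN  0       4096     [::]:80              [::]:*
LISTEN  0       4096     [::]:443             [::]:*
"""


def parse_listeners(ss_output):
    """Yield (host, port) for each LISTEN line of `ss -ltn` output."""
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")    # IPv6 hosts contain ':'
        yield host, int(port)


def audit_listeners(ss_output, allowed_ports=(80, 443)):
    """Return sorted (port, host) pairs that are bound to a wildcard address
    but not on the allow-list, i.e. ports that need a security-group rule."""
    allowed = set(allowed_ports)
    exposed = {
        (port, host)
        for host, port in parse_listeners(ss_output)
        if host in WILDCARD_HOSTS and port not in allowed
    }
    return sorted(exposed)


def audit_local_host(allowed_ports=(80, 443)):
    """Run `ss -ltn` on this machine and audit its output (needs iproute2)."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return audit_listeners(out, allowed_ports)


if __name__ == "__main__":
    for port, host in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {port} is bound to {host}: make sure it is not reachable from the internet")
```

Run it on the node itself with audit_local_host() after installation; anything it reports other than 80 and 443 should be covered by the security group, since binding to 0.0.0.0 means the service does not restrict its own clients.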
Configure SSL

If you're bringing your own certificate, create an SSL secret using the following command:

```shell
kubectl create secret tls openreplay-ssl -n app --key="private_key_file.pem" --cert="certificate.crt"
```
Note: If you don't have a certificate, generate one that auto-renews for your subdomain (the one provided during installation) using Let's Encrypt. Simply connect to the OpenReplay instance, run

```shell
cd openreplay/scripts/helmcharts && bash certmanager.sh
```

and follow the steps.
If you wish to enable HTTP to HTTPS redirection (recommended), edit the configuration using openreplay -e, then uncomment the block below in the ingress-nginx section:

```yaml
ingress-nginx: &ingress-nginx
  controller:
    config:
      ssl-redirect: true
      force-ssl-redirect: true
```

ingress-nginx runs by default on ports 80|443, but this can easily be changed, if needed, in the service ports of the same block:

```yaml
ingress-nginx: &ingress-nginx
  controller:
    service:
      ports:
        http: 80
        https: 443
```

Save and exit using :wq for the service to reload.
Harden X-Frame-Options

To indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>, and so avoid click-jacking attacks, set the X-Frame-Options response header by editing the configuration using openreplay -e and adding the block below to the ingress-nginx section:

```yaml
ingress-nginx: &ingress-nginx
  controller:
    addHeaders:
      X-Frame-Options: "SAMEORIGIN"
```

Then, save and exit using :wq for the service to reload.
Set reCaptcha

OpenReplay supports reCaptcha (v2) for additional security. To enable this protection:

- Open /var/lib/openreplay/vars.yaml, then uncomment and update the following env variables in
  - captcha_server: the URL of your reCaptcha verification service (e.g. https://www.google.com/recaptcha/api/siteverify)
  - captcha_key: your reCaptcha secret key
- In openreplay/frontend/, substitute the CAPTCHA_SITE_KEY variable with your reCaptcha site key.
- Rebuild the frontend:

```shell
cd openreplay/frontend
IMAGE_TAG=my-custom-image PUSH_IMAGE=1 DOCKER_REPO=my-docker-user-name bash -x build.sh
```

- Open /var/lib/openreplay/vars.yaml and specify your newly built frontend image in the frontend block:

```yaml
frontend:
  image:
    repository: "my-docker-username/frontend"
    tag: "my-custom-image"
```

- Restart the frontend and web server services for the changes to take effect:
Content Security Policy (CSP)

Here is an example of a policy (CSP) that allows OpenReplay to record sessions. It has to be adapted to your domain and security requirements:

```
worker-src 'self' blob: https://openreplay.mycompany.com https://*.openreplay.com; script-src 'self' https://openreplay.mycompany.com https://*.openreplay.com;
```

To apply your CSP to NGINX, connect to your OpenReplay instance and follow the steps below:

- Run openreplay -e and add your CSP in the frontend block. Make sure to update

```yaml
frontend:
  ingress:
    cspSnippet: |
      add_header Content-Security-Policy "worker-src 'self' blob: https://openreplay.mycompany.com https://*.openreplay.com; script-src 'self' https://openreplay.mycompany.com https://*.openreplay.com;";
```

Note: Make sure to replace the https://openreplay.mycompany.com occurrences in the above CSP with your OpenReplay domain name. The value should be the same as

- Save and exit using :wq to apply your newly added CSP.
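Because the policy is copied from a rendered page and edited by hand, two mistakes are easy to make: leaving the placeholder domain in place, and pasting typographic quotes (‘self’) where CSP requires ASCII apostrophes ('self'). The following added example (not part of the OpenReplay docs or code) builds the policy above for your domain, parses a policy back into its directives, and flags those mistakes plus any missing source; the domain openreplay.example.org used in it is a constructed value, and the function names are assumptions made for this illustration.

```python
"""Build and sanity-check the Content-Security-Policy used for OpenReplay.

Added example, not part of the OpenReplay docs or code. It assembles the
worker-src / script-src policy shown above for a given OpenReplay domain,
parses a policy string back into directives, and reports common mistakes:
the docs' placeholder domain left in place, a required source missing, or
typographic quotes (copied from a rendered page) where CSP needs ASCII
apostrophes around 'self'.
"""
PLACEHOLDER = "https://openreplay.mycompany.com"   # example domain used in the docs
CDN_SOURCE = "https://*.openreplay.com"             # second source listed in the docs' policy
CURLY_QUOTES = "\u2018\u2019\u201c\u201d"           # ‘ ’ “ ” : not valid CSP quoting


def _origin(openreplay_domain):
    """Normalise "openreplay.example.org" or "https://openreplay.example.org" to an origin."""
    domain = openreplay_domain.strip().rstrip("/")
    return domain if "://" in domain else "https://" + domain


def build_csp(openreplay_domain):
    """Return the docs' policy with the placeholder replaced by your domain.

    `openreplay_domain` is the subdomain given at install time; the tests use
    the constructed value "openreplay.example.org".
    """
    origin = _origin(openreplay_domain)
    return (
        f"worker-src 'self' blob: {origin} {CDN_SOURCE}; "
        f"script-src 'self' {origin} {CDN_SOURCE};"
    )


def parse_csp(policy):
    """Parse a CSP string into {directive_name: [source, ...]} (last one wins on repeats)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_csp(policy, openreplay_domain):
    """Return a list of problems found in `policy` for the given domain; [] means it looks fine."""
    origin = _origin(openreplay_domain)
    problems = []
    if any(ch in policy for ch in CURLY_QUOTES):
        problems.append("typographic quotes found; replace them with ASCII apostrophes")
    if PLACEHOLDER in policy and origin != PLACEHOLDER:
        problems.append(f"placeholder {PLACEHOLDER} was not replaced")
    directives = parse_csp(policy)
    # Sources the docs' policy grants (blob: workers for the recorder and
    # scripts from your own domain); each one must still be present.
    required = {
        "worker-src": ["'self'", "blob:", origin],
        "script-src": ["'self'", origin],
    }
    for name, sources in required.items():
        if name not in directives:
            problems.append(f"{name} directive is missing")
            continue
        present = set(directives[name])
        problems.extend(f"{name} lacks {src}" for src in sources if src not in present)
    return problems


if __name__ == "__main__":
    policy = build_csp("openreplay.example.org")     # constructed domain
    print(policy)
    print(check_csp(policy, "openreplay.example.org") or "policy looks consistent")
```

Run check_csp on the exact string you put into cspSnippet before saving; an empty list means the placeholder was replaced, both directives are present and the quoting is one a browser will parse.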
Enabling CORS

Cross-domain requests are allowed, by default, from all origins (Access-Control-Allow-Origin: *). If you wish to accept recordings from a few domains only, run openreplay -e and update the http block by adding the annotations below:

```yaml
http:
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/cors-allow-methods: POST
      nginx.ingress.kubernetes.io/cors-allow-headers: Content-Type,Authorization,Content-Encoding
      nginx.ingress.kubernetes.io/cors-allow-origin: https://app1.mycompany.com,https://app2.mycompany.com,https://*.mycompany.com
      nginx.ingress.kubernetes.io/enable-cors: "true"
      nginx.ingress.kubernetes.io/cors-expose-headers: "Content-Length"
```

Then save and exit using :wq to apply your newly added CORS configuration.
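When reviewing such an allow-list it helps to see which Origin values it admits, especially with the wildcard entry: a look-alike host such as evil-mycompany.com or a different scheme must not pass. The added example below is not ingress-nginx's own matching code but a simplified model of the allow-list semantics (exact origins plus https://*.domain wildcards), with the sample origins constructed for illustration; it assumes that scheme and port must match exactly, that host comparison is case-insensitive, and that a wildcard matches one or more subdomain labels but never the bare apex.

```python
"""Check request origins against an ingress-nginx cors-allow-origin list.

Added example; this is not ingress-nginx's own matching code but a
simplified model of the allow-list semantics (exact origins plus
`https://*.domain` wildcards) for reviewing which Origin values an
annotation will admit before it is deployed. Assumed rules: scheme and
port must match exactly, host comparison is case-insensitive, and a
wildcard matches one or more subdomain labels but never the bare apex.
"""

# The origins from the annotation above (documentation placeholders).
ALLOWED_ORIGINS = [
    "https://app1.mycompany.com",
    "https://app2.mycompany.com",
    "https://*.mycompany.com",
]


def _split_origin(value):
    """Return (scheme, host, port) for `scheme://host[:port]`, or None if malformed.

    An Origin header never carries a path, so anything with a '/' after the
    authority is rejected; "null" and other opaque origins are rejected too.
    """
    scheme, sep, rest = value.strip().lower().partition("://")
    if not sep or scheme not in ("http", "https") or not rest or "/" in rest:
        return None
    host, _, port = rest.partition(":")
    if not host or (port and not port.isdigit()):
        return None
    default_port = 443 if scheme == "https" else 80
    return scheme, host, int(port) if port else default_port


def _host_matches(pattern, host):
    """Exact match, or `*.example.com` matching any host that ends in `.example.com`."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """True if the request's Origin value matches an entry of the allow-list."""
    req = _split_origin(origin)
    if req is None:
        return False
    for entry in allowed:
        pat = _split_origin(entry)
        if pat and pat[0] == req[0] and pat[2] == req[2] and _host_matches(pat[1], req[1]):
            return True
    return False


def review_origins(origins, allowed=ALLOWED_ORIGINS):
    """Map each candidate Origin value to its verdict, for reviewing an allow-list change."""
    return {origin: origin_allowed(origin, allowed) for origin in origins}


if __name__ == "__main__":
    # Constructed sample origins, including look-alike hosts that must be refused.
    for origin, ok in review_origins([
        "https://app1.mycompany.com",
        "https://api.dev.mycompany.com",
        "https://evil-mycompany.com",
        "https://mycompany.com.attacker.example",
        "http://app1.mycompany.com",
    ]).items():
        print(f"{'allow' if ok else 'deny '} {origin}")
```

Feed review_origins the list of sites that embed the OpenReplay tracker before rolling out the annotation; if a legitimate site is denied, add its exact origin rather than widening the wildcard, and confirm the deployed behaviour with a real preflight request, since the controller's own matching is the authority.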
Have questions?
If you have any questions about this process, feel free to reach out to us on our Slack channel.