Hardening security

This section gives you information on hardening security for your Helix TeamHub instance.

Enabling MongoDB authentication

By default, MongoDB only listens on localhost on Combo installations and does not use authentication. For added security, authentication can also be configured on Combo installations.

  1. Run the following command to create TeamHub MongoDB admin and user credentials:

     sudo su - hth
     create_mongodb_users.sh
    
  2. Update the TeamHub Configuration file at /var/opt/hth/shared/hth.json with the TeamHub MongoDB user credentials:

     "backend": {
       ...
       "db_username": "Enter username of Helix TeamHub MongoDB user",
       "db_password": "Enter password of Helix TeamHub MongoDB user"
       ...
     }
     ...
     "mongodb": {
       ...
       "username": "Enter username of Helix TeamHub MongoDB user",
       "password": "Enter password of Helix TeamHub MongoDB user"
       ...
     }
    
  3. Apply the changes by reconfiguring TeamHub:

     sudo hth-ctl reconfigure
    

Configuring HTTPS and SSL

HTTPS

By default, Helix TeamHub does not enforce HTTPS and SSL connections to your server instance. This may be acceptable for services running behind an organization's firewall, but enforcing HTTPS and SSL is recommended if the TeamHub instance is exposed to a public network.

To enforce HTTPS:

  1. Log in to the /admin URL of the TeamHub installation and navigate to Preferences.
  2. Under Security, select Enforce HTTPS.

  3. Click Save preferences.

SSL services

If Enforce HTTPS is selected:

  • To configure the TeamHub services to use the SSL certificates uploaded to your server, select Enable SSL services.

  • If you have TeamHub running in Cluster or High Availability mode with a load balancer that offloads SSL, leave Enable SSL services unselected. The SSL certificates must then be set up on your load balancer.

To enable SSL services:

  1. Log in to the /admin URL of the TeamHub installation and navigate to Preferences.
  2. Under Security, select Enable SSL services.

  3. Upload a valid x509 certificate and private key (RSA) in PEM format, with base64-encoded content between header and footer lines.

    Note

    Instructions for generating the certificate and private key depend on the provider. For security reasons, we recommend that you only use a self-signed certificate for testing.

    To generate a self-signed certificate and key, you can use OpenSSL:

    openssl req -newkey rsa:2048 -new -x509 -days 730 -nodes -out hth.crt -keyout hth.key
  4. Click Save preferences.

    The certificate expiration date and the assigned domain are displayed.

Troubleshooting tips

Include all certificates in the PEM file.

A single PEM file can contain a number of certificates and a key. For example:

  • Public certificate
  • Intermediate Certificate
  • Root certificate
  • Private key

Include all of the certificates in the PEM file, but not the private key. Otherwise, Git clients may receive the following error messages when doing operations against repositories:

https://helixteamhub.com/hth/projects/platform/repositories/git/insufficient-ssl-cert/': SSL certificate problem: unable to get local issuer certificate

or

error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing.
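The two Git errors above are what a client reports when the uploaded PEM file stops short of the chain it needs. The following Ruby script is an added example, not part of the Helix TeamHub product or its documentation: it inspects a PEM bundle offline, counts the certificates, flags a private key that should not be in the certificate file, and lists every certificate whose issuer is absent from the bundle. The root, intermediate and leaf certificates it generates are a constructed test fixture; `inspect_pem_bundle`, `issue_cert` and `build_test_chain` are names chosen for this example.

```ruby
require 'openssl'

# One PEM block with its label captured (CERTIFICATE, PRIVATE KEY, RSA PRIVATE KEY, ...).
PEM_BLOCK = /-----BEGIN ([A-Z ]+)-----.*?-----END \1-----/m

# Reports what a Git client's TLS stack will see in the uploaded PEM file:
# how many certificates it holds, whether a private key slipped in, and which
# issuers are missing (the cause of "unable to get local issuer certificate").
def inspect_pem_bundle(pem)
  certs = []
  private_key = false
  pem.to_enum(:scan, PEM_BLOCK).map { Regexp.last_match }.each do |m|
    if m[1].end_with?('PRIVATE KEY')
      private_key = true
    elsif m[1] == 'CERTIFICATE'
      certs << OpenSSL::X509::Certificate.new(m[0])
    end
  end

  # A certificate is covered when it is self-signed (a root) or when another
  # certificate in the bundle carries its issuer name and verifies its signature.
  missing = certs.reject { |c| c.issuer.to_s == c.subject.to_s }
                 .reject { |c| certs.any? { |i| i.subject.to_s == c.issuer.to_s && c.verify(i.public_key) } }
                 .map { |c| c.issuer.to_s }

  { certificates: certs.size, private_key_included: private_key, missing_issuers: missing }
end

# Constructed fixture for the demonstration (not a real TeamHub certificate):
# issues a certificate for `subject`, self-signed unless an issuer is given.
def issue_cert(subject, serial, issuer: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer ? issuer[:cert] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# Root CA -> intermediate CA -> server certificate for the TeamHub host (constructed).
def build_test_chain
  root  = issue_cert('/CN=Test Root', 1, ca: true)
  inter = issue_cert('/CN=Test Intermediate', 2, issuer: root, ca: true)
  leaf  = issue_cert('/CN=hth.example.com', 3, issuer: inter)
  { root: root, intermediate: inter, leaf: leaf }
end

if __FILE__ == $0
  if ARGV[0]
    # Usage: ruby inspect_pem_bundle.rb /path/to/uploaded.pem
    p inspect_pem_bundle(File.read(ARGV[0]))
  else
    chain = build_test_chain
    pems  = chain.transform_values { |c| c[:cert].to_pem }
    p inspect_pem_bundle(pems[:leaf] + pems[:intermediate] + pems[:root])   # complete chain
    p inspect_pem_bundle(pems[:leaf] + chain[:leaf][:key].to_pem)           # leaf only, key leaked
  end
end
```

Run it against the file you intend to upload: an empty missing_issuers list with private_key_included false is the state the troubleshooting tip asks for; a non-empty list names the intermediate or root certificate you still need to append.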

Configuring password settings

The following password settings are configured using the backend configuration flags.

Password expiration

Configure passwords for built-in authentication to expire a certain number of days after the last password change using the password_expire_days configuration flag.

The default value is 0 (zero): passwords never expire.

When you enable the feature for the first time, the last changed timestamp is set for accounts and the expiration period starts. Changing the password resets the period for the account. If you do not change the password before the expiration period ends, you can use the forgot password feature to request a link to the account's email to reset the password. Password expiration only affects users and collaborators; passwords do not expire for bots.

Company admins can disable password expiration for an account in the Account Details view. This is recommended for service accounts that are used with integrations and whose passwords are managed separately.

Tip

TeamHub sends out an email notification and displays a notification in the UI when the password is close to expiration. To configure how far in advance TeamHub notifies users of the password expiration, set the password_expire_notify flag.

Preventing password reuse

Prevent password reuse for built-in authentication with the password_expire_count flag, which sets the number of different passwords a user must set before they are allowed to reuse a password. This setting only affects users and collaborators.

The default value is 0 (zero): password reuse is allowed.

Password expiration notification

Enables TeamHub to send out an email notification and display a notification in the UI when a password is close to expiration. Set the number of days of warning users get with the password_expire_notify flag.

The default value is 7 days.
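To see how the three flags above interact (expiration period, warning window, reuse history, and the bot exemption), here is an added Ruby example; it is not TeamHub code and the account model, the flag values (90, 7 and 5 rather than the page's defaults of 0, 7 and 0), and the reading that the most recent password_expire_count passwords are blocked are assumptions made for the example. It stores the reuse history as salted PBKDF2 digests rather than passwords, and compares them in constant time.

```ruby
require 'date'
require 'openssl'

# Constructed example values for the three backend flags described above
# (the page's defaults are 0, 7 and 0 respectively).
PASSWORD_EXPIRE_DAYS   = 90   # 0 = passwords never expire
PASSWORD_EXPIRE_NOTIFY = 7    # days of warning before expiry
PASSWORD_EXPIRE_COUNT  = 5    # 0 = reuse allowed

# Minimal account model (an assumption for this example, not TeamHub's schema).
# kind is :user, :collaborator or :bot; password_history holds [salt, digest] pairs.
Account = Struct.new(:kind, :password_changed_at, :expiration_disabled,
                     :password_history, keyword_init: true)

# Classifies an account as :never, :ok, :expiring_soon or :expired.
# Bots and accounts whose expiration a company admin disabled are exempt.
def expiry_status(account, today: Date.today,
                  expire_days: PASSWORD_EXPIRE_DAYS, notify_days: PASSWORD_EXPIRE_NOTIFY)
  return :never if expire_days.zero? || account.kind == :bot || account.expiration_disabled

  days_left = (account.password_changed_at + expire_days - today).to_i
  return :expired       if days_left <= 0
  return :expiring_soon if days_left <= notify_days

  :ok
end

# Salted PBKDF2-HMAC-SHA256 digest, so the reuse history never stores passwords.
def password_digest(password, salt = OpenSSL::Random.random_bytes(16))
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000,
                                    length: 32, hash: 'sha256')
  [salt, digest]
end

# Constant-time comparison so timing does not reveal which history entry matched.
def same_digest?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True when the candidate matches one of the last `count` passwords.
# Assumed reading of password_expire_count; bots are not subject to the rule.
def reuse_blocked?(account, candidate, count: PASSWORD_EXPIRE_COUNT)
  return false if count.zero? || account.kind == :bot

  account.password_history.last(count).any? do |salt, digest|
    same_digest?(password_digest(candidate, salt).last, digest)
  end
end

# Records a password change: rejects reuse, appends to the history and
# restarts the expiration period.
def change_password!(account, new_password, today: Date.today, count: PASSWORD_EXPIRE_COUNT)
  if reuse_blocked?(account, new_password, count: count)
    raise ArgumentError, "password matches one of the last #{count} passwords"
  end
  account.password_history << password_digest(new_password)
  account.password_changed_at = today
  account
end

if __FILE__ == $0
  alice = Account.new(kind: :user, password_changed_at: Date.new(2024, 1, 1),
                      expiration_disabled: false, password_history: [])
  change_password!(alice, 'Correct-Horse-1', today: Date.new(2024, 1, 1))
  puts expiry_status(alice, today: Date.new(2024, 3, 26))   # expiring_soon (expires 2024-03-31)
  puts reuse_blocked?(alice, 'Correct-Horse-1')             # true
end
```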

Password entropy

The password_validation_entropy configuration flag defines the minimum entropy a password must have relative to the account's email, short_name, first_name, and last_name field values, measured using the Levenshtein algorithm.

  • -1: turns password entropy validation off. This is the default value.

  • 0 (zero): TeamHub only rejects the password if it is an exact match to one or more of the fields above.

  • A value greater than 0 (zero): defines the minimum threshold of similarity required for a password.

Password character requirements

The password_validation_format configuration flag defines the password format requirements for account password validation.

The default value is /(?=.*[[:upper:]])(?=.*[[:lower:]])(?=.*[[:digit:]]).*/: passwords must contain a minimum of one uppercase letter, one lowercase letter, and one digit.

To remove the requirement for a specific password validation format, set the password_validation_format configuration flag to /.*/ (which matches any password).

Password length requirements

The password_validation_range configuration flag defines the minimum and maximum length for account password validation.

The default value is 8..100: passwords must be a minimum of 8 and a maximum of 100 characters.
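The three validation flags (entropy, format, length) are easiest to reason about as one validator. The Ruby below is an added example, not TeamHub's own validation code: it uses the page's default regular expression and length range verbatim, implements Levenshtein distance itself, and reads the entropy flag as follows, which is an assumption about how the threshold is applied: -1 skips the check, 0 rejects only an exact match with a field value, and a positive value is the minimum edit distance the password must keep from every field value (comparison is case-sensitive). The account hash and the function names are constructed for the example.

```ruby
# Constructed example values: the defaults this page lists for the three flags.
PASSWORD_VALIDATION_ENTROPY = -1    # -1 off, 0 exact-match only, >0 minimum distance
PASSWORD_VALIDATION_FORMAT  = /(?=.*[[:upper:]])(?=.*[[:lower:]])(?=.*[[:digit:]]).*/
PASSWORD_VALIDATION_RANGE   = 8..100

# Levenshtein edit distance between two strings (classic two-row DP).
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev.last
end

# Entropy rule, as an assumed reading of the flag: -1 skips the check, 0 rejects
# only an exact match with a field value, a positive value is the minimum
# Levenshtein distance the password must keep from every field value.
def too_similar?(password, value, threshold)
  return false if threshold.negative? || value.nil? || value.empty?
  distance = levenshtein(password, value)
  threshold.zero? ? distance.zero? : distance < threshold
end

# Returns the list of validation errors (empty when the password is accepted).
# `account` is a Hash with :email, :short_name, :first_name and :last_name.
def validate_password(password, account, entropy: PASSWORD_VALIDATION_ENTROPY,
                      format: PASSWORD_VALIDATION_FORMAT, range: PASSWORD_VALIDATION_RANGE)
  errors = []
  errors << "length must be within #{range}" unless range.cover?(password.length)
  errors << 'does not match password_validation_format' unless format.match?(password)
  %i[email short_name first_name last_name].each do |field|
    errors << "too similar to #{field}" if too_similar?(password, account[field], entropy)
  end
  errors
end

if __FILE__ == $0
  # Constructed account values for the demonstration.
  jane = { email: 'jane.doe@example.com', short_name: 'jdoe', first_name: 'Jane', last_name: 'Doe' }
  p validate_password('Tr0ubadour-42', jane)                                    # []
  p validate_password('alllowercase1', jane)                                    # format error
  p validate_password('jdoe1', jane, entropy: 2, format: /.*/, range: 1..100)  # too similar to short_name
end
```

Note that with the default entropy value of -1 a password equal to the short_name is accepted as long as it satisfies the format and length rules; raising the flag to 0 catches the exact match and a positive value also catches near misses.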

Configuring nginx security

The following nginx security settings are configured using the nginx configuration flags.

Limiting access to the Admin UI by IP address

Limit access to the Admin user interface to specified IP addresses or CIDR (Classless Inter-Domain Routing) ranges using the admin_allowed_ips configuration flag.

The default value is []: all IP addresses have access to TeamHub Admin.

Limiting access to specific hosts

Specify the hosts that can connect to TeamHub by adding them to the allowed_hosts configuration flag. This mitigates host header injection attacks.

  • [] All hosts can connect to TeamHub. This is the default value.

  • ["https://other1.com", "https://other2.com"] An array of specific hosts that can connect to TeamHub.

Configuring Cross-Origin Resource Sharing (CORS)

Cross-Origin Resource Sharing controls the external domains that can be used with TeamHub. Set the cors_allowed_domains configuration flag to the external domains to use with TeamHub:

  • "*" An asterisk allows any domain. This is the default value.

  • "" An empty string disables CORS support.

  • ["https://other1.com", "https://other2.com"] An array of specific external domains to support for CORS.

For more information about CORS, see Cross-Origin Resource Sharing (CORS).
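The following Ruby is an added example, not TeamHub's or nginx's code, that evaluates the three flags above (admin_allowed_ips, allowed_hosts and cors_allowed_domains) against a request the way the page describes their values: an empty list means no restriction, CIDR entries match by range, allowed_hosts entries are compared by their host part, and for CORS "*" allows any origin, "" disables it, and an array allows only the listed origins. The flag values and hostnames are constructed, and the port-stripping and lower-casing of the Host header are assumptions for the example. Use it to check a planned configuration before applying it.

```ruby
require 'ipaddr'
require 'uri'

# Constructed example values for the three nginx configuration flags.
ADMIN_ALLOWED_IPS    = ['10.0.0.0/8', '203.0.113.7'].freeze   # [] = no restriction
ALLOWED_HOSTS        = ['https://hth.example.com'].freeze      # [] = any host
CORS_ALLOWED_DOMAINS = ['https://ci.example.com'].freeze       # "*" any, "" disabled

# Admin UI: a client may reach /admin only if its address falls inside one of
# the configured addresses or CIDR ranges; an empty list means no restriction.
def admin_ui_allowed?(client_ip, allowed = ADMIN_ALLOWED_IPS)
  return true if allowed.empty?
  ip = IPAddr.new(client_ip)
  allowed.any? { |entry| IPAddr.new(entry).include?(ip) }
end

# Host header check: compare the request's Host (port stripped, lower-cased)
# with the host part of each configured URL. Assumed normalisation for this example.
def host_allowed?(host_header, allowed = ALLOWED_HOSTS)
  return true if allowed.empty?
  requested = host_header.downcase.sub(/:\d+\z/, '')
  allowed.any? { |entry| URI.parse(entry).host&.downcase == requested }
end

# CORS: the value to send in Access-Control-Allow-Origin, or nil to send none.
def cors_allow_origin(origin, domains = CORS_ALLOWED_DOMAINS)
  case domains
  when '*'   then '*'
  when ''    then nil
  when Array then domains.include?(origin) ? origin : nil
  end
end

if __FILE__ == $0
  puts admin_ui_allowed?('10.42.0.9')                  # true (inside 10.0.0.0/8)
  puts admin_ui_allowed?('203.0.113.8')                # false
  puts host_allowed?('hth.example.com:443')            # true
  puts cors_allow_origin('https://ci.example.com')     # https://ci.example.com
  p    cors_allow_origin('https://ci.example.com', '') # nil (CORS disabled)
end
```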

Specifying enabled ciphers

Specify the nginx ciphers you want enabled in the ssl_ciphers configuration flag, in the format understood by the OpenSSL library.

The default nginx ciphers are:

EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

Enabling the SSL protocols to use

Specify the SSL protocols you want enabled using the ssl_protocols configuration flag.

The default value is TLSv1.2 TLSv1.3.

Enabling backups

Tip

For more information about managing backups and restoring backups, see Backups and restoration.

To enable backups, set the backup configuration flags as shown below:

Combo

  1. Merge the following configuration into /var/opt/hth/shared/hth.json. If the backend, mongodb, repos, or docker_registry keys already exist in the configuration, add the backup settings under those existing keys.

    {
      "backend": {
        "backups": true
      },
      "mongodb": {
        "backups": true
      },
      "repos": {
        "backups": true
      },
      "docker_registry": {
        "backups": true
      }
    }
    
  2. Apply the changes by reconfiguring TeamHub:

     sudo hth-ctl reconfigure
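Both this step and step 2 of Enabling MongoDB authentication ask you to add keys under sections of hth.json that may already exist, and a plain top-level merge would silently drop the keys already there (for example db_username and db_password under backend). The Ruby below is an added example, not a TeamHub tool: it deep-merges an overlay into the JSON text and lists the sections whose backups flag is on. The sample hth.json and its placeholder credential values are constructed; `merge_hth_json`, `deep_merge` and `backup_sections` are names chosen for this example.

```ruby
require 'json'

# Backup flags from the Combo procedure above.
BACKUP_FLAGS = {
  'backend'         => { 'backups' => true },
  'mongodb'         => { 'backups' => true },
  'repos'           => { 'backups' => true },
  'docker_registry' => { 'backups' => true }
}.freeze

# Recursive merge: nested hashes are merged key by key, so a setting added
# under an existing top-level key never replaces the keys already there.
def deep_merge(base, overlay)
  base.merge(overlay) do |_key, old, new|
    old.is_a?(Hash) && new.is_a?(Hash) ? deep_merge(old, new) : new
  end
end

# Merge `overlay` into the JSON text of hth.json and return the new JSON text.
def merge_hth_json(existing_json, overlay)
  JSON.pretty_generate(deep_merge(JSON.parse(existing_json), overlay))
end

# Lists the top-level sections whose "backups" flag is enabled.
def backup_sections(json_text)
  JSON.parse(json_text).select { |_k, v| v.is_a?(Hash) && v['backups'] == true }.keys
end

# Constructed sample of an existing hth.json with credentials already set
# (placeholder values, not a real configuration).
SAMPLE_HTH_JSON = <<~CONFIG
  {
    "backend": { "db_username": "hth_user", "db_password": "<placeholder>" },
    "mongodb": { "username": "hth_user", "password": "<placeholder>" },
    "app": { "email": "admin@example.com" }
  }
CONFIG

if __FILE__ == $0
  # Usage: ruby merge_hth_json.rb /var/opt/hth/shared/hth.json
  # Keeps a .bak copy, then run `sudo hth-ctl reconfigure` to apply the change.
  path = ARGV[0]
  if path
    original = File.read(path)
    File.write("#{path}.bak", original)
    File.write(path, merge_hth_json(original, BACKUP_FLAGS) + "\n")
  else
    puts merge_hth_json(SAMPLE_HTH_JSON, BACKUP_FLAGS)
  end
end
```

The same `deep_merge` call with an overlay of `{ 'backend' => { 'db_username' => ..., 'db_password' => ... }, 'mongodb' => { 'username' => ..., 'password' => ... } }` performs the MongoDB credential update without disturbing other backend settings.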

Cluster and High Availability

In Cluster and High Availability deployment, the TeamHub services are distributed across the server roles. To enable backups, activate the backup flags in /var/opt/hth/shared/hth.json on the appropriate servers. Make sure you add the backup settings under the existing keys if they already exist in the configuration.

Helix TeamHub DB

{
  "mongodb": {
    "backups": true
  }
}

By default, mailing is not configured for the DB node. To get notifications if failures occur during DB backups, you need to add the following:

  1. Configure the postfix section of hth.json to be identical with the one on your web node.
  2. Add the email that will receive the notifications to the app section of hth.json:

    {
      "app": {
        "email": "[email protected]"
      }
    }
    

Helix TeamHub Web

{
  "backend": {
    "backups": true
  },
  "repos": {
    "backups": true
  },
  "docker_registry": {
    "backups": true
  }
}

Apply the changes by reconfiguring TeamHub on each server:

sudo hth-ctl reconfigure