Locking Down Access to Scalr Web Interface

I wanted to touch briefly on the security concerns of having Scalr accessible from the Internet. If you are running your own install of Scalr, this is an important factor to consider before even adding the first farm. For my own sake I will not get into my exact setup, but instead talk about a few approaches to locking down access to Scalr.

Possibly the best approach is to limit access to the Scalr interface to your internal network, requiring users to connect through OpenVPN or another VPN solution to reach internal resources, Scalr included. If you are hosting Scalr on an AWS instance, be sure to set the security group to allow only the port your VPN is running on. You can find a quick and dirty howto for OpenVPN on an EC2 instance at Google Books.

Another option is to use SSL together with mod_access (Apache 1.3), or its renamed equivalent in Apache 2.2, mod_authz_host, to limit who has access to the Scalr interface. You should at the very least use SSL to access Scalr. You can also add a layer of authentication for good measure using Apache Basic Authentication.
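As an added example (not from the original post or from the Scalr project), here is an Apache 2.2 configuration that puts all three layers in place: a plain-HTTP redirect so the UI is only ever served over SSL, a mod_authz_host rule restricting it to an internal range, and Basic Authentication on top. The hostname, file paths and the 10.0.0.0/8 range are assumed placeholders for your own environment.

```apache
# Added example, not Scalr's own config. Hostname, paths and the
# 10.0.0.0/8 range are placeholders; replace them with your own values.

# Plain HTTP: never serve the UI here, only redirect to HTTPS.
<VirtualHost *:80>
    ServerName scalr.example.internal
    Redirect permanent / https://scalr.example.internal/
</VirtualHost>

<VirtualHost *:443>
    ServerName scalr.example.internal
    DocumentRoot /var/www/scalr

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/scalr.crt
    SSLCertificateKeyFile /etc/ssl/private/scalr.key

    <Directory /var/www/scalr>
        # mod_authz_host (Apache 2.2): deny everyone, then allow only the
        # internal / VPN network. With "Order deny,allow" the Allow lines
        # override the Deny lines, so the net effect is "internal only".
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8

        # Second layer: Apache Basic Authentication against an htpasswd
        # file (create it with: htpasswd -c /etc/apache2/scalr.htpasswd admin).
        AuthType Basic
        AuthName "Scalr"
        AuthUserFile /etc/apache2/scalr.htpasswd
        Require valid-user

        # Require BOTH the address check and a valid login. "Satisfy all"
        # is the default; "Satisfy any" would let an internal address in
        # without a password, which defeats the second layer.
        Satisfy all
    </Directory>
</VirtualHost>
```

Because Basic Authentication sends the password base64-encoded rather than encrypted, the SSL layer is what keeps those credentials off the wire; do not enable the auth block on the port-80 vhost.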

Since Scalr controls the rest of your AWS setup, it is by far the one thing you want to lock down as much as possible.

One comment

  1. I’ve been thinking about this a little bit. It seems to me that Scalr + VPN-Cubed would be a very nice combination from a security and functionality standpoint.

    Your Scalr farms could be configured to connect via OpenVPN to the VPN-Cubed Managers in the respective geography.

    I haven’t tested this personally, just been thinking about it for a particular solution I’ve been working on myself.

    Kent
    http://www.productionscale.com (play)
    http://www.nscaled.com (work)
