Securing CleanSpeak services

Overview

If you’re installing CleanSpeak on your own server, use the following guide as a baseline for securing the services. Please contact support@cleanspeak.com if you have additional questions.

Required ports

See the Configuration Reference for more information on default port configuration. The documentation below assumes the default port configuration.

CleanSpeak Management Interface

To access CleanSpeak Management Interface you’ll need to open port 8011.

CleanSpeak Webservice

To access the CleanSpeak API you’ll need to open port 8001.

CleanSpeak Search Engine

Suppose CleanSpeak Search Engine is running on the same system as the CleanSpeak Management Interface or CleanSpeak Webservice. If you’re only running a single instance of CleanSpeak, then no external ports should be allowed for CleanSpeak Search Engine. In this scenario, CleanSpeak Management Interface and CleanSpeak Webservice will access the Elasticsearch service on port 8020 on the localhost address, and traffic to ports 8020 and 8021 can be blocked from any address with the exception of the localhost.

If CleanSpeak services are installed on multiple servers, and those servers can communicate across a private network using a site-local address, then in this scenario, you will need to allow access to ports 8020 and 8021 on the site-local IP address in addition to the localhost address.

It is not recommended to expose the CleanSpeak Search Engine service to any public network. If this is a requirement, then a firewall should be used to limit traffic based upon the source and destination IP address to the service.

The 8020 port is utilized by Elasticsearch for internal communication, including clustering. The 8021 port is the HTTP port exposed by Elasticsearch for API requests to the search index. Elasticsearch for API requests to the search index.