Securing FusionAuth services
Securing
If you’re installing FusionAuth on your own server, use the following guide as a baseline for securing the network services. If you need further assistance to secure FusionAuth, please ask a question in the FusionAuth forum or open an issue on Github. If you have a licensed edition you may open a support request from your account.
Required ports
See the Configuration Reference for more information on default port configuration. The documentation below assumes the default port configuration.
FusionAuth Search
If FusionAuth Search is running on the same system as the FusionAuth App service and you’re only running a single instance of FusionAuth
App then no external ports should be allowed for FusionAuth Search. In this scenario, FusionAuth App will access the Elasticsearch
service on port 9021
on the localhost
address. The default configuration should cause FusionAuth Search to only bind to 127.0.0.1
or other
localhost addresses. See fusionauth-search.hosts
in the Configuration Reference.
If FusionAuth App is installed on multiple servers and those servers can communicate across a private network using a site local address then
the default FusionAuth Search Configuration will not bind to any public IP addresses. In this scenario you will need to allow access to
ports 9020
and 9021
on the site local IP address.
It is not recommended to expose the FusionAuth Search service to any public network. If this is a requirement, then a firewall should be used to limit traffic based upon the source and destination IP address to the service.
The 9020
port is utilized by Elasticsearch for internal communication including clustering. The 9021
port is the HTTP port utilized by
FusionAuth App to make requests to the search index.
FusionAuth App
To access the FusionAuth UI you’ll need to open port 9011
. If you have more than one instance of FusionAuth installed you will need
to ensure that each instance of FusionAuth Backend can communicate on port 9011
.