Securing FusionAuth services

FusionAuth Search

If FusionAuth Search is running on the same system as the FusionAuth App service and you’re only running a single instance of FusionAuth App then no external ports should be allowed for FusionAuth Search. In this scenario, FusionAuth App will access the Elasticsearch service on port 9021 on the localhost address. The default configuration should cause FusionAuth Search to only bind to 127.0.0.1 or other localhost addresses. See fusionauth-search.hosts in the Configuration Reference.

If FusionAuth App is installed on multiple servers and those servers can communicate across a private network using a site local address then the default FusionAuth Search Configuration will not bind to any public IP addresses. In this scenario you will need to allow access to ports 9020 and 9021 on the site local IP address.

It is not recommended to expose FusionAuth Search to any public network. If this is a requirement, then a firewall should be used to limit traffic to the service based upon the source and destination IP address.

To protect FusionAuth Search with HTTP basic authentication as well as a firewall, provide the username and password in the URL, like so: search.servers=http://user:password@myelasticsearchcluster.com. Support for basic authentication was introduced in version 1.16.

The 9020 port is utilized by Elasticsearch for internal communication including clustering. The 9021 port is the HTTP port utilized by FusionAuth App to make requests to the search index.

FusionAuth App

To access the FusionAuth UI you’ll need to open port 9011. If you have more than one instance of FusionAuth installed you will need to ensure that each instance of FusionAuth Backend can communicate on port 9011.