2022-11-18 - Sys Ops & Management SIG Agenda and Meeting notes

Date

18 Nov 2022

Topics

Possible protection mechanisms for webserver traffic

Attendees

- Ingolf Kuss Tod Olson Stewart Engart jpnelson Nils Olof Paulsson Steffen Köhler Florian Gleixner Carol Sterenberg

Time

Item

Who

Notes

5

Welcome

Ingolf

Tod Olson

nginx ingress control / webserver traffic protection mechanisms

Ingolf, Axel Dörrer

Best Practices for running FOLIO behind an nginx server. Ingress control.

This has been partially discussed in FOLIO Security Team
A ticket (spike) about this topic: [FOLIO-3615] Spike - possible protection mechanisms on web server or network traffic level - FOLIO Issue Tracker
A wiki page to collect ideas about Possible protection mechanisms on web server or network traffic level
Could be explored in a subgroup of SysOps
- Steffen, Axel, Ingolf, Nils
Ingolf: locally disallowing

Chicago: Review firewalling, Z39.50 is intentionally available to the public. External-facing edge modules (e.g. Z39.50, NCIP) deployed on bastion host.

At Stanford FOLIO is run inside the VPN. Available to staff members.

LUL & Bavaria will / have probably opened the system worldwide.

There is the possibility that people will work from home and are not in a VPN.

What are the access policies of the institutions? Chicago has to restrict access to VPN. That is a requirement of the university. The core of Okapi is a little more protected than the edge modules.

Ingolf: multi-tenant environments. You just have one Okapi for multiple tenants.

Nils: (Chicago setup) That will not prevent the problem. VPN limits the number of users that could cause the problem. But to avoid problems set up a firewall rule. No access to the other urls (url = Okapi end point). Dynamic access rules. Only the /login endpoint is open to anyone.

Topics for next meetings

Ingolf

Re-consult with the ARLEF group

Status of integration needs

See List of Integrations.

Some things need to be done quickly.

We want to invite Uwe (or someone from his group) for Discovery integration. This one part of what we want to review what the ARLEF group has collected in the Wiki.

Review the roadmap issues

Last time, when Kirstin checked in to our group, she drew our attention to the FOLIO Roadmap.

There are a number of issues under the umbrella [ROAD-80] Deployment and Operational needs - FOLIO Issue Tracker which have been collected by us in the late last year. In the Roadmap, these issues have not been appointed to some specific year, but just appointed to "in the future". We did not cycle back on those issues since late last year, so let us do that now.

I had picked up the documentation stuff, and Jeremy picked up two issues, but it is clear that he needs support to accomplish these goals.

We will take on [ROAD-87] Improve logging across the platform - FOLIO Issue Tracker . There has been a proposal.

Go in more detail for some of these issues. Look at it in more detail offline between the meetings and then pick up some issues which we think can take on. Start with the "improve logging" issue.

Action items

Type your task here, using "@" to assign to a user and "//" to select a due date