Infrastructure requirements
This document describes the system infrastructure requirements that help mitigate security risks for Spryker Marketplace projects. When you host your Spryker application in SCCOS, these requirements are configured for you out of the box. If your system infrastructure (cloud PaaS or on-premise) is managed, you must ensure these security requirements are met.
Application resource visibility
The following table illustrates the visibility of the resources in the network:
| SERVICE | RESOURCES AVAILABLE | EXPOSED TO WAN? |
|---|---|---|
| MerchantPortal | PrimaryDatabase, QueueBroker, MerchantPortalSessionStorage | yes |
| Backoffice | PrimaryDatabase, QueueBroker, BackofficeSessionStorage | no, accessed through VPN |
| Scheduler | PrimaryDatabase, QueueBroker, Storage, Search | no, accessed through a Bastion |
| Glue | Storage, Search, Gateway | yes |
| Yves | Storage, Search, Gateway | yes |
The following diagram shows how visibility of resources relates to private and public network relationships:
Merchant Portal endpoints allowlisting
Merchant Portal is exposed to WAN and MUST NOT provide any Gateway or Back Office facilities.
In the web server configuration (AWS WAF can also be used), only the HTTP endpoints of MerchantPortalGui should be allowed. They all share the same prefix, matched by the pattern `/^[a-zA-Z-]+-merchant-portal-gui.*`; use this pattern as an allowlist in the Nginx or WAF configuration, with every other path denied.
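The following Nginx server block is an added example of that allowlist (not configuration shipped by Spryker): only paths matching the MerchantPortalGui prefix are proxied, and everything else falls through to a deny rule. The upstream name, hostname and port 9001 are assumptions for illustration; TLS certificate directives are left out.

```nginx
# Assumed upstream: the Merchant Portal application on one of the 900x ports.
upstream merchant_portal {
    server 127.0.0.1:9001;
}

server {
    listen 443 ssl;
    server_name merchant-portal.example.com;   # assumed hostname
    # ssl_certificate / ssl_certificate_key go here

    # Allowlist: the regex is evaluated against the URI path only (no query
    # string) and is case-sensitive. Only *-merchant-portal-gui routes reach
    # the application.
    location ~ ^/[a-zA-Z-]+-merchant-portal-gui.* {
        proxy_pass http://merchant_portal;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Default deny: Gateway, Back Office and any other path are not served
    # from this WAN-exposed host.
    location / {
        return 404;
    }
}
```

Nginx evaluates regex locations in order before the prefix `location /`, so the allow rule wins only for matching paths; verify the behaviour with a request to an allowed route and one to a non-matching path such as `/gateway` after each change.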
Merchant portal network
For the Merchant Portal to function properly, it should run in a dedicated public network, separate from the network where Yves and Glue run, with network access to the Database and QueueBroker. For details, see the diagram.
Firewall rules for the Merchant Portal (NACLs or Security groups)
To configure the Merchant Portal firewall correctly, use these rules:
| TYPE | SOURCE | DESTINATION | ACTION |
|---|---|---|---|
| SG / NACLs | Merchant Portal | Redis (session):6379 | Allow |
| SG / NACLs | Merchant Portal | RDS:3306 | Allow |
| SG / NACLs | Merchant Portal | RabbitMQ:5672 | Allow |
| SG / NACLs | Nginx | Merchant Portal:900x | Allow |
| Default rule | any | Merchant Portal | Deny |
Note the following:
- Security groups and host-based firewalls on the Redis, RDS, RabbitMQ, and Nginx sides must also implement matching "allow" rules for the Merchant Portal.
- Depending on the monitoring system used, you also need to implement "allow" rules for it.
Each application must use its own dedicated database credentials, with the following rights:

| USER | DATABASE USER RIGHTS |
|---|---|
| Scheduler | FULL ADMIN (create schema, create tables, drop tables, create users, etc.) |
| Gateway | CRUD for the tables |
| MerchantPortal | CRUD for the tables related to MerchantPortal. By default, the same as Gateway |
Storage and search
Each application must have the following user rights: