Security of the Turbot Application

Request flow to Turbot

All requests to Turbot use HTTPS. HTTP is not supported.

Requests to Turbot flow through:

  1. HTTPS to an AWS Elastic Load Balancer (port 443). The ELB may be publicly available, but is often installed on private IP space only.

  2. HTTPS to EC2 instances running the Turbot AMI (port 443). Turbot EC2 instances are NOT publicly available.

  3. Turbot instances listen on port 443 with an nginx reverse proxy running in a docker container. Requests are forwarded via HTTPS to the Turbot application container on port 8443.

  4. The Turbot application receives HTTPS on port 8443 from the nginx reverse proxy.
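
One way to check a deployment against the first two hops of this flow, as an added example (not Turbot's own code). It assumes exposure is controlled with EC2 security groups and audits their ingress rules. The group IDs and rule data are constructed, and the input uses the shape of `aws ec2 describe-security-groups` output.

```python
import ipaddress

# RFC 1918 and IPv6 unique-local ranges; any other source CIDR counts as public.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_private(cidr):
    net = ipaddress.ip_network(cidr)
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE)

def audit_flow(groups, elb_sg, instance_sg):
    """Return findings where ingress rules deviate from the documented flow."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        if gid not in (elb_sg, instance_sg):
            continue
        for perm in g.get("IpPermissions", []):
            proto = perm.get("IpProtocol")  # "-1" means all protocols and ports
            ports = (perm.get("FromPort"), perm.get("ToPort"))
            if proto != "tcp" or ports != (443, 443):
                findings.append((gid, "not-443", f"{proto} {ports[0]}-{ports[1]}"))
            if gid != instance_sg:
                continue  # the ELB may be public, so its source CIDRs are not checked
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not is_private(cidr):
                    findings.append((gid, "public-source", cidr))
    return findings

# Constructed sample: an ELB group that also opens HTTP, and an instance
# group that accepts 443 from the ELB group and from the whole internet.
SAMPLE = [
    {"GroupId": "sg-elb-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-turbot-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": "sg-elb-example"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for finding in audit_flow(SAMPLE, "sg-elb-example", "sg-turbot-example"):
        print(finding)
```

An empty result means both groups accept only TCP 443 and the instance group has no public source range.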

Every request to Turbot is one of two types:

  1. Static files - handled without authentication and returned immediately.

  2. API requests - using a centralized model for data validation, permission checks and auditing.

The Turbot AMI

New Turbot versions are generally released every 1-2 weeks. Each release is packaged as an AMI for simple and automatic upgrade of customer installations.

This regular release cycle, combined with fixed versions, allows Turbot to test its releases carefully and eliminates software configuration drift in running clusters.

For each release, the Turbot AMI is configured as follows:

  1. The latest Ubuntu recommended AMI for AWS is used as a base.

  2. All security updates are applied.

  3. The latest version of docker is installed.

  4. The latest, standard docker containers are used for:
    • nginx
    • docker-gen
    • (redis - for standalone starter clusters)
  5. The Turbot application is built into a docker container.