Updating firewall rules - DigitalOcean deployment

Initial deployment of Helix Core on DigitalOcean does not include any firewall rules. Anyone with valid Helix Core credentials can connect to the Helix Core Server.

As a best practice, implement a layered security approach to limit access.

Username and password for each user

Provide each user with their own Helix Core username and password.

Create a firewall and rules

Create a DigitalOcean firewall and rules, which are available at no charge. For information about adding a firewall and rules to your droplet, see the DigitalOcean help.

Inbound rule for SSH connections

Create an inbound firewall rule to restrict IP addresses for SSH connections to the Helix Core Server. Typically, only admin users need to access the server using SSH. Use the following values for this rule:

| Field | Value |
|---|---|
| Type | Custom |
| Protocol | SSH |
| Port Range | 22 |
| Source | Admin's IP address. Go to whatismyipaddress.com and use the IPv4 value, or ask the admin user to do this from their computer and provide you with the value. |

Inbound rule for TCP/IP connections

Create a firewall with an inbound rule for TCP port 1666 that is open to all traffic. If you need extra security, you can add specific IP addresses. Allowing access from specific IP addresses restricts access to your Helix Core Server to only users from those IP addresses, which increases security, but is difficult to maintain. You will have to update the rules any time a user needs to connect from a different public IP address, so this may not be the best option to support users who do not have a static IP address, such as users working remotely.

Use the following values for this rule:

| Field | Value |
|---|---|
| Type | Custom |
| Protocol | TCP |
| Port Range | 1666 |
| Source | All IPv4 or create individual rules for each specific IP address to allow. |
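
The two inbound rules above can also be created from the command line with DigitalOcean's `doctl` CLI. The following is an added example, not part of the original documentation or vendor code: the function names and the firewall name `helix-core-inbound` are hypothetical, and the addresses shown in the usage comment are constructed documentation-range values. It validates every source address before building the rule string, so a typo cannot end up in the firewall definition.

```shell
#!/bin/sh
# Added example (not vendor code). Function names and the firewall name are
# hypothetical; sample addresses come from the RFC 5737 documentation ranges.

# valid_ipv4 ADDR: succeed only for a dotted quad with each octet in 0-255.
valid_ipv4() (
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;   # empty, stray characters, empty octet
  esac
  IFS=.
  set -- $1                              # split the address on dots
  [ $# -eq 4 ] || exit 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
  done
)

# build_inbound_rules ADMIN_IP [CLIENT_IP...]
# Prints the value for doctl's --inbound-rules flag:
#   TCP 22 (SSH) from the admin address only;
#   TCP 1666 (Helix Core) from each CLIENT_IP, or from all IPv4 if none given.
build_inbound_rules() (
  admin=${1:-}
  [ $# -gt 0 ] && shift
  valid_ipv4 "$admin" || { echo "invalid admin IP: $admin" >&2; exit 1; }
  rules="protocol:tcp,ports:22,address:$admin/32"
  if [ $# -eq 0 ]; then
    rules="$rules protocol:tcp,ports:1666,address:0.0.0.0/0"
  fi
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "invalid client IP: $ip" >&2; exit 1; }
    rules="$rules protocol:tcp,ports:1666,address:$ip/32"
  done
  printf '%s\n' "$rules"
)

# create_helix_firewall DROPLET_ID ADMIN_IP [CLIENT_IP...]
# Needs an authenticated doctl. Only the inbound rules from this page are set;
# outbound rules are not covered here.
# Usage: create_helix_firewall <droplet-id> 203.0.113.10 198.51.100.7
create_helix_firewall() (
  droplet=$1
  shift
  rules=$(build_inbound_rules "$@") || exit 1
  doctl compute firewall create --name helix-core-inbound \
    --droplet-ids "$droplet" --inbound-rules "$rules"
)
```

Run `build_inbound_rules` on its own first to review the rule string before passing it to `create_helix_firewall`.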