How do I improve the security of my implementation?
This page describes options that help improve the security of your Qanary question answering system.
Enable Support for encrypted communication / Secure Sockets Layer SSL Support
The Qanary pipeline template and Qanary components can be started with SSL support. The required configurations are described below.
The necessary properties have to be set in the application.properties file or passed with the switch -D:
| Property | Description |
|---|---|
| | (boolean) enable SSL |
| | path to the key store that contains the SSL certificate |
| | password used to access the key store |
| | type of the key store (JKS or PKCS12) |
When using Docker containers, these settings should not be included in the image!
To enable SSL for a Qanary service running in a Docker container, use environment variables (they have the same semantics as the properties described above):
- SERVER_SSL_ENABLED
- SERVER_SSL_KEY-STORE
- SERVER_SSL_KEY-STORE-PASSWORD
- SERVER_SSL_KEY-STORE-TYPE
- SERVER_HOST (optional)
Make the key-store available within the container with the use of volumes.
Example:
- if
  - SERVER_SSL_KEY-STORE is set to /certificate/keystore.p12 (location inside the image), and
  - the keystore file is located in /home/user/local_certificate/ (location on your local machine),
- then pass -v /home/user/local_certificate/:/certificate/ when starting the container.
To enable SSL support for the currently implemented Python components (like the Expected Answer Type classification component), the following environment variables need to be set:
- SERVER_SSL_CERTIFICATE - path to the certificate file (.cert)
- SERVER_SSL_KEY - path to the key file (.key)
- SERVICE_HOST - HTTPS host address of the component
Use a volume to keep the certificate private:
-v /home/user/local_certificate/:/certificate/
When implementing this functionality for your own component, you may need to change how you start the service, depending on the framework used.
For example, when using Flask in combination with Gunicorn, the arguments --certfile and --keyfile need to be passed in order to start a service with SSL enabled.
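A startup check for a Python component along these lines, as an added example that is not part of the Qanary code: it reads the environment variables listed above and builds the Gunicorn command line only when the certificate and key are usable, so the service never falls back to plain HTTP. The app module app:app, the bind address, the owner-only permission check on the key file and the treatment of SERVICE_HOST as an https:// URL are assumptions made for illustration.

```python
import os
import stat


class TLSConfigError(RuntimeError):
    """The TLS settings are missing or unsafe; the service must not start."""


def gunicorn_tls_args(env=os.environ, app="app:app", bind="0.0.0.0:8443"):
    """Validate the TLS environment and return the Gunicorn command line.

    `app` and `bind` are assumed values for illustration, not Qanary defaults.
    """
    paths = {}
    for var in ("SERVER_SSL_CERTIFICATE", "SERVER_SSL_KEY"):
        path = env.get(var, "")
        if not path:
            # Fail closed: never fall back to plain HTTP when a variable is missing.
            raise TLSConfigError(f"{var} is not set")
        if not os.path.isfile(path):
            raise TLSConfigError(f"{var}={path!r} is not a file (volume not mounted?)")
        paths[var] = path

    # Added policy check: the private key should be readable by its owner only.
    key_mode = stat.S_IMODE(os.stat(paths["SERVER_SSL_KEY"]).st_mode)
    if key_mode & 0o077:
        raise TLSConfigError(f"key file mode {key_mode:o} allows group/other access")

    # Assumption: SERVICE_HOST is a full URL, so it has to use the https scheme.
    if not env.get("SERVICE_HOST", "").startswith("https://"):
        raise TLSConfigError("SERVICE_HOST must be an https:// address")

    return ["gunicorn",
            "--certfile", paths["SERVER_SSL_CERTIFICATE"],
            "--keyfile", paths["SERVER_SSL_KEY"],
            "--bind", bind, app]


if __name__ == "__main__":
    try:
        argv = gunicorn_tls_args()
    except TLSConfigError as err:
        raise SystemExit(f"refusing to start without TLS: {err}")
    os.execvp(argv[0], argv)  # replace this process with Gunicorn
```

Used as the container entrypoint, the script exits with an error when the certificate volume is not mounted instead of serving unencrypted traffic.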
You can configure access to /configuration and /applications to be password-restricted - redirecting the user to a login form - or deny web access completely.
The necessary properties have to be set in the application.properties file or passed with the switch -D:
| Property | Description |
|---|---|
| | |
| | (optional) username for allowed web access |
| | (optional) password for allowed web access |