Necessary ports for open balena?

Hello.

I was searching for information about balena ports. By default the haproxy service has 80, 443 and 3128. My questions are:

  1. What is port 80 used for and is it necessary to open it on haproxy service in the balena docker compose?
  2. Which services are using 443?

Hello @something, first of all welcome to balena community. And you have a funny nickname : )

HAproxy is used as a load balancer for the system, and it opens ports 80, 443 and 3128. 80 is used for HTTP access to the API, registry, S3 and VPN services that listen on it. 443 is used for HTTPS access to all of these services.

HAproxy config is located here: https://github.com/balena-io/open-balena/blob/master/src/haproxy/haproxy.cfg

My teammates maintaining openBalena note that 443 is absolutely core and fundamental to the operation of openBalena, and 3128 is for the HTTP CONNECT proxy built into the VPN and is used for things like the balena-cli tunnel command. You could drop 80 but be aware that the API is coded to reject non-HTTPS traffic.

Hope these help and we are happy to answer any follow-up question.

Hi @gelbal! Thanks for the answer.

I have a few follow-ups, but then I thought that maybe I should first ask about the official documentation. I was looking at https://www.balena.io/docs/learn/welcome/security/ and it describes a lot of things that I’m a bit confused about, however I’m not sure how much of it applies to openBalena. I know that there is no dashboard in openBalena, however are some of the other things mentioned in that documentation also missing in openBalena (like two-factor authentication etc.)?

Hey @something,

The docs at that particular location are for balenaCloud, which is our managed service, rather than openBalena. openBalena is essentially the core components that balenaCloud is built upon, and as you say, because of this there are parts that are not present in it, including multi-user (and the dashboard, MFA, etc., which are all balenaCloud services).

There’s a small section called ‘What’s the difference between openBalena and balenaCloud?’ on the openBalena page that explains this. openBalena itself is based on the core components, the API, VPN, registry, S3 store, database and redis cache. It is intended as a single-tenant, self-hosted system that allows a CLI driven approach to managing device fleets, and is intended for communities that do not require additional features.

Please let me know if there are any questions in particular about openBalena you’d like answering!

Best regards,

Heds

Hello @hedss, thanks for the swift answer.

I followed the “getting started” tutorial, watched the YouTube video on deployment and managed to start the openBalena services locally (playing around with DNS CNAMEs). I now want to deploy it on a dedicated cloud server (fully understanding that openBalena is still in beta), however I’m not sure if I should follow the “getting started” tutorial for this also and what ports are safe to open. So:

  1. @gelbal mentioned that “80 is used for HTTP access to the API, registry, S3 and VPN services that listen on it”. If 443 already does the same, what is the differing purpose of port 80? The “getting started” tutorial showed balena generating a self-signed certificate; is 443 not used by default for the device-to-server communication?

  2. I also saw in the YouTube video that port 80 was used for Let's Encrypt renewals. Is using the “-c” option the preferred way, compared to the “getting started” tutorial where it creates a self-signed certificate? And in this case is port 80 only used for the Let's Encrypt updates?

Hi again @something,

I’ve spoken to one of the maintainers of openBalena, and you’re absolutely right. So, by default openBalena comes with port 80 open on the services so you can get up and running quickly without worrying about HTTPS. However, if you want to lock this down and ensure that only HTTPS is used, you can remove access by changing the src/haproxy/haproxy.cfg file and removing all the sections in the frontend-http definitions apart from the cert-provider backend, in effect that section will look like this:

frontend http-in
  mode http
  option forwardfor
  bind *:80
  reqadd X-Forwarded-Proto:\ http

  acl is_cert_validation path -i -m beg "/.well-known/acme-challenge/"
  use_backend cert-provider if is_cert_validation

Port 80 is required for the cert provider as you say, to allow LE to challenge the particular domain the certificate is being generated for.

Hope that helps!

Best regards,

Heds
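A small check for the hardening Heds describes, added here as an example and not code from the thread or from the openBalena project: it reads the `frontend http-in` section of an haproxy.cfg and reports every routing rule on the port-80 frontend other than the ACME challenge route to cert-provider. The two config texts are constructed samples; the `backend_api` route and `host_api` ACL in the permissive one are made up for illustration.

```python
import re

# Constructed sample: the hardened frontend quoted in the reply above,
# plus a minimal cert-provider backend so the file is self-consistent.
HARDENED_CFG = """\
frontend http-in
  mode http
  option forwardfor
  bind *:80
  reqadd X-Forwarded-Proto:\\ http

  acl is_cert_validation path -i -m beg "/.well-known/acme-challenge/"
  use_backend cert-provider if is_cert_validation

backend cert-provider
  server cert-provider cert-provider:80
"""

# Constructed sample: a permissive frontend that also sends plain-HTTP
# traffic to an API backend (the extra ACL, use_backend and
# default_backend lines are made up, not openBalena's real config).
PERMISSIVE_CFG = HARDENED_CFG.replace(
    "  use_backend cert-provider if is_cert_validation\n",
    "  use_backend cert-provider if is_cert_validation\n"
    "  acl host_api hdr_beg(host) -i api.\n"
    "  use_backend backend_api if host_api\n"
    "  default_backend backend_api\n",
)

ACME_PATH = "/.well-known/acme-challenge/"

def frontend_section(cfg, name):
    """Return the non-empty lines of 'frontend <name>', stopping at the
    next top-level section keyword."""
    lines, inside = [], False
    for line in cfg.splitlines():
        if re.match(r"^(frontend|backend|listen|defaults|global)\b", line):
            inside = line.startswith("frontend") and line.split()[1:2] == [name]
            continue
        if inside and line.strip():
            lines.append(line.strip())
    return lines

def port80_findings(cfg, name="http-in"):
    """List every rule on the port-80 frontend that is not the ACME route.
    An empty list means plain HTTP can reach only the cert-provider backend;
    everything else must arrive over 443."""
    findings = []
    for line in frontend_section(cfg, name):
        if line.startswith("acl ") and ACME_PATH not in line:
            findings.append(line)
        elif line.startswith("use_backend ") and "cert-provider" not in line:
            findings.append(line)
        elif line.startswith("default_backend "):
            findings.append(line)
    return findings
```

Run it against your own src/haproxy/haproxy.cfg after editing: an empty result confirms that the only thing still answered on port 80 is the Let's Encrypt challenge path.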

Thank you, I will try this out.