You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1.6 KiB
1.6 KiB
Security — Zammad
Terakhir Diperbarui: 2026-07-02
Prinsip
- Secret tidak masuk Git —
.env, token API, LDAP password, OSS secret hanya di server - Bucket private —
zammad-attachmentstanpa public ACL; akses via Zammad S3 credential saja - HTTPS wajib — UI/API publik lewat nginx + wildcard SSL
*.gisportal.id - LDAP bind — gunakan service account dedicated jika memungkinkan (bukan Administrator produksi)
- API token FE — scope minimal; rotasi jika bocor
Credential map
| Secret | Lokasi | Jangan commit |
|---|---|---|
Zammad .env |
/opt/stacks/zammad/.env |
✅ |
| OSS keys (reuse) | /opt/stacks/geonet-console/.env |
✅ |
| PostgreSQL password | .env Zammad + backup vault |
✅ |
| Zammad API token (FE) | Zammad admin + FE .env terpisah |
✅ |
Network
| Arah | Port | Catatan |
|---|---|---|
| Internet → nginx → Zammad | 443 | Hanya reverse proxy |
| Zammad → PostgreSQL | 5432 | Internal LAN 10.100.1.25 |
| Zammad → LDAP | 389 | AD 10.100.1.40 |
| Zammad → OSS | 8010 | HTTP internal (bukan publik) |
Hardening (post-install)
- Nonaktifkan signup publik (hanya LDAP)
- Rate limit nginx pada
/api/v1/ - Backup DB terenkripsi + retention policy
- Audit log Zammad untuk perubahan role/group