GeoNetAgent, LDAPWeb, server-audit, server-connection
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1.6 KiB

Security — Zammad

Terakhir Diperbarui: 2026-07-02


Prinsip

  1. Secret tidak masuk Git.env, token API, LDAP password, OSS secret hanya di server
  2. Bucket privatezammad-attachments tanpa public ACL; akses via Zammad S3 credential saja
  3. HTTPS wajib — UI/API publik lewat nginx + wildcard SSL *.gisportal.id
  4. LDAP bind — gunakan service account dedicated jika memungkinkan (bukan Administrator produksi)
  5. API token FE — scope minimal; rotasi jika bocor

Credential map

Secret Lokasi Jangan commit
Zammad .env /opt/stacks/zammad/.env
OSS keys (reuse) /opt/stacks/geonet-console/.env
PostgreSQL password .env Zammad + backup vault
Zammad API token (FE) Zammad admin + FE .env terpisah

Network

Arah Port Catatan
Internet → nginx → Zammad 443 Hanya reverse proxy
Zammad → PostgreSQL 5432 Internal LAN 10.100.1.25
Zammad → LDAP 389 AD 10.100.1.40
Zammad → OSS 8010 HTTP internal (bukan publik)

Hardening (post-install)

  • Nonaktifkan signup publik (hanya LDAP)
  • Rate limit nginx pada /api/v1/
  • Backup DB terenkripsi + retention policy
  • Audit log Zammad untuk perubahan role/group

Referensi