"Hardening" Retool Self-Hosted

Hi,

Wondering if people have any tips on securing Retool.

We're only allowing access from inside our network for now but I still want to make sure we're configuring the system to be as secure as reasonably possible (without compromising the functionality or diverting away from the standard settings too much).

We've set up SSL and SSO and this is working fine 🙂

I'd like to know if it's possible to remove the HTTP endpoint so it forces people to use HTTPS? If so, any tips on how would be great.

I've not yet looked at default permissions and security groups but I know I've some work to do there.

Anything else you kind folks can advise on as "best practice" in your experience.

Environment Deets:

  • Retool hosted on Ubuntu (VMware) running Docker
  • Predominantly a Microsoft Windows/Azure hybrid environment

Thanks,
Dave

Hey there! It looks like you were able to work on this with @ugo.ago but I just want to summarize here for anyone who might stumble across this thread!

In general, you'll want some kind of server/proxy to communicate with the front end that forces SSL. You can read more about how that works here. Something like https-portal in a docker container should do so by default.

Let me know if you were able to get things working or if there's any information missing @dcsearle 🙂

Thanks Kabirdas, and thanks @ugo.ago
The reverse proxy idea is one route, another is that we might look to black-hole http traffic destined for Retool's default port 3000 by using a load-balancer/firewall combination. I think either could work. Thanks for your advice.
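To make the reverse-proxy route concrete, here is an added example (not from this thread, and not Retool's or https-portal's own compose file) of https-portal terminating TLS in front of Retool. Two things in it carry the security point: the Retool container uses `expose:` rather than `ports:`, so port 3000 exists only on the internal Compose network and there is no plain-HTTP endpoint to remove; and only https-portal publishes 80 and 443, with 80 kept open purely so the proxy can redirect clients to HTTPS. The image name `tryretool/backend`, the hostname `retool.example.internal`, the `docker.env` file and the network/volume names are assumptions; take the real Retool service definitions and environment variables from Retool's own deployment docs.

```yaml
# Added example: TLS-terminating reverse proxy in front of Retool self-hosted.
# Not the thread's or Retool's own file; image tags, hostname and env file are assumptions.
version: "3.8"

services:
  retool:
    image: tryretool/backend:latest   # assumed image name; pin the tag Retool's docs specify
    env_file: ./docker.env            # Retool's own settings (ENCRYPTION_KEY, JWT_SECRET, DB creds) live here
    environment:
      SERVICE_TYPE: MAIN_BACKEND
    # 'expose' makes 3000 reachable only from other containers on this Compose network.
    # Do NOT write 'ports: - "3000:3000"' here: that publishes the port on every host
    # interface, and Docker's own iptables rules for published ports bypass ufw.
    expose:
      - "3000"
    networks:
      - retool-internal

  https-portal:
    image: steveltn/https-portal:1
    ports:
      - "80:80"     # open only so https-portal can answer plain HTTP with a redirect to https://
      - "443:443"
    environment:
      # Route the browser-facing hostname to the Retool container over the internal network.
      DOMAINS: 'retool.example.internal -> http://retool:3000'
      # 'local' issues a self-signed certificate, suitable for a host that is not
      # Internet-reachable; 'production' requests a Let's Encrypt certificate instead.
      STAGE: 'local'
    volumes:
      - https-portal-data:/var/lib/https-portal
    networks:
      - retool-internal
    depends_on:
      - retool

networks:
  retool-internal:

volumes:
  https-portal-data:
```

After `docker compose up -d`, a `curl -sI http://retool.example.internal/` should return a redirect to the `https://` URL, and `curl -sI http://<host-ip>:3000/` should fail to connect at all, which is the check that the HTTP endpoint is really gone rather than merely hidden behind a redirect. For an internal-only host the self-signed certificate from `STAGE: 'local'` will be flagged by browsers; https-portal also accepts an existing certificate placed in its data volume (see its README for the exact paths), which is the sensible choice when an in-house CA such as Windows AD CS can issue one. The same Docker-and-ufw caveat applies to the firewall approach: ufw rules do not see traffic to a port Docker has published, so if port 3000 is ever published on the host, blocking it has to be done in Docker's `DOCKER-USER` iptables chain or on an upstream firewall or load balancer, not in ufw alone.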