Overview
Comprehensive security guide for protecting your UltraBalancer deployment in production environments.
TLS/SSL: HTTPS and certificate management
Access Control: Authentication and authorization
Rate Limiting: DDoS protection
Hardening: System security hardening
TLS Termination
UltraBalancer currently does not have built-in TLS support. Use a reverse proxy like Nginx or Caddy for TLS termination.
TLS with Nginx
Place Nginx in front of UltraBalancer for HTTPS:
upstream ultrabalancer {
    # UltraBalancer's plain-HTTP listener; Nginx terminates TLS in front of it
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://ultrabalancer;
        proxy_set_header Host $host;
        # Client address as seen by Nginx (replaces anything the client sent)
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any X-Forwarded-For the client already supplied
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
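Because X-Forwarded-For is set with $proxy_add_x_forwarded_for, Nginx appends the address it saw to whatever the client already sent, so only the rightmost entry is trustworthy, and only if port 8080 is reachable from Nginx alone (which is what the firewall rules below enforce). The following Python example is added to this guide and is not UltraBalancer code; it shows how a backend or log consumer behind this Nginx configuration should derive the client address. The trusted-proxy list and the sample headers are assumptions.

```python
import ipaddress

# Constructed example (not UltraBalancer code): the only proxy allowed to reach
# UltraBalancer's port 8080 is Nginx on loopback, per the firewall rules in this guide.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def _is_trusted(addr: str) -> bool:
    """True if addr is a valid IP inside one of the trusted proxy ranges."""
    try:
        return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:  # not an IP at all (e.g. "unknown"), so never trusted
        return False


def client_ip(peer_addr: str, headers: dict) -> str:
    """Address to use for access logs and rate limiting.

    peer_addr is the TCP peer that connected to UltraBalancer. If it is not a
    trusted proxy (someone bypassed Nginx and hit 8080 directly), forwarding
    headers are ignored. Otherwise walk X-Forwarded-For from the RIGHT, skip the
    hops we trust, and return the first untrusted one: that is the address the
    last trusted proxy actually observed, and the only entry clients cannot forge.
    """
    if not _is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops + [peer_addr]):
        if not _is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break  # malformed entry right next to our proxy: fall back to the peer
    return peer_addr


def naive_client_ip(peer_addr: str, headers: dict) -> str:
    """The common mistake: trust the LEFTMOST entry, which the client wrote itself."""
    xff = headers.get("X-Forwarded-For", "")
    return xff.split(",")[0].strip() if xff else peer_addr
```

If a CDN or a second proxy sits in front of Nginx, add its ranges to TRUSTED_PROXIES and the same right-to-left walk still yields the real client.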
TLS with Caddy
Caddy provides automatic HTTPS:
example.com {
reverse_proxy localhost:8080
}
Caddy automatically obtains and renews Let’s Encrypt certificates.
Firewall Configuration
UFW (Ubuntu)
# If you administer the host over SSH, allow it first or "ufw enable" will cut your session
sudo ufw allow 22/tcp
# Allow HTTPS
sudo ufw allow 443/tcp
# Restrict metrics endpoint to monitoring subnet
sudo ufw allow from 10.0.0.0/8 to any port 8080 proto tcp
# Enable firewall (default policy denies other incoming traffic; loopback stays allowed)
sudo ufw enable
iptables
# Accept loopback first, so Nginx can still reach UltraBalancer on 127.0.0.1:8080
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow HTTPS
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Restrict metrics: only the monitoring subnet may reach 8080, everything else is dropped
sudo iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 8080 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
# Save rules (the redirect must run as root too; /etc/iptables/rules.v4 is what iptables-persistent restores at boot)
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
Security Hardening
Run as Non-Root User
# Create dedicated system user with no login shell
sudo useradd -r -s /bin/false ultrabalancer
# Set ownership
sudo chown -R ultrabalancer:ultrabalancer /etc/ultrabalancer
sudo chown -R ultrabalancer:ultrabalancer /var/log/ultrabalancer
# Run as user
sudo -u ultrabalancer ultrabalancer -c /etc/ultrabalancer/config.yaml
File Permissions
# Restrict config file: owned by root, readable only by the ultrabalancer group
# (640 rather than 600, otherwise the non-root ultrabalancer user cannot read its own config)
sudo chown root:ultrabalancer /etc/ultrabalancer/config.yaml
sudo chmod 640 /etc/ultrabalancer/config.yaml
# Restrict TLS private key: only root (the Nginx master process) needs to read it
sudo chown root:root /etc/ssl/private/server.key
sudo chmod 600 /etc/ssl/private/server.key
Best Practices
Security Checklist
✓ Use Nginx/Caddy for TLS termination
✓ Restrict metrics endpoints with firewall
✓ Run as non-root user
✓ Enable firewall rules
✓ Apply security updates regularly
✓ Monitor access logs
✓ Configure rate limiting if needed
✓ Secure file permissions