Security Configuration

This page describes the security configurations recommended for safe operation of Fess in production environments.

Danger

Security is Critical

In production environments, it is strongly recommended to implement all security configurations described on this page. Failure to implement proper security configurations increases the risk of unauthorized access, data breaches, and system compromise.

Essential Security Configurations

Change Administrator Password

The default administrator password (admin / admin) must be changed.

Procedure:

  1. Log in to the admin screen: http://localhost:8080/admin

  2. Click “User” → “User”

  3. Select the admin user

  4. Set a strong password

  5. Click the “Update” button

Note

Once you have changed the password from admin, you cannot set it back to a simple value such as admin (a blacklist of administrator passwords is configured via password.invalid.admin.passwords). You can also change the initial password of the admin user before the first startup by setting index.user.initial_password in fess_config.properties.

Recommended Password Policy:

Fess provides a built-in feature that enforces the minimum/maximum password length and character-type requirements. Configure the following properties in fess_config.properties (defaults in parentheses):

  • password.min.length (default: 8): Minimum length. 12 or more is recommended.

  • password.max.length (default: 100): Maximum length.

  • password.require.uppercase (default: false): Require uppercase letters.

  • password.require.lowercase (default: false): Require lowercase letters.

  • password.require.digit (default: false): Require digits.

  • password.require.special.char (default: false): Require symbols.

Note

By default, the minimum length is 8 and all character-type requirements are disabled. To strengthen passwords, set the properties above explicitly. Note that Fess has no password expiration (forced periodic change) feature; if you want to enforce periodic password changes as an operational rule, do so manually.

Enable OpenSearch Security Plugin

Procedure:

  1. Remove or comment out the following line from opensearch.yml:

    # plugins.security.disabled: true
    
  2. Configure the security plugin:

    plugins.security.allow_default_init_securityindex: true
    plugins.security.authcz.admin_dn:
      - CN=admin,OU=SSL,O=Test,L=Test,C=DE
    
  3. Configure TLS/SSL certificates

  4. Restart OpenSearch

  5. Configure the connection to OpenSearch on the Fess side.

    Specify the connection URL with the SEARCH_ENGINE_HTTP_URL environment variable (edit bin/fess.in.sh or the service environment file; the default value comes from search_engine.http.url in fess_config.properties):

    SEARCH_ENGINE_HTTP_URL=https://opensearch:9200
    

    Specify the credentials with the following properties in fess_config.properties (there are no SEARCH_ENGINE_USERNAME / SEARCH_ENGINE_PASSWORD environment variables):

    search_engine.username=admin
    search_engine.password=<strong_password>
    

For details, refer to the OpenSearch Security Plugin.

Enable HTTPS

HTTP communication is not encrypted and poses risks of eavesdropping and tampering. Always use HTTPS in production environments.

Method 1: Using a Reverse Proxy (Recommended)

Deploy Nginx or Apache in front of Fess for HTTPS termination.

Nginx configuration example:

server {
    listen 443 ssl http2;
    server_name your-fess-domain.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Method 2: Configure HTTPS in Fess Itself

Add the following to tomcat_config.properties:

tomcat.secure=true
tomcat.scheme=https
tomcat.SSLEnabled=true
tomcat.certificateKeystoreFile=[path to keystore file]
tomcat.certificateKeystorePassword=[password specified when creating the keystore file]
tomcat.certificateKeyAlias=[certificate alias]
tomcat.sslProtocol=[SSL protocol (e.g., TLS)]
tomcat.enabledProtocols=list of enabled protocols (comma-separated) (e.g., TLSv1.2,TLSv1.1,TLSv1)

Data Protection

Encrypt Backups

Backup data may contain sensitive information. Store backup files encrypted.

Encrypted backup example:

$ tar czf fess-backup.tar.gz /var/lib/opensearch /etc/fess
$ gpg --symmetric --cipher-algo AES256 fess-backup.tar.gz

Security Best Practices

Principle of Least Privilege

  • Do not run Fess and OpenSearch as the root user

  • Run with a dedicated user account

  • Grant minimum necessary filesystem permissions

Network Isolation

  • Deploy OpenSearch in a private network

  • Use VPN or private networks for internal communication

  • Deploy only the Fess web interface in a DMZ

Regular Security Audits

  • Regularly review access logs

  • Detect abnormal access patterns

  • Conduct regular vulnerability scans

Security Header Configuration

Configure security headers in Nginx or Apache as needed:

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'" always;

Security Checklist

Before deploying to production, verify the following checklist:

Basic Configuration

  • [ ] Administrator password changed

  • [ ] HTTPS enabled

  • [ ] Default port numbers changed (optional)

Network Security

  • [ ] Unnecessary ports closed with firewall

  • [ ] Admin screen access IP restricted (if possible)

  • [ ] OpenSearch access restricted to internal network only

Access Control

  • [ ] Configured roles and access permissions appropriately (grant the administrator role only to necessary users)

  • [ ] Unnecessary user accounts removed

  • [ ] Password policy configured

Monitoring and Logging

  • [ ] Confirmed that audit logging is enabled

  • [ ] Log retention period configured

  • [ ] Log monitoring mechanism established (if possible)

Backup and Recovery

  • [ ] Regular backup schedule configured

  • [ ] Backup data encrypted

  • [ ] Restore procedures validated

Updates and Patch Management

  • [ ] Security update notification mechanism established

  • [ ] Update procedures documented

  • [ ] Test environment established for update validation

Security Incident Response

Response procedure when a security incident occurs:

  1. Incident Detection

    • Log review

    • Abnormal access pattern detection

    • System behavior anomaly verification

  2. Initial Response

    • Identify scope of impact

    • Prevent damage escalation (stop relevant services, etc.)

    • Preserve evidence

  3. Investigation and Analysis

    • Detailed log analysis

    • Identify intrusion routes

    • Identify potentially leaked data

  4. Recovery

    • Fix vulnerabilities

    • Restore systems

    • Strengthen monitoring

  5. Post-Incident Response

    • Create incident report

    • Implement recurrence prevention measures

    • Report to stakeholders

Reference Information

For security questions or issues, please contact: