Network Security Architecture¶
Digital Rebar Provision exposes several network services required for provisioning. Understanding which ports are needed, why they exist, and how to restrict them is essential for secure deployments.
Port Exposure¶
DRP requires the following ports to be accessible. Firewall rules should restrict source addresses appropriately — machines being provisioned need access to provisioning ports; administrators need access to the API port.
| Port | Protocol | Service | Required |
|---|---|---|---|
| 53 | TCP/UDP | DNS | Optional (DNS plugin) |
| 67 | UDP | DHCP | Optional (can use external DHCP) |
| 69 | UDP | TFTP | Provisioning |
| 4011 | UDP | BINL/PXE | Optional (replaces PXE in some firmware) |
| 8080 | TCP | Prometheus Metrics | Optional |
| 8090 | TCP | HTTPS File Server | Provisioning |
| 8091 | TCP | HTTP File Server | Provisioning |
| 8092 | TCP | HTTPS API + UI | Always |
| 8093 | TCP | RAFT (HA) | HA deployments only |
Why Multiple File Server Ports?¶
- 8090 (HTTPS) — Dynamic file server with template expansion; used by machines during provisioning
- 8091 (HTTP) — Static file server; used for large ISO/image downloads where TLS overhead is undesirable
- Both are needed because some boot firmware cannot handle HTTPS, and TLS termination adds CPU load at scale
TLS¶
The API port (8092) and the HTTPS file server (8090) use TLS. DRP can be configured with custom certificates for both. By default, DRP generates a self-signed certificate at startup.
For machine-to-DRP communication during provisioning, machines receive the DRP CA certificate injected into their boot environment via template expansion, enabling certificate validation.
Network Segmentation Design¶
A typical secure deployment separates:
- Management network — Administrators access port 8092 (API/UI); DRP may access machines on port 22 (SSH) or 443 (HTTPS) for outbound integrations
- Provisioning network — Machines being provisioned access ports 53, 67, 69, 4011, 8090, 8091, 8092
- HA network — DRP nodes communicate on port 8093; can be on a dedicated management network
In air-gapped environments, all provisioning traffic stays on the provisioning network with no internet access required (DRP serves all content locally).
Guacamole Console Proxy¶
DRP can proxy SSH console access to provisioned machines through the API port (8092), eliminating the need for direct SSH access from operator workstations to machines:
Browser → RackN Portal → API (8092/ws) → DRP Endpoint → guacd (4822/local) → SSH to machine
This means only the DRP endpoint needs network access to machines on port 22 — operators connect through the DRP API. See Endpoint Architecture for the full connection path.
Machine Token Security¶
Machines receive short-lived tokens generated at template expansion time. These tokens are scoped to the minimum permissions needed:
- Discovery tokens — Can only create and get machines; used during initial Sledgehammer boot
- Operations tokens — Can modify only the specific machine they belong to; used by the runner during task execution
These tokens cannot be generated by API users — they are only created by DRP's internal template engine. See Token Mechanics for details.
See Also¶
- Endpoint Architecture — Full port table and firewall configuration examples (iptables, firewalld)
- Authentication & Authorization — RBAC model for API access control
- Secure Parameters — Protecting secrets at rest
- Administrator Guide — TLS certificate configuration and firewall setup