Host/Port Configuration Help Needed


Khuong Vu

Nov 4, 2025, 2:07:20 PM
to Archivesspace_Users_Group, Amanda Dalgleish, Roger Delgado, Lauren Magnuson

Hi ArchivesSpace Community Members,

 

Identify the Problem:

  1. Campus IT's InfoSec unit currently challenges the statement: "The library's technology unit has no publicly exposed ports for the ArchivesSpace API."
  2. Campus IT's InfoSec unit ran the command: sudo netstat -antelop | sed -n '2p; /8089/p' and noted the first line's Local Address of 0.0.0.0:8089. This indicates that the application will accept a connection from any host on the internet.

NOTE: 8089 is the port used by the ArchivesSpace API.

 

Describe the Outcome:

The netstat output shows the ArchivesSpace API binding to 0.0.0.0:8089.

 

Explore Possible Strategies:

We can configure MySQL, Apache, and ArchivesSpace to bind exclusively to the loopback address (127.0.0.1).

 

Anticipate Outcomes and Act:

We anticipated that configuring ArchivesSpace's config.rb file to bind to 127.0.0.1 would result in the following netstat output:

    Proto  Recv-Q  Send-Q  Local Address   Foreign Address  State   User  Inode     PID/Program name  Timer
    tcp    0       0       127.0.0.1:8089  127.0.0.1:*      LISTEN  0     10807013  1128186/java      off (0.00/0/0)

 

But We Get:

However, the command still returns:

    Proto  Recv-Q  Send-Q  Local Address   Foreign Address  State   User  Inode     PID/Program name  Timer
    tcp    0       0       0.0.0.0:8089    0.0.0.0:*        LISTEN  0     10807013  1128186/java      off (0.00/0/0)

 

Look and Learn:

How can we resolve this configuration issue to satisfy Campus IT (InfoSec unit) and definitively support the statement: "The library's technology unit has no publicly exposed ports for the ArchivesSpace API"?

 

 

 

Khuong Vu (Application Development Coordinator, [he|him|his])

University Library, California State University San Marcos

 

San Marcos, California, is on the traditional territory and homelands of the Luiseño/Payómkawichum people: Luiseño (Loo-sin-yo) and Payómkawichum (Pie-yom-ko-wi-shum)
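
An added example (not part of the original post and not ArchivesSpace code): a shell function that reads `netstat -ant`-style output, like that produced by the command quoted above, and reports whether a port's listeners are bound to loopback, a wildcard address, or one specific interface. The function names, the exit codes and the 3306 sample line are assumptions made for illustration.

```shell
#!/bin/sh
# classify_listeners PORT  (reads `netstat -ant`-style lines on stdin)
# Prints "<scope> <local-address>" for each LISTEN socket on PORT, where scope is
#   loopback  127.0.0.0/8 or ::1, reachable only from the host itself
#   wildcard  0.0.0.0, :: or *, bound on every interface of the host
#   specific  bound to one named interface address
# Exit status: 0 = loopback only, 1 = some non-loopback listener, 2 = no listener.
classify_listeners() {
    awk -v port="$1" '
        # Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State ...
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next        # port follows the last ":"
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "::1")
                scope = "loopback"
            else if (host == "0.0.0.0" || host == "::" || host == "*")
                scope = "wildcard"
            else
                scope = "specific"
            if (scope != "loopback") exposed = 1
            found = 1
            print scope, addr
        }
        END {
            if (!found) exit 2
            exit (exposed ? 1 : 0)
        }
    '
}

# Constructed sample input: the 8089 line mirrors the output quoted in the post;
# the 3306 line is an invented loopback-only listener for contrast.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address  Foreign Address State  User Inode PID/Program name Timer
tcp   0      0      0.0.0.0:8089   0.0.0.0:*       LISTEN 0 10807013 1128186/java off (0.00/0/0)
tcp   0      0      127.0.0.1:3306 0.0.0.0:*       LISTEN
EOF
}

sample_netstat | classify_listeners 8089 || echo "port 8089 is not loopback-only (status $?)"
```

A wildcard bind means the socket accepts connections on every interface of the host; whether remote hosts can actually reach it also depends on host and network firewalls, which netstat does not show.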

 

Will Martin

Nov 4, 2025, 2:19:30 PM
to Archivesspace_Users_Group
Have you considered using a firewall rule to reject connections to port 8089 from anywhere except localhost?

Joshua D. Shaw

Nov 4, 2025, 2:26:48 PM
to Archivesspace_Users_Group
Seconding the firewall idea. We have rules that only allow a few select IPs to access 8089.
Joshua


Schanz, Megan

Nov 4, 2025, 2:28:56 PM
to Archivesspace_Users_Group
We've restricted access to the API through the Nginx configuration file.

The default configuration allows all traffic through and just acts as a proxy (non-docker method, Docker method).

We use the Docker installation method, but looking at our config you can get a general idea of how we do restrict the access:  we allow through Docker network traffic and our staff's IP ranges, then block everything else.

- Megan

