Networking & Firewall Configuration
This guide explains ACT’s network architecture and the firewall configuration required for secure operation.
Required Ports
ACT requires only the following ports to be open on your servers:
| Port | Protocol | Purpose | Required |
|---|---|---|---|
| 22 | TCP | SSH - Server management and deployments | Yes |
| 80 | TCP | HTTP - Web traffic (redirects to HTTPS) | Yes |
| 443 | TCP | HTTPS - Secure web traffic | Yes |
| 51820 | UDP | WireGuard - Private Mesh Networking | Yes |
Optional Ports
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 8080 | TCP | ACT API (if not reverse proxied) | Should be firewalled in production |
UFW Configuration
During server commissioning, ACT automatically configures UFW (Uncomplicated Firewall) with the following rules:
```bash
# ACT's automatic UFW configuration
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp     # SSH
ufw allow 80/tcp     # HTTP
ufw allow 443/tcp    # HTTPS
ufw allow 51820/udp  # WireGuard Mesh
ufw enable
```
Manual UFW Configuration
If you need to configure UFW manually:
```bash
# Reset to defaults
sudo ufw reset

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow required ports
sudo ufw allow 22/tcp comment 'SSH'
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
sudo ufw allow 51820/udp comment 'WireGuard Mesh'

# Enable firewall
sudo ufw enable

# Verify rules
sudo ufw status verbose
```
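The commands above apply the rules; what they do not give you is a repeatable check that a server still matches the expected rule set after someone has hand-edited it. The following script is an added example, not ACT's own tooling: it parses the text output of `ufw status verbose`, confirms the firewall is active with a default-deny inbound policy, checks that the four required ports are allowed, and flags the API port (8080) if it has been opened. The sample output embedded in it is constructed, not captured from a real host.

```python
import re
import subprocess

# Ports ACT needs open (from the Required Ports table) and ports that must not
# be reachable from outside in production (see "API Port (8080)" below).
REQUIRED_PORTS = {"22/tcp", "80/tcp", "443/tcp", "51820/udp"}
FORBIDDEN_PORTS = {"8080/tcp"}

# One rule line of `ufw status verbose`, e.g.
# "22/tcp (v6)                ALLOW IN    Anywhere (v6)              # SSH"
RULE_RE = re.compile(
    r"^(?P<to>\S+(?: \(v6\))?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)"
    r"(?:\s+(?:IN|OUT))?\s+(?P<from>.+)$"
)

# Constructed sample output (not from a real server): the API port has been
# opened by mistake and should be reported.
SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                   # SSH
80/tcp                     ALLOW IN    Anywhere                   # HTTP
443/tcp                    ALLOW IN    Anywhere                   # HTTPS
51820/udp                  ALLOW IN    Anywhere                   # WireGuard Mesh
8080/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)              # SSH
80/tcp (v6)                ALLOW IN    Anywhere (v6)              # HTTP
443/tcp (v6)               ALLOW IN    Anywhere (v6)              # HTTPS
51820/udp (v6)             ALLOW IN    Anywhere (v6)              # WireGuard Mesh
8080/tcp (v6)              ALLOW IN    Anywhere (v6)
"""


def parse_ufw_status(text):
    """Return (status, default_policies, rules) from `ufw status verbose` text.

    rules is a list of (to, action, from) tuples with the "(v6)" suffix
    stripped so IPv4 and IPv6 entries for the same port compare equal.
    """
    status, defaults, rules = None, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop the trailing rule comment
        if not line:
            continue
        if line.startswith("Status:"):
            status = line.split(":", 1)[1].strip()
        elif line.startswith("Default:"):
            # "deny (incoming), allow (outgoing), disabled (routed)"
            for part in line.split(":", 1)[1].split(","):
                m = re.match(r"\s*(\w+) \((\w+)\)", part)
                if m:
                    defaults[m.group(2)] = m.group(1)  # incoming -> deny
        else:
            m = RULE_RE.match(line)
            if m:
                rules.append((m.group("to").replace(" (v6)", ""),
                              m.group("action"), m.group("from").strip()))
    return status, defaults, rules


def audit_ufw(text):
    """Return a list of findings; an empty list means the host matches ACT's rule set."""
    status, defaults, rules = parse_ufw_status(text)
    findings = []
    if status != "active":
        findings.append("ufw is not active")
    if defaults.get("incoming") != "deny":
        findings.append("default incoming policy is not deny")
    allowed = {to for to, action, _ in rules if action in ("ALLOW", "LIMIT")}
    for port in sorted(REQUIRED_PORTS - allowed):
        findings.append(f"required port {port} is not allowed")
    for port in sorted(FORBIDDEN_PORTS & allowed):
        findings.append(f"port {port} is open to the network; deny it or reverse proxy it")
    return findings


if __name__ == "__main__":
    # Run against the live firewall; requires sudo.
    out = subprocess.run(["sudo", "ufw", "status", "verbose"],
                         capture_output=True, text=True, check=True).stdout
    for finding in audit_ufw(out) or ["ok: firewall matches expected rule set"]:
        print(finding)
```

The parser works on the human-readable output because that is what the page's own `sudo ufw status verbose` step produces; run it from cron or a configuration-management check so drift from the commissioning rules is noticed rather than discovered during an incident.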
Network Architecture
ACT Networks (act-net-<env_id>)
ACT implements strict network isolation between environments.
- Per-Environment Isolation: Each Environment (e.g., “Production”, “Staging”) gets its own dedicated Docker bridge network with a unique ID (e.g., act-net-a1b2c3d4).
- Service Discovery: Services within the same environment can communicate using their service name as the hostname.
- Isolation: Services in Environment A cannot reach services in Environment B, preventing cross-contamination in case of a breach.
- Traefik Routing: The Traefik reverse proxy is connected to all environment networks to route external traffic to the correct containers.
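The isolation property above only holds while Traefik is the single container spanning environment networks; any other container attached to two act-net-<env_id> networks is a bridge between environments. The following audit is an added example, not part of ACT: it reads `docker inspect` output (a JSON array, as produced by `docker inspect $(docker ps -q)`) and reports every non-proxy container attached to more than one environment network. The inspect documents embedded below are constructed and trimmed to the fields the check needs; the proxy container name `traefik` is taken from the Troubleshooting section.

```python
import json

ENV_NET_PREFIX = "act-net-"  # per-environment bridge networks are named act-net-<env_id>

# Constructed sample in the shape `docker inspect` emits (Name carries a
# leading slash; networks are keyed by name under NetworkSettings.Networks).
# "shared-postgres" has been attached to both environments by hand.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/traefik",
   "NetworkSettings": {"Networks": {"act-net-a1b2c3d4": {}, "act-net-e5f6a7b8": {}}}},
  {"Name": "/prod-api",
   "NetworkSettings": {"Networks": {"act-net-a1b2c3d4": {}}}},
  {"Name": "/staging-api",
   "NetworkSettings": {"Networks": {"act-net-e5f6a7b8": {}}}},
  {"Name": "/shared-postgres",
   "NetworkSettings": {"Networks": {"act-net-a1b2c3d4": {}, "act-net-e5f6a7b8": {}}}}
]
""")


def environment_networks(container):
    """Sorted names of the act-net-<env_id> networks a container is attached to."""
    nets = container.get("NetworkSettings", {}).get("Networks", {})
    return sorted(n for n in nets if n.startswith(ENV_NET_PREFIX))


def find_cross_environment_containers(inspect_docs, proxy_names=("traefik",)):
    """Map container name -> environment networks for every container that
    spans more than one environment and is not the reverse proxy.

    Such a container lets traffic hop from Environment A to Environment B,
    which defeats the per-environment isolation described above.
    """
    offenders = {}
    for doc in inspect_docs:
        name = doc["Name"].lstrip("/")
        if name in proxy_names:
            continue  # Traefik is expected to join every environment network
        nets = environment_networks(doc)
        if len(nets) > 1:
            offenders[name] = nets
    return offenders


if __name__ == "__main__":
    import subprocess
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True,
                         text=True, check=True).stdout.split()
    docs = json.loads(subprocess.run(["docker", "inspect", *ids], capture_output=True,
                                     text=True, check=True).stdout) if ids else []
    for name, nets in find_cross_environment_containers(docs).items():
        print(f"{name} bridges environments: {', '.join(nets)}")
```

If a service legitimately has to be reachable from several environments (a shared database, for instance), the page's own recommendation applies: run it on a dedicated server behind its own firewall rules rather than wiring it into multiple environment networks.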
Internal Service Communication
Services within the same ACT installation can communicate using internal DNS:
```text
http://<service-name>:<internal-port>
```
Example:
```bash
# From your web app, connect to your database
DATABASE_URL=postgresql://user:pass@my-postgres:5432/mydb
```
External Traffic Flow
```text
Internet
   │
   ▼
[ Traefik Proxy ]  <-- (Listening on 80/443)
   │
   ├── Host: api.example.com ──┐
   │                           ▼
   │                    [ API Container ]
   │                    (Internal: 3000)
   │
   └── Host: app.example.com ──┐
                               ▼
                        [ Web Container ]
                        (Internal: 80)
```
- External requests arrive at ports 80/443
- Traefik receives the request and checks the Host header
- Traefik routes to the appropriate container based on configured domains
- The container responds through the same path
Security Best Practices
1. API Port (8080)
The ACT API listens on port 8080 by default. In production, you should either:
Option A: Firewall the port (Recommended for single-server setups)
```bash
# Block network access to the API; loopback traffic is not affected by UFW,
# so same-host clients can still reach localhost:8080
sudo ufw deny 8080/tcp
```
The embedded frontend accesses the API via the same origin, so external access is not required.
Option B: Reverse proxy the API (Required for external API access)
```nginx
# Nginx example
server {
    listen 443 ssl;
    server_name api.yourdomain.com;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```
2. SSH Access
- Use SSH keys only (password authentication is disabled during commissioning)
- Consider using a bastion host for additional security
- Rotate SSH keys periodically
3. Container Network Isolation
All containers share the act-network by default. For production environments with strict security requirements, consider:
- Running sensitive services (databases) on dedicated servers
- Using ACT’s per-environment network isolation (Enterprise feature)
- Implementing additional network policies at the infrastructure level
Advanced: Custom Traefik Configuration
For advanced use cases, you can inject custom Traefik Dynamic Configuration into your server. This allows you to add custom middlewares (e.g., Basic Auth, IP whitelisting), routers, or services that are not managed by ACT.
You can update the configuration via the API endpoint:
```text
POST /api/v1/servers/{id}/reconfigure-proxy
```
Example Payload:
```json
{
  "traefik_custom_config": "http:\n  middlewares:\n    test-auth:\n      basicAuth:\n        users:\n          - \"admin:$apr1$H6uskkkW$IgXLP6ew.ddDrCmdqosNt.\""
}
```
This configuration is merged with ACT’s generated configuration and hot-reloaded without restarting the proxy.
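Hand-escaping a YAML document into a JSON string, as in the payload above, is where most mistakes with this endpoint happen: a lost `\n` or an unescaped quote produces a config that Traefik rejects or, worse, a middleware that silently does not apply. The following client is an added example, not ACT's own code: it keeps the dynamic configuration as readable YAML, refuses anything that is not a Traefik dynamic-configuration section (`http`, `tcp`, `udp`, `tls`) so static settings cannot be injected by accident, and lets `json.dumps` do the escaping. The sample YAML is constructed and reuses the page's sample hash; the `Authorization: Bearer` header is an assumption, since the page shows only the endpoint path.

```python
import json
import urllib.request

# Top-level sections Traefik accepts in dynamic configuration (file provider).
ALLOWED_SECTIONS = {"http", "tcp", "udp", "tls"}

# Constructed sample: the page's basicAuth middleware as plain YAML. The hash
# is the page's sample value; generate your own with `htpasswd -nB <user>`.
SAMPLE_DYNAMIC_CONFIG = """\
http:
  middlewares:
    test-auth:
      basicAuth:
        users:
          - "admin:$apr1$H6uskkkW$IgXLP6ew.ddDrCmdqosNt."
"""


def top_level_sections(yaml_text):
    """Top-level YAML keys, read as unindented `key:` lines (no YAML library needed)."""
    return {ln.split(":", 1)[0] for ln in yaml_text.splitlines()
            if ln and not ln[0].isspace() and not ln.startswith("#") and ":" in ln}


def build_reconfigure_payload(yaml_text):
    """Wrap a dynamic-config YAML document in the reconfigure-proxy request body.

    Unknown top-level sections are rejected before anything reaches the proxy;
    json.dumps handles newline, quote and backslash escaping.
    """
    unknown = sorted(top_level_sections(yaml_text) - ALLOWED_SECTIONS)
    if unknown:
        raise ValueError(f"not a Traefik dynamic-config section: {unknown}")
    return json.dumps({"traefik_custom_config": yaml_text})


def parse_payload(payload):
    """Decode a request body back to a dict (used to verify the round trip)."""
    return json.loads(payload)


def reconfigure_proxy(base_url, server_id, token, yaml_text):
    """POST the payload to ACT. Assumed: bearer-token auth (not shown on the page)."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/servers/{server_id}/reconfigure-proxy",
        data=build_reconfigure_payload(yaml_text).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    print(build_reconfigure_payload(SAMPLE_DYNAMIC_CONFIG))
```

Keep the YAML in version control and call `reconfigure_proxy` from a deployment step; the section check is deliberately strict, so a file that starts with `entryPoints:` or `providers:` (static configuration) fails locally instead of being merged into the running proxy.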
Troubleshooting
“Connection refused” errors
- Check UFW status and verify the port is allowed:
  ```bash
  sudo ufw status
  ```
- Check if the service is running:
  ```bash
  sudo systemctl status act
  ```
“Host unreachable” from containers
- Check the Docker network:
  ```bash
  docker network inspect act-network
  ```
- Verify the container is connected:
  ```bash
  docker inspect <container> | grep Networks
  ```
SSL certificate issues
- Ensure ports 80 and 443 are open
- Verify DNS is pointing to the correct IP
- Check Traefik logs:
  ```bash
  docker logs traefik
  ```
Cloud Provider Firewalls
In addition to UFW, you may need to configure your cloud provider’s firewall:
AWS Security Groups
Inbound Rules:
- SSH (22) from your IP or bastion
- HTTP (80) from 0.0.0.0/0
- HTTPS (443) from 0.0.0.0/0
DigitalOcean Firewall
Inbound Rules:
- SSH: TCP 22
- HTTP: TCP 80
- HTTPS: TCP 443
Hetzner Cloud Firewall
Inbound Rules:
- Protocol: TCP, Port: 22 (SSH)
- Protocol: TCP, Port: 80 (HTTP)
- Protocol: TCP, Port: 443 (HTTPS)
Remember: ACT’s UFW configuration provides host-level protection, but cloud firewalls provide an additional layer of security at the network level. Configure both for defense in depth.