Introduction
This guide provides key practices—some essential, some strongly recommended—to help you keep your (Easy) Redmine server safe and resilient. While some suggestions may seem obvious, a good security checklist should always be comprehensive.
Target Audience
- Administrator
Prerequisites
To apply this guide, you should have:
- Administrator access to your Redmine server
- Access to your system’s web server (NGINX or Apache)
- Basic knowledge of Linux permissions and network settings
1. Use HTTPS Connection
- Set up a secure SSL certificate. You can use a self-signed certificate or purchase a trusted one. Instructions: Heroku SSL Guide
- Configure your web server to enforce HTTPS. Block ports 80 and 8080 or redirect them to 443. See
doc/INSTALLin your Easy8 installation for NGINX setup. - Update the protocol in Redmine settings:
Administration → Settings → General → Protocol = HTTPS - Test your SSL configuration: SSL Labs SSL Test
- Ensure external assets (logos, images) use HTTPS to avoid mixed content issues and browser warnings.
2. Check and Divide Permissions
- Do not run the application as root. Use a dedicated user for application and Ruby.
- Avoid using
777permissions. Recommended:- Directories:
755 - Files:
644
- Directories:
3. Keep Non-Used Ports Closed
Ask your hosting provider or sysadmin to close all unnecessary ports. Open ports only when needed for updates or maintenance.
4. Use Strong Passwords
- Use unique, complex passwords for:
- System root
- Database root
- Redmine admin account
- Integration users
- Passwords should be at least 15 characters, include numbers and special characters.
- Change passwords at least every 6 months.
- Consider passphrases: Example from xkcd.
5. Update Your Server and Application Regularly
Apply the latest patches to:
- Operating system
- Redmine core
- Plugins and extensions
- Ruby and rubygems
Outdated software increases vulnerability to exploits.
6. Be Careful with Uploaded Files
- Limit allowed file types:
Administration → Settings → Files - Restrict file extensions at the web server level: Ruby Forum Reference
- Consider scanning uploads with antivirus software like ClamAV.
Conclusion
These practices form the foundation of a secure Redmine server. Depending on your environment, you can implement more layers of protection, such as:
- Proxy or reverse proxy setup
- VPN access only
- IP allowlist filtering
A well-maintained and secure Redmine setup protects your data, your users, and your peace of mind.
Related Topics and Further Reading
- Easy8 Documentation
- Linux server hardening guides
- NGINX security best practices
