Security

reCaptcha Support

HollaEx Kit provides Google reCaptcha support to protect the exchange from malicious access. You should issue your own reCaptcha key and apply it. By default, HollaEx Kit provides a demo reCaptcha key, but you must get your own key before bringing the exchange up in production. The demo key is not safe.

Please follow this link to issue a reCaptcha key.

Once you get a key, run hollaex setup --reconfigure and hollaex restart to apply the key to HollaEx Kit. For the web client, you should run hollaex web --rebuild and hollaex web --restart to rebuild the web client image with the reCaptcha key changes.

User-provided reCaptcha keys are stored in the settings/configmap and settings/secret files.

Auto generated passwords

HollaEx Kit automatically generates the following values by default.

- HOLLAEX_SECRET_SUPERVISOR_PASSWORD
- HOLLAEX_SECRET_SUPPORT_PASSWORD
- HOLLAEX_SECRET_KYC_PASSWORD
- HOLLAEX_SECRET_QUICK_TRADE_SECRET
- HOLLAEX_SECRET_SECRET

Secrets are generated during the hollaex setup process. You can view the generated values in the settings/secret file afterwards. These values should not be modified by the user. Please keep them safe.

SSL for the exchange

SSL / HTTPS support is very important for keeping the service safe, especially for anything related to finance. HollaEx Kit provides an easy way to issue an SSL certificate with the single command below.

hollaex toolbox (--issue_ssl / --renew_ssl)

This command both issues and renews an SSL certificate by using Let's Encrypt and Certbot. By default, Certbot uses the http-01 method to issue the certificate. If you are not able to use http-01, please check the Certbot docs to find a verification method that suits your environment.

An SSL certificate issued by Let's Encrypt expires 3 months after it is issued. Make sure to run hollaex toolbox --renew_ssl to renew your certificate before it expires. We recommend setting up an automated job with crontab or a similar tool. Adding the --skip flag prevents HollaEx CLI from asking for your confirmation, which makes it useful in an automated crontab job.

Custom credentials for Databases

By default, the back-end and database components use the default credentials set in HollaEx Kit.

This setup is okay for a demo or for small production exchanges in a closed environment. But if you are looking for better security, setting up custom credentials for the back-end is important.

> Updating the values below may break the exchange if you have already set up an existing one. Modifying credentials is only allowed before running hollaex setup.

Redis

You can set your credentials in the secret file in your HollaEx Kit/settings.

HOLLAEX_SECRET_REDIS_HOST=$ENVIRONMENT_EXCHANGE_NAME-redis
HOLLAEX_SECRET_REDIS_PORT=6379
HOLLAEX_SECRET_REDIS_PASSWORD=hollaex
HOLLAEX_SECRET_PUBSUB_HOST=$ENVIRONMENT_EXCHANGE_NAME-redis
HOLLAEX_SECRET_PUBSUB_PORT=6379
HOLLAEX_SECRET_PUBSUB_PASSWORD=hollaex

During exchange setup, HollaEx CLI creates a Redis container based on the values provided above.

PostgreSQL

You can set your credentials in the secret file in your HollaEx Kit/settings.

HOLLAEX_SECRET_DB_NAME=hollaex
HOLLAEX_SECRET_DB_USERNAME=hollaex
HOLLAEX_SECRET_DB_PASSWORD=hollaex
HOLLAEX_SECRET_DB_HOST=$ENVIRONMENT_EXCHANGE_NAME-db
HOLLAEX_SECRET_DB_PORT=5432

During exchange setup, HollaEx CLI creates a PostgreSQL container based on the values provided above.

InfluxDB

You can set your credentials in the secret file in your HollaEx Kit/settings.

HOLLAEX_SECRET_INFLUX_DB=hollaex
HOLLAEX_SECRET_INFLUX_HOST=$ENVIRONMENT_EXCHANGE_NAME-influxdb
HOLLAEX_SECRET_INFLUX_PORT=8086
HOLLAEX_SECRET_INFLUX_USER=hollaex
HOLLAEX_SECRET_INFLUX_PASSWORD=hollaex

During exchange setup, HollaEx CLI creates an InfluxDB container based on the values provided above.
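
A pre-setup check for the Redis, PostgreSQL and InfluxDB credentials listed above, as an added example that is not part of HollaEx Kit or its CLI: it flags any of the four password keys in the secret file that is missing, still set to the default hollaex, or shorter than an assumed minimum length. The function names, the 16-character minimum and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of HollaEx Kit. Key names and the default value
# "hollaex" come from the page; MIN_LEN is an assumption of this example.
PASSWORD_KEYS="HOLLAEX_SECRET_REDIS_PASSWORD HOLLAEX_SECRET_PUBSUB_PASSWORD
HOLLAEX_SECRET_DB_PASSWORD HOLLAEX_SECRET_INFLUX_PASSWORD"
MIN_LEN=16

# Print the value assigned to key $2 in KEY=VALUE file $1 (last one wins).
get_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one finding per weak key; return 1 if any key is weak, else 0.
audit_secret_file() {
    file=$1
    weak=0
    for key in $PASSWORD_KEYS; do
        value=$(get_value "$file" "$key")
        if [ -z "$value" ]; then
            echo "MISSING $key"
        elif [ "$value" = "hollaex" ]; then
            echo "DEFAULT $key"
        elif [ "${#value}" -lt "$MIN_LEN" ]; then
            echo "SHORT $key"
        else
            continue
        fi
        weak=1
    done
    return "$weak"
}

# Generate a 48-character hex string from the kernel CSPRNG.
gen_password() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write a constructed sample secret file to path $1 (values are made up).
write_sample() {
    cat > "$1" <<'EOF'
HOLLAEX_SECRET_REDIS_PASSWORD=hollaex
HOLLAEX_SECRET_PUBSUB_PASSWORD=3f9c1e7a5b2d4088a6c1d9e0f7b34a52
HOLLAEX_SECRET_DB_PASSWORD=short
HOLLAEX_SECRET_DB_PORT=5432
EOF
}
```

After sourcing the file, run audit_secret_file settings/secret before hollaex setup, since the credentials can only be changed before the containers are created.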