[aerogear-dev] Security advice for UnifiedPush Server

Andreas Røsdal andreas.rosdal at gmail.com
Mon Nov 24 08:23:08 EST 2014


Good morning!

> I think what you're looking for is something like this[1], right?

Maybe this could be secured using Netfilter on Linux; I would be interested
in hearing more about this.
Initially, I thought I would be looking for an F5 firewall iRule kind of
like this:
-Allow: /ag-push/(registration)
-Deny: /ag-push/(admin-gui) and /ag-push/(java-api-access)

Is /ag-push/ designed to be exposed to the public Internet?

>That's an interesting scenario. I think if we extracted the registration
>module to a separated WAR file, would help to protect /ag-push
>infrastructure. Not sure if the idea is interesting.

Yes, that would be interesting as a more long-term solution. I would like
to start using the UnifiedPush Server very soon, so I would prefer some
quick firewall rule rather than waiting for a new release.

Thanks for the help so far!

Andreas



2014-11-24 13:57 GMT+01:00 Bruno Oliveira <bruno at abstractj.org>:

> Good morning Andreas, I think what you're looking for is something like
> this[1], right?
>
> That's an interesting scenario. I think if we extracted the registration
> module to a separate WAR file, it would help to protect the /ag-push
> infrastructure. Not sure if the idea is interesting.
>
> Thoughts anyone?
>
>
> [1] -
>
> http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html#toc3.18
>
> On 2014-11-24, Andreas Røsdal wrote:
> > Hello!
> >
> > I would like some security advice for running the Aerogear UnifiedPush
> > Server for sending Push messages to an iPhone app. The app-server is
> > Wildfly, and HTTPS is enabled. It is important to prevent unauthorized
> > push messages from being sent. Do you have any documentation or general
> > advice for securing Aerogear UnifiedPush Server?
> >
> > I would like to set up firewall rules to prevent users on the Internet
> > from logging in to the UnifiedPush Admin GUI /ag-push/ while still
> > allowing registration of iPhone app/device tokens through the same
> > UnifiedPush Admin server. What kind of URL pattern can I use to prevent
> > admin logins externally?
> >
> >
> > Regards,
> > Andreas R.
>
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
> --
>
> abstractj
> PGP: 0x84DC9914
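An added example of the allow/deny split discussed in this thread, written for this page; it is not code from either poster or from the AeroGear project. The Netfilter string match linked above cannot see URL paths once HTTPS is enabled, so the rule has to be enforced where TLS terminates (a reverse proxy in front of Wildfly, or the app server itself). The route names used here are the placeholders from the thread, the trusted admin network is an assumption, and the sample requests are constructed; the real UnifiedPush paths must be checked against the deployed server. The point the example makes that a one-line prefix rule does not: the decision has to be taken on the canonical path, otherwise `../`, `..;/` and percent-encoded variants of the registration prefix reach the admin GUI.

```python
"""Default-deny path policy for a reverse proxy in front of /ag-push/.

Added example for this thread; not code from the AeroGear project or from
either poster. Netfilter cannot match URL paths inside TLS, so the policy
has to live where TLS terminates (reverse proxy or app server). The route
names are the placeholders used in the thread, not verified UnifiedPush
paths; check them against the deployed server before use.
"""
import ipaddress
import posixpath
from urllib.parse import unquote

CONTEXT = "/ag-push"
# Assumption: device registration lives under this prefix (placeholder from the thread).
PUBLIC_PREFIXES = (CONTEXT + "/registration",)
# Assumption: admin logins and Java/REST API use only ever come from this network.
ADMIN_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"),)


def canonical_path(raw_path: str) -> str:
    """Reduce a request target to the path the servlet container will route on.

    Allow/deny decisions must be made on this canonical form; a naive prefix
    match on the raw string lets '/ag-push/registration/../admin-gui' through.
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    # Decode twice so double-encoded sequences such as %252e%252e are caught;
    # a path without a second encoding layer is unchanged by the second pass.
    decoded = unquote(unquote(path))
    # Drop ';jsessionid=...' style path parameters from every segment: servlet
    # containers ignore them, so '/registration/..;/admin-gui' would reach the
    # admin GUI on the backend while still starting with the public prefix.
    decoded = "/".join(seg.split(";", 1)[0] for seg in decoded.split("/"))
    decoded = decoded.replace("\\", "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    # Collapse '.', '..' and repeated slashes.
    return posixpath.normpath(decoded)


def is_public_route(raw_path: str) -> bool:
    """True only for the registration prefix itself or something below it."""
    path = canonical_path(raw_path)
    return any(path == p or path.startswith(p + "/") for p in PUBLIC_PREFIXES)


def decide(raw_path: str, client_ip: str) -> str:
    """Return 'allow' or 'deny' for one request.

    Public routes are reachable from anywhere. Everything else under the
    context (admin GUI, Java/REST API, anything a future release adds) is
    reachable only from ADMIN_NETWORKS. Paths outside the context are denied.
    """
    path = canonical_path(raw_path)
    if path != CONTEXT and not path.startswith(CONTEXT + "/"):
        return "deny"
    if is_public_route(raw_path):
        return "allow"
    src = ipaddress.ip_address(client_ip)
    if any(src in net for net in ADMIN_NETWORKS):
        return "allow"
    return "deny"


if __name__ == "__main__":
    # Constructed sample requests as a proxy would see them (path, client IP).
    SAMPLES = [
        ("/ag-push/registration/device", "203.0.113.7"),
        ("/ag-push/admin-gui/", "203.0.113.7"),
        ("/ag-push/admin-gui/", "10.1.2.3"),
        ("/ag-push/registration/../admin-gui/", "203.0.113.7"),
        ("/ag-push/registration/..;/admin-gui/", "203.0.113.7"),
        ("/ag-push/registration%2f..%2fadmin-gui", "203.0.113.7"),
        ("/ag-push/%252e%252e/admin-gui", "203.0.113.7"),
        ("/ag-push/registrationX", "203.0.113.7"),
    ]
    for path, ip in SAMPLES:
        print(f"{decide(path, ip):5s} {ip:12s} {path}  ->  {canonical_path(path)}")
```

The same logic maps directly onto a proxy configuration: one location block for the public prefix, a default location for the rest of the context restricted to the trusted network, and the proxy's own path normalization switched on. Because the policy is default-deny, a path the proxy canonicalizes differently from Wildfly can only turn into a spurious denial, never into an admin login from the Internet.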