[aerogear-dev] Security advice for UnifiedPush Server

Matthias Wessendorf matzew at apache.org
Mon Nov 24 08:39:13 EST 2014


Hi Andreas,

On Mon, Nov 24, 2014 at 2:23 PM, Andreas Røsdal <andreas.rosdal at gmail.com>
wrote:

> Good morning!
>
> > I think what you're looking for is something like this[1], right?
>
> Maybe this could be secured using Netfilter on Linux, I would be
> interested in hearing more about this.
> Initially, I thought I would be looking for an F5 firewall iRule kind of
> like this:
> -Allow: /ag-push/(registration)
> -Deny: /ag-push/(admin-gui)  and /ag-push/(java-api-access)
>
> Is /ag-push/ designed to be exposed to the public Internet?
>

Well, it's up to you :) If you have different remote systems that need to
contact the server -> you wanna expose the /sender part too. If not ->
block it.

As you said earlier, the only one that really needs to be exposed to the
public is the device registration.



>
> >That's an interesting scenario. I think if we extracted the registration
> >module to a separate WAR file, it would help to protect the /ag-push
> >infrastructure. Not sure if the idea is interesting.
>

That is an interesting point, and worth evaluating.
Inside that "registration.war", we could simply act as a proxy to
the 'real' registration (on the ag-push.war), which is blocked by the
firewall.


-Matthias


>
> Yes, that would be interesting as a more long-term solution. I would like
> to start using
> the UnifiedPush Server very soon, so then I would prefer some quick
> firewall rule rather than waiting
> for a new release.
>
> Thanks for the help so far!
>
> Andreas
>
>
>
> 2014-11-24 13:57 GMT+01:00 Bruno Oliveira <bruno at abstractj.org>:
>
>> Good morning Andreas, I think what you're looking for is something like
>> this[1], right?
>>
>> That's an interesting scenario. I think if we extracted the registration
>> module to a separate WAR file, it would help to protect the /ag-push
>> infrastructure. Not sure if the idea is interesting.
>>
>> Thoughts anyone?
>>
>>
>> [1] -
>>
>> http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html#toc3.18
>>
>> On 2014-11-24, Andreas Røsdal wrote:
>> > Hello!
>> >
>> > I would like some security advice for running the Aerogear UnifiedPush
>> > Server for sending Push messages to an iPhone app. The app-server is
>> > Wildfly, and HTTPS is enabled. It is important to prevent unauthorized
>> > push messages from being sent. Do you have any documentation or general
>> > advice for securing Aerogear UnifiedPush Server?
>> >
>> > I would like to set up firewall rules to prevent users on the internet
>> > from logging in to the UnifiedPush Admin gui /ag-push/ while still
>> > allowing registration of iPhone app/device tokens through the same
>> > UnifiedPush Admin server. What kind of URL pattern can I use to prevent
>> > admin logins externally?
>> >
>> >
>> > Regards,
>> > Andreas R.
>>
>> > _______________________________________________
>> > aerogear-dev mailing list
>> > aerogear-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>>
>> --
>>
>> abstractj
>> PGP: 0x84DC9914
>
>
>
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
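The allow/deny split sketched in the thread (expose only the registration path, keep admin-gui and sender off the public Internet) is, as an added illustration that is not code from the thread or from the AeroGear project, easier to enforce at a reverse proxy or gateway than in Netfilter, because with HTTPS enabled the URL path is inside TLS. The gate below is that added example; the path segments `registration`, `admin-gui` and `sender`, and the 10.0.0.0/8 internal range, are placeholders taken from the thread's sketch, not the real UnifiedPush routes.

```python
"""Path-based exposure gate for a push server sitting behind a reverse proxy.

Added example, not AeroGear code. Path names are placeholders from the
thread (registration public; admin-gui and sender internal only), and
10.0.0.0/8 is a constructed 'internal network' for the demonstration.
"""
from ipaddress import ip_address, ip_network
from posixpath import normpath
from urllib.parse import unquote

# Only this segment pair under the context root is reachable from outside.
PUBLIC_ROUTE = ("ag-push", "registration")          # placeholder route
INTERNAL_NETS = [ip_network("10.0.0.0/8")]          # constructed trusted range


def canonical_segments(raw_path: str) -> tuple:
    """Strip the query string, percent-decode once and collapse '..' and
    '//' so the prefix check sees the path the backend will route on.
    A naive string prefix test on the raw path is bypassable by
    '/ag-push/registration/../admin-gui'; normalising first closes that.
    The proxy must decode exactly as many times as the backend does."""
    path = unquote(raw_path.split("?", 1)[0])
    path = normpath("/" + path)
    return tuple(seg for seg in path.split("/") if seg)


def is_internal(client_ip: str) -> bool:
    """True for callers from the trusted range. This must be the socket
    peer address as seen by the proxy, never a client-supplied header."""
    addr = ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def decide(client_ip: str, raw_path: str) -> str:
    """Return 'allow' or 'deny'. Internal callers may use admin-gui and
    sender; everyone else only reaches the registration route. Default deny."""
    if is_internal(client_ip):
        return "allow"
    segments = canonical_segments(raw_path)
    # Compare whole segments, so 'registrationX' does not match 'registration'.
    if segments[: len(PUBLIC_ROUTE)] == PUBLIC_ROUTE:
        return "allow"
    return "deny"


if __name__ == "__main__":
    for ip, path in [("203.0.113.5", "/ag-push/registration/device"),
                     ("203.0.113.5", "/ag-push/registration/..%2fadmin-gui"),
                     ("10.1.2.3", "/ag-push/sender")]:
        print(ip, path, "->", decide(ip, path))
```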