[aerogear-dev] Security advice for UnifiedPush Server

Andreas Røsdal andreas.rosdal at gmail.com
Mon Nov 24 10:03:58 EST 2014


> well, it's up to you :) if you have different remote systems, that need to
> contact the server -> you wanna expose the /sender part too. if not ->
> block it

Yes, so I can block the following URL from external requests:
/ag-push/rest/sender/

Are there other similar URLs that I can block to secure the UnifiedPush
Server?

Regards,
Andreas R.



2014-11-24 14:39 GMT+01:00 Matthias Wessendorf <matzew at apache.org>:

> Hi Andreas,
>
> On Mon, Nov 24, 2014 at 2:23 PM, Andreas Røsdal <andreas.rosdal at gmail.com>
> wrote:
>
>> Good morning!
>>
>> > I think what you're looking for is something like this[1], right?
>>
>> Maybe this could be secured using Netfilter on Linux, I would be
>> interested in hearing more about this.
>> Initially, I thought I would be looking for an F5 firewall iRule kind of
>> like this:
>> -Allow: /ag-push/(registration)
>> -Deny: /ag-push/(admin-gui)  and /ag-push/(java-api-access)
>>
>> Is /ag-push/ designed to be exposed to the public Internet?
>>
>
> well, it's up to you :) if you have different remote systems, that need to
> contact the server -> you wanna expose the /sender part too. if not ->
> block it
>
> As you said earlier, the only one that really needs to be exposed to
> public is the device registration.
>
>
>
>>
>> >That's an interesting scenario. I think if we extracted the registration
>> >module into a separate WAR file, it would help to protect the /ag-push
>> >infrastructure. Not sure if the idea is interesting.
>>
>
> That is an interesting point, and worth evaluating.
> Internally of that "registration.war", we could simply act as a proxy to
> the 'real' registration (on the ag-push.war), which is blocked by the
> firewall.
>
>
> -Matthias
>
>
>>
>> Yes, that would be interesting as a more long-term solution. I would like
>> to start using the UnifiedPush Server very soon, so then I would prefer
>> some quick firewall rule rather than waiting for a new release.
>>
>> Thanks for the help so far!
>>
>> Andreas
>>
>>
>>
>> 2014-11-24 13:57 GMT+01:00 Bruno Oliveira <bruno at abstractj.org>:
>>
>>> Good morning Andreas, I think what you're looking for is something like
>>> this[1], right?
>>>
>>> That's an interesting scenario. I think if we extracted the registration
>>> module into a separate WAR file, it would help to protect the /ag-push
>>> infrastructure. Not sure if the idea is interesting.
>>>
>>> Thoughts anyone?
>>>
>>>
>>> [1] - http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html#toc3.18
>>>
>>> On 2014-11-24, Andreas Røsdal wrote:
>>> > Hello!
>>> >
>>> > I would like security advice for running the Aerogear UnifiedPush Server
>>> > for sending Push messages to an iPhone app. The app-server is Wildfly, and
>>> > HTTPS is enabled. It is important to prevent unauthorized push messages
>>> > from being sent. Do you have any documentation or general advice for
>>> > securing Aerogear UnifiedPush Server?
>>> >
>>> > I would like to set up firewall rules to prevent users on the internet
>>> > from logging in to the UnifiedPush Admin gui /ag-push/ while still allowing
>>> > registration of iPhone app/device tokens through the same UnifiedPush Admin
>>> > server. What kind of URL pattern can I use to prevent admin logins
>>> > externally?
>>> >
>>> >
>>> > Regards,
>>> > Andreas R.
>>>
>>> > _______________________________________________
>>> > aerogear-dev mailing list
>>> > aerogear-dev at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>
>>>
>>> --
>>>
>>> abstractj
>>> PGP: 0x84DC9914
>>
>>
>>
>>
>
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
>
>
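The "expose registration, block the admin GUI and /ag-push/rest/sender/" rule discussed in this thread, written out as a default-deny path policy of the kind a reverse proxy or iRule in front of the server would enforce. This is an added example, not AeroGear or UnifiedPush code; the /ag-push/rest/registry prefix is an assumption modelled on the thread, the other paths are the ones named in it.

```python
"""External path policy for a UnifiedPush Server behind a reverse proxy.

Added example (not AeroGear code). It encodes the thread's rule as a
default-deny allow-list: only device registration is reachable from the
Internet; the admin GUI under /ag-push/ and the /ag-push/rest/sender/ API
stay internal. The registration prefix is an assumption modelled on the
thread, not taken from the UPS source.
"""
import posixpath
from urllib.parse import unquote

# Assumed registration prefix (no trailing slash; matched segment-wise).
EXTERNAL_ALLOW = ("/ag-push/rest/registry",)


def normalize_path(raw_target: str) -> str:
    """Canonicalise a request target before matching it against the policy.

    Drops query/fragment, percent-decodes twice (collapses double encoding),
    removes ';param' path parameters, squeezes '//' and resolves '.'/'..'.
    Matching the canonical form means a block on /ag-push/rest/sender/
    cannot be sidestepped by an equivalent spelling of the same path.
    """
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(unquote(path))
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = "/" + path.lstrip("/")            # also neutralises a '//host' form
    return posixpath.normpath(path)          # '/a//b/../c' -> '/a/c'


def external_decision(raw_target: str) -> str:
    """Return 'allow' or 'deny' for a request arriving from the Internet."""
    path = normalize_path(raw_target)
    for prefix in EXTERNAL_ALLOW:
        if path == prefix or path.startswith(prefix + "/"):
            return "allow"
    return "deny"                            # admin GUI, sender API, anything else


if __name__ == "__main__":
    # Constructed sample request targets, not captured traffic.
    for target in ("/ag-push/rest/registry/device",
                   "/ag-push/rest/sender/",
                   "/ag-push/",
                   "/ag-push/rest/registry/../sender/",
                   "/ag-push/rest/registry/%252e%252e/sender"):
        print(f"{external_decision(target):5}  {target}")
```

Whatever enforces the rule (Netfilter cannot see HTTP paths on a TLS connection, so it has to be the proxy or load balancer that terminates HTTPS), the point is the same: match on the canonical path and deny everything not explicitly listed.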