[aerogear-dev] Security advice for UnifiedPush Server

Bruno Oliveira bruno at abstractj.org
Mon Nov 24 15:10:02 EST 2014


Hi Andreas, please file a Jira and assign it to me:
https://issues.jboss.org/browse/agpush. Feel free to describe what's
missing.

Thanks in advance.

On 2014-11-24, Andreas Røsdal wrote:
> Hi Karel!
>
> While reading the documentation for UnifiedPush Server I didn't get the
> impression that a custom proxy WAR is required to run it securely on the
> internet, so I would suggest you add some guidelines on how to run it
> securely to the online documentation. Is it strictly required to set up
> ag-push behind a custom proxy WAR to run the UnifiedPush Server securely
> on a public network? How should I go about creating such a custom proxy
> WAR? I would much prefer a well-supported open source or commercial
> off-the-shelf solution to developing a custom proxy WAR. So for me the
> most practical thing would be to secure the UnifiedPush Server by using
> firewall rules which block specific URLs, if it is possible to create a
> list of HTTP paths to block in the firewall. Would blocking /auth/ and
> /ag-push/rest/sender/ be sufficient? Which URLs does the iOS device token
> registration client use?
>
> Further, I have seen the chapter on "Brute Force Protection" which is
> described in the Security Defenses documentation,
> and this seems like a reasonable security feature that I will enable.
>
> I very much appreciate all the feedback on this question so far, and I hope
> you see that this question will be relevant for
> other users of the AeroGear UnifiedPush Server who want to run it securely.
>
> Regards,
> Andreas R.
>
>
> 2014-11-24 17:30 GMT+01:00 Karel Piwko <kpiwko at redhat.com>:
>
> > On Mon, 2014-11-24 at 13:27 +0100, Andreas Røsdal wrote:
> > > Hello!
> > >
> > > I would like some security advice for running the AeroGear UnifiedPush
> > > Server for sending push messages to an iPhone app. The app server is
> > > WildFly, and HTTPS is enabled. It is important to prevent unauthorized
> > > push messages from being sent. Do you have any documentation or general
> > > advice for securing AeroGear UnifiedPush Server?
> > >
> > > I would like to set up firewall rules to prevent users on the internet
> > > from logging in to the UnifiedPush Admin GUI (/ag-push/) while still
> > > allowing registration of iPhone app/device tokens through the same
> > > UnifiedPush Admin server. What kind of URL pattern can I use to prevent
> > > admin logins externally?
> >
> > I'd say hide ag-push so that it is accessible only on a particular
> > interface available in your internal network, and create a proxy WAR
> > accessible on the public network that will "forward" sender and
> > registration requests to the ag-push WAR.
> >
> >
> > >
> > >
> > > Regards,
> > > Andreas R.
> > > _______________________________________________
> > > aerogear-dev mailing list
> > > aerogear-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> >


--

abstractj
PGP: 0x84DC9914
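Added example, not AeroGear code and not from anyone in this thread: the "proxy on the public network that forwards only sender and registration requests" that Karel describes, written as a standalone Go reverse proxy instead of a WAR, and answering Andreas's block-list question the other way round, with a default-deny allow-list. The device registration path, the internal UnifiedPush address and the certificate file names are assumptions for this example; only the admin, auth and sender paths come from the thread.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
)

// allowedRoutes is the default-deny allow-list: only these path/method pairs
// are forwarded to the internal UnifiedPush Server. The admin UI (/ag-push/),
// the auth endpoints (/auth/) and the sender API (/ag-push/rest/sender/) never
// match, so they are rejected without needing a block-list at all.
// ASSUMPTION: the device registration path below is this example's guess at
// the endpoint the iOS client uses; confirm it against your own server.
var allowedRoutes = map[string][]string{
	"/ag-push/rest/registry/device": {http.MethodPost, http.MethodDelete},
}

// canonicalPath collapses "..", "." and repeated or trailing slashes so that
// the string checked against the allow-list is the same string the backend
// receives.
func canonicalPath(rawPath string) string {
	return path.Clean("/" + rawPath)
}

// isAllowed reports whether a request with this method and path may be
// forwarded. Anything not explicitly listed is denied.
func isAllowed(method, rawPath string) bool {
	methods, ok := allowedRoutes[canonicalPath(rawPath)]
	if !ok {
		return false
	}
	for _, m := range methods {
		if m == method {
			return true
		}
	}
	return false
}

// newPublicProxy returns the handler for the public-facing listener. Allowed
// requests are forwarded with their headers intact (the registration client's
// own Authorization header passes through); everything else gets a 404 and a
// log line, which is the signal to watch for probing of the admin/sender URLs.
func newPublicProxy(internal *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(internal)
	baseDirector := rp.Director
	rp.Director = func(req *http.Request) {
		// Forward the canonical path, not the raw one, so the backend sees
		// exactly what the allow-list approved.
		req.URL.Path = canonicalPath(req.URL.Path)
		req.URL.RawPath = ""
		baseDirector(req)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAllowed(r.Method, r.URL.Path) {
			log.Printf("denied %s %s from %s", r.Method, r.URL.Path, r.RemoteAddr)
			http.NotFound(w, r)
			return
		}
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// ASSUMPTION: the UnifiedPush Server is bound to an internal-only address.
	internal, err := url.Parse("http://10.0.0.5:8080")
	if err != nil {
		log.Fatal(err)
	}
	// ASSUMPTION: certificate and key file names are placeholders.
	log.Fatal(http.ListenAndServeTLS(":8443", "proxy.crt", "proxy.key", newPublicProxy(internal)))
}
```

The allow-list is the point: blocking /auth/ and /ag-push/rest/sender/ would leave every other path reachable, whereas listing the one endpoint the devices need means a new or forgotten admin URL is closed by default. The proxy only narrows what is reachable from outside; the internal UnifiedPush instance keeps its own authentication and the brute-force protection mentioned above, and the denied-request log line gives you something concrete to alert on.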

