[aerogear-dev] Security advice for UnifiedPush Server

Matthias Wessendorf matzew at apache.org
Tue Nov 25 03:37:57 EST 2014


Hello Andreas!

Here is an example of what you can do, with a simple gateway/proxy:
https://github.com/matzew/ups-proxy

For our mobile-quickstarts we needed an example to show how to run a
business backend behind the firewall, but since mobile devices, on the
internet, need to connect to those backends, we created a gateway/proxy
example, based on Fabric8.

The above is a simplified version of that, having one single rule:
https://github.com/matzew/ups-proxy/blob/master/src/main/webapp/WEB-INF/ups-proxy-config.json#L2

Now, you could block all access to /ag-push from the public interface and
just allow the "ups-proxy", or even run the UPS behind the firewall. Your
only public access-point could be the proxy servlet in the above example.

Oh, btw, here is an overview of our RESTful APIs:
http://aerogear.org/docs/specs/aerogear-unifiedpush-rest/overview-index.html

-Matthias
On Mon, Nov 24, 2014 at 4:03 PM, Andreas Røsdal <andreas.rosdal at gmail.com>
wrote:

> > Well, it's up to you :) If you have different remote systems that need
> > to contact the server -> you wanna expose the /sender part too. If not ->
> > block it.
>
> Yes, so I can block the following URL from external requests:
> /ag-push/rest/sender/
>
> Are there other similar URLs that I can block to secure the UnifiedPush
> Server?
>
> Regards,
> Andreas R.
>
>
>
> 2014-11-24 14:39 GMT+01:00 Matthias Wessendorf <matzew at apache.org>:
>
>> Hi Andreas,
>>
>> On Mon, Nov 24, 2014 at 2:23 PM, Andreas Røsdal <andreas.rosdal at gmail.com> wrote:
>>
>>> Good morning!
>>>
>>> > I think what you're looking for is something like this[1], right?
>>>
>>> Maybe this could be secured using Netfilter on Linux; I would be
>>> interested in hearing more about this.
>>> Initially, I thought I would be looking for an F5 firewall iRule, kind of
>>> like this:
>>> -Allow: /ag-push/(registration)
>>> -Deny: /ag-push/(admin-gui) and /ag-push/(java-api-access)
>>>
>>> Is /ag-push/ designed to be exposed to the public Internet?
>>>
>>
>> Well, it's up to you :) If you have different remote systems that need
>> to contact the server -> you wanna expose the /sender part too. If not ->
>> block it.
>>
>> As you said earlier, the only one that really needs to be exposed to
>> public is the device registration.
>>
>>
>>
>>>
>>> >That's an interesting scenario. I think if we extracted the registration
>>> >module to a separate WAR file, it would help to protect the /ag-push
>>> >infrastructure. Not sure if the idea is interesting.
>>>
>>
>> That is an interesting point, and worth evaluating.
>> Internally, that "registration.war" could simply act as a proxy to
>> the 'real' registration (on the ag-push.war), which is blocked by the
>> firewall.
>>
>>
>> -Matthias
>>
>>
>>>
>>> Yes, that would be interesting as a more long-term solution. I would
>>> like to start using the UnifiedPush Server very soon, so I would prefer
>>> some quick firewall rule rather than waiting for a new release.
>>>
>>> Thanks for the help so far!
>>>
>>> Andreas
>>>
>>>
>>>
>>> 2014-11-24 13:57 GMT+01:00 Bruno Oliveira <bruno at abstractj.org>:
>>>
>>>> Good morning Andreas, I think what you're looking for is something like
>>>> this[1], right?
>>>>
>>>> That's an interesting scenario. I think if we extracted the registration
>>>> module to a separate WAR file, it would help to protect the /ag-push
>>>> infrastructure. Not sure if the idea is interesting.
>>>>
>>>> Thoughts anyone?
>>>>
>>>>
>>>> [1] http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html#toc3.18
>>>>
>>>> On 2014-11-24, Andreas Røsdal wrote:
>>>> > Hello!
>>>> >
>>>> > I would like some security advice for running the Aerogear UnifiedPush
>>>> > Server for sending Push messages to an iPhone app. The app-server is
>>>> > Wildfly, and HTTPS is enabled. It is important to prevent unauthorized
>>>> > push messages from being sent. Do you have any documentation or general
>>>> > advice for securing Aerogear UnifiedPush Server?
>>>> >
>>>> > I would like to set up firewall rules to prevent users on the internet
>>>> > from logging in to the UnifiedPush Admin GUI /ag-push/ while still
>>>> > allowing registration of iPhone app/device tokens through the same
>>>> > UnifiedPush Admin server. What kind of URL pattern can I use to prevent
>>>> > admin logins externally?
>>>> >
>>>> >
>>>> > Regards,
>>>> > Andreas R.
>>>>
>>>> > _______________________________________________
>>>> > aerogear-dev mailing list
>>>> > aerogear-dev at lists.jboss.org
>>>> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>>
>>>>
>>>> --
>>>>
>>>> abstractj
>>>> PGP: 0x84DC9914
>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Matthias Wessendorf
>>
>> blog: http://matthiaswessendorf.wordpress.com/
>> sessions: http://www.slideshare.net/mwessendorf
>> twitter: http://twitter.com/mwessendorf
>>
>>
>
>
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
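An added example, not code from the thread or from the ups-proxy project, of the allow-list policy the thread converges on: only device registration is reachable from the public side, everything else under /ag-push (the /rest/sender API, the admin GUI) is denied by default. The registration path is an assumption to check against the UPS REST overview linked above; the canonicalisation steps are the usual ones a path-based gateway needs so that encoded or dot-segment variants of a denied URL cannot slip past the prefix match.

```python
import posixpath
from urllib.parse import unquote

# Public allow list for the gateway. Only device registration needs to be
# reachable from the Internet; the path below is an ASSUMPTION (verify it
# against the UPS REST overview). Everything else under /ag-push is denied.
ALLOW_PREFIXES = ("/ag-push/rest/registry/device",)


def canonical_path(raw_target: str):
    """Reduce a raw request-target to a canonical path, or None when it
    looks like an evasion attempt (double encoding, path params, NUL)."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0]  # drop query/fragment
    decoded = unquote(path)
    if unquote(decoded) != decoded:          # double-encoded: refuse to guess
        return None
    if any(ch in decoded for ch in ("\\", ";", "\x00")):
        return None                          # backslashes, ;jsessionid=, NUL
    decoded = "/" + decoded.lstrip("/")      # collapse leading slashes
    norm = posixpath.normpath(decoded)       # resolves "." and ".." segments
    if decoded.endswith("/") and norm != "/":
        norm += "/"                          # keep a meaningful trailing slash
    return norm


def is_public_allowed(raw_target: str) -> bool:
    """True only if the canonical path sits under an allowed prefix."""
    path = canonical_path(raw_target)
    if path is None:
        return False
    return any(path == p or path.startswith(p + "/") for p in ALLOW_PREFIXES)


# Constructed sample request-targets, not captured traffic.
SAMPLES = [
    "/ag-push/rest/registry/device",                 # registration: allow
    "/ag-push/rest/registry/device?foo=bar",         # query string ignored
    "/ag-push/rest/sender/",                         # sender API: deny
    "/ag-push/",                                     # admin GUI: deny
    "/ag-push/rest/registry/device/../sender",       # dot segment: deny
    "/ag-push/rest/registry/device/%2e%2e/sender",   # encoded dots: deny
    "/ag-push/rest/%252e%252e/sender",               # double encoding: deny
    "/ag-push/rest/registry/device;x=1/../sender",   # path parameter: deny
]

if __name__ == "__main__":
    for target in SAMPLES:
        verdict = "ALLOW" if is_public_allowed(target) else "DENY "
        print(f"{verdict} {target}")
```

Whether the decision is made in a servlet filter in front of the proxy or in an F5 iRule, the point is the same: match on the canonical path, and deny by default.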