<div dir="ltr"><div><div>Hi Karel!</div><div><br></div><div>While reading the documentation for UnifiedPush Server I didn't get the impression that a custom proxy WAR is <br></div><div>required to run it securely on the internet, so I would suggest you add some guidelines to the online documentation how to run it securely.</div></div>Is it strictly required to setup ag-push behind a custom proxy WAR to run the UnifiedPush Server securely on a public network? <div>How should I go about creating such a custom proxy WAR? I would much prefer a well-supported open source or commercial off-the-shelf solution </div><div>than to develop a custom proxy WAR. So for me the most practical thing would be to secure the UnifiedPush Server by using</div><div>firewall rules which block specific URLs, if it is possible to create a list of HTTP paths to block in the firewall.</div><div>Would blocking /auth/ and /ag-push/rest/sender/ be sufficient? Which URLs does the iOS device token registration client use?</div><div><br></div><div>Further, I have seen the chapter on "Brute Force Protection" which is described in the Security Defenses documentation,</div><div>and this seems like a reasonable security feature that I will enable.<br><div><br></div><div>I very much appreciate all the feedback on this question so far, and I hope you see that this question will be relevant for </div><div>other users of the AeroGear UnifiedPush Server who want to run it securely.</div><div><br></div><div>Regards,</div><div>Andreas R.</div></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">2014-11-24 17:30 GMT+01:00 Karel Piwko <span dir="ltr"><<a href="mailto:kpiwko@redhat.com" target="_blank">kpiwko@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><div class="h5">On Mon, 2014-11-24 at 13:27 +0100, Andreas Røsdal wrote:<br>
> Hello!<br>
><br>
> I would like to security advice for running the Aerogear UnifiedPush Server<br>
> for sending Push messages to an iPhone app. The app-server is Wildfly, and<br>
> HTTPS is enabled. It is important to prevent unauthorized push messages<br>
> from being sent. Do you have any documentation or general advice for<br>
> securing Aerogear UnifiedPush Server?<br>
><br>
> I would like to setup firewall rules to prevent users on the internet to<br>
> log in to the UnifiedPush Admin gui /ag-push/ while still allowing<br>
> registration of iPhone app/device tokens though the same UnifiedPush Admin<br>
> server. What kind of URL pattern can I use to prevent admin logins<br>
> externally?<br>
<br>
</div></div>I'd say hide ag-push to be accessible only on a particular interface<br>
available in your internal network and create a proxy WAR accessible on<br>
public network that will "forward" sender and registration requests to<br>
ag-push WAR.<br>
<div class=""><div class="h5"><br>
<br>
><br>
><br>
> Regards,<br>
> Andreas R.<br>
> _______________________________________________<br>
> aerogear-dev mailing list<br>
> <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
<br>
<br>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></div></div></blockquote></div><br></div></div>