Hello Andreas!
Here is an example of what you can do with a simple gateway/proxy:
https://github.com/matzew/ups-proxy
For our mobile-quickstarts we needed an example to show how to run a
business backend behind the firewall, but since mobile devices, on the
internet, need to connect to those backends, we created a gateway/proxy
example, based on Fabric8.
The above is a simplified version of that, having one single rule:
https://github.com/matzew/ups-proxy/blob/master/src/main/webapp/WEB-INF/u...
Now, you could block the entire access to /ag-push, from the public
interface, and just allow the "ups-proxy", or even run the UPS behind the
firewall. Your only public access-point could be the proxy servlet in the
above example.
Oh, btw. here is an overview of our RESTful APIs:
http://aerogear.org/docs/specs/aerogear-unifiedpush-rest/overview-index.html
-Matthias
On Mon, Nov 24, 2014 at 4:03 PM, Andreas Røsdal <andreas.rosdal(a)gmail.com> wrote:
> well, it's up to you :) if you have different remote systems, that need
> to contact the server -> you wanna expose the /sender part too. if not ->
> block it
Yes, so I can block the following URL from external requests:
/ag-push/rest/sender/
Are there other similar URLs that I can block to secure the UnifiedPush
Server?
Regards,
Andreas R.
2014-11-24 14:39 GMT+01:00 Matthias Wessendorf <matzew(a)apache.org>:
> Hi Andreas,
>
> On Mon, Nov 24, 2014 at 2:23 PM, Andreas Røsdal <andreas.rosdal(a)gmail.com> wrote:
>
>> Good morning!
>>
>> > I think what you're looking for is something like this[1], right?
>>
>> Maybe this could be secured using Netfilter on Linux; I would be
>> interested in hearing more about this.
>> Initially, I thought I would be looking for a F5 firewall iRule kind of
>> like this:
>> -Allow: /ag-push/(registration)
>> -Deny: /ag-push/(admin-gui) and /ag-push/(java-api-access)
>>
>> Is /ag-push/ designed to be exposed to the public Internet?
>>
>
> well, it's up to you :) if you have different remote systems, that need
> to contact the server -> you wanna expose the /sender part too. if not ->
> block it
>
> As you said earlier, the only one that really needs to be exposed to
> public is the device registration.
>
>>
>> >That's an interesting scenario. I think if we extracted the registration
>> >module to a separated WAR file, would help to protect /ag-push
>> >infrastructure. Not sure if the idea is interesting.
>>
>
> That is an interesting point, and worth evaluating.
> Internally of that "registration.war", we could simply act as a proxy to
> the 'real' registration (on the ag-push.war), which is blocked by the
> firewall.
>
> -Matthias
>
>>
>> Yes, that would be interesting as a more long-term solution. I would
>> like to start using the UnifiedPush Server very soon, so then I would
>> prefer some quick firewall rule rather than waiting for a new release.
>>
>> Thanks for the help so far!
>>
>> Andreas
>>
>> 2014-11-24 13:57 GMT+01:00 Bruno Oliveira <bruno(a)abstractj.org>:
>>
>>> Good morning Andreas, I think what you're looking for is something like
>>> this[1], right?
>>>
>>> That's an interesting scenario. I think if we extracted the registration
>>> module to a separated WAR file, would help to protect /ag-push
>>> infrastructure. Not sure if the idea is interesting.
>>>
>>> Thoughts anyone?
>>>
>>> [1] - http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.h...
>>>
>>> On 2014-11-24, Andreas Røsdal wrote:
>>> > Hello!
>>> >
>>> > I would like security advice for running the Aerogear UnifiedPush
>>> > Server for sending Push messages to an iPhone app. The app-server is
>>> > Wildfly, and HTTPS is enabled. It is important to prevent unauthorized
>>> > push messages from being sent. Do you have any documentation or general
>>> > advice for securing Aerogear UnifiedPush Server?
>>> >
>>> > I would like to set up firewall rules to prevent users on the internet
>>> > from logging in to the UnifiedPush Admin gui /ag-push/ while still
>>> > allowing registration of iPhone app/device tokens through the same
>>> > UnifiedPush Admin server. What kind of URL pattern can I use to prevent
>>> > admin logins externally?
>>> >
>>> >
>>> > Regards,
>>> > Andreas R.
>>>
>>> > _______________________________________________
>>> > aerogear-dev mailing list
>>> > aerogear-dev(a)lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>
>>>
>>> --
>>>
>>> abstractj
>>> PGP: 0x84DC9914
>>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
>
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
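To make the "block everything public except registration" idea from the thread concrete, here is an added example (not code from ups-proxy, UPS, or anyone on the list) of a default-deny servlet filter that could sit in front of the public proxy servlet. The registration prefix /ag-push/rest/registry/device, the class name and the 404 response are assumptions for illustration.

```java
import java.io.*;
import java.net.URLDecoder;
import java.util.*;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;
// Default-deny filter for the public-facing proxy: only device registration is
// forwarded; the admin GUI, /ag-push/rest/sender/ and everything else get 404.
@WebFilter(urlPatterns = "/*")
public class PublicPathFilter implements Filter {
    // Assumed prefix of the UPS device-registration endpoint (adjust to yours).
    static final List<String> ALLOWED_PREFIXES = Arrays.asList("/ag-push/rest/registry/device");

    static boolean isAllowed(String requestUri) {
        String decoded;
        try {
            decoded = URLDecoder.decode(requestUri, "UTF-8");
        } catch (UnsupportedEncodingException | IllegalArgumentException e) { return false; }
        if (!decoded.startsWith("/") || decoded.contains("\\")) return false;
        // Rebuild the path segment by segment so that ".", "..", empty segments ("//")
        // and matrix parameters (";jsessionid=...") cannot shift where the request lands.
        StringBuilder clean = new StringBuilder();
        String[] segments = decoded.split("/", -1);
        for (int i = 1; i < segments.length; i++) {
            String seg = segments[i].replaceAll(";.*", "");
            if (seg.equals(".") || seg.equals("..")) return false;
            if (seg.isEmpty()) {
                if (i < segments.length - 1) return false;  // "//" inside the path
                continue;                                    // trailing slash is fine
            }
            clean.append('/').append(seg);
        }
        String path = clean.toString();
        for (String prefix : ALLOWED_PREFIXES) {
            if (path.equals(prefix) || path.startsWith(prefix + "/")) return true;
        }
        return false;
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (isAllowed(((HttpServletRequest) req).getRequestURI())) {
            chain.doFilter(req, res);                      // allowed: hand on to the proxy
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Matching on the decoded, segment-normalized path means the filter judges a request by where the backend would route it rather than by how the client spelled it, which is what makes an allow-list like this hold up behind a firewall rule that only opens the proxy.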