Hi Andreas,
please see comments inline.
Karel
On Mon, 2014-11-24 at 18:49 +0100, Andreas Røsdal wrote:
Hi Karel!
While reading the documentation for UnifiedPush Server I didn't get the impression that a custom proxy WAR is required to run it securely on the internet, so I would suggest you add some guidelines to the online documentation on how to run it securely.
Is it strictly required to set up ag-push behind a custom proxy WAR to run the UnifiedPush Server securely on a public network?
No. This is definitely not required, but the gateway/proxy model is a pattern you can follow if you want to hide particular functionality from the public network for any application.
How should I go about creating such a custom proxy WAR? I would much prefer a well-supported open source or commercial off-the-shelf solution than to develop a custom proxy WAR.
I guess that you can use the proxy created by Matthias at
https://github.com/matzew/ups-proxy mentioned in the thread.
So for me the most practical thing would be to secure the UnifiedPush Server by using firewall rules which block specific URLs, if it is possible to create a list of HTTP paths to block in the firewall.
I'm not a firewall expert here, but I expect this is something you can do with almost any proxy/firewall combination, for instance with Apache httpd -
http://httpd.apache.org/docs/2.4/mod/mod_authz_host.html.
Would blocking /auth/ and /ag-push/rest/sender/ be sufficient? Which URLs does the iOS device token registration client use?
iOS registration uses ag-push/rest/registry/device, as do the other device types.
Further, I have seen the chapter on "Brute Force Protection" which is described in the Security Defenses documentation, and this seems like a reasonable security feature that I will enable.
Definitely.
I very much appreciate all the feedback on this question so far, and I hope you see that this question will be relevant for other users of the AeroGear UnifiedPush Server who want to run it securely.
Regards,
Andreas R.
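As an added example (not from this thread or from the AeroGear project), here is what the path-based split discussed above looks like as an Apache httpd 2.4 reverse-proxy fragment in front of WildFly: /ag-push/ (the admin UI) and /auth/ (the login endpoints) are reachable only from an internal address range, while /ag-push/rest/registry/device stays public for device registration. The hostname, the 10.0.0.0/8 range, the certificate paths and the backend address 127.0.0.1:8080 are placeholders, and the example assumes WildFly itself is not reachable from the public network.

```apache
# Added example: Apache httpd 2.4 as the only public entry point to
# the UnifiedPush Server (WildFly bound to 127.0.0.1:8080, placeholder).
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule authz_core_module   modules/mod_authz_core.so
LoadModule authz_host_module   modules/mod_authz_host.so
LoadModule ssl_module          modules/mod_ssl.so

<VirtualHost *:443>
    ServerName push.example.com              # placeholder hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/push.crt   # placeholder
    SSLCertificateKeyFile /etc/ssl/push.key   # placeholder

    ProxyRequests Off            # reverse proxy only, never a forward proxy
    ProxyPreserveHost On

    # Admin UI and every ag-push REST resource: internal network only
    # (10.0.0.0/8 is a placeholder for your internal range).
    <Location "/ag-push/">
        Require ip 10.0.0.0/8
        ProxyPass        "http://127.0.0.1:8080/ag-push/"
        ProxyPassReverse "http://127.0.0.1:8080/ag-push/"
    </Location>

    # Keycloak login endpoints used by the admin UI: internal only.
    <Location "/auth/">
        Require ip 10.0.0.0/8
        ProxyPass        "http://127.0.0.1:8080/auth/"
        ProxyPassReverse "http://127.0.0.1:8080/auth/"
    </Location>

    # Sender endpoint: stated explicitly even though /ag-push/ already
    # covers it, so the intent survives later edits to that block.
    <Location "/ag-push/rest/sender/">
        Require ip 10.0.0.0/8
    </Location>

    # Device registration (iOS and the other variants) must stay public.
    # Later <Location> blocks override earlier ones, so this re-opens
    # only the registration path; it is still proxied by the /ag-push/ rule.
    <Location "/ag-push/rest/registry/device">
        Require all granted
    </Location>
</VirtualHost>
```

Requests for any path not listed above are not proxied at all, so nothing else on the WildFly instance becomes reachable by accident; test the result with a request to /ag-push/ from outside the internal range and expect a 403.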
2014-11-24 17:30 GMT+01:00 Karel Piwko <kpiwko(a)redhat.com>:
> On Mon, 2014-11-24 at 13:27 +0100, Andreas Røsdal wrote:
> > Hello!
> >
> > I would like security advice for running the Aerogear UnifiedPush Server
> > for sending Push messages to an iPhone app. The app-server is Wildfly, and
> > HTTPS is enabled. It is important to prevent unauthorized push messages
> > from being sent. Do you have any documentation or general advice for
> > securing Aerogear UnifiedPush Server?
> >
> > I would like to set up firewall rules to prevent users on the internet from
> > logging in to the UnifiedPush Admin gui /ag-push/ while still allowing
> > registration of iPhone app/device tokens through the same UnifiedPush Admin
> > server. What kind of URL pattern can I use to prevent admin logins
> > externally?
>
> I'd say hide ag-push so that it is accessible only on a particular interface
> available in your internal network, and create a proxy WAR accessible on the
> public network that will "forward" sender and registration requests to the
> ag-push WAR.
>
> > Regards,
> > Andreas R.
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev