Re: [aerogear-dev] Security advice for UnifiedPush Server

Hi Karel! While reading the documentation for UnifiedPush Server I didn't get the impression that a custom proxy WAR is required to run it securely on the internet, so I would suggest you add some guidelines to the online documentation how to run it securely. Is it strictly required to setup ag-push behind a custom proxy WAR to run the UnifiedPush Server securely on a public network? How should I go about creating such a custom proxy WAR? I would much prefer a well-supported open source or commercial off-the-shelf solution than to develop a custom proxy WAR. So for me the most practical thing would be to secure the UnifiedPush Server by using firewall rules which block specific URLs, if it is possible to create a list of HTTP paths to block in the firewall. Would blocking /auth/ and /ag-push/rest/sender/ be sufficient? Which URLs does the iOS device token registration client use? Further, I have seen the chapter on "Brute Force Protection" which is described in the Security Defenses documentation, and this seems like a reasonable security feature that I will enable. I very much appreciate all the feedback on this question so far, and I hope you see that this question will be relevant for other users of the AeroGear UnifiedPush Server who want to run it securely. Regards, Andreas R. 2014-11-24 17:30 GMT+01:00 Karel Piwko <kpiwko(a)redhat.com&gt;: > On Mon, 2014-11-24 at 13:27 +0100, Andreas Røsdal wrote: > > Hello! > > > > I would like to security advice for running the Aerogear UnifiedPush > Server > > for sending Push messages to an iPhone app. The app-server is Wildfly, > and > > HTTPS is enabled. It is important to prevent unauthorized push messages > > from being sent. Do you have any documentation or general advice for > > securing Aerogear UnifiedPush Server? > > > > I would like to setup firewall rules to prevent users on the internet to > > log in to the UnifiedPush Admin gui /ag-push/ while still allowing > > registration of iPhone app/device tokens though the same UnifiedPush > Admin > > server. What kind of URL pattern can I use to prevent admin logins > > externally? > > I'd say hide ag-push to be accessible only on a particular interface > available in your internal network and create a proxy WAR accessible on > public network that will "forward" sender and registration requests to > ag-push WAR. > > > > > > > > Regards, > > Andreas R. > > _______________________________________________ > > aerogear-dev mailing list > > aerogear-dev(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/aerogear-dev > > > _______________________________________________ > aerogear-dev mailing list > aerogear-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/aerogear-dev >

_______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev