Hi Karel!
While reading the documentation for UnifiedPush Server I didn't get the impression that a custom proxy WAR is required to run it securely on the internet, so I would suggest you add some guidelines to the online documentation on how to run it securely.
Is it strictly required to set up ag-push behind a custom proxy WAR to run the UnifiedPush Server securely on a public network? How should I go about creating such a custom proxy WAR? I would much prefer a well-supported open source or commercial off-the-shelf solution over developing a custom proxy WAR. So for me the most practical thing would be to secure the UnifiedPush Server by using firewall rules which block specific URLs, if it is possible to create a list of HTTP paths to block in the firewall.
Would blocking /auth/ and /ag-push/rest/sender/ be sufficient? Which URLs does the iOS device token registration client use?
Further, I have seen the chapter on "Brute Force Protection" which is described in the Security Defenses documentation,
and this seems like a reasonable security feature that I will enable.
I very much appreciate all the feedback on this question so far, and I hope you see that this question will be relevant for
other users of the AeroGear UnifiedPush Server who want to run it securely.
Regards,
Andreas R.