Hi Karel!

While reading the documentation for UnifiedPush Server I didn't get the impression that a custom proxy WAR is
required to run it securely on the internet, so I would suggest you add some guidelines to the online documentation on how to run it securely.
Is it strictly required to set up ag-push behind a custom proxy WAR to run the UnifiedPush Server securely on a public network?
How should I go about creating such a custom proxy WAR? I would much prefer a well-supported open source or commercial off-the-shelf solution
to developing a custom proxy WAR. So for me the most practical thing would be to secure the UnifiedPush Server by using
firewall rules which block specific URLs, if it is possible to create a list of HTTP paths to block in the firewall.
Would blocking /auth/ and /ag-push/rest/sender/ be sufficient? Which URLs does the iOS device token registration client use?

Further, I have seen the chapter on "Brute Force Protection" which is described in the Security Defenses documentation,
and this seems like a reasonable security feature that I will enable.

I very much appreciate all the feedback on this question so far, and I hope you see that this question will be relevant for 
other users of the AeroGear UnifiedPush Server who want to run it securely.

Regards,
Andreas R.


2014-11-24 17:30 GMT+01:00 Karel Piwko <kpiwko@redhat.com>:
On Mon, 2014-11-24 at 13:27 +0100, Andreas Røsdal wrote:
> Hello!
>
> I would like some security advice for running the Aerogear UnifiedPush Server
> for sending Push messages to an iPhone app. The app-server is Wildfly, and
> HTTPS is enabled. It is important to prevent unauthorized push messages
> from being sent. Do you have any documentation or general advice for
> securing Aerogear UnifiedPush Server?
>
> I would like to set up firewall rules to prevent users on the internet from
> logging in to the UnifiedPush Admin gui /ag-push/ while still allowing
> registration of iPhone app/device tokens through the same UnifiedPush Admin
> server. What kind of URL pattern can I use to prevent admin logins
> externally?

I'd say hide ag-push so that it is accessible only on a particular interface
available in your internal network, and create a proxy WAR accessible on the
public network that will "forward" sender and registration requests to the
ag-push WAR.


>
>
> Regards,
> Andreas R.
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev

