> contact the server -> you wanna expose the /sender part too. if not ->
> block it
Yes, so I can block the following URL from external requests:
/ag-push/rest/sender/
Are there other similar URLs that I can block to secure the UnifiedPush
Server?
Regards,
Andreas R.
2014-11-24 14:39 GMT+01:00 Matthias Wessendorf <matzew(a)apache.org>:
Hi Andreas,
On Mon, Nov 24, 2014 at 2:23 PM, Andreas Røsdal <andreas.rosdal(a)gmail.com>
wrote:
> Good morning!
>
> > I think what you're looking for is something like this[1], right?
>
> Maybe this could be secured using Netfilter on Linux, I would be
> interested in hearing more about this.
> Initially, I thought I would be looking for a F5 firewall iRule kind of
> like this:
> -Allow: /ag-push/(registration)
> -Deny: /ag-push/(admin-gui) and /ag-push/(java-api-access)
>
> Is /ag-push/ designed to be exposed to the public Internet?
>
well, it's up to you :) if you have different remote systems, that need to
contact the server -> you wanna expose the /sender part too. if not ->
block it
As you said earlier, the only one that really needs to be exposed to the
public is the device registration.
>
> >That's an interesting scenario. I think if we extracted the registration
> >module to a separated WAR file, would help to protect /ag-push
> >infrastructure. Not sure if the idea is interesting.
>
That is an interesting point, and worth evaluating.
Internally of that "registration.war", we could simply act as a proxy to
the 'real' registration (on the ag-push.war), which is blocked by the
firewall.
-Matthias
>
> Yes, that would be interesting as a more long-term solution. I would like
> to start using the UnifiedPush Server very soon, so then I would prefer
> some quick firewall rule rather than waiting for a new release.
>
> Thanks for the help so far!
>
> Andreas
>
>
>
> 2014-11-24 13:57 GMT+01:00 Bruno Oliveira <bruno(a)abstractj.org>:
>
>> Good morning Andreas, I think what you're looking for is something like
>> this[1], right?
>>
>> That's an interesting scenario. I think if we extracted the registration
>> module to a separated WAR file, would help to protect /ag-push
>> infrastructure. Not sure if the idea is interesting.
>>
>> Thoughts anyone?
>>
>>
>> [1] -
>> http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.h...
>>
>> On 2014-11-24, Andreas Røsdal wrote:
>> > Hello!
>> >
>> > I would like security advice for running the Aerogear UnifiedPush
>> > Server for sending Push messages to an iPhone app. The app-server is
>> > Wildfly, and HTTPS is enabled. It is important to prevent unauthorized
>> > push messages from being sent. Do you have any documentation or general
>> > advice for securing Aerogear UnifiedPush Server?
>> >
>> > I would like to set up firewall rules to prevent users on the internet
>> > from logging in to the UnifiedPush Admin gui /ag-push/ while still
>> > allowing registration of iPhone app/device tokens through the same
>> > UnifiedPush Admin server. What kind of URL pattern can I use to prevent
>> > admin logins externally?
>> >
>> >
>> > Regards,
>> > Andreas R.
>>
>> > _______________________________________________
>> > aerogear-dev mailing list
>> > aerogear-dev(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>>
>> --
>>
>> abstractj
>> PGP: 0x84DC9914
>
>
>
>
--
Matthias Wessendorf
blog:
http://matthiaswessendorf.wordpress.com/
sessions:
http://www.slideshare.net/mwessendorf
twitter:
http://twitter.com/mwessendorf
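The path-based allow/deny rule sketched in this thread (external clients may reach device registration only; the admin GUI at /ag-push/ and the sender API at /ag-push/rest/sender/ stay blocked) as an added worked example in Python. This is not code from the thread or from the AeroGear project. The registration prefix `/ag-push/rest/registry/`, the `external` flag and the sample paths are assumptions; the sender path and the /ag-push/ root come from the thread. The example normalizes the request path (percent-decoding, duplicate slashes, `.` and `..` segments) before matching, because a rule that matches only the raw path can disagree with the path the application server actually resolves.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption (not from the thread): the device-registration REST endpoint
# lives under this prefix and is the only thing external clients may reach.
ALLOW_PREFIXES = ("/ag-push/rest/registry/",)
# From the thread: the admin GUI sits at /ag-push/ and the sender API at
# /ag-push/rest/sender/; both fall under the default deny below.
APP_ROOT = "/ag-push/"


def normalize_path(raw_path: str) -> str:
    """Return the path roughly as the application server would resolve it."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]   # drop query/fragment
    path = unquote(path)                                 # %72egistry -> registry
    if not path.startswith("/"):
        path = "/" + path
    path = re.sub(r"/+", "/", path)                      # //ag-push -> /ag-push
    trailing = path.endswith("/")
    path = posixpath.normpath(path)                      # resolves . and .. segments
    if trailing and not path.endswith("/"):
        path += "/"                                      # normpath strips it
    return path


def decide(raw_path: str, external: bool) -> str:
    """Return 'allow' or 'deny' for one request, following the thread's
    sketch: internal clients keep full access, external clients may only
    reach the registration endpoint, everything else is denied by default."""
    if not external:
        return "allow"
    path = normalize_path(raw_path)
    if not path.startswith(APP_ROOT):
        return "deny"
    for prefix in ALLOW_PREFIXES:
        # Exact match on the prefix without its slash, or anything below it;
        # '/ag-push/rest/registryX' does not match because of the slash.
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return "allow"
    return "deny"


if __name__ == "__main__":
    # Constructed sample request paths, not captured traffic.
    samples = [
        ("/ag-push/rest/registry/device", True),
        ("/ag-push/rest/sender/", True),
        ("/ag-push/", True),
        ("/ag-push/rest/registry/../sender/", True),
        ("/ag-push/rest/%72egistry/device", True),
        ("/ag-push/rest/sender/", False),
    ]
    for path, external in samples:
        origin = "external" if external else "internal"
        print(f"{origin:8} {path:40} -> {decide(path, external)}")
```

The same decision table translates directly into a reverse-proxy or firewall rule set: one allow rule for the registration prefix, then a catch-all deny for /ag-push/, applied only to traffic arriving from outside. Whatever enforces it should match on the normalized path, as above, or sit behind a component that normalizes before matching.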