Hi Andreas,

On Mon, Nov 24, 2014 at 2:23 PM, Andreas Røsdal <andreas.rosdal@gmail.com> wrote:

- Deny: /ag-push/(admin-gui) and /ag-push/(java-api-access)
- Allow: /ag-push/(registration)

Good morning!

Maybe this could be secured using Netfilter on Linux, I would be interested in hearing more about this.
> I think what you're looking for is something like this[1], right?
Initially, I thought I would be looking for a F5 firewall iRule kind of like this:
Is /ag-push/ designed to be exposed to the public Internet?

Well, it's up to you :) If you have different remote systems that need to contact the server -> you wanna expose the /sender part too. If not -> block it.

As you said earlier, the only one that really needs to be exposed to public is the device registration.
>That's an interesting scenario. I think if we extracted the registration
>module to a separated WAR file, would help to protect /ag-push
>infrastructure. Not sure if the idea is interesting.

That is an interesting point, and worth evaluating.

Inside that "registration.war", we could simply act as a proxy to the 'real' registration (on the ag-push.war), which is blocked by the firewall.

-Matthias

Yes, that would be interesting as a more long-term solution. I would like to start using
the UnifiedPush Server very soon, so then I would prefer some quick firewall rule rather than waiting
for a new release.

Thanks for the help so far!
Andreas

2014-11-24 13:57 GMT+01:00 Bruno Oliveira <bruno@abstractj.org>:

Good morning Andreas, I think what you're looking for is something like
this[1], right?
That's an interesting scenario. I think if we extracted the registration
module to a separated WAR file, would help to protect /ag-push
infrastructure. Not sure if the idea is interesting.
Thoughts anyone?
[1] - http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html#toc3.18
> _______________________________________________
On 2014-11-24, Andreas Røsdal wrote:
> Hello!
>
> I would like security advice for running the Aerogear UnifiedPush Server
> for sending Push messages to an iPhone app. The app-server is Wildfly, and
> HTTPS is enabled. It is important to prevent unauthorized push messages
> from being sent. Do you have any documentation or general advice for
> securing Aerogear UnifiedPush Server?
>
> I would like to set up firewall rules to prevent users on the internet from
> logging in to the UnifiedPush Admin gui /ag-push/ while still allowing
> registration of iPhone app/device tokens through the same UnifiedPush Admin
> server. What kind of URL pattern can I use to prevent admin logins
> externally?
>
>
> Regards,
> Andreas R.
> aerogear-dev mailing list
> aerogear-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
abstractj
PGP: 0x84DC9914
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf