-M
On Tue, Nov 25, 2014 at 9:37 AM, Matthias Wessendorf <matzew(a)apache.org>
wrote:
Hello Andreas!
here is an example of what you can do, with a simple gateway/proxy:
https://github.com/matzew/ups-proxy
For our mobile-quickstarts we needed an example to show how to run a
business backend behind the firewall, but since mobile devices, on the
internet, need to connect to those backends, we created a gateway/proxy
example, based on Fabric8.
The above is a simplified version of that, having one single rule:
https://github.com/matzew/ups-proxy/blob/master/src/main/webapp/WEB-INF/u...
Now, you could block the entire access to /ag-push, from the public
interface, and just allow the "ups-proxy", or even run the UPS behind the
firewall. Your only public access-point could be the proxy servlet in the
above example.
Oh, btw. here is an overview of our RESTful APIs:
http://aerogear.org/docs/specs/aerogear-unifiedpush-rest/overview-index.html
-Matthias
On Mon, Nov 24, 2014 at 4:03 PM, Andreas Røsdal <andreas.rosdal(a)gmail.com>
wrote:
> >well, it's up to you :) if you have different remote systems, that need
> to contact the server -> you wanna expose the /sender part too. if not ->
> block it
>
> Yes, so I can block the following URL from external requests:
> /ag-push/rest/sender/
>
> Are there other similar URLS that I can block to secure the UnifiedPush
> Server?
>
> Regards,
> Andreas R.
>
>
>
> 2014-11-24 14:39 GMT+01:00 Matthias Wessendorf <matzew(a)apache.org>:
>
>> Hi Andreas,
>>
>> On Mon, Nov 24, 2014 at 2:23 PM, Andreas Røsdal <
>> andreas.rosdal(a)gmail.com> wrote:
>>
>>> Good morning!
>>>
>>> > I think what you're looking for is something like this[1], right?
>>>
>>> Maybe this could be secured using Netfilter on Linux, I would be
>>> interested in hearing more about this.
>>> Initially, I thought I would be looking for a F5 firewall iRule kind of
>>> like this:
>>> -Allow: /ag-push/(registration)
>>> -Deny: /ag-push/(admin-gui) and /ag-push/(java-api-access)
>>>
>>> Is /ag-push/ designed to be exposed to the public Internet?
>>>
>>
>> well, it's up to you :) if you have different remote systems, that need
>> to contact the server -> you wanna expose the /sender part too. if not ->
>> block it
>>
>> As you said earlier, the only one that really needs to be exposed to
>> public is the device registration.
>>
>>
>>
>>>
>>> > That's an interesting scenario. I think if we extracted the registration
>>> > module to a separate WAR file, it would help to protect the /ag-push
>>> > infrastructure. Not sure if the idea is interesting.
>>>
>>
>> That is an interesting point, and worth evaluating.
>> Internally of that "registration.war", we could simply act as a proxy to
>> the 'real' registration (on the ag-push.war), which is blocked by the
>> firewall.
>>
>>
>> -Matthias
>>
>>
>>>
>>> Yes, that would be interesting as a more long-term solution. I would
>>> like to start using
>>> the UnifiedPush Server very soon, so then I would prefer some quick
>>> firewall rule rather than waiting
>>> for a new release.
>>>
>>> Thanks for the help so far!
>>>
>>> Andreas
>>>
>>>
>>>
>>> 2014-11-24 13:57 GMT+01:00 Bruno Oliveira <bruno(a)abstractj.org>:
>>>
>>>> Good morning Andreas, I think what you're looking for is something like
>>>> this[1], right?
>>>>
>>>> That's an interesting scenario. I think if we extracted the registration
>>>> module to a separate WAR file, it would help to protect the /ag-push
>>>> infrastructure. Not sure if the idea is interesting.
>>>>
>>>> Thoughts anyone?
>>>>
>>>>
>>>> [1] - http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.h...
>>>>
>>>> On 2014-11-24, Andreas Røsdal wrote:
>>>> > Hello!
>>>> >
>>>> > I would like some security advice for running the Aerogear UnifiedPush
>>>> > Server for sending Push messages to an iPhone app. The app-server is
>>>> > Wildfly, and HTTPS is enabled. It is important to prevent unauthorized
>>>> > push messages from being sent. Do you have any documentation or general
>>>> > advice for securing Aerogear UnifiedPush Server?
>>>> >
>>>> > I would like to set up firewall rules to prevent users on the internet
>>>> > from logging in to the UnifiedPush Admin GUI /ag-push/ while still
>>>> > allowing registration of iPhone app/device tokens through the same
>>>> > UnifiedPush Admin server. What kind of URL pattern can I use to prevent
>>>> > admin logins externally?
>>>> >
>>>> >
>>>> > Regards,
>>>> > Andreas R.
>>>>
>>>> > _______________________________________________
>>>> > aerogear-dev mailing list
>>>> > aerogear-dev(a)lists.jboss.org
>>>> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>>
>>>>
>>>> --
>>>>
>>>> abstractj
>>>> PGP: 0x84DC9914
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
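A deny-by-default version of the path rule the thread converges on (device registration reachable from the public Internet, the admin GUI, /ag-push/rest/sender/ and everything else under /ag-push/ reachable only from inside), written here as an added Python example rather than code from the thread or from the ups-proxy project. It assumes that UPS device registration lives under /ag-push/rest/registration/ and uses a constructed 10.0.0.0/8 range as the internal network.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Constructed policy for the thread's scenario. Assumption: UPS device
# registration lives under /ag-push/rest/registration/. Only that prefix is
# reachable from the public Internet; everything else under /ag-push/ (admin
# GUI, /rest/sender/, ...) is only reachable from INTERNAL_NETS.
PUBLIC_PREFIXES = ("/ag-push/rest/registration",)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed example range


def normalize(raw_path):
    """Canonicalise the request path before matching, so that '..', '//',
    percent-encoding and ';jsessionid=...' segments cannot make the proxy and
    WildFly disagree about which resource a request addresses."""
    path = raw_path.split("?", 1)[0]           # the query string never takes part in routing
    path = unquote(unquote(path))              # decode twice: also catches %252e%252e
    path = "/" + path.lstrip("/")              # collapse leading '//' (normpath would keep it)
    # drop servlet-style path parameters, e.g. /rest/sender;jsessionid=...
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath(path)            # resolves '.', '..' and repeated '/'


def is_internal(client_ip):
    """True when the request comes from one of the trusted internal networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def decide(raw_path, client_ip):
    """Return 'allow' or 'deny' for a request below the UPS context root."""
    if is_internal(client_ip):
        return "allow"                         # internal callers may use /rest/sender, admin GUI, ...
    path = normalize(raw_path)
    for prefix in PUBLIC_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return "allow"                     # public: device registration only
    return "deny"                              # default deny for everything else under /ag-push/
```

The normalisation step is the caveat for any prefix-based allow rule in a proxy or load balancer: if the proxy and WildFly resolve '..' or percent-encoding differently, a bare prefix check no longer describes what the backend actually serves, so decode and collapse the path first and deny by default.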