[aerogear-dev] Security advice for UnifiedPush Server

Matthias Wessendorf matzew at apache.org
Tue Nov 25 03:43:34 EST 2014


Hi Andrea,

I added one more rule for the uninstall case:
https://github.com/matzew/ups-proxy/commit/7ba0f801712edd3fafa8f7065a11a1a50a54074e

-M

On Tue, Nov 25, 2014 at 9:37 AM, Matthias Wessendorf <matzew at apache.org>
wrote:

> Hello Andreas!
>
> here is an example of what you can do, with a simple gateway/proxy:
> https://github.com/matzew/ups-proxy
>
> For our mobile-quickstarts we needed an example to show how to run a
> business backend behind the firewall, but since mobile devices, on the
> internet, need to connect to those backends, we created a gateway/proxy
> example, based on Fabric8.
>
> The above is a simplified version of that, having one single rule:
>
> https://github.com/matzew/ups-proxy/blob/master/src/main/webapp/WEB-INF/ups-proxy-config.json#L2
>
> Now, you could block the entire access to /ag-push, from the public
> interface, and just allow the "ups-proxy", or even run the UPS behind the
> firewall. Your only public access-point could be the proxy servlet in the
> above example.
>
> Oh, btw. here is an overview of our RESTful APIs:
>
> http://aerogear.org/docs/specs/aerogear-unifiedpush-rest/overview-index.html
>
> -Matthias
>
> On Mon, Nov 24, 2014 at 4:03 PM, Andreas Røsdal <andreas.rosdal at gmail.com>
> wrote:
>
>> > well, it's up to you :) if you have different remote systems, that need
>> > to contact the server -> you wanna expose the /sender part too. if not ->
>> > block it
>>
>> Yes, so I can block the following URL from external requests:
>> /ag-push/rest/sender/
>>
>> Are there other similar URLs that I can block to secure the UnifiedPush
>> Server?
>>
>> Regards,
>> Andreas R.
>>
>>
>>
>> 2014-11-24 14:39 GMT+01:00 Matthias Wessendorf <matzew at apache.org>:
>>
>>> Hi Andreas,
>>>
>>> On Mon, Nov 24, 2014 at 2:23 PM, Andreas Røsdal <
>>> andreas.rosdal at gmail.com> wrote:
>>>
>>>> Good morning!
>>>>
>>>> > I think what you're looking for is something like this[1], right?
>>>>
>>>> Maybe this could be secured using Netfilter on Linux, I would be
>>>> interested in hearing more about this.
>>>> Initially, I thought I would be looking for a F5 firewall iRule kind of
>>>> like this:
>>>> -Allow: /ag-push/(registration)
>>>> -Deny: /ag-push/(admin-gui)  and /ag-push/(java-api-access)
>>>>
>>>> Is /ag-push/ designed to be exposed to the public Internet?
>>>>
>>>
>>> well, it's up to you :) if you have different remote systems, that need
>>> to contact the server -> you wanna expose the /sender part too. if not ->
>>> block it
>>>
>>> As you said earlier, the only one that really needs to be exposed to
>>> public is the device registration.
>>>
>>>
>>>
>>>>
>>>> > That's an interesting scenario. I think if we extracted the
>>>> > registration module to a separate WAR file, it would help to protect
>>>> > the /ag-push infrastructure. Not sure if the idea is interesting.
>>>>
>>>
>>> That is an interesting point, and worth evaluating.
>>> Internally of that "registration.war", we could simply act as a proxy to
>>> the 'real' registration (on the ag-push.war), which is blocked by the
>>> firewall.
>>>
>>>
>>> -Matthias
>>>
>>>
>>>>
>>>> Yes, that would be interesting as a more long-term solution. I would
>>>> like to start using the UnifiedPush Server very soon, so I would prefer
>>>> some quick firewall rule rather than waiting for a new release.
>>>>
>>>> Thanks for the help so far!
>>>>
>>>> Andreas
>>>>
>>>>
>>>>
>>>> 2014-11-24 13:57 GMT+01:00 Bruno Oliveira <bruno at abstractj.org>:
>>>>
>>>>> Good morning Andreas, I think what you're looking for is something like
>>>>> this[1], right?
>>>>>
>>>>> That's an interesting scenario. I think if we extracted the
>>>>> registration module to a separate WAR file, it would help to protect
>>>>> the /ag-push infrastructure. Not sure if the idea is interesting.
>>>>>
>>>>> Thoughts anyone?
>>>>>
>>>>>
>>>>> [1] -
>>>>>
>>>>> http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html#toc3.18
>>>>>
>>>>> On 2014-11-24, Andreas Røsdal wrote:
>>>>> > Hello!
>>>>> >
>>>>> > I would like some security advice for running the Aerogear UnifiedPush
>>>>> > Server for sending Push messages to an iPhone app. The app-server is
>>>>> > Wildfly, and HTTPS is enabled. It is important to prevent unauthorized
>>>>> > push messages from being sent. Do you have any documentation or general
>>>>> > advice for securing Aerogear UnifiedPush Server?
>>>>> >
>>>>> > I would like to set up firewall rules to prevent users on the internet
>>>>> > from logging in to the UnifiedPush Admin GUI at /ag-push/ while still
>>>>> > allowing registration of iPhone app/device tokens through the same
>>>>> > UnifiedPush Admin server. What kind of URL pattern can I use to prevent
>>>>> > admin logins externally?
>>>>> >
>>>>> >
>>>>> > Regards,
>>>>> > Andreas R.
>>>>>
>>>>> > _______________________________________________
>>>>> > aerogear-dev mailing list
>>>>> > aerogear-dev at lists.jboss.org
>>>>> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> abstractj
>>>>> PGP: 0x84DC9914
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Matthias Wessendorf
>>>
>>> blog: http://matthiaswessendorf.wordpress.com/
>>> sessions: http://www.slideshare.net/mwessendorf
>>> twitter: http://twitter.com/mwessendorf
>>>
>>>
>>
>>
>>
>
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
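As an added example (not code from this thread, from the ups-proxy repository or from the UnifiedPush project), here is the decision logic of a default-deny path policy of the kind the thread converges on: a public gateway in front of /ag-push admits only device registration, plus the unregistration call for the uninstall case, while /rest/sender and the admin GUI are reachable from inside the firewall only. The endpoint paths under /ag-push are assumptions modelled on the UnifiedPush REST API; the request lines at the bottom are constructed for the example, and two of them show why the path is canonicalised before matching.

```python
"""Default-deny path policy for a push-server gateway (added example).

Models the thread's setup: a public proxy in front of /ag-push that admits
only device registration (and unregistration, the "uninstall case"), so the
sender API and the admin GUI are reachable from inside the firewall only.
The endpoint paths are assumptions modelled on the UnifiedPush REST API;
the request lines at the bottom are constructed for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

PUBLIC_CONTEXT = "/ag-push"

# Ordered allow-list of (HTTP methods, path pattern relative to the context).
# Anything that matches no rule is denied, so /rest/sender, the admin GUI and
# any endpoint added in a later release stay private without further config.
ALLOW_RULES = (
    ({"POST"}, re.compile(r"^/rest/registry/device$")),          # device registration (assumed path)
    ({"DELETE"}, re.compile(r"^/rest/registry/device/[^/]+$")),  # unregistration on uninstall (assumed path)
)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def normalize_path(raw_path):
    """Canonicalise a request path before matching.

    Drops the query string, percent-decodes, collapses empty and '.' segments
    and resolves '..', so an encoded or dotted path cannot slip past a rule
    that was written against the clean form.
    """
    path = unquote(raw_path.split("?", 1)[0])
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def decide(method, raw_path):
    """Return the gateway decision for one request."""
    path = normalize_path(raw_path)
    if path != PUBLIC_CONTEXT and not path.startswith(PUBLIC_CONTEXT + "/"):
        return Decision(False, "outside the published context")
    relative = path[len(PUBLIC_CONTEXT):] or "/"
    for methods, pattern in ALLOW_RULES:
        if pattern.match(relative):
            if method.upper() in methods:
                return Decision(True, "allow rule " + pattern.pattern)
            return Decision(False, "method not permitted on a public endpoint")
    return Decision(False, "default deny")


def evaluate(request_lines):
    """Apply the policy to 'METHOD PATH' lines; returns [(line, allowed, reason)]."""
    results = []
    for line in request_lines:
        method, path = line.split(" ", 1)
        d = decide(method, path)
        results.append((line, d.allowed, d.reason))
    return results


# Constructed sample traffic as the public gateway would see it.
SAMPLE_REQUESTS = [
    "POST /ag-push/rest/registry/device",                     # phone registers its token
    "DELETE /ag-push/rest/registry/device/abc123",            # app uninstalled, token removed
    "POST /ag-push/rest/sender",                              # push submission: internal only
    "GET /ag-push/",                                          # admin GUI login page
    "POST /ag-push/rest/registry/device/../../sender",        # dotted path towards the sender API
    "POST /ag-push/rest/registry/device%2F..%2F..%2Fsender",  # same, percent-encoded
    "GET /ag-push/rest/registry/device",                      # right path, wrong method
]

if __name__ == "__main__":
    for line, allowed, reason in evaluate(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {line:56} {reason}")
```

The point of the ordering is that the allow-list is the only thing an operator maintains: denying /rest/sender and the admin GUI by name, as the iRule sketch earlier in the thread does, works until a release adds an endpoint nobody thought to list, whereas a default-deny gateway keeps new paths private until someone decides to publish them. Matching against the canonicalised path is what makes the rule hold for the last three sample requests.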