Background
I have a system running on Azure iot edge. The system is composed of multiple modules that expose REST interfaces. To make everything look tidy from the client's perspective (a browser on another machine in the same network) we use an Azure Function and its reverse proxy capabilities.
So, basically, the client makes a request to an endpoint of the function, if the route matches one in the "proxies" config, it is routed to the correct module using the docker network provided by the iot edge product.
Problem
Now, what I would like to accomplish is that the client would use an https connection to make the request to the function.
So the browser would make a request to https://:8000/Somemodule/Resource and this request would be routed by the af proxy to http://Somemodule:80/Resource .
So my question is, how do I enable https in a function running locally in a docker container, and can the reverse proxy work as described above?
Thanks for any help!
For HTTPS, you primarily need an SSL certificate and a reverse proxy like nginx that can do SSL termination, since I believe Azure Functions doesn't support it as part of the runtime itself (which is what the docker container has).
Nginx is a popular and fairly common choice to use for SSL Termination. You would have to configure it for SSL with your domain information and setup your Azure Function as its upstream.
That being said, you could actually just use nginx as your proxy directly too, completely removing the need for Azure Functions, unless you are using it for Functions and Proxies. Your current proxy entries would just become an upstream definition for each module and separate locations (basically path) that would route the requests.
Related
I am working on a supply chain management application. I developed the frontend of the application in ReactJS and the backend in Docker and NodeJS. My question is, if I deploy my backend, i.e. the NodeJS SDK, on Docker Swarm, can I access the deployed APIs from a different computer?
You can make a service (backend) reachable from the outside in primarily two ways:
Either you expose the port of the service directly, and you can then connect straight to it (it is not recommended to do so on any actual deployment) by using the ports configuration. By doing so, the exposed port will be available to access the service from the outside world.
Or you deploy another service which will act as a reverse proxy / API gateway. So the proxy (nginx, traefik, ...) will listen for all incoming requests, check SSL, ..., and then it will forward the request to the right service. This is the recommended way because you hide your actual service behind a proxy, and also put all of the auth/SSL details on the proxy itself, so you free your service from needing to know anything about those technical details.
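The proxy layout both answers above describe (a single TLS endpoint in front of services on a Docker network, routing by path) as an added example; this is not configuration from either answer or from Azure. The service names `azure-function` and `Somemodule`, the listen port 8000 and the certificate paths are assumptions chosen to match the first question; a module can be reached directly (no Functions hop) or through the Functions proxy, as the first answer suggests.

```nginx
# Added example: nginx terminating TLS for services on a shared Docker network.
# Hostnames, port and certificate paths are assumptions for illustration.

# Upstreams resolve by Docker service name on the shared network (plain HTTP inside).
upstream azure_function {
    server azure-function:80;     # assumed name of the Functions container
}
upstream somemodule {
    server Somemodule:80;         # module name from the question
}

server {
    # The browser talks HTTPS to this port; nothing is served in the clear.
    listen 8000 ssl;
    server_name _;

    # Certificate and key mounted into the proxy container (paths assumed).
    ssl_certificate     /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Headers the backends need to know the original client and scheme.
    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

    # Option 1: route a module directly, replacing its "proxies" entry.
    # The trailing slash strips the matched prefix:
    #   https://<host>:8000/Somemodule/Resource -> http://Somemodule:80/Resource
    location /Somemodule/ {
        proxy_pass http://somemodule/;
    }

    # Option 2: everything else still goes through the Azure Function, which
    # keeps applying its own proxies.json routing over plain HTTP.
    location / {
        proxy_pass http://azure_function;
    }
}
```

Only the nginx container publishes a host port; the Function and the modules keep their ports internal to the Docker network, which is the point of the "reverse proxy instead of exposed ports" recommendation.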
I have deployed a Python Flask based app in AWS. It is running fine on http://<ip>. I need to convert this to https. I have sent request for admin to enable port 443 for https.
Will that automatically make my app use https, or do I need to install or set up something else to make it happen?
You have multiple choices for this:
Use ACM (Easiest?!):
If you're using AWS load balancers, you can create a certificate using the ACM service, assign it to your load balancer and modify your Target Groups in the EC2 panel.
If you are using CloudFront, you can also configure your SSL/TLS there (without changing the load balancer and target groups). It will work as an upper layer.
Use other certificate providers excluding AWS ACM:
You can set up something like Let's Encrypt or use Cloudflare services.
Note: it really depends on how your cloud stack currently is; you may be only deploying on an EC2 server with Nginx configured and everything else done outside of AWS with other services, or you can have a Let's Encrypt certificate on your ALB.
This post just gives you some keywords; you can search and find exact instructions/tutorials for every solution.
We use Google App Engine and the provided load balancer to do SSL offloading for our API requests, which are served by NodeJs. A third party is using Fortify to determine that even though it is https to the outside, because it is http inside the containers, it is considered a vulnerability.
Everything we read suggests setting the environment up this way.
Is this really a vulnerability, and if so, how would we best mitigate against this without having to add paid certificates into our Node app?
Thanks in advance
Is this really a vulnerability and if so, how would we best mitigate against this without having to add paid certificates into our Node app.
Yes, the proxy of HTTPS to HTTP is a vulnerability as data is decrypted in transit. However, the connection between the frontend and your application is very hard to exploit outside the Google data center. I am not aware of a method to exploit this item.
In the cloud and on-premises data centers, proxying of HTTPS to HTTP is very popular. This offloads the CPU intensive process of encryption and decryption.
In security, there are almost always exceptions that need to be documented. This is one of them.
For the second part of your question, the proxy is HTTPS -> HTTP. This means that you cannot add your own SSL certificate to your backend code. If you did, you would have connection protocol errors.
If you must mitigate this problem, then you must select a different service and deploy your code with frontends/backends (web servers/proxies/load balancers) you configure and control.
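What the last paragraph points at, a frontend you control that re-encrypts to the backend so no hop is plaintext, as an added example that is not part of the answer or of Google's platform. The upstream name `api-backend`, the internal CA file and the ports are assumptions; the backend is assumed to present its own certificate issued by that internal CA.

```nginx
# Added example: nginx terminates the client's TLS and re-encrypts to the
# backend, verifying the backend certificate. Names and paths are assumptions.

upstream api_backend {
    server api-backend:8443;      # assumed: the Node app listens with TLS
}

server {
    listen 443 ssl;
    server_name api.example.com;  # placeholder public name

    ssl_certificate     /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://api_backend;

        # Verify the backend's certificate against an internal CA instead of
        # trusting whatever answers on the socket; an unverified HTTPS hop
        # would defeat the purpose of re-encrypting.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.pem;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Name expected in the backend certificate, also sent as SNI; the
        # upstream is addressed by a private name, not the public one.
        proxy_ssl_name        api-backend.internal;
        proxy_ssl_server_name on;

        # Reuse backend TLS sessions to keep the extra handshake cost down.
        proxy_ssl_session_reuse on;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

The backend certificate here comes from a private CA you operate, so it does not need to be a purchased one; only the public-facing certificate on the frontend needs to be trusted by browsers.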
I have a web app for Docker currently running Django with gunicorn as the WSGI server and Nginx as a reverse proxy. I am not serving any static assets via Nginx, and SSL is taken care of by Azure.
So my question is, if I use Azure application gateway (with or without WAF) can I remove Nginx? I don't see any use for it, unless I want to use cache, which I don't. HTTP/2 is also provided by application gateway.
Both Nginx and Azure Application Gateway act as a reverse proxy with Layer 7 load-balancing features plus a WAF to ensure strong protection against common web vulnerabilities and exploits.
Application Gateway supports autoscaling, SSL offloading and end-to-end SSL, a web application firewall (WAF), cookie-based session affinity, URL path-based routing, multisite hosting, redirection, HTTP header rewriting and other features. For a full list of supported features, see Introduction to Application Gateway. Also, be aware of Application Gateway limits.
Nginx, on the other hand, provides better URL rewriting and redirecting features than Application Gateway. See the feedback. With Nginx, you can rewrite the URL of a request before passing it to a backend server. This means you can alter the location of files or request paths without modifying the URL advertised to clients. You can also redirect requests.
In my opinion, if you just want simple load balancing without complex URL rewriting, it's enough to use Azure Application Gateway. For complex rewrite use cases, you can add Nginx. Read about creating Nginx rewrite rules and more details here.
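The two behaviours the answer contrasts, an internal rewrite the client never sees versus a redirect the client follows, as an added example in front of the gunicorn backend from the question; this is not configuration from the answer. The upstream name `gunicorn`, the hostnames and the paths are assumptions, and TLS is assumed to be terminated by Azure in front of nginx, as the question states.

```nginx
# Added example: nginx rewrite (internal) versus redirect (visible to client)
# in front of a gunicorn/Django backend. Names, ports and paths are assumptions.

upstream django_app {
    server gunicorn:8000;         # assumed gunicorn container and port
}

server {
    # Plain HTTP: TLS is already terminated by the Azure layer in front.
    listen 80;
    server_name app.example.com;  # placeholder

    # Redirect: the client is told the new location and its address bar changes.
    location = /old-dashboard {
        return 301 /dashboard/;
    }

    # Rewrite: /api/v1/users becomes /users on the backend, while the client
    # keeps seeing /api/v1/users. "break" stops rewrite processing and passes
    # the rewritten URI to proxy_pass.
    location /api/v1/ {
        rewrite ^/api/v1/(.*)$ /$1 break;
        proxy_pass http://django_app;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Forward the scheme the TLS terminator in front reports (assumed header).
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }

    # Everything else goes to gunicorn unchanged.
    location / {
        proxy_pass http://django_app;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }
}
```

Django needs the forwarded scheme (SECURE_PROXY_SSL_HEADER) to build correct HTTPS URLs when it sits behind a terminating proxy, which is why the header is passed through rather than set from nginx's own `$scheme`, which would be `http` here.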
Go for Azure Application Gateway... and get rid of Nginx. When in the cloud, it makes sense to use all PaaS platform features.
I'm trying to configure CouchDB to use SSL on IoT devices accessed via IP. I'm trying to avoid adding a webserver as a reverse proxy in an attempt to keep things as lightweight as possible and instead use CouchDb's builtin SSL functionality.
The problem I'm running into is that replication is going to fail Common Name certificate verification because we're accessing via IP. I'm hoping to use a custom verification function to check the certificate thumbprint instead. It looks like verify_fun combined with something like this ssl_verify_fingerprint function is probably what I'm looking for, but I can't figure out how to use it in the config file. How can I update this config line to use a custom function?
verify_fun = {Module, VerifyFun}
I am not sure I understand your question fully. By "nodes" do you mean a Node.js environment? You can configure CouchDb itself to use SSL, but normally you would serve your HTML from a web server and use CouchDb to provide information for the web pages. So users would not directly access CouchDb in that scenario.
The common solution is to configure Apache, Nginx or some other web server as a reverse proxy and SSL end point. You can then redirect incoming HTTPS requests to other services on your server such as Node.js. There are many guides on setting up a reverse proxy with SSL such as this one and this one. You can use "Let's Encrypt" for secure certificates. I hope this helps.