Google App Engine, http inside container considered a vulnerability - node.js

We use Google App Engine and the provided load balancer to do SSL offloading for our API requests which are served by NodeJs. A third party is using Fortify to determine that even though it is https to the outside, because it is http inside the containers, it is considered a vulnerability.
Everything we read suggests setting the environment up this way.
Is this really a vulnerability and if so, how would we best mitigate against this without having to add paid certificates into our Node app?
Thanks in advance

Is this really a vulnerability and if so, how would we best mitigate against this without having to add paid certificates into our Node app?
Yes, the proxy of HTTPS to HTTP is a vulnerability as data is decrypted in transit. However, the connection between the frontend and your application is very hard to exploit outside the Google data center. I am not aware of a method to exploit this item.
In the cloud and on-premises data centers, proxying of HTTPS to HTTP is very popular. This offloads the CPU intensive process of encryption and decryption.
In security, there are almost always exceptions that need to be documented. This is one of them.
For the second part of your question, the proxy is HTTPS -> HTTP. This means that you cannot add your own SSL certificate to your backend code. If you did, you would have connection protocol errors.
If you must mitigate this problem, then you must select a different service and deploy your code with frontends/backends (web servers/proxies/load balancers) you configure and control.

Related

Using HTTPS with Azure Functions running on Azure IoT Edge

Background
I have a system running on Azure IoT Edge. The system is composed of multiple modules that expose REST interfaces. To make everything look tidy from the client's perspective (a browser on another machine in the same network) we use an Azure Function and its reverse proxy capabilities.
So, basically, the client makes a request to an endpoint of the function; if the route matches one in the "proxies" config, it is routed to the correct module using the docker network provided by the IoT Edge product.
Problem
Now, what I would like to accomplish is that the client would use an https connection to make the request to the function.
So the browser would make a request to https://:8000/Somemodule/Resource and this request would be routed by the af proxy to http://Somemodule:80/Resource .
So my question is, how do I enable https in a function running locally in a docker container, and can the reverse proxy work as described above?
Thanks for any help!
For HTTPS, you primarily need an SSL certificate and a reverse proxy like nginx that can do SSL termination, since I believe Azure Functions doesn't support it as part of the runtime itself (which is what the docker container has).
Nginx is a popular and fairly common choice to use for SSL Termination. You would have to configure it for SSL with your domain information and setup your Azure Function as its upstream.
That being said, you could actually just use nginx as your proxy directly too, completely removing the need for Azure Functions, unless you are using it for Functions and Proxies. Your current proxy entries would just become an upstream definition for each module and separate locations (basically path) that would route the requests.

NodeJS: Possible to host an HTTPS server without a domain name (hobby project)

I'm making a hobby project and it involves a NodeJS http server that I access via a web browser (through GET and POST requests). The HTML/CSS/JS part of the webpage is local, not on the NodeJS server.
I understand I need to generate SSL certificates but those ask for things like domain names and stuff.
I simply want to enable HTTPS on my NodeJS server. Right now I'm manually encrypting all messages sent back and forth through AES, but I trust the https security more, I'm not a cryptographer.
Is there an easy way to get those certificates? My NodeJS server is accessible via the internet but only by IP address (port forwarded), and through the express module using HTTP requests.
Do I need to pay for them?
In this case you can use DigitalOcean's services: buy a subscription of your choice and deploy your Node.js app with a free SSL certificate (Let's Encrypt).
However, I recommend you understand the following concepts:
Reverse proxy (nginx)
Process managements (pm2)
SSL certificates
I am sure you would love to go through the starter tutorials from DigitalOcean:
https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-20-04
https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-20-04
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-20-04
As it's a hobby project; otherwise, I would have recommended other options.

If I host my nodejs application on Heroku or other hosting platform can I ignore serving my app using HTTPS?

I have started creating my own nodejs app (for the first time) that I hope to deploy at some point, perhaps to Heroku or another platform.
I need for my app to encrypt traffic namely for user passwords and sessions (note there is no other obviously sensitive data).
I started looking into serving my app using HTTPS (SSL) however I am now wondering if I need this. If my app is to be hosted and deployed using Heroku/other platform won't all requests be trafficked through their servers presumably using HTTPS by default? I am guessing that the request will then be routed using HTTP to my application, although I am struggling to understand how this works. Ultimately I would like to know if I can ignore worrying about paying for SSL certification and such like when it will not matter in this hosting environment?
Help much appreciated. Matt.
If you are using Heroku then you must be using a paid dyno (hobby or professional), and Heroku provides free SSL to all paid dynos. Furthermore, if you think that at some point you may switch hosting, there is always free SSL available via Let's Encrypt.
Heroku serves all requests with and without SSL on the default herokuapp URL.
Use the Cloudflare free plan. Open a free account on Cloudflare and copy the DNS. Then set the DNS in your domain service provider (GoDaddy or similar), then change the CNAME config for the website inside Cloudflare. Now you have a free certificate.

Custom CouchDb SSL Certificate Verification

I'm trying to configure CouchDB to use SSL on IoT devices accessed via IP. I'm trying to avoid adding a webserver as a reverse proxy in an attempt to keep things as lightweight as possible and instead use CouchDb's builtin SSL functionality.
The problem I'm running into is that replication is going to fail Common Name certificate verification because we're accessing via IP. I'm hoping to use a custom verification function to check certificate thumbprint instead. It looks like verify_fun combined with something like this ssl_verify_fingerprint function is probably what I'm looking for, but I can't figure out how to use it in the config file. How can I update this config line to use a custom function?
verify_fun = {Module, VerifyFun}
I am not sure I understand your question fully. By "nodes" do you mean a Node.js environment? You can configure CouchDb itself to use SSL, but normally you would serve your HTML from a web server and use CouchDb to provide information for the web pages. So users would not directly access CouchDb in that scenario.
The common solution is to configure Apache, Nginx or some other web server as a reverse proxy and SSL end point. You can then redirect incoming HTTPS requests to other services on your server such as Node.js. There are many guides on setting up a reverse proxy with SSL such as this one and this one. You can use "Let's Encrypt" for secure certificates. I hope this helps.

Configuring SSL certificate off-load when dealing with Azure web app behind Application Gateway

I have set up an application gateway(AG) to eventually protect my web app using this link but with the difference that the AG's public IP will forward the requests to my web app and I won't be using any jump box.
This diagram should give you a better idea.
Now on my web app, I have added a couple of domains under the Custom domains and I don't have any SSL binding, thinking that the AG will do the work. Basically I have added the SSL cert to the AG's Front End IP--->Listener. I also redirect HTTP to HTTPS on AG using the listeners, and on the web app I am not forcing HTTPS.
My questions are:
Is this roughly the right way to protect a web app (Please note that in the future I intend to enable WAF and the DDOS protection on AG)?
Is having the AG do the encryption/decryption going to slow things down?
EDIT: I actually removed the two domains from the web app's custom domains and it seems to work fine without it but I still have the above two questions. :)
Yes, this is the way of doing it; if you want to, you can configure end-to-end SSL (a bit more secure).
Obviously it will, but negligibly.
