JAVA - Can we ignore SSL verification for local network - security

Can we ignore SSL verification for local network. My case is-
I have two applications deployed in a system. These two applications cannot communicate through internet, due to some security constraints. the two applications can communicate using their private IPs. But the certificate issued by CA is valid only for the public IP (accessible from internet), so when they tries to do a HTTP connection, it throws a Subject Alternative Name invalid exception.
I cannot use alternate certificate.
Please suggest if we can configure Java / JREs of the applications to ignore SSL validation?
Please suggest any alternate solution, if any.

It sounds to me like you might just be better off using HTTP on the local network.
If you need transport layer security on your LAN, you can probably use a VPN or SSH tunnel instead. And it sounds to me like you don't really need this, as you're OK with ignoring SSL handshake errors, which makes using SSL in the first place kind of moot.
You can set up your servers to listen on two ports, one for external requests over HTTPS, and one for internal requests on HTTP.
You can either set up your firewalls so that HTTP is only available from LAN IPs, or alternatively only listen on localhost and use a VPN or SSH tunnel to the target server and do the requests via the tunnel.

Related

How to host a website locally but with .com domain and accessible on internet

I've bought a .com domain from a provider on the internet. But, I want to host it locally.
I know that I can host a local web by using XAMPP or WAMP, but I want to make it accessible on the internet.
I also know that we could host a web to be accessible on the internet like ngrok, serveo, etc.
But, I want it with my .com domain that I bought. Could this possible? How to? Is there any references?
Thanks in advance ^_^
It seems to me you are asking 1. if it is possible to map a DNS entry such that traffic to the URL would be directed to a server in your personal network, and 2. if it is possible, how to do it.
The answer to the first question is yes, it is possible. The second question is difficult to answer because it depends on many factors such as your ISP, country, your web host provider's rules and services, etc.
First, you must determine two IP addresses:
The public IP address for your network (whatismyip.com)
The private IP address of the local machine which will host your website (typically (192.168.0.x)
Then, you must enable port forwarding in your router configuration, such that any requests to port 80 and/or port 443 on the external interface (public) will be forwarded to the internal port on which your website is hosted. If done properly, putting the public IP in your browser will take you to the website you are hosting locally.
Once you verify access via public IP, then you must go into your DNS entries on your domain host and create a CNAME record which points your root domain (www.yourwebsite.com) to your public IP address. That will route all traffic to your .com to your local server.
I do NOT recommend doing this however, and would caution against it, because it leaves your local server/network open to the public, and makes your domain vulnerable to things such as spoofing etc. To do it properly, you should obtain a security certificate for your domain through a Certificate Authority (CA) - generally, you can request a certificate via your domain hosting service. Once you have a certificate, you must upload the key to your server and configure your web application/hosting service to use the certificate, and then change your port forwarding to use 443 instead.
This is a very complex topic that takes time to learn, and your question is extremely non-specific. There is no good place to start really, and no shortage of information/resources available online. To start, you need to understand how your DNS works. For any local webhosting, port forwarding is important to learn. You should also determine if your ISP blocks the forwarding of certain external ports, which effectively disables any private webhosting.

HTTPS over wiregurad

I have a server that has a web server on it. I have setup wireguard vpn between me and server.
Do I need to serve my web server with https for security or wireguard is enough?
You should be fine as long as your web server is listening on the Wireguard interface only (i.e. it is bound to the IP address of the Wireguard interface) so that it is not reachable from outside the VPN. You do not technically need to wrap everything in another encryption layer such as HTTPS, as the only way to establish a connection to the web server is through the VPN, which already provides encryption and authentication.
Beware though that VPN + HTTP does not offer exactly the same security features that VPN + HTTPS does, there are some subtleties. For example, in case your private VPN key is leaked, it could be used to perform a Man-In-The-Middle attack on your connection, whereas using VPN + HTTPS a potential attacker would also need to break through HTTPS, which means either getting privileged access to your machine (since a new private key is generated by your browser on each TLS handshake) or a way to forge a valid CA-signed certificate for your web server's domain (generally not possible). Whether or not you care about this additional layer of security is up to you really.

Secure WebSocket Proxy for Unsecured WebSocket Server

I have a server (that I don't control, but on my network) that uses unsecured web sockets to communicate. Rather than allow communication directly with that server from outside the network, I'm wanting to set up a secure proxy that uses secured web sockets to receive the requests from outside the network, and then forward those on to the real server within the network. That way, the unsecure traffic never leaves the network and any communication with outside the network is done via the secured proxy.
What would be the best way of achieving this?
If you're talking about having the internal communication still over regular HTTP, but only have communication to the external world over HTTPS, then this is a common practice. HAProxy supports this, and the general term is called "Terminating SSL" or "Terminating TLS".
You can read more about it here: TLS termination proxy

How does a reverse proxy server improve your security?

I'm trying to learn about why reverse proxy servers are useful. I just read...
Security and anonymity – By intercepting requests headed for your backend servers, a reverse proxy server protects their identities and acts as an additional defense against security attacks. It also ensures that multiple servers can be accessed from a single record locator or URL regardless of the structure of your local area network.
https://www.nginx.com/resources/glossary/reverse-proxy-server/
Why is it helpful that the identity of your backend servers are hidden? Couldn't one just still attack them through the reverse proxy server like how any normal client visiting the app would access them?
You can fine-tune the access restrictions for every request, apply rate-limiting and load-balancing so a possible attack may not bring down your whole infrastructure. Especially the load-balancing aspect is key. Additionally, the only server visible to the internet is the reverse proxy, so it's not a trivial task to map your entire server structure as it would be if you exposed them all.
A common use-case is setting the reverse proxy up as the SSL gateway so you can communicate via HTTP behind the firewall. Failover for non-responding servers is also possible. Adding additional servers to the setup is trivial this way.
Apart from this, the immediate benefit is a centralized setup that you don't have to replicate for all the servers behind the firewall. Also, a reverse proxy enables you to expose only HTTP/HTTPS port for one external IP address but have multiple services running with local IPs you can route wherever you want.
Please note that this question likely belongs on Server Fault since it's related to network and server infrastructure.
“A reverse proxy can hide the topology and characteristics of your back-end servers by removing the need for direct internet access to them. You can place your reverse proxy in an internet facing DMZ, but hide your web servers inside a non-public subnet.” [ 1 ]
“By intercepting requests headed for your backend servers, a reverse proxy server protects their identities and acts as an additional defense against security attacks. It also ensures that multiple servers can be accessed from a single record locator or URL regardless of the structure of your local area network.” [ 2 ]
There is a question related to this topic here.
Hope it helps

IIS Central Cert Store - Outbound Traffic

I have an F5 load-balanced 4-server cluster environment that I'm building, so I'm looking to centralize our certificates to prevent needing to install them all on every server. Windows 2012 / IIS 8 seems to have centralized certificates, but that is only to secure my endpoint in IIS for inbound traffic.
What about for outbound traffic? They all will be initiating TLS transactions to external entities, so I need a way to store all these on a single server and have each of the IIS boxes "tap into" that cert store for the private and public keys that are necessary to send that TLS message.
Any suggestions?
You're looking for an HSM which the F5 will support and IIS also supports a few major vendors (Thales and Safe-Net both have IIS supported HSMs). They're not cheap from what I remember but that's exactly what you're looking for.
If you don't want to go that route, you can opt for the dirty solution of using the BIG-IP as your cert store and rely on self-signed certs on the IIS pool members.
Inbound: Incoming traffic terminates on BIG-IP using the valid CA-signed cert SSL Client profile. BIG-IP re-encrypts to IIS using a generic SSL server profile. Not pretty but it works.
Outbound: You would have to use the BIG-IP as the default gateway of the IIS server so you can direct the outbound TLS from BIG-IP instead of IIS directly.
Devcentral: SSL Acceleration - Can I encrypt outbound traffic
Hope this helps.
-Chase

Resources