I have a WSS installation that's behind basic authentication/SSL (it's hosted at a public web host). I'm creating a sister site in ASP.NET, and am considering just running the credentials through and allowing users to log into the new system providing there is no 401 Not Authorized error returned.
Both are internet-facing applications that will be used by about 20-50 people.
What am I missing? I've never heard of this recommended before, but I don't see why it wouldn't work.
I can't see any major problems with that - you'll obviously want to make sure both servers are using SSL if you've got to send that over the Internet, but other then that it sounds like an elegant way to share credentials between applications.
Related
I'm hoping to get some kind of idea if what I have in mind is even possible or if I'm looking in the wrong place.
Basically, my company provides a website which users are able to access online with credentials we sell and provide them. We have another potential customer who would like to access this website. Sadly this customer is very stuck in the past, and they don't allow their users any internet access at all.
For a number of reasons, I don't want them to host their own version of this website. However, I considered that we might configure a web proxy on their network (which is given internet access) which reverse forwards connections to our website. Is this even possible? And should it be attempted? Or are there better ways to achieve this?
Yes it's possible, you can install on their intranet a simple proxy script for example
https://github.com/Athlon1600/php-proxy-app
and modify the index.php and allow from there only a single host to your website.
I don't know what technology you can use on their Intranet network but virtually for every web language, such software is available.
Here is some discussion related to the "Access the sites blocked over the network" that is just for Gmail but it will definitely help you too:
https://superuser.com/questions/453825/how-to-bypass-web-url-filtering-service-to-access-blocked-websites-proxy
For bypassing the firewall and getting access to the blocked sites:
http://www.makeuseof.com/tag/how-to-get-into-blocked-websites-in-school-with-freeproxy/
Is ngrok a safe tool to use? I was reading a tutorial which recommended to use ngrok test API responses that I make to outside services that need to connect to my endpoints also.
There is no source code available for Version 2.0, considering it started as an open source project in 2014. I am suspect of any code that opens a tunnel to my localhost from the cloud. Pretty scary stuff especially without source code!
It opens up a tunnel to your dev machine, which is partially secured by obscurity (a hard to guess subdomain), and can be further secured by requiring a password. But you're still opening yourself up to ngrok itself, and the company is completely opaque (no address, no employees, no business name, no LinkedIn presence; all I can find is that it has 1-10 employees and is private; not even sure what country its based in). On top of that the code is not open-sourced. No reason to think they're not legit, but not a lot of information available to build trust.
You may be able to use ngrok and other local tunnel services with more security by encrypting the traffic. See https://security.stackexchange.com/questions/177280/end-to-end-encryption-for-localtunnel-ngrok-setup/177357#177357 for more information.
I found good rating, but vacuous information here:
http://www.scamadviser.com/is-ngrok.com-a-fake-site.html
The kicker for me is
https://developer.atlassian.com/blog/2015/05/secure-localhost-tunnels-with-ngrok/
where the Atlassian folks recommend it highly.
I think I am going to use it.
If anyone is concerning compromising their development environment, you can use Docker. There are many ngrok/docker projects but here is the one I chose: https://github.com/gtriggiano/ngrok-tunnel
for macOS, use "TARGET_HOST=docker.for.mac.localhost"
They now offer a service where you locally run only ssh, no need to run any of their code on your machine.
You run something like ssh -R 80:localhost:8501 tunnel.us.ngrok.com http. This connects to one of their hosts and forwards connections they receive back to your machine and the service you run on localhost:8501.
This seems secure to me, the only thing is that you don't know what information they collect and who is connecting to your exposed service. They print all connections, but it's their binary that does this and someone might well listen in without you noticing. You can check connections on your end, but you cannot be sure who it is that connects.
Ngrok is a convenient and highly secure utility for creating tunnels to locally hosted applications via a reverse proxy. This is a utility for publishing locally hosted applications on the web. style="letter-spacing: 0px;">Simply put, any locally hosted application provides a publicly accessible web URL to the . H. Either a Spring Boot or Nodejs based web application, or a webhook for a chat application, etc.
So I have finished creating my first website that I will be hosting online. It have php, html, and javascript. Now I am looking for a way to host my website securely. I have looked at sites like godaddy and web hosting hub. I was wondering what the best hosting service would be for my needs.
My needs:
Able to run php
Have a actual name, like www.noahhuppert.com
Be able to obscure the code so people can not just copy it(This is because my website is for my website design company and I have examples of templates people can use, but I don't want people jsut stealing those templates with a simple right click + inspect element)
Run server side scripts(Like slowing down connections to users if they fail to login too many times, to prevent brute force cracking attempts)
Deny access to people reading files(I don't want people downloading my password hash files or anything like that)
Be able to host files on the services servers, I don't just want a dns pointing back to my computer.
This question is asking for an opinion. Basically any linux web host will provide most of what you're looking for. You're asking for an opinion about which hosting site is the best. I cannot answer that.
What I do want to warn you about is this:
From your question, you're concerned with:
- security
this is not a web host provider feature, but a feature of secure web code. See https://www.owasp.org/index.php/Top_10_2013 for great introduction to website security.
obscure code
You cannot prevent someone from stealing your css. They will not get to your raw templates (I'm assuming you're using templates) if you set your file permissions right on the web server.
if you're concerned with brute force protections, you'll need to code that up yourself. The web host provider would not (and should not) rate limit your connections.
What I want to build is an application that sits online and it's used by different groups that each have their own intranet. Now, because of a stupid security policy the data can't sit outside the intranet. How would you go about building an app that it's still online, so you can push updates to everyone at once, but has a DB on each intranet's server?
My initial plan is to use Node.js and MongoDB.
If your db really has to be onsite, and your app really has to be offsite, then probably your only option is to set up a secure connection from your app, to the onsite db, and pretend as if its hosted locally to the app. This may/may not violate the security policies. You could in theory lock it down pretty well, with a vpn between the two networks. But this is not for the faint of heart, performance will suffer, and it does have security issues. It also means a bit of work for every site.
If the only reason you're wanting it to be "online" is for pushing updates as you stated, then you'll do better installing the app on-premise, and getting it to poll into a central server for notifications about new versions, download updates to itself, and install them automatically. Once you've created this, a new installation requires no new work.
I'm facing a similar problem right now, so here's my take on it, not really mongo or node specifc.
Put a db and a simple restful server on each of client's intranets. Servers can be exactly the same.
Put a routing facade accesible from internet that redirects requests to apropriate server based on url, ie: http://facade/server/resource becomes a request to http://server/resouce.
Configure the facade so that a requests to http://facade/resource go to each server, retrieve results and return all of them in some aggregated form.
Obviously there are more details to take into account, like permissions (can everybody publish to each server? if not, who can?), but the general idea is there.
Heroku seems great, but most non-trivial applications require authentication, and conventional authentication schemes require an SSL connection, and it's impossible to get https://your_app_name.com (you can only get https://your_app_name.heroku.com).
So if you're using Heroku, is it that:
You don't mind directing users to
another domain (seems pretty
bad)
You don't mind foregoing
SSL for authentication (seems really
bad)
Your app doesn't require authentication
This is now a moot point. According to the documentation (http://docs.heroku.com/ssl, see http://addons.heroku.com/ for pricing), Heroku now allows custom domains to have SSL through their SSL Endpoint addon.
https://devcenter.heroku.com/articles/ssl-endpoint
Heroku also just announced support for SNI. This will allow them to attach SSL to any domain hosted on Heroku's service. It is still in beta but should get pushed to every one soon. Heroku continues to improve their security offerings.
Hey, it's James from Heroku. The inability to use SSL with a custom domain is a problem shared by all multi-tenant platforms, due to a fundamental issue with the SSL protocol. A solution is in the works, we'll post details as soon we've finalized the plan.
I'm using Twitter's OAuth for authentication on my apps (via twitter-auth).
Generic OpenID or even Facebook Connect would work just as well, as each of these handle the sensitive bits of authentication on somebody else's server.
Authlogic is an authentication gem that has has plugins for each of these methods.
However, SSL is now fully supported on Heroku, if you're willing to pay a price that reflects the difficulty in getting SSL to work in a multi-tenant environment.
You can use a custom domain name in Heroku. This is not included in the free account though. Also Heroku makes it dead simple to deploy Ruby on Rails apps. Deploying a Ruby on Rails application on a cheap hosting provider that only gives you limited if any shell access can be a nightmare. Not mention Heroku's server already preconfigured to optimize Ruby on Rails code, likewise scaling up is just a matter of sliding a scale on the user interface.
With Heroku you can use custom domain names (in the free version too).
Scaling is easy, very easy, and they are making it better and better (i'm testing memcached and work like a charm, delayed job, the backup system and the git integration are great too).
The only problem for me, as you wrote is the SSL...