• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: DirectConnect and Security
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DirectConnect and Security

  • Subject: Re: DirectConnect and Security
  • From: Samuel Pelletier via Webobjects-dev <email@hidden>
  • Date: Mon, 12 Aug 2019 09:01:24 -0400
Hi Mark,

If you want to simulate a WOAdaotor environment and have the app generate
static file URL, configure your load balancer to add
"x-webobjects-adaptor-version" header like I do using apache reverse proxy:

RequestHeader set x-webobjects-adaptor-version "1"

Regards,

Samuel


> Le 12 août 2019 à 06:52, Mark Gowdy via Webobjects-dev
> <email@hidden> a écrit :
>
>
>
>> On 12 Aug 2019, at 10:03, Matthew Ness via Webobjects-dev
>> <email@hidden> wrote:
>>
>>
>>
>> On Sat, Aug 10, 2019, at 5:54 AM, Mark Gowdy via Webobjects-dev wrote:
>>> Hi.
>>>
>>> Is anyone aware of any security issues (or other considerations) with
>>> Direct Connect mode for a live deployment?
>>>
>>> This will be using the Amazon’s Application Load Balancer.
>>> And it _might_ mean that I can ditch Apache once and for all :-)
>>>
>>> Thanks,
>>>
>>> Mark
>>
>>
>> Hi Mark,
>>
>> If you are applying a cert to your ALB, then SSL effectively terminates at
>> that point and the request is forwarded on to your direct connect EC2
>> instances.
>> I'm not sure what kind of security issues you are envisioning. Your should
>> hold your EC2 instances security considerations to the same standard whether
>> using Apache over 443 or your app on, say, 55555.
>> To that end, there should be no accessibility outside the above mentioned
>> ALB connectivity and some administration bastion host for your terminal
>> access.
>>
>> Having said all that, if your application is completely session-less, then
>> you're good to go.
>>
>> If you have sessions in your app you still have some problems to overcome.
>> You can use session affinity (sticky sessions) in ALB/ELB (but not Network
>> LB), but be aware they require cookies on the client.
>> So, you have the sticky sessions working, great! As your load balancer
>> horizontally scales out, it's creating EC2 instances running your java app.
>> But when your ALB decides to scale _in_, it'll wipe one or more of your EC2
>> instances, which could still have active sessions.
>> So, unless you de-/serialise your Sessions at the start and end of the R-R
>> loop and store that somewhere else (db/redis/etc) which your EC2 instances
>> would have access to, it may annoy some users.
>> Because of proprietary classes in WO, Session serialisation is unsolved and
>> inflexible.
>
> Wow..
>
> Thanks for the info.
>
> My apps have session, and I was planning on using sticky sessions with the
> AWS’s ALB (Application Load Balancer).  I am aware of the cookie monster :-)
>
> I will be using the ALB with an explicit list of AppServers, so I don’t
> _think_ that will be a problem.  There will be no auto-scaling (for now).
> Basically, I plan to use ALB in the _similar_ way to Apache’s mod_proxy.
>
> I tried session serialisation (in the DB) a long time ago, and it wasn’t an
> ideal solution.. I would rather not go there.
>
> I am happy enough with any network security concerns (i.e. nothing within the
> VPC can be accessed externally).  The only way in is via the ALB (with SSL)
> with SSL redirection rules etc..
>
> My question was mainly around Direct Connect mode in the Application.
> e.g. I know it accesses the WebServer resources using a full system path in
> the URL.
> But I know in that case it can’t access any files outside of its scope, so
> that should be fine.
>
> I just wanted to check if anyone knew of any security ‘gotchas’ I was unaware
> when using DirectConnect.
>
> Thanks,
>
> Mark
>
>>
>>
>> Regards,
>>
>>
>> --
>> Matt
>> http://logicsquad.net
>> https://www.linkedin.com/company/logic-squad/
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Webobjects-dev mailing list      (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list      (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: DirectConnect and Security
      • From: Samuel Pelletier via Webobjects-dev <email@hidden>
    • Re: DirectConnect and Security
      • From: Mark Gowdy via Webobjects-dev <email@hidden>
References: 
 >DirectConnect and Security (From: Mark Gowdy via Webobjects-dev <email@hidden>)
 >Re: DirectConnect and Security (From: Matthew Ness via Webobjects-dev <email@hidden>)
 >Re: DirectConnect and Security (From: Mark Gowdy via Webobjects-dev <email@hidden>)

  • Prev by Date: Re: DirectConnect and Security
  • Next by Date: Dump NSDictionary as JSON structure?
  • Previous by thread: Re: DirectConnect and Security
  • Next by thread: Re: DirectConnect and Security
  • Index(es):
    • Date
    • Thread