Why use a reverse proxy to access a MongoDB Atlas database - reverse-proxy

My MongoDB Atlas (hosted in AWS) is only accessed by my AWS Lambda functions. There are no other applications that access my MongoDB.
I have been told I must use a reverse proxy but not why I must use a reverse proxy.
I understand that a reverse proxy adds security by preventing someone from accessing my MongoDB directly. But that is not possible because all connections come from my Lambdas.
For my situation, what reasons are there for me to require the use of a reverse proxy to access my MongoDB? What benefits are available if I use a reverse proxy?

Related

Is nginx needed if Express used

I have a Node.js web application with Express running on a Digital Ocean droplet. The Node.js application provides back-end APIs. I have two React front-ends that utilise the APIs with different domains. The front-ends can be hosted on the same server, but my developer tells me I should use another server to host the front-ends, such as Cloudflare.
I have read that Nginx can enable hosting multiple sites on the same server (i.e. host my front-ends on the same server) but I am unsure if this is good practice as I then may not be able to use Cloudflare.
In terms of security, could someone tell me if I need Nginx, and my options please?
Thanks
This is way too open-ended a question, but I will try to answer it:
In terms of security, could someone tell me if I need Nginx, and my options please?
You will need Nginx (or Apache) in any scenario, with one server or multiple, using Express or not. Express is only an application framework to build routes, but you still need a service that will respond to network requests. This is what Nginx and Apache do. You could avoid using Nginx, but then your users would have to make the request directly to the port where you started Express, for example http://my-site.com:3000/welcome. In terms of security you would do better to hide the port number and use an Nginx reverse proxy so that your users will only need to go to http://my-site.com/welcome.
my developer tells me I should use another server to host the front-ends, such as Cloudflare
Cloudflare does not offer hosting services as far as I know. It does offer a CDN to host a few files but not a full site. You would need another Digital Ocean instance to do so. In a Cloudflare forum post I found: "Cloudflare is not a host. Cloudflare’s basic service is a DNS provider, where you simply point to your existing host."
I have read that Nginx can enable hosting multiple sites on the same server
Yes, Nginx (and Apache too) can host multiple sites, with different names or the same, as domains (www.my-backend.com, www.my-frontend.com) or subdomains (www.backend.my-site.com, www.my-site.com) on the same server.
... but unsure if this is good practice
Regardless of whether it is a good or bad practice, I think it is very common. A few valid reasons to keep them on separate servers would be:
Because you want that if the front-end fails the back-end API continues to work.
Because you want to balance network traffic.
Because you want to keep them separated.
It is definitely not a bad practice if both applications are highly related.
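The layout the answer describes (front-ends and API on one server, Express reachable only through the web server so port 3000 never appears in a URL), written out as an added example in Apache httpd configuration, which the answer also names; it is not the poster's configuration. The hostnames, document roots and port 3000 are assumptions.

```apache
# Added example: one Apache httpd serving two React front-ends as static
# sites and proxying the API to Express. Hostnames, paths and port 3000 are
# assumptions. Express should bind to 127.0.0.1 so that port 3000 is never
# reachable from outside; only these virtual hosts are.
# Modules: proxy, proxy_http (a2enmod proxy proxy_http on Debian/Ubuntu).

# This server only forwards to its own backend; never act as a forward proxy.
ProxyRequests Off

<VirtualHost *:80>
    ServerName api.my-site.com
    # Keep the client's Host header so Express sees the public name.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
    # mod_proxy adds X-Forwarded-For itself; in Express, trust it with
    # app.set('trust proxy', 1) so req.ip is the real client, not 127.0.0.1.
</VirtualHost>

<VirtualHost *:80>
    ServerName www.my-frontend-a.com
    DocumentRoot /var/www/frontend-a
    <Directory /var/www/frontend-a>
        Require all granted
        # Client-side routing: unknown paths fall back to index.html.
        FallbackResource /index.html
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.my-frontend-b.com
    DocumentRoot /var/www/frontend-b
    <Directory /var/www/frontend-b>
        Require all granted
        FallbackResource /index.html
    </Directory>
</VirtualHost>
```

All three names must resolve to the same server address; Apache picks the virtual host from the Host header, so the front-ends and the API can later be split onto separate machines without changing any URL.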

Restricting Solr Queries to Web Application

I have an instance of Solr (not SolrCloud) installed on my server, Apache/2.4.7 (Ubuntu), and would like to use it with a PHP web application. I have password protected the admin page, but queries can still be run remotely. I want to restrict my Solr app so that it can only be queried (both read and write) by a web application (PHP, with Solarium) stored on the same server. What is the best way to do this?
This is more of a server administration question, so it would be better suited on Superuser. That being said, you have a few options:
Make Solr listen for connections on the internal or loopback interface only. This would be 127.0.0.1 or 192.168/16 etc. In solr.in.sh, you can pass a parameter to Solr to tell it which IP it should bind to: SOLR_OPTS="$SOLR_OPTS -Djetty.host=127.0.0.1"
Configure your firewall to only allow connections from IPs that should be able to access Solr.
Configure Solr Authentication and Authorization. ZooKeeper is required to make this work (you'll have to be running in SolrCloud mode).
Unpack the bundled jetty and set up authentication there. This is not really a good idea, as it will make it harder to upgrade.
The methods suggested in 1 & 2 can also be combined with a proxying / forwarding web server that performs authentication in front of the service (using mod_proxy and friends on other httpds) if you need the service to be exposed through a non-trusted interface.
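The combination the answer closes with, as an added example (not the answerer's configuration): Solr bound to loopback per method 1, so the PHP application on the same host talks to 127.0.0.1:8983 directly, while any access from an untrusted interface has to pass an authenticating Apache httpd in front. The hostname, certificate paths and htpasswd file are assumptions.

```apache
# Added example: expose a loopback-bound Solr only through Apache httpd,
# which requires a login before forwarding. Hostname, certificate and
# password-file paths are assumptions.
#
# In solr.in.sh (from the answer):
#   SOLR_OPTS="$SOLR_OPTS -Djetty.host=127.0.0.1"
# Modules: ssl, proxy, proxy_http, auth_basic, authn_file, authz_user

ProxyRequests Off

<VirtualHost *:443>
    ServerName solr.example.com
    # Basic auth sends the password with every request; never offer it
    # over plain HTTP.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/solr.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/solr.example.com.key

    # Only the Solr API path is forwarded; nothing else on 8983 is reachable.
    ProxyPass        /solr/ http://127.0.0.1:8983/solr/
    ProxyPassReverse /solr/ http://127.0.0.1:8983/solr/

    <Location /solr/>
        AuthType Basic
        AuthName "Solr"
        # Create with: htpasswd -c /etc/apache2/solr.htpasswd <user>
        AuthUserFile /etc/apache2/solr.htpasswd
        Require valid-user
    </Location>

    # Solr's admin handlers (cores, collections, system info) have no
    # business on the untrusted interface; the later, more specific
    # Location replaces the Require above with an unconditional deny.
    <Location /solr/admin/>
        Require all denied
    </Location>
</VirtualHost>
```

The firewall rule from method 2 still applies: with Solr listening on 127.0.0.1 only, port 8983 should also be closed externally so this virtual host is the sole path in.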

Apache Reverse Proxy Using a Network Proxy Credential?

I'm trying to set up a reverse proxy on Apache 2.2 (Windows). I am able to do it on a non-corporate network without any problems. I am attempting to reverse proxy content from a vendor domain, but keep it under my own domain for SEO reasons.
dev.example.com/stuff ===> devstuff.vendor.com
However, when I try to incorporate this on my internal network, the Internet Gateway proxy is blocking the request, presumably as I'm not properly authenticating the call to the external domain.
dev.example.com ===> Internet Proxy =X=> devstuff.vendor.com
I've been googling every term I can think of and reading the Apache docs and can't find anything which seems to work. I have tried running Apache as a service with a network account which would have access, but naturally, it's probably not trying to use the proxy at all.
Is there any way to tell Apache to send external ProxyPass requests to use a specific proxy server, and perhaps a specific username/password as well? I'd love to avoid modifying the proxy or firewall too heavily to accomplish this.
Thanks!
Never quite did figure out the "with passing credentials" part, but using the ProxyRemote directive, we could pass everything for our devstuff.vendor.com domain through our network proxy. From there, we had a proxy exception put in to allow from our web server IPs without authentication, since this was an approved arrangement anyhow.
Though, in hindsight, even after solving this, we ended up backing up one step further and just going straight out the firewall for performance reasons (both for the end user, with too many hops, and because of the negative impact on our proxy server).
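What the ProxyRemote arrangement the poster describes looks like in configuration, as an added example and not the poster's own file. The internal proxy address is an assumption; the hostnames are the ones in the question. ProxyRemote takes only a match and a proxy URL, no credentials, which is why the allow-list exception for the web server IPs was what made it work.

```apache
# Added example: keep vendor content under our own name (the question) and
# send only that outbound traffic through the corporate Internet proxy.
# internal-proxy.corp.example:8080 is an assumption.
# Modules: proxy, proxy_http

ProxyRequests Off

<VirtualHost *:80>
    ServerName dev.example.com

    # dev.example.com/stuff/... is fetched from the vendor origin.
    ProxyPass        /stuff/ http://devstuff.vendor.com/
    ProxyPassReverse /stuff/ http://devstuff.vendor.com/

    # Everything mod_proxy fetches from this origin goes via the gateway
    # proxy. The second argument is the proxy, not the vendor; the first is
    # a partial URL, so other ProxyPass targets are unaffected.
    ProxyRemote http://devstuff.vendor.com http://internal-proxy.corp.example:8080

    # ProxyPassReverse rewrites only Location, Content-Location and URI
    # response headers. Absolute links inside the vendor's HTML still point
    # at devstuff.vendor.com unless mod_proxy_html rewrites the body.
</VirtualHost>
```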

What is a proxy? What is it in Apache? Does it have many different meanings?

It has nothing to do with file descriptors. Is it some sort of connection between different protocols? Do more exist like that? Reverse proxy? Direct proxy? Indirect proxy? Does proxy mean layer 3, layer 7 or a different layer in the OSI reference model? If you have NAT, you have layer 3, while layer 7 is the common proxy according to Wikipedia here. Wikipedia continues "Because NAT operates at layer-3, it is less resource-intensive than the layer-7 proxy, but also less flexible" -- there are different kinds of ways of doing the proxy:
So now a very stupid and ignorant question: "What is a proxy in Apache?"
Other ignorant questions by which I try to understand proxies more deeply
https://stackoverflow.com/questions/12397242/explain-apache-mod-proxy-module-is-it-overused-and-many-times-a-red-herring-w
Explain CouchDB's serving of websites, is CouchDB bundled somehow with Apache and how does it work?
Apache is a layer-7 proxy (as far as OSI is concerned); it doesn't use network address translation or any type of packet mangling/rewriting. It receives a request and, based on some rules/configuration, makes a request on behalf of the client. Apache can act as a forward proxy and/or reverse proxy. In your images above, Apache would be running on the blob that is red.
In the first image, apache would be acting as a reverse proxy, it receives an HTTP request from the internet, and proxies it to a specific place internally.
In the second image, apache acts as a forward proxy. Local users are using it to request anything on the internet (within the rules/config).
In a reverse proxy, a request for a specific resource is received, e.g. http://my.homepage.com/, and apache, knowing that the content is actually internally located at http://192.168.2.45/my.homepage/, proxies the request to the internal location.
In a forward proxy, a user on a LAN requests http://www.google.com/, and either the browser or OS knows to proxy the request to a local proxy server (apache, the red blob in the image), and apache then makes the request to www.google.com on the user's behalf.
There are different kinds of proxies! The key is a middleman; it is somehow in the middle of things A and B. I will now use the terminology of Tanenbaum (more here). He defines, for example in the context of the Globus security model, two different proxies: user proxy and resource proxy. Then he defines an object proxy that is an interface in distributed object systems. Then he defines a web proxy that is some sort of ancient idea from when client-side web browsers lacked features such as FTP support.
Now according to Jon Lin, reverse/forward proxies are similar to resource/user, respectively. Object proxy and web proxy are special kinds of implementations. I think they can be either resource proxy or user proxy, actually. If you have an object proxy, it could be implemented in different ways: you could implement it so that the user gives rights to use it, hence user proxy, or as a more global activity where it has different methods by which it co-operates with the local environment from some global setting, hence a resource proxy.
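The two roles Jon Lin describes, side by side in Apache httpd configuration, as an added example (not from either answer). The internal address 192.168.2.45/my.homepage/ and www.google.com come from the answer; the proxy port, the LAN range and the hostnames are assumptions. The forward-proxy half is where the security difference lives: without access control it is an open proxy that anyone on the Internet can relay through.

```apache
# Added example: the reverse and forward proxy roles from the answer.
# Addresses are the answer's; proxy.lan, port 3128 and the LAN range are
# assumptions. Modules: proxy, proxy_http (plus proxy_connect if the forward
# proxy must tunnel HTTPS via CONNECT).

# --- Reverse proxy (first picture): the Internet talks to my.homepage.com,
#     Apache fetches the content from the internal host on the client's
#     behalf. ProxyRequests stays Off: only configured paths are forwarded.
<VirtualHost *:80>
    ServerName my.homepage.com
    ProxyRequests Off
    ProxyPass        / http://192.168.2.45/my.homepage/
    ProxyPassReverse / http://192.168.2.45/my.homepage/
</VirtualHost>

# --- Forward proxy (second picture): LAN browsers are configured to use
#     proxy.lan:3128 and ask it for arbitrary origins, e.g. www.google.com.
Listen 3128
<VirtualHost *:3128>
    ServerName proxy.lan
    ProxyRequests On
    # Add a Via header so origin servers can see that a proxy was involved.
    ProxyVia On

    # ProxyRequests On with no restriction is an open proxy. Permit only the
    # LAN that is meant to use it; everyone else gets 403 before any
    # outbound request is made.
    <Proxy "*">
        Require ip 192.168.2.0/24
    </Proxy>
</VirtualHost>
```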
Related
https://stackoverflow.com/questions/12398389/different-definitions-of-the-term-proxy/12398390#12398390

How to put up an off-the-shelf https to http gateway?

I have an HTTP server which is in our internal network and accessible only from inside it. I would like to put another server that would listen to an HTTPS port accessible from outside, and forward the requests to that HTTP server (and send back the responses via HTTPS). I know that there are several ways to do this with some programming involved (and I myself made a temporary solution with Tomcat and a very simple servlet I wrote), but is there a way to do the same just plugging parts already made (like Apache + modules)?
This is the sort of use-case that stunnel is designed for. There is a specific example of using stunnel to wrap an HTTP server.
You should consider whether this is really a good idea, though. Web applications designed for use inside a corporate firewall are often fairly lax about security. Merely encrypting the connections prevents casual eavesdropping, but does not secure the site. If an attacker finds your outward-facing server and starts connecting to it, they can still try to find exploitable flaws in the web service (SQL injection, cross-site scripting, etc.).
With Apache look into mod_proxy.
Apache 2.2 mod_proxy docs
Apache 2.0 mod_proxy docs
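The Apache + mod_proxy route the third answer points at, as an added example rather than any answerer's configuration: TLS is terminated on the outward-facing host and plain HTTP is forwarded to the internal server. It also acts on the second answer's caveat by admitting only clients that present a certificate from an internal CA, so an anonymous scanner never reaches the lax intranet application. Hostnames, certificate paths and the internal address are assumptions.

```apache
# Added example: HTTPS-to-HTTP gateway with client-certificate gating.
# Hostnames, certificate paths and intranet-app.internal are assumptions.
# Modules: ssl, proxy, proxy_http, headers

ProxyRequests Off

# Do not serve the app over plain HTTP from outside; send clients to HTTPS.
<VirtualHost *:80>
    ServerName gateway.example.com
    Redirect permanent / https://gateway.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName gateway.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/gateway.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/gateway.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    Header always set Strict-Transport-Security "max-age=31536000"

    # The second answer's caveat: encryption alone does not secure a lax
    # intranet app. Require a client certificate issued by our own CA, so
    # the backend is only reachable by enrolled clients.
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /etc/ssl/certs/internal-client-ca.pem

    # The internal app only ever speaks HTTP; tell it the client used HTTPS
    # so the redirects and cookies it generates are built for https://.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPreserveHost On
    ProxyPass        / http://intranet-app.internal/
    ProxyPassReverse / http://intranet-app.internal/
</VirtualHost>
```

The hop from the gateway to intranet-app.internal is still cleartext, so it belongs on a network segment the outside cannot observe; the gateway itself should be the only host allowed to open that port.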