More of a theoretical question, but I'm really curious!
I have a two part application:
Apache server hosting my UI
Back-end that services all http requests from the UI
The apache service proxies all http requests from the UI to the server. So, if the user is reasonably adept, they can reverse engineer our API by inspecting the calls in the browser's developer tools.
Thus, how do I prevent a user from using the server API directly and instead force them to use the UI?
The server can't determine whether a call came from the UI or not because a user can make a call to myapp.com/apache-proxy/blah/blah/blah from outside of the UI, apache will get the request and forward it to the server, which will have no idea it's not coming from a UI.
The option I see is to inject a header into the request from the UI, that indicates the origin of the request as the UI. This seems ripe for exploitation though.
To me, this is more of a networking question since its something I'd resolve at the network level. If you run your backend application in a private network (or on a public network with firewall rules) you can configure the backend host to only accept communication from your Apache server.
That way the end-user can't connect directly to the API, since its not accessible to the public. Only the allowed Apache server will be able to communicate with the backend API. That way the Apache server acts as an intermediary between the end-user (client side) and the backend API server.
An example diagram from AWS.
You could make the backend server require connections to be authenticated before accepting any requests from them. Then make it so only the Apache server can successfully authenticate in a way that end users cannot replicate. For example, by using SSL/TLS between Apache and the backend, where the backend requires client certificates to be used, and then issue Apache a private certificate that the backend will accept. Then end users will not be able to authenticate with the backend directly.
Related
Most articles or answers I find deal with proxying a localhost url to a localhost backend server on a different port, or to a non-authenticated remote server (no log in required). However, what I am unable to find is how to generically proxy requests to a remote server that requires authentication.
A common practice in web development is to create multiple instances of the app (beta/dev, integration/test, production, etc.) so you can test and deploy gradually before the code hits production. Each instances has it's own backend server and data that is typically accessible through public urls (e.g. beta.app.com/api).
The difficulty comes when the api requires user authentication to access. Setting up a typical proxy won't work as the credentials from localhost will be different from those of the remote server.
What I want to be able to do is be able to proxy all localhost api calls to one of the remote servers so I don't have to run a backend server locally, or be able to test local code against remote data (great for debugging prod only bugs). What I don't want to have to do is hardcode credentials to the remote server into the proxy, as that won't work for anyone else who runs the app locally (so no hardcoding proxy headers that add auth cookies, etc.).
I image the solution will require more than just a proxy to work, and that's fine. Assume I have full control of both the frontend and backend and can make any changes needed to make this work.
I have been reading the Openshift documentation for secured (SSL) routes.
Since I use a free plan, I can only have an "Edge Termination" route, meaning the SSL is ended when external requests reach the router, with contents being transmitted from the router to the internal service via HTTP.
Is this secure ? I mean, part of the information transmission is done via HTTP in the end.
The connection between where the secure connection is terminated and your application which accepts the proxied plain HTTP request is all internal to the OpenShift cluster. It doesn't travel through any public network in the clear. Further, the way the software defined networking in OpenShift works, it is not possible for any other normal user to see that traffic, nor can applications running in other projects see the traffic.
The only people who might be able to see the traffic are administrators of the OpenShift cluster, but the same people could access your application container also. Any administrators of the system could access your application container even if using a pass through secure connection terminated with your application. So is the same situation as most managed hosting, where you rely on the administrators of the service to do the right thing.
I need to use certain software that connects with a server, that allows connections only from whitelisted IPS. To solve this, I have a droplet with fixed IP on DigitalOcean where I use Squid3 as proxy. I configure my system to work through the proxy, and I tell the central server to whitelist that proxy server IP.
Up to here all is great, but as I should have guessed, some people are using my proxy to send malicious packages, and now the server provider is telling me to get it sorted out, or they will cancel my account.
I added authentication to the proxy, and the attacks have stopped, since the attackers do not know the user/pass combination.
But now the problem I have is that I don't see any way to configure Windows to use authentication when connecting to the proxy! I am not talking just about HTTP requests, since the browsers allow for authentication. I am talking about some custom software that needs to communicate as well with this central server.
Is there any way to configure Windows so that it connects to the proxy passing the necessary username and password?
I have an Apache/2.2.15 web server with the modules, mod_shib, mod_ssl, and mod_jk. I have a virtual host which is configured (attached below) with AuthType Shibboleth, SSLCertificates, and JKMount to direct requests using AJP to my Tomcat 8 server after a session is successfully established with the correct IDP. When my http request reaches my app server, I can see the various Shib-* headers, along with the attributes my SP requested from the IDP.
Is there a way my app server can validate the shibsession cookie or other headers? I am trying to protect against the scenario where my web server, which resides in the DMZ is somehow compromised, and an attacker makes requests to my app server, which resides in an internal zone.
Is there a way I can validate a signature of something available in the headers, to guarantee that the contents did indeed originate from the IDP, and were not manufactured by an attacker who took control of my web server?
Is there something in the OpenSAML library I could use to achieve this?
Is there a way my app server can validate the shibsession cookie or other headers?
mod_shib has already done that difficult work for you. After validating the return of information from the Identity Provider (IdP), mod_shib then sets environment variables (cannot be set by the client) for your application to read and trust. Implementing OpenSAML in your application is unnecessary as mod_shib has done the validation work for you.
From the docs:
The safest mechanism, and the default for servers that allow for it,
is the use of environment variables. The term is somewhat generic
because environment variables don't necessarily always imply the
actual process environment in the traditional sense, since there's
often no separate process. It really refers to a set of controlled
data elements that the web server supplies to applications and that
cannot be manipulated in any way from outside the web server.
Specifically, the client has no say in them.
I will build a cross platform application (WP8, IOS, Android) and those apps will use
my server to make API requests.
My server also will call different type of APIs (google, facebook, etc) and return some results.
And application owner does not has to be logged in to make those calls.
If there is man in the middle, he can track api calls and use it for his own usage drain my quota against api services I am using.
I only want phone who has application be able to make those calls.
What would be the best way to detect api calls to my server should come from my application?
You can use SSL to prevent man in the middle attacks but there really isn't a way that you can be 100% certain that you are communicating with your application.. You can make it harder to do by requiring some sort of access token or using custom encryption but if somebody can decompile your app they can do whatever they want.
In your specific case you should use HTTPS and in the client, not only check that you are using an HTTPS connection, but that the certificate presented by the server and its certificate chain are the ones you expect.
If you fail to do so, you could still perform a MITM attack. For example:
The MITM proxy could act as the client to the server and use an HTTP connection to serve the contents to the real client.
The MITM proxy could act as the client to the server and use a self-signed SSL certificate to present the real client an HTTPS connection.