Default or custom domain name address between web apps in CloudBees run#cloud - cloudbees

I have multiple web applications running in CloudBees run#cloud. I need to communicate between these applications using HTTP. I have SSL router and custom domain names configured for all these apps too. Should I use the custom domain names or the default xxx.cloudbees.net address in the communication?
I understand that using SSL gives me better security, but I'm thinking more in the lines of performance, flexibility and data transfer costs.

Using a custom domain name will only "consume" a DNS lookup to resolve the adequate cloudbees.net node. I don't think one or the other name will have any significant impact on performance and network costs, as the IP address has been resolved to internal routes.

Related

How to achieve high availability for Active Directory LDAPS (Secure LDAP)

We have around 50 applications currently configured with LDAP and we have around 20 Domain Controllers. As per the security best practice we have to migrate all these applications from LDAP to LDAPS.
Currently, all applications are connected using the Domain's "NETBIOS" name, so there is no need to worry about high availability.
What is the best design approach to achieve high availability for LDAPS?
Prefer not to configure individual DC servers as LDAPS servers in the application.
Note: all the servers (DC and application servers) are enrolled in on-prem PKI.
In my enterprise environment, there is a load balancer with a virtual IP which distributes traffic across multiple DCs. Clients access ad.example.com, and each DC behind ad.example.com has a cert valid both for hostname.example.com and ad.example.com (SAN, subject alternative name). This has the advantage of allowing the load balancer to manage which hosts are up -- if a target does not respond on port 636, it is automatically removed from the virtual IP. When the target begins responding, it is automatically added back. LDAP clients don't need to do anything unusual to use this high availability AD LDAPS solution. The downside is that the server admin has ongoing maintenance as DCs are replaced -- we build a new server and then remove the old one. In doing so, the old IP is retired. The new IP needs to be added to the load balancer virtual IP config.
Another approach would be to use DNS to find the domain controllers -- there are SRV records registered both for the Site domain controllers and all domain controllers. Something like _ldap.tcp.SiteName._sites.example.com will give you the DCs in example.com's SiteName site. For all DCs in the example.com domain, look up _ldap._tcp.example.com ... this approach, however, requires the LDAP client to be modified to perform the DNS lookups. The advantage of this approach is that the DCs manage their DNS entries. No one needs to remember to add a new DC to the DNS service records.
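The SRV-based approach from the answer above, worked through as an added example (not code from the original post): pick a domain controller from constructed `_ldap._tcp.example.com` answers by priority and weight, skipping targets that fail a port 636 check, which is the filtering the load balancer otherwise does for you. The hosts, the health table and the `probe` stand-in are constructed.

```python
"""Select a domain controller for LDAPS from SRV records (RFC 2782 ordering).
Added example; DC names and health data are constructed, not real."""
import random
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

LDAPS_PORT = 636  # AD's _ldap._tcp SRV answers advertise 389; LDAPS uses 636


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer set for _ldap._tcp.example.com (hypothetical hosts).
SRV_ANSWERS = [
    SrvRecord(0, 100, 389, "dc1.example.com"),
    SrvRecord(0, 100, 389, "dc2.example.com"),
    SrvRecord(10, 100, 389, "dc3.example.com"),  # less preferred: other site
]

# Constructed health table standing in for "does the host answer on 636?".
HEALTHY = {"dc1.example.com": False, "dc2.example.com": True, "dc3.example.com": True}


def probe(host: str) -> bool:
    """Stand-in for a TCP connect to host:636; real code would use socket/ssl."""
    return HEALTHY.get(host, False)


def select_dc(records: Iterable[SrvRecord],
              rng: random.Random = random.Random(),
              probe: Callable[[str], bool] = probe) -> Optional[Tuple[str, int]]:
    """Lowest priority first; weighted random among healthy targets at that
    priority; fall through to the next priority only if none are healthy."""
    records = list(records)
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio and probe(r.target)]
        if pool:
            chosen = rng.choices(pool, weights=[r.weight for r in pool])[0]
            return chosen.target, LDAPS_PORT
    return None  # no DC reachable on 636 at any priority


if __name__ == "__main__":
    print(select_dc(SRV_ANSWERS))  # dc1 is down, so dc2 wins priority 0
```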

Changing server IP after connecting to CloudFlare

I recently signed up for CloudFlare to take advantage of the security features the service provides. Specifically, I'm interested in its use against DDoS attacks (which are a problem I'm facing).
My web application employs nginx as a reverse proxy (with gunicorn as the application server). The Ubuntu-based virtual machine - procured via Azure - has a static/reserved IP (used as a VIP). I've read that after connecting to CloudFlare, it's best practice to change server IP so that malicious actors can't directly DDOS the said server.
Being a newbie, I'm unsure whether this guideline was applicable to the public VIP (virtual IP) or to the internal IP (which is entirely different). Can someone please conceptually and functionally clarify this for me? Can really use some help in setting this up!
What services like CloudFlare do is act as a CDN for your website. They become the front end of your content delivery to clients, and they have a vast network for doing so (resources, i.e. bandwidth, which are consumed by DDoS). Then your IP is known only to the anti-DDoS service provider, which fetches the content and delivers it on your behalf.
You see, if the IP is leaked by any means, the whole defense mechanism becomes useless, since attackers can point directly at your machine, whereas CloudFlare's dynamic DNS would distribute requests to its network and serve clients via them.
Since your website was up for a while before you migrated to CloudFlare, your current public IP is known to attackers, and hiding behind CloudFlare is useless since they don't ask the CloudFlare DNS service and attack your server directly. This is the reason you need a new IP, and the new one should not be revealed by any means. Just set it in your CloudFlare panel and don't use it for other purposes.
I faced attacks too and used CloudFlare to prevent them; however, I have learned how to perform those attacks myself and also how to bypass CloudFlare and take down the protected website. The best practice is to secure your server yourself. Using nginx as a reverse proxy is a good option.
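The complementary check on the origin side, as an added example (not code from the answer above): admit a request only when the connection arrives from the CDN's address ranges, and read the real client address from the `CF-Connecting-IP` header only in that case, so a header on a direct hit is never trusted. The ranges below are constructed placeholders, not Cloudflare's published list.

```python
"""Origin-side CDN allowlist check. Added example; CDN_RANGES are placeholders."""
import ipaddress
from typing import Mapping, Optional

# Placeholder ranges standing in for the CDN provider's published egress ranges.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:1::/48")]


def from_cdn(peer_ip: str) -> bool:
    """True if the TCP peer (the address nginx sees) is inside a CDN range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in CDN_RANGES)


def client_ip(peer_ip: str, headers: Mapping[str, str]) -> Optional[str]:
    """Return the real client address for a request relayed by the CDN.

    Returns None (reject) when the connection bypassed the CDN, i.e. someone
    reached the origin IP directly, or when the relayed address is malformed."""
    if not from_cdn(peer_ip):
        return None
    relayed = headers.get("CF-Connecting-IP")
    if relayed is None:
        return None
    try:
        return str(ipaddress.ip_address(relayed.strip()))
    except ValueError:
        return None


if __name__ == "__main__":
    print(client_ip("192.0.2.7", {"CF-Connecting-IP": "198.51.100.9"}))   # via CDN
    print(client_ip("203.0.113.5", {"CF-Connecting-IP": "198.51.100.9"}))  # direct hit
```

The same policy can be enforced earlier in the host firewall or nginx (`allow`/`deny` on the CDN ranges); the function above is the logic, not a substitute for the network rule.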

What is common practice for hosting a server that is not user-facing and just for API use?

I have a server on DigitalOcean that I use to host my professional website. I have an additional server I just use to store data and make API calls to, but it just has the IP address, not a domain name.
Is this... normal? I want to have the transport to and from the server over SSL, so I should get a domain name for it, right?
Should I just be doing this on the same server I host my website? Separating the concerns seemed wise there.
Separation is a good idea, yes. I'd recommend naming the API server api.whatever-your-domain-is.com, and buying an SSL certificate for that hostname.

Jelastic configure firewall

I'm using Jelastic for my application and I just installed Apache for it. The problem is that I need to set up a firewall for it, like iptables or other; after all, it is a web application and it needs security.
How can I do that?
The host said to me, that the only way is to use VDS and I should configure a VDS for me, installing Apache, FTP and transfer my application to there.
But I can believe that there is no way to protect the Apache.
Thank you in advance.
The available options vary depending on your hosting provider. For example, the Jelastic platform gives hosting providers and private cloud customers the ability to define a set of default firewall rules for each newly provisioned node.
Additionally, since Jelastic 4.1, there is an option for the provider to define additional custom firewall rules for any specific container. At the moment this functionality is only accessible from the provider's side, so it means you need to work with your provider's support team.
If you don't want to do that, or your chosen Jelastic provider does not offer good support, you can either:
Use an unmanaged node type in your Jelastic environments, such as the Elastic VPS or Docker nodes. Here you have full root access to define whatever firewall rules you desire.
Use application server rules to restrict access according to IP. E.g. inside your httpd.conf (which you already have full access to customise)
In a recent release, Jelastic introduced the possibility to manage inbound and outbound firewall rules on the container level right through the interface. The detailed instruction is here.

Domain Name Server on Windows for locally hosted websites

I have a half-dozen domains (with associated domain names), hosted locally on Windows/Apache and accessible to the wider internet. At the moment, the name servers are provided by my domain name registrar at extra cost. I would like to host a domain name service (on the same machine as is hosting the websites).
I have tried BIND without success, I was unable to configure it correctly. I was confused about zones and the syntax of configuration, as well as how to test if it is configured correctly!
Most guides seem directed at users who wish to replicate DNS entries for local caching, whereas I simply want to host a name server (locally) which directs users to my local machine, when they request any of the half-dozen websites I host.
Is there a simple application to host a limited Domain Name Service on Windows (Vista Business), or an obvious tutorial that I haven't found yet? Or was I on the right track with BIND and missing something?
Bind is probably the best choice. The guides you're referring to are talking about configuring a caching resolver. What you want is an authoritative name server. Bind can be a pain to configure because there are so many options, but it's probably worth persevering.
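An added example of the authoritative zone syntax the question was stuck on (not code from the answer above): it generates a minimal BIND zone file and the matching `named.conf` stanza for each locally hosted domain, pointing the apex and `www` at the hosting machine. The domain, IP, name-server host, hostmaster address and zone directory are placeholders.

```python
"""Generate a minimal authoritative BIND zone plus named.conf stanzas.
Added example; all names, addresses and paths below are placeholders."""
from datetime import date
from typing import Iterable


def soa_serial(today: date, revision: int = 1) -> int:
    """YYYYMMDDnn serial; bump revision for each edit made on the same day."""
    return int(today.strftime("%Y%m%d")) * 100 + revision


def zone_file(domain: str, host_ip: str, ns_host: str, hostmaster: str,
              serial: int, ttl: int = 3600) -> str:
    """Authoritative zone: SOA, NS, A for the apex and www, and the NS host's
    own A record when the name server lives inside the zone."""
    lines = [
        f"$TTL {ttl}",
        f"$ORIGIN {domain}.",
        # SOA timers: refresh 2h, retry 15m, expire 14d, negative-cache TTL 1h
        f"@ IN SOA {ns_host}. {hostmaster}. ( {serial} 7200 900 1209600 3600 )",
        f"@ IN NS {ns_host}.",
        f"@ IN A {host_ip}",
        f"www IN A {host_ip}",
    ]
    if ns_host.endswith("." + domain):
        label = ns_host[: -len(domain) - 1]  # ns1.example.com -> ns1
        lines.append(f"{label} IN A {host_ip}")
    return "\n".join(lines) + "\n"


def named_conf_zones(domains: Iterable[str], zone_dir: str = "C:/bind/zones") -> str:
    """One 'type master' zone stanza per hosted domain for named.conf."""
    return "".join(
        f'zone "{d}" IN {{\n    type master;\n    file "{zone_dir}/{d}.zone";\n}};\n'
        for d in domains
    )


if __name__ == "__main__":
    serial = soa_serial(date.today())
    print(zone_file("example.com", "203.0.113.10", "ns1.example.com",
                    "hostmaster.example.com", serial))
    print(named_conf_zones(["example.com", "example.net"]))
```

Check each generated file with `named-checkzone example.com example.com.zone` before loading it, then query the local server directly (`nslookup www.example.com 127.0.0.1`) to confirm it answers authoritatively.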
Depends what your budget is..
The DNS Server on Windows 2003 Server is pretty good and easy to configure.
There's a bunch of alternatives listed here:
http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
Simple DNS Plus could maybe do the trick for your case, but I haven't tried it.
Another option is maybe to use Bind and try to find a GUI for it; there are a few existing, usually web based, like webmin and such...