I want to host a production Rails application on Heroku but have some doubts. Can there be any problems with accessing application from Russia because of the Roskomnadzor ban?
Heroku runs on Amazon Web Services, and it looks like many AWS IP addresses have been blocked in the past:
On 13 April 2018, messaging service Telegram was banned... The ban has been enforced via the blockage of over 15.8 million IP addresses. IPs associated with Amazon Web Services and Google Cloud Platform are included in the block, due to Telegram's use of these platforms; this measure resulted in collateral damage due to usage of the platforms by other services in the country, including... many other unknown websites being blocked for no reason for a month.
I'm not sure that any host would be completely safe from this kind of block.
Related
I basically have an API that is going to be used with a web app and a mobile app. I don't want the API to publically available, where should I deploy it then? is there a way without using AWS? Thanks, Nav :)
There are multiple ways of doing this. This is a sensitive topic, as this is an opinion-based field.
However, I will try to answer below - and challange your way of approaching this.
It really depends on your 'operational' skills, funds, need for security, deadline(s) etc.
Basically you need to make an endpoint available on the www, without everybody being able to connect.
You could either:
Deploy a virtual machine or web app. in Azure/AWS/GCP/... and whitelist the IP's you need to connect from.
Rent a VPS from any provider, and deploy your application here - Again, whitelisting. (Edit: Not phones, since this IP changes constantly. A proxy can be implemented here (potential bottleneck), or any authentication mechanism like OAuth, JWT, Certificates etc. can be implemented either on the ingress controller (e.g. NGINX) or the application itself.)
Deploy the application on your Home-PC, order a static IP to your home and make a forwarded port and set up security on your premise (not recommended, and raises and bunch of other headaches)
Get in touch with a company that hosts web applications (Can be quite expensive)
Based on the limited information provided in your question, there is a ton of options, nice-2-haves and factors that comes in to play when choosing the setup that suits your needs.
You should also consider; VPN usage, Backup/disaster recovery, data leaks, redundancy, the need for future deploys, how you would access your environment in six months....
I hope this answered your question, but also raised a few for you to answer yourself.
Finally, I'd recommend you looking for inspiration here.
EDIT:
Question:
Whitelisting mobile IP's.
VPS selected.
Answer:
This becomes quite a task when mobile phones tend to change IP's frequently.
Since you are looking further into the VPS setup, you are more in control of the setup and can choose to look into OAuth and JWT.
Links:
OAuth - https://oauth.net/getting-started/ https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps
NGINX JWT - https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-jwt-authentication/
So - At the end of the day, you can make your app use a proxy (potential bottleneck) and whitelist this IP, or make the endpoint open (any -> 443) and implement an authentication mechanism like the ones mentioned above.
Consider implementing a DMZ zone for incoming traffic from the web.
https://en.wikipedia.org/wiki/DMZ_(computing)
and put your application behind this zone, making sure that the only the DMZ zone is facing the internet, and the server hosting your application is talking to the server in the DMZ.
Again, this is quite a big topic and is hard to simplify to a stackoverflow post.
If you are hosting the app on AWS you have a couple of options.
API Gateway now supports private endpoints. These endpoints can not be called via the public internet. That means if your app is hosted on AWS only the internal services of the app can call the end point. i.e. front end to database etc. I've used this method for internal micro services such as placing in house app data onto kinesis streams.
Alternatively, if you don't want to use API Gateway you have lots of options. Most of which would involve you creating rest APIs from where ever you plan on hosting your code. This could be on the server it's self or some sort of container.
API Gateway Private Endpoint Reference:
https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/
I have an application that uses spring boot for a backend and Vue.js as a front end. I have packaged the app into a jar file and deployed to PCF with ease. The problem is the application uses API Keys from https://developer.clashroyale.com/#/getting-started ...these keys require you to input the IP Address that will be used...
Obviously my key will not work unless I give the correct IP address, so how do I retrieve the IP Address for my PCF application so I can generate the proper API Key?
Also, the documentation says that the IP will change with every deployment of my application... Which prompts the question :
Is it impossible to use API Keys that require static IP Addresses with PCF applications?
I have deployed this same application to amazon AWS and it worked because I have a static IP Address that I can use to register a key. I prefer to use PCF, but am having trouble setting it up.
I don't think you will be able to use that API on the PCF platform. Every time you either cf restage or anything to cause the container to be rebuilt/redeployed, the IP will change.
So in short yes, it's impossible: https://docs.run.pivotal.io/marketplace/external-ips.html
Your app will be run on any number of Diego Cells, which all have different IP addresses. There are a couple ways that traffic can leave your app and the Cell.
In some cases, outbound traffic may go through a NAT, in which case the number of possible IPs may be small and the IPs may not change often (or at all). In other cases, traffic may leave directly from the Diego Cell on which your application is running. In this case, there's a lot more IPs & the IPs will change any time your app is restarted.
If you're talking about some general installation of Cloud Foundry, it will depend on how the operators for that environment have set up the traffic to flow so you'd need to confirm with your operator to be certain.
If you're talking about Pivotal Web Services, outbound traffic will originate from the IP of the Cell on which your app is running. See the link in Francisco's post.
Having said all that, there's a hack that you can use to work around the behavior above. Route your traffic through a proxy. Traffic coming out of the proxy can be made to have a fixed IP address.
On PWS, there is a service in the marketplace available to do exactly this. It's called QuotaGuard.
https://docs.run.pivotal.io/marketplace/services/quotaguard.html
You don't have to use that service though, you could use any other service provider or you could even set up your own proxy. I would recommend using a service unless you know exactly what you are doing though. Setting up & securing a proxy is not trivial and an improperly secured proxy is bad not just for you as the owner but the whole Internet.
I have a quick question regarding hosting web applications. I've recently started getting into hacking so I just wanted to understand them a little more.
I am aware that to host websites you need to pay for a domain name, as well as a hosting service. So let's say you buy a domain from GoDaddy, and then you buy hosting from Dreamhost.
Let's say I'm making a web application in Node.js, then I need to buy a cloud platform such as heroku, correct?
So do I need to buy a domain, hosting service, AND a cloud platform in order to launch a web application?
Cloud hosting is just another kind of hosting versus stuff like Dreamhost.
You likely can't run something like Node.js on Dreamhost's shared hosting, but you could on one of their VPS/dedicated servers. Heroku's just easier for that sort of thing. You'd in most cases pick either Dreamhost or Heroku, not both.
I have started using Heroku's addon for ElasticSearch, Bonsai. I want to create a backend search for several categories on my website. Since this is a backend only service, and may contain sensitive information, how do I limit the IP addresses connecting to the Bonsai server that Heroku has provided me to only the IP address/range of my web servers.
Note that my web servers are running on private hardware and are not hosted on a cloud service. I am also not using any other web service on Heroku, so I prefer not to use a Ruby answer to this.
I ended up working with the Bonsai team to set up a custom solution on their end that required a username and password combination to access any data on my hosted search.
I have an application deployed to Heroku. I'm using a service that requires me to access their SFTP server using a static ip address. I know Heroku dynos are unreliable in this regard. I have successfully achieved this using the Proximo addon, however, its too expensive for the amount of traffic that I'll be sending (around 500 MB/month). Is there an alternate to this? I'm inclined towards using an EC2 instance but not quite sure what's required to create a proxy or whatever.
I'd go with an EC2 micro instance; pushing bits around doesn't really consume much CPU, so it's unlikely to get throttled. I would then give that instance an elastic IP address and communicate that address to the other service. (Whatever I choose to do later, I can always spin up another instance and associate it to that IP.) I would then deploy a SOCKS proxy (Dante?); SOCKS has pretty widespread application support, and it can handle SFTP just fine.
From here, there are a couple details specific to Heroku -- for one, you'll want to configure your proxy server's EC2 security group such that Heroku can access it (see Dynos and the Dyno Manifold). You'll also want to enable authentication on the SOCKS server, since granting Heroku access to your proxy grants everyone in Heroku access to your proxy. Then, heroku config:set SOME_SERVICE_SOCKS_PROXY=socks://user:pass#ip-10-1-2-3.ec2.internal, and have your application look for that environment variable and do the right thing.
You'll likely be paying $0.01/GB for intra-region data transfer between your proxy and Heroku, since statistically, your application will be in a different availability zone most of the time. Heroku dynos last about 24 hours in production, so while the exact location will dance around unpredictably, it'll probably land in the $0.008/GB range in aggregate. You'll also be paying for the micro instance itself (though reserved instances make them stupid cheap) as well as the usual AWS Internet data transfer rates.