I am looking for a reverse proxy with user management, if possible with a UI. Does anybody
know a software to handle multiple server connections and to create users with restricted access to only one specific client?
My second question: Is it possible to include the content of reverse proxy into an existing webpage hosted by an other webserver?
Thank you for your help.
First part of your Question (I know this is late):
You may want to checkout pritunl or ory oathkeeper
https://zero.pritunl.com/
https://www.ory.sh/docs/oathkeeper/
Pritunl is a reverse proxy with UI usermanagement but you can't use it to protect paid services since the license disallows commercial use.
Oathkeeper is a bit more complex but 100% open source Apache 2.0.
You also may want to take a look at https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/ which is "Authentication Based on Subrequest Result".
Related
Security is not my area of expertise. I am working on a lightweight administrative Laravel web app for internal use by company (small) employees:
The app is intended to be used only by the employees
Remote work (from home) is not uncommon
Smartphones and laptops are usually used when working remotely
I would like to secure it as much as possible - beyond authentication, access controls or 2FA. I am trying to think of ways to make it virtually invisible to the public, but still available for the employees. Defining proper rules for crawlers might make it a bit more obscure but I think more could be done. Network based restrictions would limit the employee flexibility.
Based on this I got the idea that the app could be made available only if the request is made by an authorized device. I am not sure however whether or not this is a good approach. Neither do I know how to tackle the problem of authorizing the various devices and making that information available to the server during communication.
i.e. How would I tag a device as authorized so that I only have to do it once and can reliably validate the information in a web app? Regular authentication as well as role based access would still be in place but the app could return a 404 response if the accessing device is not whitelisted.
Is there a way to achieve something like this while not making it too restrictive for the users or painful to set up? Or is there a better method for achieving the same result?
Consider a VPN?
If you are hosting the device on an internal network, you could see if the IT dept. can set up VPN access to work remotely (in most cases, this is already in place) and then it does not need to be accessed over the internet via a URI. Instead you can simply navigate to the internal address once you're in the network through the VPN - no public access and no need to worry about pesky web crawlers!
It also makes it easier to moderate your application. For example, if an employee leaves the company you can simply revoke their VPN access and they'll no longer be able to access the application.
I am trying to find out if there is any build-in option on Tomcat to use it's authentication credentials from remote server?
We build some application based on Spring Boot and that application should use authentication based on the credentials configured on another Tomcat server. Ideally I think about some kind of Web Service for the authentication which Tomcat may provide, but as far as I remember there is nothing like that available. Any thoughts on that?
Please don't advise LDAP or dedicated solutions - I can't use them on that particular case.
Thanks!
The components in Tomcat that authenticate users are called Realm, and there's quite a lot of them already implemented. You can find an overview of them, what they do and how to configure them on the Realm documentation page.
Check if any of the other existing ones (some access a database, which might qualify as an external server in your usecase - you judge that for yourself) will suit your needs.
You can even find a realm for LDAP in there if that will ever become an option ;)
So I've been tasked to develop some enterprise web applications, but our users hate logging in to every site. After our users authenticate to eDirectory, is it possible to provide a Single Sign On feature for them. I know it's possible to do with AD, but I was wondering if anyone has actually done it with Novell?
Currently, I'm testing out solutions on WAMP (Apache 2.2). I was looking into mod_auth_sspi but I'm not sure if it will work with Novell.
The typical issue on these setups is how you are going to pass credentials from the Browser to the Web Application. You can setup Kerberos on eDirectory which should work similar to Microsoft Active Directory using GSSAPI which is vendor independent.
You may need to make some changes to browser settings to make any of these work seamlessly.
However, SPPI is a proprietary variant of GSSAPI with extensions and very Windows-specific data types and AFIK, will not work easily with eDirectory or browsers other than IE.
If possible, look into a Access Manager product that will be (at least nearly) seamless. Most will allow any(?) WEB based application to utilize SSO in one form or another.
-jim
We have a Java Spring application with lot's of contacts inside a database. Now we'd like to provide these contacts via CardDAV in order to access them via external devices.
As far as I understood CardDAV, it uses the 'well-known' protocol. Which means, it'll look up http://mydomain.com/.well-known/carddav
This might be a problem, because we have a Tomcat Server running, and multiple applications running on it and each of them should provide a CardDAV server. This means, our URLs look like:
http://mydomain.com/appOne/
http://mydomain.com/appTwo/
http://mydomain.com/appThree/
Each of those applications has a completely different set of users and data. Though each of those CardDAV repositories has to lookup its own data source and has to use its own authentication mechanism.
The question is of course: How can I get multiple different CardDAV servers with a single domain?
Btw: Is there any REAL information about CardDAV (not just WebDAV or is it all the same?!)?
For example I couldn't find anything about multiple repositories / access right restrictions. Maybe I want to have a single CardDAV server with multiple different Users, where each user has an own address book and there are some common address books.
The well-known url is used for clients to automatically discover the root of the carddav server, when a user just types in a domainname. You can only redirect to 1 server per domain, but you could setup multiple domains to redirect to multiple carddav servers.
If you can't use multiple sub-domains, you simply cannot use well-known. Instead, you will have to ask users to fill in a full url to their principal to setup their acccounts.
As to your question if there's 'real' information. rfc6352 is the official documentation. It's definitely a lot more than just WebDAV.
Effectively, iOS only supports well-known. If an iOS device cant connect via well-known it will allow the user to enter a complete principal address, BUT thats only AFTER displaying an error message to the user, at which point most users will give up.
However, the redirect occurs after authentication, so as long as you're able to authenticate at the root (eg with a username scheme that incorporates the sub-site, like 'appOne:brad') then you should be able to do it. Alternatively, as mentioned above, just use subdomains.
We are looking at a standard way of configuring the various "endpoints" of our application. Our application is a distributed system with Windows Desktop applications, Windows Server "services" and databases.
We currently configure each piece using XML files. This is getting a little out of hands as we work with larger customers who can have dozens of Servers running our application and hundreds of desktop clients.
Can anyone recommend a Microsoft technology or a third party that would allow us to centralize all that configuration information and manage it in a one place for all our applications? Any changes would be "pushed" to the endpoint(s) that are interested.
For example, if we were to change the login for one of our database, we would make that change on the database, then reflect that change in our centralized system. Following that last step, any service that needs to connect to the database would be notified of the change (and potentially receive the new data). How and what each endpoint does with that information is outside the scope of the system.
Our primary business is not "Centralized Configuration Services". We are a GIS company that provides solutions for various utilities worldwide.
I've done a couple of things to give myself this functionality over the years. I build enterprise applicatons that may be distributed across many servers. I don't want to bury config settings in each services config file or each web server's web.config file. For application specific stuff I usually create an application settings table in the app's database. The table only has two fields. SettingName and SettingValue. I then write a web or wcf service whose sole function it is to retrieve these settings. I write a function called GetSetting where you pass "SettingName" and it returns SettingValue or an empty string if your setting is not found. This way I can store all application settings for all components of the application in one spot. Maintenance and troubleshooting for this is really easy, I'm not hunting through scads of config files spread across a dozen web and app servers.
For larger scale apps I might create a separate AppSettings database where I add a new field to my table mentioned above. ApplicationName. My web or wcf service for this approach has the same method call (GetSetting) only at this scope I pass ApplicationName and SettingName and it returns SettingValue or an empty string.
Doing either of these things allows you to centralize all app settings for any size application or IT shop. It has worked really well for us.
You could use RSS together with BitTorrent to distribute changes. See Wikipedia. It is not MS specific however, but should provide the flexibility you need - a configuration server holding the configuration and providing the feeds needed to configure the clients and possibly servers.
Any VCS through a secure channel?
For example, git through ssh (both available in cygwin).
I think the first step is to have the secure channel (if you want the push ability, pulling might be different).
As for managing the "versions" in different "branches", what's better than a version control system?
As it goes for the Microsoft requirement, well the Microsoft sofwares in that exists in that area would suck pretty bad in your case (as in not the best tool for the job).