We have this architecture:
Web Server: Web Application is deployed (html, javascript, css)
Application Server: WebApi is deployed
Problem is , I cannot make ajax request to reach Application Server because its behind firewall.
The Web Application is supposed to be used publicly to the internet users.
What changes should we do to make it work?
Should we move our Web Application to Application Server? But how would this be accessible on internet.
Thanks in advance for suggestions/advice.
You're going to have to put an exception in the firewall for the address of your web server... that way your web server can access the API but nothing else can (well, not quite nothing else - other stuff on that web server can but that can easily be solved by having your web app hosted on it's own/dedicated web server).
If your Web Application makes direct calls to the Web API endpoint (e.g. is a single page application that use a client-side javascript framework like AngularJS and/or it uses AJAX calls to your application server address), there is no way for your clients to access your API if you do not allow public access to your application server.
That's because your client resides inside your users web browsers.
You have to allow incoming connections to your Application Server through internet in your firewall.
Well, it all depends on how you look at things and how distributed your application should be (criteria like load, security).
In general, Web API might be just one more client (from your applications server perspective).
On the other hand, in robust/distributed system, you would have Web API only as an endpoint (controllers, mappers and things like that) that your mobile/ajax clients send requests to and then Web API communicates to Application server (where your business logic is).
Having Web API communicate to DB directly is not a good idea because as you add clients to application server (mvc, web api, services, etc...) then you have as many db access points as you have clients. So, its a code maintenance problem plus a problem of your view tier being aware of DB.
Ideally, you need Application server as a tier where all your business logic is and its the one that all your clients target (mvc web app, web api, desktop, services, etc...) and that is the one that should communicate to your DAL. Also, then you can set firewall rules on your application server to allow incoming traffic from trusted sources (your other servers) instead from the whole internet (ajax).
Related
I have a vps, where my spring boot backend is running on. The frontend is a mobile app built with the ionic framework.
The backend is built this way: in the front there is an so called resource server, which is an graphql server, which redirects the requests to rest microservices which are behind the resource server. Every microservice has is own task, which he's responsible for. (e.g. an fileupload-server which uploads/downloads files to a database). The whole application, including the frontend is secured by an keycloak instance, which is running as an docker container like the whole application, except the frontend.
Now my questions is, we dont have a domain and for some reason they wont buy one, but we wont to secure the communications over ssl/lets encrypt. But lets encrypt isn't able to create ssl certificates for ip adresses. So finnaly my question is: do you guys, know a solution to my problem which fits?
So far,
Daniel
I have written a web application that is, typically, installed internally by customers (based on IIS/MSSQL server).
When a customer wants to provide external access to the application, we offer the following supported scenarios:
Publish the application in their DMZ (pretty standard deployment).
Use our own platform where we host the application in our own cloud infrastructure for them.
However, because I have more and more customers who misunderstand the requirements for publishing an internal application, I would like to add a "one click" way of providing that service.
My idea is to have a reverse proxy installed on the customer's web server that will connect to a cloud server we control. When the application starts, it will connect to our server, authenticate and maintain the connection. When a user wants to use the application, she will use an URL that directs it to our server (say https://myapp.mycompany.org/CustomerID or https://CustomerID.myapp.mycompany.org). The server will then lookup the list of connections from reverse proxy to find the one matching the customer ID and, if found, use that connection to relay the end user connection.
In essence, that is the same thing as what Azure Application proxy or TeamViewer do, only without the need for using Azure AD or TeamViewer.
Is there an existing framework I can use for building such a service ? I know I can write it on my own but that is quite a large development.
We're getting ready to rewrite an old native windows mobile application that accesses data through a VPN. We'd like the new version (.NET Windows 10 mobile application) to access data through web services that are protected by Okta. What is the best way to do this?
Thanks!
The best way to do this depends on how the web services are protected.
The main thing to keep in mind is that you don't want to store any secrets on the mobile application.
In an ideal world, these web services would be secured with something like OpenID Connect (OIDC), allowing you to authenticate against Okta (the "IDP") to get access to the web services (the "Relying Parties").
However, the real world is messy, where some web services are protected via SAML, OIDC, OAuth, custom headers, etc.
Without knowing more about your setup, my recommendation would be to build against OIDC, using a proxy server (or "API Gateway") as needed to secure your web services using OIDC.
One of my co-workers at Okta has written a sample iOS application in Xamarin that implements OIDC, I suggest taking a look at the ViewController.cs file in that repository.
Firstly, I'm relatively new to Web API / CORS and security implementation.
This question is specifically with regards to security. The Web API houses extremely sensitive data and provides clients with the ability to execute transactions online.
The context :
I have a Web API self hosted as a windows service with a fixed port.
The Web API is sitting behind a firewall / DMZ on an internal network.
The Web API (using CORS) only allows traffic from the external server.
The external server hosts our web site using IIS.
The Web API is making use of Token authentication (bound to client IP to avoid hi-jacking).
Both the external website and internal Web API force the use of SSL.
The problem :
The web page makes ajax calls via javascript to the Web API. However, the Web API is not directly exposed to the internet.
What would the security impact be on having the below setup?
What sort of vulnerabilities would I be exposing my network too by doing so.
Is there a better way of implementing such a setup!?
Eg
User enters https://test.mydomain.com into the browser and is served a page.
ajax call gets made to https://test.mydomain.com/api/test/action
external server routes https://test.mydomain.com/api messages to internal server https://myInternalWebAPI/api/test/action which is not exposed to the public.
So this requires a little bit of leg work, but it's implemented into a production environment so I thought I'd share the solution.
I created a WCF service and a WebAPI.
The primary WCF Service resides on the internal network and contains all the business logic, database connectivity.
The proxy WebAPI mimics the WCF service structure and is exposed to the public.
The proxy WebAPI is called from the client (javascript), the proxy WebAPI then calls the internal server hosting the WCF service and voila, victory.
I am new to windows azure plateform i want to ask a very basic question. I am doing a project on windows azure and due to some concurrency problems i want also my Browser GUI to be in the cloud which will call the web services which are also deployed in the cloud.
Just need to ask that is it possible that i will also put my GUI in the cloud and i have some URL which i will hit so that my GUI will appear in the users browser...
I want my architecture some what like that
Sorry for the drawing but i am in very hurry
Your web browser would be on the user's desktop, and make a HTTP request to a web application/site that is hosted in Windows Azure. For instance, an ASP.NET MVC web site that makes a service call to a WCF service, that then retrieves data from a SQL Azure database. One way to do this would be to create a single hosted service that contains:
Web Role (to host your ASP.NET site)
WCF Web Role (to host your WCF service)
SQL Azure (for your database)
I think the web GUI you mentioned would be like an agent, it will connect to the real websit and render the content for you. If this is true I would like to say in theroy it's possible, but in practice it will be very difficult, since what you want to do is a web based web browser. You might need to handle HTML, CSS and JS, etc.. But if it's just a web ui that render your data from your service that is fine. So back to your question, when you said the "browser gui", if it's a desktop application, you cannot run it on the cloud; if it's a website then yes you can and your proposal looks fine.
Hope my feedback helps.