Websphere server config to allow requests from specific IP or systems - proxy

I heard from somewhere that WebSphere server can be configured to allow only a pre-defined set of systems (IPs, domains) to access server contents such as WSDL.
Need help with following questions:
Is this supported?
What are the steps to do the same?
Prerequisites?
Thanks!!

Check this post: Ban ip for deny access to an app. It describes various methods (configuring transport channels, the HTTP server, or developing a custom filter). Although it talks about banning access, the same technique can be applied to allow access.
Take notice, however, that using a transport channel will apply to all applications and resources available via the given port (not just the WSDL). So the solution depends on the level of granularity you require.
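As an added illustration of the HTTP-server method mentioned in the answer above (this is not from the linked post or from IBM documentation), the following httpd.conf fragment for IBM HTTP Server, which is Apache-based and uses Apache 2.2 access-control syntax, restricts WSDL retrieval to a few named clients while leaving the service endpoint itself open. The paths, addresses and hostnames are placeholders.

```apache
# httpd.conf fragment for IBM HTTP Server in front of WebSphere (added example).
# Path-style WSDL URLs (.../MyService.wsdl) are matched on the request path.
<LocationMatch "\.wsdl$">
    Order deny,allow
    Deny from all
    Allow from 10.1.2.3 192.168.10.0/24
    Allow from partner.example.com
</LocationMatch>

# Query-style WSDL URLs (.../MyService?wsdl) cannot be matched by <Location>,
# which only sees the path, so they need mod_rewrite on the query string.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^wsdl$ [NC]
RewriteCond %{REMOTE_ADDR} !^10\.1\.2\.3$
RewriteCond %{REMOTE_ADDR} !^192\.168\.10\.
RewriteRule .* - [F]
```

Two checks before relying on this: the decision is made on the TCP peer address, so if a load balancer or another proxy sits in front of IHS, REMOTE_ADDR will be that device and not the client (do not substitute X-Forwarded-For here, since a client can set it freely); and `Allow from <hostname>` makes Apache perform reverse DNS lookups on every request, so IP ranges are both faster and harder to spoof.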

Understanding CoAP proxies

According to the CoAP specification, RFC 7252 section 5.7, two types of CoAP proxies exist, namely forward-proxy and reverse-proxy.
Orthogonal to this definition, a proxy can be a CoAP-CoAP or an HTTP-CoAP proxy.
I have the following questions regarding these definitions:
What are the use cases where each of these proxy types (forward-proxy, reverse-proxy, CoAP-CoAP and HTTP-CoAP) has to be used?
What exactly does the proxy do in those use cases?
Which part of the CoAP message does each proxy need in order to accomplish its tasks? (I assume that the proxy looks at some of the CoAP options?)
Where does the proxy run? On the border router?
It would be very nice if someone could provide, in addition to the answers to the questions above, good references and examples.
Some use cases for proxy types are:
Forward proxies: Escaping a restrictive firewall (e.g. because outgoing connections are blocked unless they go through a proxy); a special case thereof is accessing resources on CoAP from within a browser, when a CoAP-over-WebSocket server is used as a forward proxy.
Reverse proxies: Roughly the same as for forward proxies but in the reverse direction (i.e. if the server is in a firewalled network, there can be a reverse proxy running on the firewall that lets requests in selectively). Additionally, reverse proxies can be used for load balancing on the unconstrained server side.
HTTP-CoAP proxies: Accessing CoAP devices from programming environments that don't have good CoAP support (e.g. if your monitoring system supports polling an HTTP server, an H-C proxy easily allows monitoring your CoAP servers).
CoAP-HTTP proxies: Making services on the big web available to constrained devices (e.g. querying a weather forecast). This is often of limited use, as those web services don't use data formats suitable for a constrained device.
That barely varies over the cases; apart from the obvious (cross-proxies translating CoAP and HTTP messages back and forth), forward and reverse proxies only differ in whether they react to messages with a Proxy-* option (typically Proxy-Scheme) set (forward proxies), or to those without (reverse proxies).
All proxies need to inspect the full message (i.e. all header fields), and look at all options. Most header fields (token, message ID, message type to some extent) and several options (e.g. Observe) are hop-by-hop, i.e. the proxy acts on them and creates new values for the forwarded request. If there is anything in the message the proxy would need to understand but doesn't (i.e. unknown Unsafe-to-Forward options), it rejects forwarding.
That is fully up to the application, but in most of the common examples that would be some kind of border router; it could be the 6LBR in a 6LoWPAN scenario, or the firewall of a larger setup. In cases of routing between a CoAP-over-WebSocket endpoint and the rest of the CoAP world, the CoAP-over-WebSocket server often runs on the same machine that also serves the web application that uses the socket.
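The answer above describes three things a CoAP proxy must do: decide whether it is acting as a forward proxy (the request carries a Proxy-Scheme or Proxy-Uri option) or a reverse proxy, refuse to forward a request carrying an option it does not recognise that is marked Unsafe-to-Forward, and re-create the hop-by-hop fields (Message ID and Token) on the next-hop request. The Python sketch below does exactly that on raw RFC 7252 messages. It is an added example, not code from the answer or from any CoAP library; the message layout and option numbers are those of RFC 7252, while the set of options this toy proxy "recognises", the sample requests and the random next-hop identifiers are assumptions.

```python
"""Proxy-side handling of CoAP (RFC 7252) requests. Added example, not from any CoAP stack."""
import os
import struct
from urllib.parse import urlsplit

# Option numbers from RFC 7252 section 5.10; this is the set the toy proxy understands.
OPT_URI_HOST, OPT_OBSERVE, OPT_URI_PORT = 3, 6, 7
OPT_URI_PATH, OPT_CONTENT_FORMAT, OPT_URI_QUERY = 11, 12, 15
OPT_PROXY_URI, OPT_PROXY_SCHEME = 35, 39
KNOWN_OPTIONS = {OPT_URI_HOST, OPT_OBSERVE, OPT_URI_PORT, OPT_URI_PATH,
                 OPT_CONTENT_FORMAT, OPT_URI_QUERY, OPT_PROXY_URI, OPT_PROXY_SCHEME}
CON, NON, ACK = 0, 1, 2
CODE_GET, CODE_BAD_OPTION = 1, (4 << 5) | 2            # 0.01 and 4.02

def is_critical(num):          # section 5.4.1: lowest bit of the option number
    return num & 1 == 1

def is_unsafe(num):            # section 5.4.2: second-lowest bit (Unsafe-to-Forward)
    return num & 2 == 2

def _ext_decode(nibble, buf, pos):
    """Decode a 4-bit option delta/length plus its 0, 1 or 2 extension bytes."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        return buf[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack('!H', buf[pos:pos + 2])[0] + 269, pos + 2
    raise ValueError('reserved option nibble 15')

def _ext_encode(value):
    if value < 13:
        return value, b''
    if value < 269:
        return 13, bytes([value - 13])
    return 14, struct.pack('!H', value - 269)

def parse(msg):
    """Return header fields, token, options as (number, value) pairs, and payload."""
    first, code, mid = struct.unpack('!BBH', msg[:4])
    version, mtype, tkl = first >> 6, (first >> 4) & 3, first & 0xF
    if version != 1 or tkl > 8:
        raise ValueError('not a CoAP version 1 message')
    token, pos, number, options = msg[4:4 + tkl], 4 + tkl, 0, []
    while pos < len(msg) and msg[pos] != 0xFF:          # 0xFF = payload marker
        byte = msg[pos]
        delta, pos = _ext_decode(byte >> 4, msg, pos + 1)
        length, pos = _ext_decode(byte & 0xF, msg, pos)
        number += delta                                  # option deltas are cumulative
        options.append((number, msg[pos:pos + length]))
        pos += length
    payload = msg[pos + 1:] if pos < len(msg) else b''
    return {'type': mtype, 'code': code, 'mid': mid, 'token': token,
            'options': options, 'payload': payload}

def encode(mtype, code, mid, token, options, payload=b''):
    """Serialise a message; options are sorted by number (stable, so repeated Uri-Path keeps order)."""
    out = bytearray(struct.pack('!BBH', (1 << 6) | (mtype << 4) | len(token), code, mid))
    out += token
    last = 0
    for number, value in sorted(options, key=lambda o: o[0]):
        d, d_ext = _ext_encode(number - last)
        l, l_ext = _ext_encode(len(value))
        out.append((d << 4) | l)
        out += d_ext + l_ext + value
        last = number
    if payload:
        out += b'\xff' + payload
    return bytes(out)

def _proxy_uri_to_options(uri):
    """Split a Proxy-Uri into the Uri-Host/Port/Path/Query options the origin expects."""
    u = urlsplit(uri)
    opts = [(OPT_URI_HOST, u.hostname.encode())]
    if u.port:
        opts.append((OPT_URI_PORT, u.port.to_bytes(2, 'big')))
    opts += [(OPT_URI_PATH, seg.encode()) for seg in u.path.split('/') if seg]
    opts += [(OPT_URI_QUERY, q.encode()) for q in u.query.split('&') if q]
    return u.scheme, opts

def proxy_handle(msg):
    """Return ('reject', response_bytes) or (role, scheme, next_hop_request_bytes)."""
    req = parse(msg)
    unknown_unsafe = [n for n, _ in req['options'] if n not in KNOWN_OPTIONS and is_unsafe(n)]
    if unknown_unsafe:
        # Section 5.4.2: an unrecognised Unsafe option must not be forwarded; answer 4.02.
        rtype = ACK if req['type'] == CON else NON
        return 'reject', encode(rtype, CODE_BAD_OPTION, req['mid'], req['token'], [])
    role, scheme, next_opts = 'reverse', 'coap', []
    for number, value in req['options']:
        if number == OPT_PROXY_SCHEME:            # Proxy-* present: we are a forward proxy
            role, scheme = 'forward', value.decode()
        elif number == OPT_PROXY_URI:
            role = 'forward'
            scheme, uri_opts = _proxy_uri_to_options(value.decode())
            next_opts += uri_opts
        else:
            next_opts.append((number, value))    # everything else is passed on
    # Hop-by-hop fields: the proxy owns the Message ID and Token of the next hop
    # (a real proxy would also remember the mapping to relay the response back).
    mid, token = int.from_bytes(os.urandom(2), 'big'), os.urandom(8)
    return role, scheme, encode(req['type'], req['code'], mid, token, next_opts, req['payload'])

# Constructed samples (assumptions): CON GET for coap://sensor.example/temp via a
# forward proxy, and the same request carrying option 63 (critical + unsafe, unknown here).
SAMPLE_REQUEST = encode(CON, CODE_GET, 0x1234, b'\xaa\xbb', [
    (OPT_URI_HOST, b'sensor.example'), (OPT_URI_PATH, b'temp'), (OPT_PROXY_SCHEME, b'coap')])
SAMPLE_UNSAFE = encode(CON, CODE_GET, 0x1235, b'\xaa\xbb', [
    (OPT_URI_HOST, b'sensor.example'), (63, b'x')])

if __name__ == '__main__':
    print(proxy_handle(SAMPLE_REQUEST)[:2])     # ('forward', 'coap')
    print(proxy_handle(SAMPLE_UNSAFE)[0])       # 'reject'
```

The same parser serves a reverse proxy: a request without Proxy-Scheme/Proxy-Uri comes back with role `'reverse'`, and the only difference is which origin the proxy chooses to send the re-tokened request to.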

Integration of Shenzhen Concox Information Technology Tracker GT06 with EC2

I have a Concox GT06 device from which I want to send tracking data to my AWS server.
The coding protocol manual that comes with it only explains the data structure and protocol.
How does my server receive the GPS data collected by my tracker?
Verify that your server allows you to open sockets, which most low-cost solutions do NOT allow for security reasons (I recommend using an Amazon EC2 virtual machine as your platform).
Choose a port on which your application will listen for incoming data, verify that it is open (if not, open it) and code your application (I use C++) to listen on that port.
Compile and run your application on the server (and make sure that it stays alive).
Configure your tracker (usually by sending an SMS to it) to send data to your server's IP and to the port on which your application is listening.
If you are, as I suspect you are, just beginning, consider that you will invest 2 to 3 weeks to develop this solution from scratch. You might also consider looking for a pre-developed tracking platform, which may or may not be acceptable in terms of data security.
You can find examples and tutorials online. I am usually very open with my coding and would gladly send a copy of the socket server, but, in this case, for security reasons, I cannot do so.
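The steps in the answer above (open a port, listen, parse what the tracker sends) can be put together in a small Python listener. The code below is an added example, not the answerer's server or Concox code. The frame layout (0x78 0x78, length, protocol number, content, serial, CRC-ITU, 0x0D 0x0A), the protocol numbers for login/location/heartbeat and the location field layout follow the publicly circulated GT06 protocol manual and are assumptions here, so check them against the manual that ships with your device; the listening port and the sample frames are also constructed.

```python
"""Minimal TCP listener for a Concox GT06-style tracker (added example; framing and
field layout assumed from the public GT06 manual, port and samples constructed)."""
import socketserver
import struct

START, STOP = b'\x78\x78', b'\x0d\x0a'
PROTO_LOGIN, PROTO_LOCATION, PROTO_HEARTBEAT = 0x01, 0x12, 0x13
LISTEN_PORT = 5023                       # assumption: any free port you open in the security group

def crc_itu(data):
    """CRC-16/X.25 (reflected poly 0x8408, init 0xFFFF, final XOR 0xFFFF), as used by GT06."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(proto, content, serial):
    """78 78 | len | proto | content | serial(2) | crc(2) | 0D 0A.
    len counts proto..crc; the CRC covers len..serial."""
    body = bytes([len(content) + 5, proto]) + content + struct.pack('!H', serial)
    return START + body + struct.pack('!H', crc_itu(body)) + STOP

def split_frames(buf):
    """Pull complete, CRC-valid frames out of a TCP byte stream.
    Returns ([(proto, content, serial), ...], leftover_bytes)."""
    frames = []
    while True:
        start = buf.find(START)
        if start < 0:
            return frames, b''
        buf = buf[start:]
        if len(buf) < 3:
            return frames, buf
        end = 3 + buf[2] + 2                    # start(2) + len(1) + len bytes + stop(2)
        if len(buf) < end:
            return frames, buf                  # wait for the rest of the frame
        frame, buf = buf[:end], buf[end:]
        body, crc, stop = frame[2:end - 4], frame[end - 4:end - 2], frame[end - 2:]
        if stop != STOP or struct.pack('!H', crc_itu(body)) != crc:
            continue                            # corrupt or forged frame: drop it and resync
        frames.append((body[1], body[2:-2], struct.unpack('!H', body[-2:])[0]))

def decode_location(content):
    """GPS part (first 18 bytes) of a 0x12 location packet; cell-tower fields follow it."""
    sats = content[6] & 0x0F
    lat_raw, lon_raw = struct.unpack('!II', content[7:15])
    course_status = struct.unpack('!H', content[16:18])[0]
    lat, lon = lat_raw / 1800000.0, lon_raw / 1800000.0     # raw = degrees * 60 * 30000
    if not course_status & 0x0400:              # bit 10 set = north (assumed bit layout)
        lat = -lat
    if course_status & 0x0800:                  # bit 11 set = west (assumed bit layout)
        lon = -lon
    return {'time': tuple(content[0:6]), 'sats': sats, 'lat': lat, 'lon': lon,
            'speed_kmh': content[15], 'course': course_status & 0x03FF,
            'fixed': bool(course_status & 0x1000)}

class TrackerHandler(socketserver.BaseRequestHandler):
    """One connection per tracker. Login and heartbeat must be acknowledged with the
    same serial number or the device drops the connection and retries."""
    def handle(self):
        buf = b''
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                return
            buf += chunk
            frames, buf = split_frames(buf)
            for proto, content, serial in frames:
                if proto == PROTO_LOGIN:
                    imei = content[:8].hex().lstrip('0')    # IMEI is BCD-coded, zero-padded
                    print('login from IMEI', imei, 'at', self.client_address)
                    self.request.sendall(build_frame(PROTO_LOGIN, b'', serial))
                elif proto == PROTO_HEARTBEAT:
                    self.request.sendall(build_frame(PROTO_HEARTBEAT, b'', serial))
                elif proto == PROTO_LOCATION:
                    print('fix', decode_location(content))

# Constructed samples: a login frame for IMEI 123456789012345 and one location fix.
SAMPLE_IMEI = bytes.fromhex('0123456789012345')
SAMPLE_LOGIN = build_frame(PROTO_LOGIN, SAMPLE_IMEI, 1)
SAMPLE_LOCATION = (bytes([23, 1, 2, 3, 4, 5, 0xC8])                 # 2023-01-02 03:04:05, 8 sats
                   + struct.pack('!II', 22500000, 216000000)        # 12.5 N, 120.0 E
                   + bytes([60]) + struct.pack('!H', 0x145A))       # 60 km/h, fixed, course 90

if __name__ == '__main__':
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(('0.0.0.0', LISTEN_PORT), TrackerHandler) as srv:
        srv.serve_forever()
```

Because anything on the internet can connect to that port, the CRC check only protects against corruption, not against spoofed fixes; on EC2, restrict the security group to the address range your carrier's APN actually uses, and treat the IMEI in the login frame as an identifier, not as authentication.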
Instead of parsing TCP or UDP packets directly, you may use a simplified solution by putting a middleware backend specialized in data parsing in between, e.g. flespi.
In such an approach you may use an HTTP REST API to fetch each new portion of data from trackers sent to your dedicated IP:port (called a channel), or even send standardized commands over HTTP REST to connected devices.
At the same time it is possible to open an MQTT connection using standard libraries and receive the messages from devices, converted into JSON, as MQTT in real time, which is even better than REST due to almost zero latency.
If you are using Python you may take a look at the open-source flespi_receiver library. In this approach, with 10 lines of code you may have all the messages from the Concox GT06 parsed into JSON on your EC2.

Do I *really* need RPC and NETBIOS to use transactional NServiceBus queues between local servers and Amazon EC2?

We have been trying - without success - to get transactional message queues working between local servers and our cloud servers up in Amazon EC2.
We're using NServiceBus, and have got the pub/sub examples and various other trivial apps working locally between here and EC2, but trying to spin up the components of our actual application is proving... vexatious.
As far as I can work out, to allow a local server (DYLAN-PC) to send a message transactionally via a queue on an Amazon EC2 instance, I will need to:
Enable NetBIOS name resolution (e.g. via the lmhosts file) at both ends
Allow RPC connections to be initiated from either end (so open port 135 for RPC plus various other ports)
Configure MSDTC on both systems, enabling remote connections and inbound/outbound connections
Have I missed something? In particular, the requirement to allow NetBIOS in an age where everything (including Active Directory!) runs on DNS seems particularly archaic. Are we doing something stupid trying to use MSMQ between sites like this? This is the first big project where we've tried this kind of distributed architecture, and the deployment/configuration is starting to hurt so much that I'm convinced we've taken a wrong turn somewhere... a little perspective or advice would be gratefully received!
If you're looking to build a geographically distributed system, where you can't arrange a VPN between these sites, you should be using the gateway capabilities of NServiceBus to communicate over alternate transports (like HTTP) between those sites.
RPC is required for reading from remote queues.
If you push to remote queues and pull from local queues, you won't be using RPC.

operate in internet gateway mode to relay data - windows

I want to write a general solution to relay data that comes from different application protocols to a proxy (SOCKS and/or HTTP) in order to do web filtering. Are there any open source projects for Windows that do that?
Check out cntlm. Here's the link:
http://cntlm.sourceforge.net/
Its main selling point is that it does NTLM authentication, but it also works well as a general-purpose proxy. It also has a gateway mode that allows it to proxy network traffic to another proxy server.
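As an added illustration of the gateway mode mentioned in the answer above (this is not from the answer or from the cntlm project), the following cntlm.ini fragment makes cntlm listen for other machines on the LAN and relay them to an upstream NTLM-authenticating proxy. The account, domain, proxy hostname and network ranges are placeholders.

```ini
# cntlm.ini fragment (added example): gateway mode for a LAN behind an NTLM proxy.
Username    jdoe
Domain      CORP
# Store a hash instead of the clear-text password; generate it with
#   cntlm -H -u jdoe -d CORP
PassNTLMv2  <hash printed by cntlm -H>
Auth        NTLMv2

Proxy       upstream-proxy.corp.example:8080
NoProxy     localhost, 127.0.0.*, 10.*, 192.168.*

Listen      3128
# Gateway yes accepts connections from other hosts, not only from localhost.
Gateway     yes
# Without ACLs, anyone who can reach port 3128 can borrow jdoe's credentials
# for outbound traffic: the rules are evaluated in order, first match wins.
Allow       192.168.1.0/24
Deny        0/0
```

Keep the Allow list as narrow as the LAN actually needs; an open gateway-mode cntlm is an anonymous relay through your corporate proxy, and every request it forwards is logged upstream under the configured user.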

How to build local web proxy without configuring the browsers

How does Netnanny or k9 Web Protection setup web proxy without configuring the browsers?
How can it be done?
Using WinSock directly, or at the NDIS or hardware driver level, and then filtering at those levels, just like any firewall software does; NDIS is the easier way.
Download this ISO image: http://www.microsoft.com/downloads/en/confirmation.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff
it has bunch of samples and tools to help you build what you want.
After you mount or burn it on CD and install it go to this folder:
c:\WinDDK\7600.16385.1\src\network\ndis\
I think what you need is a transparent proxy that supports WCCP.
Take a look at squid-cache FAQ page
And the Wikipedia entry for WCCP
With that setup you just need to do some firewall configuration and all your web traffic will be handled by the transparent proxy. And no setup will be needed on your browser.
NetNanny is not a proxy. It is tied to the host machine and browser (and possibly other applications as well). It then filters all incoming and outgoing "content" from the machine/application.
Essentially NetNanny is a content-control system, as against a destination-control system (proxy).
The easiest way to divert all traffic for a certain site to some other address is by changing the hosts file on the local host.
You might want to have a look at the explanation here: http://www.fiddlertool.com/fiddler/help/hookup.asp
This is how Fiddler2 achieves inserting a proxy in between most apps and the internet without modifying the apps (although lots of explanation of how-to failing the default setup). This does not answer how NetNanny/K9 etc work though, as noted above they do a little more and may be a little more intrusive.
I believe you are searching for BrowserHelperObjects. These little gizmos capture ALL browser communication, and as such can either remove ads from the HTML (good gizmo), or redirect every second click to a spam site (bad gizmo), or just capture every URL you type and send it home like all the WebToolBars do.
What you want to do is route all outgoing HTTP(S) requests from your LAN through a reverse proxy (like Squid). This is the setup for a transparent web proxy.
There are different ways to do this, although I've only ever set it up on OpenBSD and Linux, using Squid as the reverse proxy.
At a high level, you have a firewall with rules to send all externally bound HTTP traffic to a local Squid server. The Squid server is configured to:
accept all http requests
forward the requests on to the real external hosts
cache the reply
forward the reply back to the requestor on the local lan
You can then add more granular rules in Squid to control access to websites, filter content, etc.
I'm pretty sure you can also get this functionality in different networking gear. I bet F5 has some products that do some or all of what I described, and probably Cisco as well. There are probably other proxies out there besides Squid that you can use too.
PS. I have no idea if this is how K9 Web Protection or NetNanny works.
Squid can provide an intercept proxy for the HTTP and HTTPS ports without configuring the browsers, and it also supports WCCP.
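The Squid-based setup described in the two answers above, as an added configuration example (not from the answers or from the Squid project): the LAN's gateway redirects outbound port-80 traffic into a dedicated intercept port, Squid forwards and caches it, and access rules do the filtering. The interface, network range and blocklist path are placeholders. On a Linux gateway the matching redirect rule is `iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3129`.

```squid
# squid.conf fragment (added example): transparent interception for a LAN.
# A normal port for explicitly configured clients, and a separate port that
# only ever receives traffic redirected by the firewall.
http_port 3128
http_port 3129 intercept

acl localnet src 192.168.1.0/24
acl blocked dstdomain "/etc/squid/blocked_domains.txt"

# Order matters: deny the blocklist first, then allow the LAN, then deny everything
# else so the intercept port cannot be used as an open relay from outside.
http_access deny blocked
http_access allow localnet
http_access deny all

# Squid checks that the Host header agrees with the intercepted destination IP,
# which stops a client from smuggling requests to a different origin through it.
host_verify_strict on
```

Two caveats a practitioner will run into: interception only sees plain HTTP on port 80, so HTTPS either passes around the proxy or needs Squid's ssl_bump with a CA that every client trusts (which is then a deliberate man-in-the-middle of your own users); and in intercept mode the client never knows a proxy exists, so Squid's own 407 proxy-authentication cannot be used and identification has to come from the source address.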
