I have a DigitalOcean droplet running Ubuntu 18.04.2 and nginx, and an API built with the Django Rest Framework on it. The specs of the project I'm working on require a VPN to be set up, so I've set up OpenVPN on the droplet. I've also generated a config file to send to the client that will be connecting to my API.
My API is currently still accessible by anyone who has the IP address and the username/password combination I've created. My question is: how can I configure my server/OpenVPN to allow access only to the client that I am going to give the configuration file to?
I have a PostgreSQL database on the Google Cloud Platform (Cloud SQL). I'm currently managing this database through pgAdmin, installed on my laptop. I've added the IP address of my laptop to the whitelist on the Cloud SQL settings page. This all works.
The problem is: when I go somewhere else and connect to a different network, the IP address changes and I cannot connect to the PostgreSQL database (through pgAdmin) from my laptop.
Is there someone who knows a (secure) solution, involving a proxy server (or something else), to connect from my laptop (and only my laptop) to my PostgreSQL database, even if I'm not on a whitelisted network (IP address)? Maybe I can set up a VM instance and install a proxy server and use this? But I have no clue where to start (or what to search for).
You have many options for connecting to a Cloud SQL instance from external applications, such as a public IP address with SSL, a public IP address without SSL, the Cloud SQL Proxy, etc. You can see all of them here.
Among all the connection options there is the Cloud SQL Proxy; it basically provides secure access to your instances without the need for authorized networks or configuring SSL on your part.
You only need to follow the steps listed here and you will be able to connect to your Cloud SQL instance using the proxy.
Enable Cloud SQL Admin API on your console.
Install the proxy client on your local machine (Linux):
wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
chmod +x cloud_sql_proxy
Determine how you will authenticate the proxy. You can use a service account or let the Cloud SDK take care of the authentication.
However, if required by your authentication method, create a service account.
Determine how you will specify your instances for the proxy. Your options for instance specification depend on your operating system and environment.
Start the proxy using either TCP sockets or Unix sockets.
Take note that as of this writing, Cloud SQL Proxy does not support Unix sockets on Windows.
Update your application to connect to Cloud SQL using the proxy.
I'm attempting to find a completely remote / cloud-based development workflow.
I've created an AWS free-tier EC2 instance and on that box I've been developing a Gatsby site (the framework doesn't matter, the solution I'm looking for should be framework agnostic). Since the code is on another box, I can't run the dev server and then from the local computer hit localhost as I would normally.
So,
What do I need to do so that I can run gatsby develop and hit my dev server that's hosted on the ec2 box?
How do I provide public access to that endpoint?
Is it possible to provide temporary access so that when I log off of the box, it's no longer accessible?
Is there some mechanism I can put into place so that I'm the only one that can hit that endpoint?
Are there other features that I should be taking advantage to secure that endpoint?
Thanks.
I can't run the dev server and then from the local computer hit localhost as I would normally
You can. You can use ssh to tunnel your remote port to your localhost, and access the server from your localhost.
What do I need to do so that I can run gatsby develop and hit my dev server that's hosted on the ec2 box?
ssh into the dev server, run gatsby develop and either access it on localhost through an ssh tunnel or make it public to access through its public IP address.
Use sshfs to mount a development folder on the dev server onto your localhost.
Alternatively, you can set up vncserver on the dev server, tunnel the VNC connection using ssh, and access the dev server through a remote desktop. Something lightweight would be good, e.g. fluxbox as a desktop environment for VNC.
Is it possible to provide temporary access so that when I log off of the box, it's no longer accessible?
Yes, through an ssh tunnel. You close the tunnel and the access is finished.
Is there some mechanism I can put into place so that I'm the only one that can hit that endpoint?
An ssh tunnel along with a security group that allows ssh for your IP address only.
Are there other features that I should be taking advantage to secure that endpoint?
Security groups and ssh tunneling would be primary choices to ensure secure access to the dev server.
You can also make the endpoint public, but set the security group of your dev server to allow internet access only from your IP.
You could also put the dev server in a private subnet for full separation from the internet. Use a bastion host to access it or set up a double ssh tunnel to your localhost.
Another way is to do all development on localhost, push code to CodeCommit and have CodePipeline manage deployment of your code to your dev server using CodeDeploy.
You can also partially eliminate ssh by using SSM Session Manager.
Hope this helps.
So my partner builds an API on top of .NET and uses a local server to host the project, so to connect to the API endpoint I need to create a VPN before I can access the API.
I've connected from my PC to my partner's local server; in Windows 7 I created a Workplace connection and filled in the Internet Address, Destination Name, Username and Password.
So how can I do this from GCP, so that I can access my partner's local server from GCP?
Don't ask me why not just upload your partner api project to gcp.
Thanks.
Have you tried to just do it?
Just create a tunnel from a GCP Compute Instance (Virtual Machine with HTTP/HTTPS) to your partner's local server on the preferred port?
GCP offers VPN Products - https://cloud.google.com/vpn/docs/concepts/overview - maybe they will help you.
Based on your question, there are a few solutions available. I’ll provide two solutions which may help you.
If you would like to set up an internal path from your GCP instance to your partner's local server, maybe you should look into the following quickstart on VPNs.
However if you’re looking to use an external path to connect your GCP instance to your partner’s local server, try exposing your partner’s server IP externally and configure a load balancer to it.
I remotely hosted the Realm Server on AWS and I got it to run and I am able to connect to the Realm Dashboard, but I'm not sure how to connect to the Realm Object Server using the Realm Browser App.
I was able to find the admin access token but since the server is remotely hosted what would the Server URL be? The Realm website tutorial provided us with realm://127.0.0.1:9080, but that's only for when the Realm Server is locally hosted.
You have to replace the localhost IP (in our examples, that is listed as 127.0.0.1) with the hostname or IP address of your EC2 machine. Please note that the numbers/addresses below are made up. They are just to serve as an example.
Typically, this will be something of the form 198.51.100.38, giving you the root URL: realm://192.51.100.38:9080. To this, you obviously have to append the path of the Realm file that you are trying to access.
Alternatively, you should be able to use the EC2 hostname, if you prefer that. Your EC2 hostname should look something like ec2-198-51-100-38.compute-1.amazonaws.com. You should check your EC2 dashboard for more information to get these proper values.
More information:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html
We are working on an app whose Front-end has been decoupled from the back end.
We have 2 project packages. The first project package acts as the front-end for the app and interacts with the 2nd package which acts as the back-end via API.
Front-end is built with:
React
Redux
Back-end is built with:
ExpressJS
MongoDB
We have deployed the app successfully on an AWS EC2 instance, but I am doubtful about the inbound security measures we have applied for the packages. Both packages are deployed on the same EC2 instance.
The front end of the app can be accessed with https://xxx.xxx.x.xxx:8080. Under the security group, under inbound rules, I added the source as anywhere for port 8080 under the custom TCP rule.
I did the same for port 3000 reserved for the back-end API server and port 27017 reserved for MongoDB.
What I actually want to do is only let the front-end package running on port 8080 talk to the API server, and the API server in turn talks to MongoDB.
I do not want everyone to have access to the backend server and MongoDB except for the front-end app server.
Note that I have already used the JWT token to secure the API. This one is to add an extra layer of security.
How can I limit the access to only the Front-end app server?
Thanks in anticipation.
Sorry, are you accessing your MongoDB directly from the frontend? I hope not...
So you should configure a firewall on your server (firewalld or iptables) to block Mongo and all other internal ports from being accessed from the web.
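An added example (mine, not code from either answer) that checks the two goals raised on this page in code: the dev-server answer's "security group that allows ssh for your IP address only", and this question's wish that the API on 3000 and MongoDB on 27017 are reachable only from the front end on the same box. It assumes rule data in the shape of the IpPermissions list returned by `aws ec2 describe-security-groups`; the sample rules and the admin address 203.0.113.7/32 are constructed placeholders.

```python
import ipaddress

# Constructed sample shaped like the IpPermissions list that
# `aws ec2 describe-security-groups` returns; the ports mirror the question
# above (8080 front end, 3000 API, 27017 MongoDB, each opened to "anywhere").
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]
INTERNAL_PORTS = {3000, 27017}   # only processes on the box should reach these
ADMIN_CIDR = "203.0.113.7/32"     # placeholder for the developer's own address


def _cidrs(rule):
    """All IPv4 and IPv6 source ranges of one rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _covers(rule, port):
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit(permissions, admin_cidr=ADMIN_CIDR, internal=INTERNAL_PORTS):
    """Return (port, cidr, reason) for every rule that breaks a goal:
    an internal port reachable from outside the instance, or SSH
    allowed from anything other than the single admin address."""
    admin = ipaddress.ip_network(admin_cidr)
    findings = []
    for rule in permissions:
        for cidr in _cidrs(rule):
            for port in sorted(internal):
                if _covers(rule, port):
                    findings.append((port, cidr, "internal port exposed"))
            if _covers(rule, 22) and ipaddress.ip_network(cidr) != admin:
                findings.append((22, cidr, "ssh not limited to admin address"))
    return findings


def tighten(permissions, admin_cidr=ADMIN_CIDR, internal=INTERNAL_PORTS):
    """Corrected rule set: drop the rules for internal ports (bind those
    services to 127.0.0.1 instead) and pin SSH to the admin address only."""
    fixed = []
    for rule in permissions:
        if any(_covers(rule, p) for p in internal):
            continue
        if _covers(rule, 22):
            rule = dict(rule, IpRanges=[{"CidrIp": admin_cidr}], Ipv6Ranges=[])
        fixed.append(rule)
    return fixed
```

The security group only stops traffic from outside the instance; the API and MongoDB should additionally listen on 127.0.0.1 so that the host firewall the answer mentions has nothing left to expose.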