Parse server with ElastiCache redis server and password - amazon-web-services

I have set up a working Parse server on Elastic Beanstalk. I have added an AWS ElasticCache Redis server to use for caching but I can't get the connection to work when using a password, only without. In my Parse server index.js file where I create the new Parse server I connect with Redis like this:
// Redis cache server
var RedisCacheAdapter = require('parse-server').RedisCacheAdapter;
var redisurl='rediss://:'+process.env.REDIS_PASS+'#'+process.env.REDIS_URL
var redisOptions = {url: redisurl};
var redisCache = new RedisCacheAdapter(redisOptions);
Where my URL looks like REDIS_URL=clustercfg.xxxx.xxxx.use1.cache.amazonaws.com
I have tried both redis:// and rediss://. I understand that the RedisCacheAdapter takes only one option - the URL. I thought I could add in the password directly in the link but it does not seem like the adapter parses into password and URL but just expects the URL.
My question is am I doing something wrong here or is there another way to use a password? If it is not possible to use the password I wonder what the reason is (is it because ElastiCache is hidden from the internet and only seen by the server on EC2)?
Update:
Base on comments from #MarkB I tested a few different settings for ElastiCache with my code above modified to also use a password.
var redisOptions = {url: redisurl, password: process.env.REDIS_PASS};
Running ElastiCache with cluster mode, encryption at rest, encryption in transit, and Redis password fails.
Running ElastiCache with encryption at rest, encryption in transit and Redis password fails.
Running ElastiCache with encryption at rest, and encryption in transit, no password fails.
Running ElastiCache without encryption at rest, encryption in transit and no password succeeds.
Seems to me that using encryption at rest and in transit when connecting from Parse server causes a problem I am not sure how to fix. As #MarkB mentioned, the connection between Parse server (EC2) and ElastiCache is restricted to VPC so I am OK with not having the security options, but still, it would be nice.

According to the Parse Server documentation here, the redisOptions will be passed directly to the redis client documented here which supports a password field. I believe that's how you need to be specifying a password instead of specifying it in the URL.
Also note it says if you are using a Redis Client version <2.5 you need to specify auth_pass instead of password.
As you mentioned, with ElastiCache being restricted to your VPC many people consider that secure enough without adding password authentication, unless that is required for something like PCI or HIPAA compliance reasons.

Related

Digital Ocean, how can i secure my SSH connections?

I'm new to this online server area, all I've done so far is create a server on Digital Ocean using Ubuntu 20.04 operating system with LAMP library (apache2) installed.
Currently I use Putty to access the server's command line (I use private key ssh authentication files).
When I put the domain URL or IP, enter port 22, and click "Open connection", the application automatically manages to connect to the server asking for login and password.
Pretty simple isn't it? My concern is that anyone who has the least knowledge can come across the gateway to my server, just that he has the login and password to access.
But when I try to connect with putty on sites like stackoverflow.com, google.com, facebook.com and among others, putty doesn't give me the opportunity to type the login.
Knowing this, how do I secure my server so that it can act in the same way as the aforementioned sites?
You could add some sort of VPN and whitelist a select amount of IP addresses able to access your server. This would add an extra layer of security.

PostgreSQL Db traffic encryption with Django

I am using Django 3.08 with a PostgreSQL 12 Remote server. I have searched the docs for Postgres and Django, but can’t find discussion of how/if Django encrypts the traffic between my app and the dB.
It looks like to me that the traffic is encrypted using md5 encryption by default in PostgreSQL based on the settings in PostgreSQL,and sends it by tcp over port 5432. It is my understanding that md5 is no longer sufficient encryption. However PostgreSQL has supported scram-Sha-256 since PostgreSQL 10. Does anyone know or have a reference to where I can set my app to use the stronger encryption or is it all taken care of if I set all traffic on my site to use https in the settings.py file. Or, will Django use scram-Sha-256 if I just change the setting in PostgreSQL?
md5 and scram-sha-256 are for password-based authentication, not for encryption. While the password exchange itself would not be readable in clear text to someone eavesdropping on the connection, the rest of the data (queries and results) still would be readable, and changeable if the session is hijacked.
Encryption is implemented by ssl (common), or in recent versions perhaps by encryption tied to GSSAPI authentication (which I think is rare).
The reference of course would be the documentation for the server and the client (Django as far as I know uses psycopg2, which in turn uses libpq)

Encryption/decryption of cookies by HAProxy

We're trying to set up a load balancer with HAProxy which will serve multiple backend web applications. The use case is something like this:
User browses to foo.com/app1
HAProxy sees that the cookie doesn't contain session information, and redirects to an authentication gateway (a single-sign-on page of sorts)
The auth gateway provides a form, where if the user successfully logs in, the gateway redirects back to HAProxy, with a COOKIE storing the session details
HAProxy now sees that valid session information is present and redirects to app1-internal.foo.com (the actual web application) with the same COOKIE - which is used further by the web application.
Our doubt is in the 3rd step. We would like to encrypt the cookie which the authentication gateway adds (via AES or similar). The problem is, that at the HAProxy end we can't seem to figure out how to decrypt it, since HAProxy doesn't seem to support decrypting headers (or even running an external C/C++ program that can decrypt it). So our questions are:
Can we decrypt AES encrypted headers at HAProxy itself (note that this is not an SSL connection) ?
Is HAProxy not really designed for this use case - is there a better tool for this purpose that you can suggest for us?
Many thanks in advance!

How to use HTTPS for webservice and android app?

Im working on some JSON-based web service that is supposed to work with Android application.
I would like to encrypt data transport between client (android) and server (virtual server in datacenter).
I don't have to make sure that my server is my server, just data encryption.
I have no idea how to use HTTPS.
Do I just put my PHP files in private_html and use https://example.com url?
To use HTTPS, you don't have to do anything in the coding of your web service - it's all in your hosting. Here the are steps you can follow. The specific instructions differ in your hosting (IIS, Apache, AWS/Azure, etc), but you can google specifics on how to accomplish any of these steps for whatever host and application framework you decide.
Buy an SSL certificate (there are many different vendors, but expect between $75-$200 for the certificate) based on the vendor, reputation, and level of security you need.
Generate a certificate signing request (CSR) from the server you'll be hosting.
Upload the CSR to the SSL vendor who will validate and provide the certificate for your use.
Import the SSL certificate into your application server, and configure the site to use the certificate. For instance, if you're hosting Microsoft IIS, you'd import the SSL certificate and then add HTTPS bindings on 443 to the specific website hosting your web service.
Another point of security. Since you are deploying SSL, you don't have to do any application level encryption (assuming you are not putting sensitive information in query strings - use POST if you think you need to). You probably would want to implement some security to restrict access to your web service so only your app can access it. Best practice is some level of OAuth, but at a minimum some type of pre-shared key in the header of the request is a lot better than nothing.
Here are some additional sites for more information:
https://www.digicert.com/ssl-certificate-installation.htm
https://support.godaddy.com/help/category/742/ssl-certificates-installing-ssl-certificates?prog_id=GoDaddy
If you don't want to pay for a certificate, you can use certificate signet by your own CA and add the root certificates into your application using HTTPClient and keystores
Here there's some guides
http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
http://developer.android.com/reference/org/apache/http/client/HttpClient.html
KeyStore, HttpClient, and HTTPS: Can someone explain this code to me?
http://blog.antoine.li/2010/10/22/android-trusting-ssl-certificates/
You can limit users to use JUST and only HTTPS in apache, IIS or whatever do you use. If your client connects to your server, his communications will be likely to encrypted, because he is already using HTTPS. And for responsing in HTTPS you virtually cannot send HTTPS responses, as far as I know, unless that other side isn't also a website (for example, if you have your website, you could send such a response e.g. to Google). You should be okay to send data like http status codes (OK, NotModified, PageNotFound, ...), or if you want something more, or if it is a requirement, then there you still have JSON and you could encode it as well, with some encoding algorithms, or use binary JSON format.
Check if your hosting company provides a free public shared https address. Most of them do.
If you want to understand how to do it right, follow this thread
Warning: Don't stick with the solution below for production.
If you plan o use an https endpoint without a certificate you have to make sure to disable peer verification, check this answer

Using CFHTTP with HTTPS domain in Railo

I keep getting Connection Failed when trying to request data from a page that is on an https:// domain. I did install the ssl cert using the built-in section of the railo admin at https://[mydomain]/railo-context/admin/server.cfm?action=services.certificates however I still get Connection Failed. How should I go forward with debugging this? I have confirmed that this server in particular does have access to the domain I am trying to request from.
You probably need some additional certs installed as Jason has said. Take a close look at the cert and it's chain. Go to the cert issuers site and look for some documentation.
To troubleshoot you can add some logging to your jvm args. I think it's something like:
-Djavax.net.debug=all
The results are either in the OUT log or the server.log. This post on SSL 3.0 has some debugging tips. It's possible that your cert needs to handshake at a lower security level than CF allows (SSL 2.0 instead of 3.0/TLS for instance) and that could cause this behavior - but it's more likely that you simply need an intermediate cert installed.
The problem ended up being the permissions weren't setup properly on the machine. After we had the server administrator fix our permissions to access the Railo-Tomcat Service Control, the requests started working. I'm assuming he fixed some other permissions while he was in there.