What is the purpose of a SGW server?
In a particular architecture, there is an SGW in front of four app servers. What role does it serve?
On AWS, our EC2 container hosts an app that runs both a backend and frontend server. The frontend server is our customer facing app that we want open to the public, and our backend server hosts the admin panel that should be accessible from the web by ONLY the admins and devs.
Normally, we could just create a security group to filter who can access the app. However, doing this would also block users from accessing the frontend app.
We're looking for a solution that can distinguish not only the IP of the user, but also takes into account whether they are trying to access the frontend URL or the backend URL.
Any suggestions? Thanks!
This logic moves the decision from network-layer protection to the application layer instead: you're trying to prevent access based on the URI, so features like security groups or NACLs would not work.
Instead the approach to take would be to use a WAF as a protective layer in front of your application.
To do this you would add the developers' IPs to an IPSet, then apply ordering through a rule group to always allow the request if it comes from these IPs. After this, the second rule would evaluate the path of the request and block if it matches a particular pattern. Finally, all other requests would be allowed.
The WAF would need to be attached to either an Application Load Balancer or CloudFront as it cannot be directly attached to an EC2 instance.
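An added example (not code from the answer above, and not AWS's own WAF engine) that models the rule ordering the answer describes: a web ACL evaluates rules by priority, the first terminating action (ALLOW or BLOCK) wins, and the default action covers the rest. The IP ranges, rule names and the `/admin` path are constructed placeholders; the second rule set shows what happens when the two rules are given the wrong priorities.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed IPSet for the admins/devs (RFC 5737 documentation ranges, not real).
ADMIN_IPSET = [
    ipaddress.ip_network("203.0.113.0/24"),   # hypothetical office range
    ipaddress.ip_network("198.51.100.7/32"),  # hypothetical remote developer
]


@dataclass(frozen=True)
class Request:
    source_ip: str
    uri_path: str


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                       # lower value is evaluated first
    matches: Callable[[Request], bool]
    action: str                         # "ALLOW" or "BLOCK"; both terminate evaluation


def from_admin_ipset(req: Request) -> bool:
    """Equivalent of an IP set reference: is the client address in the set?"""
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in net for net in ADMIN_IPSET)


def is_admin_path(req: Request) -> bool:
    """Equivalent of a byte match on the URI path (STARTS_WITH) after a
    lowercase text transformation, so /ADMIN or /Admin is treated like /admin."""
    return req.uri_path.lower().startswith("/admin")


# Rule group in the order the answer describes: allow-list first, then block.
RULES: List[Rule] = [
    Rule("allow-admin-ips", 0, from_admin_ipset, "ALLOW"),
    Rule("block-admin-path", 1, is_admin_path, "BLOCK"),
]

# The same rules with the priorities reversed: the block fires before the
# allow-list is consulted, so the admins are locked out as well.
RULES_MISORDERED: List[Rule] = [
    Rule("block-admin-path", 0, is_admin_path, "BLOCK"),
    Rule("allow-admin-ips", 1, from_admin_ipset, "ALLOW"),
]

DEFAULT_ACTION = "ALLOW"  # the public frontend keeps working for everyone else


def evaluate(req: Request, rules: List[Rule] = RULES,
             default: str = DEFAULT_ACTION) -> Tuple[str, str]:
    """Return (action, rule name): the first matching rule decides,
    otherwise the web ACL default action applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(req):
            return rule.action, rule.name
    return default, "default"


if __name__ == "__main__":
    for req in (Request("203.0.113.5", "/admin/users"),
                Request("192.0.2.10", "/admin/users"),
                Request("192.0.2.10", "/")):
        print(req, "->", evaluate(req), "| misordered:", evaluate(req, RULES_MISORDERED))
```

The ordering is the whole point: with `RULES_MISORDERED`, a request from an allow-listed address to `/admin/users` is blocked, because the block rule terminates evaluation before the allow rule is reached. The lowercase transformation is the same reason a real WAF path rule should carry a text transformation rather than matching the raw bytes.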
First of all, I'm in no way an expert at security or networking, so any advice would be appreciated.
I'm developing an iOS app that communicates with an API hosted on an AWS EC2 Linux machine.
The API is deployed using **FastAPI + Docker**.
Currently, I'm able to communicate with my remote API using HTTP requests to my server's public IP address (after opening port 80 for TCP) and transfer data between the client and my server.
One of my app's features requires sending a private cookie from the client to the server.
Since having the cookie allows potential attackers to make requests on behalf of the client, I intend to transfer the cookie securely with HTTPS.
I have several questions:
Will implementing HTTPS for my server solve my security issue? Is that the right approach?
The FastAPI "Deploy with Docker" docs recommend this article for implementing TLS for the server (using Docker Swarm Mode and Traefik). Is that guide relevant for my use-case?
In that article, it says Define a server name using a subdomain of a domain you own. Do I really need to own a domain to implement HTTPS? Can't I just keep using the server's IP address to communicate with it?
Thanks!
Will implementing HTTPS for my server solve my security issue? Is that the right approach?
With HTTP all traffic between your clients and the EC2 is in plain text. With HTTPS the traffic is encrypted, so it is secure.
FastAPI "Deploy with Docker"
Sadly can't comment on the article.
Do I really need to own a domain to implement HTTPS?
Yes. The SSL certificates can only be registered for domains that you own. You can't get a certificate for a domain that is not yours.
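An added example (not code from the question or the answer, and not FastAPI or Traefik code) showing the server-side half of the cookie concern: once the API is served over HTTPS, the cookie should also be marked `Secure` and `HttpOnly`, so that a client never transmits it over plain `http://`, even to the server's bare IP address. The cookie name, value and the `api.example.com` hostname are constructed placeholders; the second function models the user-agent rule for when a stored cookie is attached to a request.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value carrying the hardening attributes."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True        # only transmitted over TLS
    morsel["httponly"] = True      # invisible to script running in a page
    morsel["samesite"] = "Strict"  # not attached to cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age    # bounded lifetime
    return morsel.OutputString()


def cookie_is_sent(set_cookie: str, name: str, request_url: str) -> bool:
    """Model the user-agent rule for a stored cookie: a Secure cookie is
    attached only to https:// requests, and only under its Path."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar[name]
    url = urlsplit(request_url)
    if morsel["secure"] and url.scheme != "https":
        return False
    return (url.path or "/").startswith(morsel["path"] or "/")


if __name__ == "__main__":
    header = build_session_cookie("session", "opaque-token")  # constructed value
    print("Set-Cookie:", header)
    for target in ("https://api.example.com/v1/me",
                   "http://api.example.com/v1/me",
                   "http://203.0.113.10/v1/me"):
        print(target, "->", "sent" if cookie_is_sent(header, "session", target) else "withheld")
```

The point beyond "turn on HTTPS" is that the `Secure` attribute makes the client enforce the transport: the cookie is withheld from the plain-HTTP URL and from the raw-IP URL, so leaving port 80 open for a redirect does not expose it.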
I'm not very familiar with deployment and networking as I'm primarily a frontend developer. I want to create a project with Laravel and React (separated, not integrated with Blade), and deploy them to AWS. I want to use Laravel only as an API server, and I'm planning to deploy it on EC2. If I host my React app on S3, how will it be possible for me to share the same domain with the API server running on the EC2 instance?
I know that I can have separate subdomains, like www.example.com for my React app and api.example.com for my API server. However, if I want to have www.example.com for my React app and www.example.com/api for my API server, what options do I have? And what resources can you recommend for me to get more up to speed on this topic? Thanks!
As you want to use S3 and EC2 you would need to use a service that can distribute to both endpoints based on a condition.
The best service for this would be CloudFront, which supports distribution to S3 and EC2 (as a custom origin).
To do this you would create your distribution with an origin for the S3 bucket and an origin for the API. As your API is hosted on the /api/* path, you would add this as the path pattern when adding the secondary origin via a behaviour.
CloudFront will then route any requests to /api/* paths to your EC2 origin.
I have found an article named How to route to multiple origins with CloudFront which I hope will explain the steps to accomplish this in greater detail.
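An added example (not code from the answer, and not CloudFront's own implementation) that resolves a request path to an origin the way CloudFront cache behaviors are evaluated: behaviors are tried in listed order, the first matching path pattern wins, and the default behavior (`*`) catches everything else. The origin ids are constructed placeholders for the S3 bucket and the EC2 API.

```python
from fnmatch import fnmatchcase
from typing import List, Tuple

# Constructed distribution layout: origin ids are placeholders.
DEFAULT_ORIGIN = "s3-react-site"          # the default behavior ("*") target
BEHAVIORS: List[Tuple[str, str]] = [
    ("/api/*", "ec2-laravel-api"),        # (path pattern, target origin id)
]


def resolve_origin(request_path: str,
                   behaviors: List[Tuple[str, str]] = BEHAVIORS,
                   default: str = DEFAULT_ORIGIN) -> str:
    """Pick the origin for a request: first behavior whose path pattern
    matches wins, otherwise the default behavior's origin is used."""
    path = request_path.split("?", 1)[0]  # patterns match the path, not the query
    for pattern, origin in behaviors:
        # CloudFront patterns are case-sensitive and use * and ? wildcards,
        # with * also spanning "/"; fnmatchcase has the same semantics.
        if fnmatchcase(path, pattern):
            return origin
    return default


if __name__ == "__main__":
    for p in ("/", "/static/app.js", "/api/users?id=1", "/api", "/API/users"):
        print(p, "->", resolve_origin(p))
```

Two details worth checking in the real distribution: `/api/*` does not match the bare `/api` path (add a second behavior for `/api` if the API answers there), and the API behavior needs a cache/origin-request policy that forwards the headers, cookies and query strings the API relies on, because the default caching for the S3 side is tuned for static files.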
We have a back-end website deployed on AWS. I deploy a front-end website in local Tomcat and send a request to the back-end website in order to get some object data with a homemade SOAP API. Does it work?
Yes, literally you are trying to access a remote API from a local environment. After the deployment in AWS, do make sure the security groups allow the protocol and port number to be communicated with remotely.
By default these ports are not allowed.
Looks like you are trying to connect to a SOAP web service hosted in AWS. There is no reason it shouldn't be working; the only thing is you have to properly configure the AWS security groups attached to your backend server to allow connections from your frontend website. Use the front-end server port as the source IP in your security group. You might also have to allow outgoing connections from the network where your frontend server is hosted if it is protected by a firewall.
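An added example (not code from either answer, and not the AWS security-group implementation) that models how an EC2 security group decides whether inbound traffic reaches the backend: it is an allow-list, so with no matching rule the connection is dropped, which is the "by default not allowed" behaviour the first answer refers to. The port and the source address are constructed placeholders; the last function flags rules that admit the whole Internet, which is the shortcut to avoid when all that is needed is the front-end host.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class IngressRule:
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int   # port range (ignored when protocol is "-1")
    to_port: int
    cidr: str        # allowed source range; "0.0.0.0/0" means any address


# Constructed security group for the backend: only the front-end host,
# only on the SOAP service port.
BACKEND_SG: List[IngressRule] = [
    IngressRule("tcp", 8080, 8080, "198.51.100.23/32"),
]


def ingress_allowed(rules: List[IngressRule], protocol: str, port: int,
                    source_ip: str) -> bool:
    """True if some rule admits the (protocol, port, source); no rule, no access."""
    src = ipaddress.ip_address(source_ip)
    for r in rules:
        if r.protocol not in ("-1", protocol):
            continue
        if r.protocol != "-1" and not (r.from_port <= port <= r.to_port):
            continue
        if src in ipaddress.ip_network(r.cidr, strict=False):
            return True
    return False


def world_open(rules: List[IngressRule]) -> List[IngressRule]:
    """Rules whose source range is the entire address space; review these
    before widening a group just to make a remote client work."""
    return [r for r in rules
            if ipaddress.ip_network(r.cidr, strict=False).prefixlen == 0]


if __name__ == "__main__":
    print("front-end host:", ingress_allowed(BACKEND_SG, "tcp", 8080, "198.51.100.23"))
    print("other host:   ", ingress_allowed(BACKEND_SG, "tcp", 8080, "203.0.113.9"))
    print("other port:   ", ingress_allowed(BACKEND_SG, "tcp", 8443, "198.51.100.23"))
    print("world-open rules:", world_open(BACKEND_SG))
```

If the front end runs on a home or office connection with a changing public address, the `/32` has to follow that address; widening it to `0.0.0.0/0` makes the check pass but shows up in `world_open`, which is the rule set worth revisiting once the deployment works.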
I googled but I cannot determine what the differences are between endpoint and gateway. Based on their definitions, they seem alike.
Description of Endpoint
What is Web Service Gateway? Web Service Gateway is a server-side application that opens a communication channel between Bentley’s Apps for mobile devices and Bentley’s project information management systems.
Description of Web Service
Web services expose one or more endpoints to which messages can be sent. A web service endpoint is an entity, processor, or resource that can be referenced and to which web services messages can be addressed. Endpoint references convey the information needed to address a web service endpoint. Clients need to know this information before they can access a service.
Endpoint:
The endpoint is a connection point where HTML files or active server pages are exposed. An endpoint is the URL where your service can be accessed by a client application. The same web service can have multiple endpoints. An endpoint indicates a specific location for accessing a service using a specific protocol and data format.
Gateway:
A service gateway provides a central access point for managing, monitoring, and securing access to your publicly exposed web services. It would also allow you to consolidate services across disparate endpoints as if they were all coming from a single host. A service gateway encapsulates all the details of accessing the service into a single component and hides the component behind an interface that has no direct dependencies on the underlying communications channel.