Creating a web application firewall with nodejs - apache2

I want view if someone try to inject xss,sql to my apache2 server, My idea is create a waf in nodejs and if the connection is secure, redirect to apache2. It is posible?

Yes, it's certainly possible, but avoid the term "redirect" here. What you really want is to a reverse proxy. There's no shortage of basic examples of a node.js reverse proxy -- you'll just need to add whatever WAF checks prior to proxying.

Related

Ionic / Apache Cordova - HTTP requests best practices

i'm developping an app with the ionic framework and a jee + postgresql backend.
I'm actually doubting about the HTTP Requests :
Should i use only jsonp? Or add an Access-Control-Allow-Origin * in my HTTP headers ?
Of course, both of these solutions are working, the second solution seems unsecure to me but i'm not use to mobile requests (without domain-based call/endpoint) so i don't really know what to choose ... i might also miss some other way to do the job ....
Do somebody know how to properly build this kind of communication ?
Thanks you !
If you want to be very flexible and very secure, you might want to implement a JSON Web Token solution. The server issues json web tokens to your users. You can define who gets a token. Then the token must be attached to every request from ionic to your server. The server determines what data to return, if the user is authorized.
For JEE there is this package. For ionic the auth0 repositories are a good study start. You can find many examples online. I think that is the most elaborate solution available, despite might not be easiest to implement.

How Insecure is Elastic Search and how to improve its security?

I was thinking to make use of Elastic Search and want to know all the possible loopholes in security for Elastic Search and how to take care of them. Also, what effect will this have in performance of Elastic Search?
Elasticsearch by default is not secure, means anybody who knows your ip can access it. But there are lot of ways to secure it.
In configuration you can set the value of network.bind_host to localhost or your intranet ip so that is is accessible only from that. For more details check out the doc.
You can simply restrict the port access(default is 9200) using iptables.
You can use nginx as a proxy so that you can have all the goodness and configurability of nginx. Read about it at playing http tricks with nginx.
Elastic also has a commercial security product called shield.
There are few other security plugins available on the net also. Though elasticsearch by default is not secured it is easy to setup a security around it.
Of all I personally prefers the nginx proxy as it is very easy to setup and gives me an added advantage of logging all request to elasticsearch via nginx access logs.
Lastly, the security additions will have no/negligible performance impact.
ElasticSearch is insecure by default, however I'd really hesitate to say thats any different than any other service. You shouldn't have your database connection public facing, right? You should really consider treating it like any other services that you wouldn't want publicly accessible. Elasticsearch does provide https and basic auth. So it has the capability to be secure as long as you make it so, but the same can be said about many services you deploy.

Make cURL with cordova/phonegap

Hi i dont find any related info about this, my question is simple, is there any way
Plugin
Code (Java ,C)
etc
to make a cURL call in an apache cordova app to a custom web service, i know it sound weird but the thing is we have a service from a partner office and they didnt want/know to configure the CORS so i need to make a subservice that call they service via cURL and the send the data to the device, and seems like a lot i want to know if theres any way to achieve that in cordova, i know it cant be done in pure JS but maybe a guide or something to acomplish my goal with java or c will help, regards
Use the following process to setup a proxy service to make the call indirectly:
Use java.net.URL to map the URL
Use java.net.URLConnection to make the connection
Use java.net.Proxy to make a proxy connection
Use the CLI in conjunction with node.js and the ex-curl module for a platform agnostic solution.
References
Networking with Android
Cordova Guide: The Command Line Interface (CLI)

Riak like REST service with Angular.js client

I used Riak(http://basho.com/riak/) as rest service and Angular on client. When I try to use method "PUT" then first request is OPTION, but Riak doesn't know how to properly respond for this.
I found some clients but all of them are made to run on server, not sure about Node.js client like this http://riak-js.org/
Can I make it working from web client?
Maybe Riak was not meant to work with web clients directly, then I'll try something else.
I don't know about Riak, but the OPTIONS request suggests that you're trying to perform a cross-domain request (Angular running on domain "aaa.com", Riak on domain "bbb.com", although it can also even be just a different subdomain or port number).
My guess is that Riak doesn't support CORS, in which case you need to look for an alternative (a simple server-side proxy might be all that you need, although please consider the security impact of exposing Riak directly to browsers).
I have found js gui client for Riak https://github.com/basho/rekon, but it works directly from riak, that's not what i wanted but maybe i can use same solution also, or make proxy on server

Microservices communication/deployment

I read a couple of posts and presentations on Microservices concept and architecture and REST, and was unable to find answer to a few basic question.
If service A depends on service B, how does sevice A knows where to find (host and port) service B? I'm guessing hardcoding isn't very nice.
If I have, for example, an AngularJS client which request multiple services deployed, how does the angular app knows how to find those multiple services? Again, hardcoding doesn't sound right.
Thank you in advance
AngularJS has Dependency Injection baked in. Use that to construct your dependencies.
If you wanted to reduce the "hard-coding" further, I suppose you could deploy a "Service Registry," which could maintain all of the dependencies. You could then call the Service Registry service to get the port numbers and such, and maintain them in one place. Seems to me like overkill, though.
This is more of a Java based solution to your problem, however it is a very proven method. Take a look at Spring Cloud / Netflix OSS. The Spring Cloud project has a working example on github using AngularJS and the various backend services that make up the Spring Cloud solution.
Specifically the following:
Eureka -> Service Discovery, solves the problem of host and port
Zuul -> HTTP Proxy, solves the problem of finding the current host and port via Eureka integration. Zuul can help with security, CORS etc.
Another possible solution is Zookeeper. I have no experience with Zookeeper.

Resources