predictionio-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pat Ferrel <...@occamsmachete.com>
Subject Re: Securing Event Server on Heroku?
Date Fri, 01 Sep 2017 21:00:11 GMT
TLS/SSL is required along with authentication of the HTTPS requests. I’m not familiar with
Heroku but the Proxy must authenticate the incoming connections. Nginx has basic auth and
is a fast proxy, for instance.

A cheap, dirty, and not recommended unless it is your only option, is to set your security
restrictions to allow connections only from a known IP address or range where your app servers
run (the servers using the PIO SDK). This would be a setting in Heroku I assume. In AWS it
is done with PVC Security Groups.


On Sep 1, 2017, at 12:16 PM, Mars Hall <mars.hall@salesforce.com> wrote:

Shane,

A whole different perspective to this, still involving private networks, is to deploy all
the apps that need to access PIO directly onto the same network. No auth required!

Or, peer the PredictionIO private network with other cloud resources, such as Salesforce org
IP restrictions.

On Fri, Sep 1, 2017 at 12:10 PM, Mars Hall <mars.hall@salesforce.com <mailto:mars.hall@salesforce.com>>
wrote:
Hi Shane,

As you've found, PredictionIO itself does not include a complete authorization solution. A
general solution is to isolate PredictionIO from the internet on a private network, and then
implement a gateway/proxy to authorize and route traffic to PredictionIO eventserver and engine
query API.

With Heroku Enterprise, this architectural pattern may be implemented by provisioning two
Private Spaces <https://www.heroku.com/private-spaces>; recommended naming pattern:
example-public (frontend) & example (backend).

Configure the backend space to only trust incoming traffic from the public space and itself.
In the Heroku Dashboard <https://dashboard.heroku.com/>:
With two side-by-side browser windows, open the frontend & the backend spaces' Network
settings.
Copy each of the frontend Space Outbound IPs to the backend Trusted IP Ranges.
CIDR notation for each individual IP is X.X.X.X/32.
Copy each of the backend Space Outbound IPs to its own Trusted IP Ranges.
CIDR notation for each individual IP is X.X.X.X/32.
Then, deploy PredictionIO apps to the backend space. In the frontend space, deploy a public
proxy/gateway. We've used Node to make simple proxies, or try something like Kong API gateway
on Heroku <https://github.com/heroku/heroku-kong> and configure API's with simple key
authorization.

Keep in mind, all public-facing traffic and inter-space traffic should be encrypted. SSL/TLS
is not available by default for Private Spaces apps. Therefore, a custom domain name and certificates
must be procured and installed for every app.

I'd like to see a best-practices pattern emerge around securing PredictionIO. I would love
to hear about your ongoing progress,

*Mars

On Thu, Aug 31, 2017 at 10:24 PM, Shane Johnson <shanewaldenjohnson@gmail.com <mailto:shanewaldenjohnson@gmail.com>>
wrote:
Hi everyone. We are building an app exchange app that is leveraging the Heroku deployment
of PIO. We are needing to secure the posts to the events.json endpoint as well the queries.json
endpoint on Heroku.

Do you have any suggestions on how to add security around adding events and querying predictions.
Is there an add-on on Heroku or would it be necessary to extend the scala code to look for
a secret key. I would prefer to not extend the scala and have authentication happen at the
heroku level if possible.

Thank you in advance!

Shane Johnson | 801.360.3350 <tel:(801)%20360-3350>
LinkedIn <https://www.linkedin.com/in/shanewjohnson> | Facebook <https://www.facebook.com/shane.johnson.71653>




-- 
*Mars Hall
415-818-7039
Customer Facing Architect
Salesforce Platform / Heroku
San Francisco, California


Mime
View raw message