predictionio-user mailing list archives

From Mars Hall
Subject Re: Securing Event Server on Heroku?
Date Fri, 01 Sep 2017 19:10:08 GMT
Hi Shane,

As you've found, PredictionIO itself does not include a complete
authorization solution. A general solution is to isolate PredictionIO from
the internet on a private network, and then implement a gateway/proxy to
authorize and route traffic to PredictionIO eventserver and engine query

With Heroku Enterprise, this architectural pattern may be implemented by
provisioning two Private Spaces;
recommended naming pattern: *example-public* (frontend) & *example*

Configure the backend space to only trust incoming traffic from the public
space and itself. In the Heroku Dashboard:

   1. With two side-by-side browser windows, open the frontend & the backend
   spaces' *Network* settings.
   2. Copy each of the *frontend* *Space Outbound IPs* to the *backend*
   *Trusted IP Ranges*.
   CIDR notation for each individual IP is X.X.X.X/32.
   3. Copy each of the *backend* *Space Outbound IPs* to its own *Trusted
   IP Ranges*.
   CIDR notation for each individual IP is X.X.X.X/32.

Then, deploy PredictionIO apps to the backend space. In the frontend space,
deploy a public proxy/gateway. We've used Node to make simple proxies, or
try something like Kong API gateway on Heroku
and configure APIs with simple key

Keep in mind, all public-facing traffic and inter-space traffic should be
encrypted. SSL/TLS is not available by default for Private Spaces apps.
Therefore, a custom domain name and certificates must be procured and
installed for every app.

I'd like to see a best-practices pattern emerge around securing
PredictionIO. I would love to hear about your ongoing progress,


On Thu, Aug 31, 2017 at 10:24 PM, Shane Johnson wrote:

> Hi everyone. We are building an app exchange app that is leveraging the
> Heroku deployment of PIO. We are needing to secure the posts to the
> events.json endpoint as well as the queries.json endpoint on Heroku.
> Do you have any suggestions on how to add security around adding events
> and querying predictions? Is there an add-on on Heroku or would it be
> necessary to extend the Scala code to look for a secret key? I would prefer
> to not extend the Scala and have authentication happen at the Heroku level
> if possible.
> Thank you in advance!
> *Shane Johnson | 801.360.3350*
> LinkedIn | Facebook
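
The gateway pattern described in the reply above, sketched in Node as an added example that is not part of the original message or of PredictionIO: a frontend-space proxy that checks a per-client key before routing `events.json` and `queries.json` to backend-space apps. The backend hostnames, the `X-Api-Key` header, the `GATEWAY_KEYS` variable and the POST-only rule are assumptions.

```javascript
// Added example: hostnames, X-Api-Key, GATEWAY_KEYS and POST-only are assumptions.
const crypto = require('node:crypto');
const http = require('node:http');
const https = require('node:https');

// Public path -> backend-space app (placeholder hostnames; use your own custom domains).
const BACKENDS = {
  '/events.json': 'https://eventserver.example.internal',
  '/queries.json': 'https://engine.example.internal',
};
// Hash both sides so timingSafeEqual always compares equal-length buffers.
const digest = (s) => crypto.createHash('sha256').update(String(s)).digest();

// Returns the client name for a valid key, otherwise null. Empty keys never match.
function authorize(headers, keys) {
  const presented = digest(headers['x-api-key'] || '');
  let client = null;
  for (const [name, key] of Object.entries(keys)) {
    if (key && crypto.timingSafeEqual(presented, digest(key))) client = name;
  }
  return client;
}

// Decide what happens to a request before any backend is contacted.
function decide(method, url, headers, keys) {
  let u;
  try { u = new URL(url, 'http://gateway.invalid'); } catch { return { status: 400 }; }
  const backend = BACKENDS[u.pathname];
  if (!backend) return { status: 404 };            // only allowlisted paths are routed
  if (method !== 'POST') return { status: 405 };   // assumption: clients only POST
  const client = authorize(headers, keys);
  if (!client) return { status: 401 };
  return { status: 200, client, target: backend + u.pathname + u.search };
}

function createGateway(keys) {
  return http.createServer((req, res) => {
    const d = decide(req.method, req.url, req.headers, keys);
    if (d.status !== 200) { res.writeHead(d.status).end(); return; }
    // Forward only the content type; the gateway key never reaches the backend.
    const headers = { 'content-type': req.headers['content-type'] || 'application/json' };
    const up = https.request(d.target, { method: 'POST', headers }, (r) => {
      res.writeHead(r.statusCode, { 'content-type': r.headers['content-type'] || 'application/json' });
      r.pipe(res);
    });
    up.on('error', () => { if (!res.headersSent) res.writeHead(502); res.end(); });
    req.pipe(up);
  });
}
// Starts only when PORT (set by Heroku) and GATEWAY_KEYS, JSON like {"client":"key"}, exist.
if (process.env.PORT && process.env.GATEWAY_KEYS) createGateway(JSON.parse(process.env.GATEWAY_KEYS)).listen(process.env.PORT);
```

With no keys configured the gateway does not start, so a misconfigured deploy fails closed rather than proxying unauthenticated traffic.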
