Once a membase server is setup, any machine can connect to it via the ip plus port. How to secure membase such that it will only listen to specific ip addresses?
Your best bet is to do this through the use of a firewall, either local to the Membase server or as part of your overall environment. Like Memcached, Membase also supports SASL authentication to control access to a particular dataset, but that's not meant to be a security measure.
Related
Is it possible to know what range of external IP the DataFlow workers on GCP are using? The goal is to set-up some kind of IP filtering on an external service, so that only our DataFlow jobs running on GCP can access the service.
The best solution would be to upgrade so that you can use SSL or other mechanisms of strong authentication.
You can use the --network= option to control the GCE Network that the worker VMs are assigned to. Take a look at the GCE docs on networking for details on how to set up a VPN (like the comment from Elmar suggested). You could also look at setting up a single machine in the network with a static, external IP and using it as a proxy for the other VMs in the network.
This is not a use pattern we have tested, so there may be issues with latency or throughput of traffic through the proxy/VPN. You will likely need to be careful to only send your traffic through this proxy so that you don’t accidentally hijack the traffic used by each worker to communicate with the Dataflow service.
Can someone explain why using a port is necessary when running things locally?
I assume the reason is because the same software could be run remotely and in that case specifying a port would be necessary.
When a database or server is running locally, do requests from a locally running web browser really "go through the port" specified?
Good question. In fact, there are local-only communication protocols, such as pipes and UNIX domain sockets that do not actually require port numbers to operate. This is because they refer to files or other identifiers that are only valid on the computer itself.
However, most servers are designed for TCP/IP connections. TCP/IP itself specifies a port number in the protocol. It is normally intended for remote use, but when a server that is used to TCP/IP runs "on local host", it must supply a port number to satisfy the TCP protocol.
Port numbers also enable multiple servers to coexist on a single computer, all running on different ports. For a protocol without port numbers, this is achieved by using different identifiers (e.g. a filesystem file) for each server.
Some servers can operate on both TCP/IP and local sockets. For example, MySQL can accept connections both through the usual TCP port, and also through a local socket (mysql.sock). Connecting through the local socket is reserved for local users only, and may be faster on some systems.
Sometimes You may have some other software installed in your computer that may use the same port. For instance Apache and IIS: imagine you set port 8080 to IIS as default, what about if you had previously installed Apache set port 8080 ?
Another example will be if you installed Mysql Workbench and days later install XAMPP you may have trouble with the ports if you don't change one instance's port different from 3306
This is why it is necessary to specify ports even though is locally.
I am running a Ruby on Rails application on Heroku and my database is in someother place where it will be accessed with certain whitelisted IP's only but since heroku doesn't provide dynamic IP's I thought of using proximo.
Please help me how to connect to remote database with proximo from heroku.
We had a difficult time achieving this (we ended up whitelisting every domain)
IP's
The problem is Dyno's are hosted on AWS' EC2 cloud - meaning they aren't actually Heroku's servers. This causes a lot of problems, as the IPs are all shrouded & change:
Because the Heroku dyno grid is dynamic in nature, the IP address that
a given dyno will be assigned over time will be both dynamic and
unpredictable. This dynamic sourcing of outbound traffic can make it
difficult to integrate with APIs or make connections through firewalls
that require IP-based whitelisting
After seeing the proximo addon, you may be able to achieve what you need using a static IP
Proximo
According to the proximo tutorial on Heroku's site, you should be able to install the add-on & receive your outbound IP relatively simply:
$ heroku addons:add proximo:development
Adding proximo to sharp-mountain-4005⦠done, v18 ($5/mo)
Your static IP address is 127.0.0.1
You should then be able to use this on your db host - to allow the IP
No ruby database adapters natively support proxy connections so for database access you need to proxy your calls via a SOCKS proxy. A SOCKS wrapper script to do this is available as part of our QuotaGuard Static Heroku add-on.
You configure this by prepending the call to the wrapper script in your Procfile so should work with minimal integration.
web: bin/qgsocksify bundle exec unicorn -p $PORT -c ./config/unicorn.rb
By default this wrapper routes all outbound TCP traffic via the proxy but there is additional configuration available to limit this to just your database traffic.
A workaround is to whitelist all IP adresses from your SQL database provider admin interface:
You can do this by whitelisting 0.0.0.0/0. (In Google Cloud SQL, you can do this under "authorized networks")
If you do so, it is highly recommended to configure your connection to use SSL and to only allow SSL connections to your database.
You can configure NGINX as your reverse proxy to allow your Heroku app to connect to the IP address(which is your NGINX server and whitelisted), the reverse proxy will connect to the DB.
https://stackoverflow.com/a/27874505/1345865
http://blog.talenox.com/post/107675614745/how-to-setup-static-ip-on-heroku
I have two heroku apps accessing the same Redis database. I need to make sure only these two servers can access it.
Normally, I can do this by setting firewall through IP. However, Heroku uses dyno system, and does not have fixed IP for servers.
I found proximo addon, which can be used to set an IP for each of my apps. But I would like to know if there is a simpler solution for this issue.
You don't have any control or guarantee about the servers running your application on Heroku or their IP addresses.
You should use a secondary authentication mechanism, like redis's built in auth scheme for connections to authenticate the incoming request.
This is the mechanism most of the hosted redis providers on Heroku use (RedisToGo, OpenRedis, etc).
working under linux server Centos remotly in local network, my rails server working there too. How can I enable remote web access? And if so how can I enable only couple of ip addresses for web access?
You should check on which addresses the server applications binds. If it has no external IP-Address then it wont be possible to access it directly from the internet. Then it is possible to use port forwarding to forward your application over your router. If you havent any access to the router you should ask the administrator of your network to forward it for you.
Another possibility is to plug a VLAN to a secound interface but you should think about security when you have a server that is connected to your NATed network and the internet directly!
if its only rails production server setup then you can try with this:
http://www.leonardteo.com/2012/11/install-ruby-on-rails-on-ubuntu-server/
it uses https://github.com/ballistiq/ruby-passenger-nginx-installer and they are maintaining the installer. I found its very helpful. it works like no-pain