Securing the POL webserver

Open discussion forum. For topics that do not fit anywhere else.

Moderator: POL Developer

Laephis
New User
Posts: 6
Joined: Fri Jul 08, 2011 6:00 am

Securing the POL webserver

Post by Laephis » Fri Oct 13, 2017 5:36 pm

I'm wondering what folks have done to better secure the POL administration webserver. It's incredibly convenient, but the simple password authentication process is very insecure. In the past I've restricted access via IP and firewalls, but that inevitably leads to me not having access to it when I'm on the road. I've started looking into ways to possibly wrap the site with some kind of token or two-factor auth method - something like Auth0. Not even sure how feasible this is, but thought I'd ask before I start reinventing the wheel.

Thanks!

Yukiko
Distro Developer
Posts: 2505
Joined: Thu Feb 02, 2006 1:41 pm
Location: San Antonio, Texas

Re: Securing the POL webserver

Post by Yukiko » Sat Oct 14, 2017 8:37 am

We "recently" had a long discussion about this on chat and I think the general consensus is that the best way to handle securing the web server is to intercept the web connection request and use some form of authentication externally prior to allowing access to the server. It was a month or so ago when the discussion took place and I am not a web programmer but that was the gist of the conclusion, at least that's what I remember :)
Sincerely,
Yukiko

I would tell you a UDP joke but you might not get it.

Titus 2:13

xeon
Forum Regular
Posts: 333
Joined: Fri Oct 31, 2008 3:18 am
Location: Italy

Re: Securing the POL webserver

Post by xeon » Mon Oct 16, 2017 12:09 am

My solution was simple.
Block access to the POL webserver from public, and export generated data to public website.

Many reasons behind this decision, mainly:
1) securing a webserver is hard. Apache, IIS, etc. have years and millions of dollars of development behind them. Let's do webserver to webserver software.
2) public access to POL webserver leads easily to information disclosure and similar, with people directly querying the webserver and finding scripts or bugs in the scripts
3) public access to POL webserver leads easily to denial of service, as webserver script handling time is subtracted from world scripts time
Scripter Xeon | Zulu Hotel Italia 7th Age | www.zhi.it

RusseL
Forum Regular
Posts: 349
Joined: Fri Feb 20, 2009 8:30 pm

Re: Securing the POL webserver

Post by RusseL » Mon Oct 16, 2017 3:19 am

I use nginx and proxy_pass to access polweb, so I can use all nginx security features before accessing pol.
Last edited by RusseL on Wed Oct 18, 2017 8:45 am, edited 1 time in total.
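The approach Yukiko describes (authenticate externally before the request ever reaches POL) and RusseL's nginx proxy_pass setup amount to the same thing, so here is one worked nginx configuration showing it. This is an added example, not configuration from the thread or from the POL project. It assumes, hypothetically, that the POL webserver has been bound to 127.0.0.1 on port 8080 so it is unreachable from the public interface (which also covers xeon's point about not exposing it directly), that the admin hostname is admin.example.com, and that a TLS certificate and key already exist at the paths shown.

```nginx
# Added example, not from the thread or from POL. Assumed: POL's webserver listens
# only on 127.0.0.1:8080; hostname, certificate paths and IP ranges are placeholders.

# This directive belongs in the http {} block: one rate-limit bucket per client IP.
limit_req_zone $binary_remote_addr zone=polweb:1m rate=10r/m;

server {
    listen 443 ssl;
    server_name admin.example.com;

    ssl_certificate     /etc/nginx/tls/admin.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/admin.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Layer 1: source-IP allow list (home/office range, RFC 5737 example address).
    # Comment these two lines out if you need access from the road.
    allow 203.0.113.0/24;
    deny  all;

    # Layer 2: credentials are checked by nginx, never by POL's own password prompt.
    # Create the file with: htpasswd -B -c /etc/nginx/polweb.htpasswd admin
    auth_basic           "POL admin";
    auth_basic_user_file /etc/nginx/polweb.htpasswd;

    # Layer 3 (optional): hand the decision to an external auth service such as a
    # 2FA/OIDC gateway via the auth_request module. A 2xx from /_auth allows the
    # request, 401/403 denies it. The gateway on port 9090 is hypothetical.
    # auth_request /_auth;

    # Slow down password guessing: 10 requests/minute per IP, short burst allowed.
    limit_req zone=polweb burst=5 nodelay;

    location / {
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host            $host;
        proxy_set_header   X-Real-IP       $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        # Cap how long one request may hold POL's script thread (xeon's point 3).
        proxy_read_timeout 10s;
    }

    # Internal-only endpoint used by auth_request; only the headers are forwarded.
    location = /_auth {
        internal;
        proxy_pass              http://127.0.0.1:9090/verify;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
        proxy_set_header        X-Original-URI $request_uri;
    }
}

# Redirect plain HTTP to HTTPS so the basic-auth header never travels in clear text.
server {
    listen 80;
    server_name admin.example.com;
    return 301 https://$host$request_uri;
}
```

The layers are independent: the IP allow list alone recreates the firewall restriction Laephis found too limiting, basic auth over TLS alone is already a large improvement over an HTTP password prompt on the game server, and auth_request is the hook for the token or two-factor provider he was considering. Whatever you choose, verify with `curl -I http://<server-ip>:8080/` from an outside host that POL itself answers only on loopback; otherwise every layer above can simply be bypassed.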

Laephis
New User
Posts: 6
Joined: Fri Jul 08, 2011 6:00 am

Re: Securing the POL webserver

Post by Laephis » Mon Oct 16, 2017 7:19 pm

Thanks, these are some good ideas that I'm looking into.
