Securing the POL webserver


Laephis
New User
Posts: 6
Joined: Fri Jul 08, 2011 6:00 am

Securing the POL webserver

Post by Laephis »

I'm wondering what folks have done to better secure the POL administration webserver. It's incredibly convenient, but the simple password authentication process is very insecure. In the past I've restricted access via IP and firewalls, but that inevitably leads to me not having access to it when I'm on the road. I've started looking into ways to possibly wrap the site with some kind of token or two-factor auth method - something like Auth0. Not even sure how feasible this is, but thought I'd ask before I start reinventing the wheel.

Thanks!
Yukiko
Distro Developer
Posts: 2825
Joined: Thu Feb 02, 2006 1:41 pm
Location: San Antonio, Texas

Re: Securing the POL webserver

Post by Yukiko »

We "recently" had a long discussion about this on chat, and I think the general consensus is that the best way to handle securing the web server is to intercept the web connection request and use some form of authentication externally prior to allowing access to the server. It was a month or so ago when the discussion took place, and I am not a web programmer, but that was the gist of the conclusion, at least that's what I remember :)
xeon
Forum Regular
Posts: 338
Joined: Fri Oct 31, 2008 3:18 am
Location: Italy

Re: Securing the POL webserver

Post by xeon »

My solution was simple.
Block access to the POL webserver from public, and export generated data to public website.

Many reasons behind this decision, mainly:
1) securing a webserver is hard. Apache, IIS, etc. have years and millions of dollars of development behind them. Let's do webserver to webserver software.
2) public access to the POL webserver leads easily to information disclosure and similar, with people directly querying the webserver and finding scripts or bugs in the scripts
3) public access to the POL webserver leads easily to denial of service, as webserver script handling time is subtracted from world script time
RusseL
Forum Regular
Posts: 375
Joined: Fri Feb 20, 2009 8:30 pm

Re: Securing the POL webserver

Post by RusseL »

I use nginx and proxy_pass to access polweb, so I can use all nginx security features before accessing pol.
Last edited by RusseL on Wed Oct 18, 2017 8:45 am, edited 1 time in total.
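The "authenticate externally before the request reaches the server" approach Yukiko describes, and the nginx proxy_pass setup RusseL uses, look roughly like the following. This is an added example, not RusseL's configuration or anything shipped with POL. It assumes the POL webserver has been bound to loopback on port 5000 (a placeholder; use whatever port your pol.cfg sets), that the certificate, CA and htpasswd paths exist, and that admin.example.invalid stands in for your real hostname.

```nginx
# Added example, not part of POL or of the original post.
# Assumptions: POL's webserver listens only on 127.0.0.1:5000 (placeholder
# port) and is firewalled from the public interface; all file paths and the
# hostname below are placeholders to be replaced.

# Cap the request rate per client so a crawler or brute-force attempt cannot
# burn the POL script time that xeon mentions.
limit_req_zone $binary_remote_addr zone=polweb:10m rate=5r/s;

server {
    listen 443 ssl;
    server_name admin.example.invalid;               # placeholder hostname

    ssl_certificate     /etc/nginx/tls/polweb.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/polweb.key;   # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    # Second factor in front of POL's own password: the browser must present
    # a client certificate signed by your private admin CA. This gives access
    # from the road without an IP allowlist.
    ssl_client_certificate /etc/nginx/tls/admin-ca.crt;  # assumed CA file
    ssl_verify_client on;

    # HTTP basic auth as an extra layer, with credentials separate from POL's.
    auth_basic           "POL admin";
    auth_basic_user_file /etc/nginx/polweb.htpasswd;     # created with htpasswd -c

    location / {
        limit_req zone=polweb burst=10 nodelay;
        proxy_pass http://127.0.0.1:5000;                # POL webserver, loopback only
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Drop plain HTTP rather than redirecting it, so the POL password is never
# typed into a cleartext form.
server {
    listen 80;
    server_name admin.example.invalid;
    return 444;
}
```

Check the file with `nginx -t` before reloading. The important part is that nothing but nginx can reach port 5000: if the POL webserver is still reachable directly, every layer above it is bypassed. Failed client-certificate and basic-auth attempts show up in nginx's error log, which is a much easier place to watch for probing than POL's own output.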
Laephis
New User
Posts: 6
Joined: Fri Jul 08, 2011 6:00 am

Re: Securing the POL webserver

Post by Laephis »

Thanks, these are some good ideas that I'm looking into.