I'm wondering what folks have done to better secure the POL administration webserver. It's incredibly convenient, but the simple password authentication process is very insecure. In the past I've restricted access via IP and firewalls, but that inevitably leads to me not having access to it when I'm on the road. I've started looking into ways to possibly wrap the site with some kind of token or two-factor auth method - something like Auth0. Not even sure how feasible this is, but thought I'd ask before I start reinventing the wheel.
Thanks!
Securing the POL webserver
Re: Securing the POL webserver
We "recently" had a long discussion about this on chat, and I think the general consensus is that the best way to handle securing the web server is to intercept the web connection request and use some form of authentication externally prior to allowing access to the server. It was a month or so ago when the discussion took place, and I am not a web programmer, but that was the gist of the conclusion, at least that's what I remember.
Re: Securing the POL webserver
My solution was simple.
Block access to the POL webserver from public, and export generated data to public website.
Many reasons behind this decision, mainly:
1) securing a webserver is hard. Apache, IIS, etc. have years and millions of dollars of development behind them. Let's do webserver to webserver software.
2) public access to the POL webserver leads easily to information disclosure and similar, with people directly querying the webserver and finding scripts or bugs in the scripts
3) public access to POL webserver leads easily to denial of service, as webserver script handling time is subtracted from world scripts time
Re: Securing the POL webserver
I use nginx and proxy_pass to access polweb, so I can use all nginx security features before accessing pol.
Last edited by RusseL on Wed Oct 18, 2017 8:45 am, edited 1 time in total.
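As an added example, not code from any poster in this thread: a minimal nginx front-end of the kind RusseL describes, with proxy_pass to the POL webserver and authentication plus rate limiting applied before any request reaches POL. It assumes the POL webserver is reachable only on loopback at 127.0.0.1:8080 (a placeholder port, enforced separately by firewall); the hostname, certificate, CA and htpasswd paths are placeholders.

```nginx
# Added example, not from the thread. Goes inside the http { } block.
# Throttle the basic-auth prompt so password guessing is slow (5 attempts/minute per IP).
limit_req_zone $binary_remote_addr zone=poladmin:10m rate=5r/m;

server {
    listen 80;
    server_name pol-admin.example.org;          # placeholder hostname
    return 301 https://$host$request_uri;       # never serve the admin site in clear text
}

server {
    listen 443 ssl;
    server_name pol-admin.example.org;          # placeholder hostname

    ssl_certificate     /etc/nginx/tls/pol-admin.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/pol-admin.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # First factor, checked by nginx before POL sees the request.
    auth_basic           "POL administration";
    auth_basic_user_file /etc/nginx/pol-admin.htpasswd; # placeholder path

    # Second factor: a client certificate issued by your own admin CA.
    # Works from the road without an IP allow-list, so it replaces the firewall rule.
    ssl_client_certificate /etc/nginx/tls/admin-ca.crt; # placeholder path
    ssl_verify_client      on;

    limit_req zone=poladmin burst=10 nodelay;

    location / {
        # Only nginx can reach the POL webserver; it is bound to loopback.
        proxy_pass         http://127.0.0.1:8080;       # placeholder port
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

With ssl_verify_client on, a request without a valid client certificate is rejected during the TLS handshake, so neither the password prompt nor POL's own login page is ever exposed to it.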
Re: Securing the POL webserver
Thanks, these are some good ideas that I'm looking into.