pglombardo / PasswordPusher

🔐 Securely share sensitive information with automatic expiration & deletion after a set number of views or duration. Track who, what and when with full audit logs.
https://docs.pwpush.com
Apache License 2.0

SSL Secured. #67

Closed dalenoe closed 7 years ago

dalenoe commented 7 years ago

Is it possible to secure the application itself?

I'll be using haproxy and securing the front end, but I want both the front end and back end secured.

After a bit of searching, it looks like a chain of proxies would be the way to go. That would ensure the traffic is encrypted all the way to the machine the application is on.

Am I overlooking anything?

pglombardo commented 7 years ago

There are quite a few strategies you could take. One option, for simplicity, would be running multiple copies of the app in docker containers and HAProxy inside of another container on the same host, which would keep traffic local to that host (and greatly simplify things).

As for securing the app itself, one immediate upside is that the app is so simple that many attack vectors aren't available. But the general doc on securing Ruby on Rails applications is here.

Host memory could be another attack vector. The general way to minimize this risk is to run a closed execution operating system such as SELinux.

You could also encrypt the filesystem, but that could be partly redundant as the core payload (unassociated passwords) is already encrypted in the database.

And the last bit I can think of: I assume you'll be using a real database such as Postgres instead of the out-of-the-box default of sqlite. The same traffic security concerns exist as those between HAProxy & the application. Plus, securing Postgres itself.

There's a lot - hope this is helpful and I didn't overwhelm. ;-)

dalenoe commented 7 years ago

@pglombardo Very helpful, and didn't overwhelm me at all. I now have a better understanding, Thanks.

dalenoe commented 6 years ago

@pglombardo Regarding the environment variable for SSL that you have in config/environments/production.rb:

Does that environment variable contain the actual certificate itself, or a path to the certificate?

pglombardo commented 6 years ago

That only checks existence (not content) of the environment variable. If that env var exists, we force SSL for all webpages. If it doesn't, then people can access via http://.

dalenoe commented 6 years ago

Ok, gotcha.

dalenoe commented 6 years ago

Does that variable go into the config/environment.rb file?

dalenoe commented 6 years ago

I am having a heck of a time getting this working with SSL. I have it proxied using haproxy right now, which is working. However, when a new password is "Pushed" it's giving the URL with HTTP instead of the HTTPS URL.

pglombardo commented 6 years ago

That variable is set in config/environments/<whatever RAILS_ENV env var is set to>.rb. So if RAILS_ENV=private, then the file would be config/environments/private.rb.

Could you post your HAProxy config?

dalenoe commented 6 years ago

Gotcha, Thanks.

I will post the haproxy config on Monday, won't be in the office till then.


dalenoe commented 6 years ago

@pglombardo I am trying this in a different environment, not using haproxy at all. I have nginx set up in front of pwpusher. My problem though, is that as soon as the PWPUSH_COM environment variable exists (thus forcing the SSL) it no longer works. Looking at the output after starting the application makes it look like it's a redirect loop. A single request will cause 20+ entries in the daemon output.

dalenoe commented 6 years ago

When SSL isn't being forced on pwpusher, the application works perfectly fine through nginx (both https and http). However, when a password is "pushed", the link created to share is NOT https (regardless of the URL it was created from). Hopefully that makes sense.

pglombardo commented 6 years ago

Since you have HAProxy and Nginx set up as your SSL termination point, I would leave config.force_ssl as false. That way local network communication will always be HTTP to the backend PasswordPusher app.

But then I would put in an nginx or HAProxy rule to force HTTPS/443 requests only to the outside world.

In nginx, this could be done with something like this:

server {
    listen      80;
    server_name pwpush.com;
    return 301 https://$server_name$request_uri;
}

^ for any incoming requests on port 80, send a 301 redirect to https port 443 with the same domain and URI path.

The point being that for this, you shouldn't have to configure PasswordPusher. You should be able to force SSL pages by configuring it in nginx/HAProxy.

dalenoe commented 6 years ago

My only problem now is I can't get the application to give me an HTTPS link when a password is "pushed".

https://dev.dalenoe.com/ As you can see on my instance, when a password is created the link it gives you to share is only HTTP. How can I make it provide an https link?


pglombardo commented 6 years ago

You don't need to. You can add the front end rule (in nginx/HAProxy) and when the browser requests the HTTP url, it will get a 301 to try the HTTPS version instead.

dalenoe commented 6 years ago

That works, I just want the URL shared to be an https link. That's currently how my instance is setup right now.


pglombardo commented 6 years ago

The only option that can affect that in Ruby on Rails is force_ssl: https://stackoverflow.com/questions/15676596/what-does-force-ssl-do-in-rails

But... this might cause communication issues between Nginx/HAProxy and the backend PasswordPusher app. You might have to support 443 traffic on the backend, and set up an SSL endpoint there. Unfortunately I'm not sure and you'll have to test this/work through it.

For these reasons, I suggest sticking to forcing SSL on the SSL endpoint.
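The two symptoms in this thread (a redirect loop once force_ssl is on, and http:// share links when it is off) both come from the app not knowing that the client's request arrived over TLS. The following nginx configuration is an added example, not from the issue or the PasswordPusher project, of terminating TLS at the proxy while forwarding the original scheme so the app generates https:// links; the hostname, certificate paths and the upstream address 127.0.0.1:5100 are assumptions.

```nginx
# Added example (not the project's own config). Assumed values: the
# hostname pwpush.example.com, the certificate paths and the upstream
# address 127.0.0.1:5100 where PasswordPusher listens on plain HTTP.

# Port 80: answer nothing but a 301 to the HTTPS URL with the same host and path.
server {
    listen      80;
    server_name pwpush.example.com;
    return 301  https://$host$request_uri;
}

# Port 443: terminate TLS here and proxy plain HTTP to the app on the same host.
server {
    listen      443 ssl;
    server_name pwpush.example.com;

    ssl_certificate     /etc/nginx/tls/pwpush.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/pwpush.example.com.key;   # assumed path

    location / {
        proxy_pass http://127.0.0.1:5100;                         # assumed upstream

        # Forward the original host and scheme. Rack (and therefore Rails)
        # reads X-Forwarded-Proto to decide request.ssl?, so url helpers
        # emit https:// links, and config.force_ssl, if enabled, sees an
        # SSL request instead of redirecting to itself in a loop.
        # Setting the header from $scheme (rather than passing the client's
        # value through) means a client cannot spoof it.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Verify with `curl -sI http://pwpush.example.com/` (expect a 301 to https://) and by pushing a password through the HTTPS front end and checking that the share link it returns starts with https://.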