tj / axon

message-oriented socket library for node.js heavily inspired by zeromq
MIT License

How to handle tcp authentication? #128

Closed paulshapiro closed 10 years ago

paulshapiro commented 10 years ago

We need to secure our bind points for our axon sockets, so that not just anyone can connect to the axon sockets, so we've been looking at auth strategies.

Normally, if just using req/rep sockets, we'd be able to do the auth right within the socket, but we're also unfortunately using some pub/sub, which has no capacity for doing auth in the socket, since the sub side of things is totally passive (read only).

Thus, the most viable plan for auth that we came up with is having a tcp proxy sit in front of axon's socket ports and do the auth in there. Basically, any peers that try to access the axon socket port would have to go through the proxy, and peers would be authenticated by sending an initial tcp 'auth' command to the proxy, which would return with some secret key that all peers would have to send on any axon tcp socket activity, i.e. in a header of every socket .send and .connect.

The problem with this strategy is we'd have to inject data into the tcp socket stream used by axon, which would mean forking axon, which is not preferable.

Is there a good way to handle simple auth for axon sockets? Your guidance would be very much appreciated.

Thanks so much. Paul

tj commented 10 years ago

do you need to expose the sockets to the world? typically you'd firewall or just communicate in a private network

paulshapiro commented 10 years ago

Right, we'd love to be able to keep all services private... Unfortunately, some of them must communicate across different hosting providers.


tj commented 10 years ago

hmm you could probably still pull it off with firewalls, I don't have any plans on adding auth support to axon personally

gjohnson commented 10 years ago

I have always done this with firewalls as well.

paulshapiro commented 10 years ago

Interesting. Do you guys mean whitelisting IPs of axon servers via a firewall? Can't think of another way without modifying axon...


gjohnson commented 10 years ago

We ran on AWS, so we used security groups, but you can just do it with iptables.

tj commented 10 years ago

we just use AWS security groups in our VPC to whitelist

paulshapiro commented 10 years ago

got it. thanks for the input!

paulshapiro commented 10 years ago

@visionmedia would you be interested in a pull request if we added auth + encryption into axon itself? Or, not planning on including auth in axon, as auth might bloat axon?

tj commented 10 years ago

yeah I can't think of any super compelling reason to have it in core

gjohnson commented 10 years ago

Try overriding via .use()

paulshapiro commented 10 years ago

@visionmedia gotcha.

@gjohnson aha, perfect. thanks!