Implementing SSL in Java Based Web Applications - mysql

I have a Java based web application developed in Amazon EC2. It is doing transactions of confidential information. I have a MySQL server installed all by myself in the same Amazon instance. The web application accesses the database via localhost. In Security Groups, I have created a custom security where the port 8080 (the Tomcat) can be accessed only via localhost.
Considering these, do I still need SSL to make sure the transactions are secured?

It depends. Are you comfortable with plain text inside the datacenter? Don't bother with SSL.
Are you worried about that traffic being sniffed locally (tcpdump) or from a malicious source (for instance, if data was being rerouted from the switch between EC2 instances)? Use SSL.
There's a trend of large companies making sure to encrypt local traffic.

Related

is there possibility to connect asp.net website hosted on a different server to a database on another server?

I know quite well that it is not a good idea except for inevitable reasons. It is ideal to host the database on the same server as the web applications. However, my server couldn't log in to phpMyAdmin using MySQL 5 despite all credentials being correctly provided, with no error except for the note that "Cookies must be enabled past this point." I have set cookies to allow, added the website and other configuration, and it is still not working. I have tried several browsers both on PC and mobile phones and it's not working either. I tried to create a database from several online remote sources such as FreeSQl, FreeDB, Somee etc.; it works fine while testing through Visual Studio locally on PC remotely, but as soon as I host, it will not work as a result of a connection issue which I am aware of. I hope someone will help me out, possibly provide me with a link to where I can create and set up a MySQL database whose connection will work live on another server where I host my website, or tell me how to solve the phpMyAdmin issue. I will be fine with it. I am available to answer questions so as to help me achieve my aim. Thanks
Not only is this possible, but it is a common setup. You will often have some database server system - and it is certainly not going to host the web site. The web site is VERY often hosted and placed on a different server.
In fact, some companies will adopt a hosting company for their web site, but it hits and connects to their database server that is on premises (or so called "on-prem"). In fact this approach is often used to allow say Android phones, and other services to consume data from the company database, but that company would NEVER think of opening up ports to outside connections. (They set up a secure connection between the web hosting system and their local network - often VPN, but it really doesn't matter.) As such the company database server ONLY allows connections from the local network and then say a pre-defined IP address incoming from the web hosting.
So, you can adopt cloud hosted say SQL running on the Azure OS (SQL Azure). And just like all instances of Azure? Well, security can be several approaches. I mean a database hosted on Azure is RARELY simply opened up to the wild internet to allow ANYONE to connect. Heck, 16 years ago I tested opening up my home router to outside SQL connections. In less than 20 minutes, I began to see attempted logons to that SQL server.
There are bots that scan IP numbers + ports on the internet. So I began to see this:
Logon fail: sa, password="password"
Logon fail: sa, password="123456"
etc. etc. etc.
So there are quite a few companies offering hosted database systems; Azure and AWS come to mind. However, they don't allow just any old one with an IP address to connect. In a lot of cases, security will be some fixed IP address (like for example the company's network or external fixed IP that their ISP provider gives them). While most consumer internet systems are not fixed IP addresses? Today even relatively smaller businesses need and want workers to work remote. So they pay a few extra dollars per month (often only about $10, maybe $20) and now they have a fixed IP address. And from that they tend to set up and adopt a VPN based on that now fixed IP address.
The hosted SQL server? Well, it also will be set up to ONLY accept external incoming requests from a known IP address - and thus those bots and IP scanners can't connect.
Now MOST low cost web hosting plans include SQL server or MySQL as part of the low cost hosting package. In that case, the connection from the web site to the database server is INTERNAL and such database systems do NOT allow or permit outside connections to the database server. So, when buying a book on Amazon.com, their web hosting system can easily connect to the database - but that is NOT an outside connection.
However, can you use that VERY low cost budget web hosting, and connect OUT to an outside database? Yes, a lot of them allow this, and as noted, it's not going to be a surprise that some database is being hosted say on Azure. And as noted, in this case, your web hosting software will thus connect to Azure in much the same way any other outside system connects. So while few web hosting systems allow OUTSIDE connections to the database included with such packages? Well, a lot of them certainly allow you to reach out - and hit other web sites, other web services (maybe a weather and temp display on your site????). So reaching out as a general rule is possible - reaching in? Not so much!! About 10 years ago, quite a few web hosting providers - even low cost ones - DID allow external ODBC connections to the database system. However, due to security issues, most providers don't allow this. I think even GoDaddy still allows this, but if you do ask for this ability, then the database server(s) you get are different than their regular ones - again they don't want to open up security issues and that can often open up holes to other customers' databases hosted on that system. But, as noted, with the rise of SQL Azure and others? We are seeing a real comeback in hosting providers now offering external connections to database systems that are set up to allow the hosted web sites to hit those databases.
So you have to check with whoever is going to provide you with the web hosting, and find out if that web hosting allows "reaching out" to other web services, or reaching out to other database servers - as I noted - this is quite common now. It's just a question then of whether the web hosting say supports a VPN to reach out, or say reaching out on a particular port + fixed IP to some database server; those are the nitty-gritty details that will vary based on your needs, or what that ISP in fact allows.
So what and who and what ports are allowed to reach out? Well, that's going to be based on what your ISP and hosting plan for the web site allows - you have to check if they allow hosted web sites to "reach out" of their web hosting plans.

Express/NodeJS application on Cpanel

Ok so I have an app with a Node/Express API and everything works fine on localhost. I'm trying to figure out how to make everything work on CPanel that's running on Apache. The client side stuff but I am unable to fetch any data from the backend. I've searched and looked, yes, but I'm still quite unsure on how to approach this. Do I have to use a Virtual Host and if so what are the specific steps I need to do?
NodeJS doesn't run on Apache or Nginx. Most you can do in these web servers is to set a reverse proxy.
NodeJS has its own web server. cPanel won't help you in that regard, since you only need to install NodeJS on your server (you must have SSH access-root), and run it from there. You can daemonize your Node process to keep it running by installing PM2 or Forever (NPM packages).
Here's a good answer (search before asking, the issue might be solved by then).
Run node.js on cpanel hosting server
cPanel typically runs Apache or another web server that is shared among all the cPanel/unix accounts. The web server listens on port 80. Depending on the domain name in the requested URL, the web server uses "Virtual Hosting" to figure out which cPanel/unix account should process the request, i.e. in which home directory to find the files to serve and scripts to run. If the URL only contains an IP address, cPanel has to default to one of cPanel accounts.
Ordinarily, without root access, a job run by a cPanel account cannot listen on port 80. Indeed, the available ports might be quite restrictive. If 8080 doesn't work, you might try 60000. To access a running node.js server, you'll need to have the port number it's listening on. Since that is the only job listening on that port on that server, you should be able to point your browser to the domain name of any of the cPanel accounts or even the IP address of the server, adding the port number to the URL. But, it's typical to use the domain name for the cPanel account running the node.js job, e.g. http://cPanelDomainName.com:60000/ .
Of course port 80 is the default for web services, and relatively few users are familiar with optional port numbers in URLs. To make things easier for users, you can use Apache to "reverse proxy" requests on port 80 to the port that the node.js process is listening on. This can be done using Apache's RewriteRule directive in a configuration or .htaccess file. This reverse proxying of requests arguably has other benefits as well, e.g. Apache may be a more secure, reliable and manageable front-end for facing the public Internet.
Unfortunately, this setup for node.js is not endorsed by all web hosting companies. One hosting company that supports it, even on its inexpensive shared hosting offerings, is A2Hosting.com. They also have a clearly written description of the setup process in their Knowledge Base.
Finally, it's worth noting that the developers of cPanel are working on built-in node.js support. "If all of the stars align we might see this land as soon as version 68," i.e. perhaps early 2018.
References
Apache Virtual Hosting - http://httpd.apache.org/docs/2.4/vhosts/
Apache RewriteRule Directive - http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html
A2Hosting.com Knowledge Base Article on Configuring Node.js - https://www.a2hosting.com/kb/installable-applications/manual-installations/installing-node-js-on-managed-hosting-accounts
cPanel Feature Request Thread for node.js Support - https://features.cpanel.net/topic/nodejs-hosting
Related StackOverflow Questions
How to host a Node.Js application in shared hosting
Why node.js can't run on shared hosting?
It's worth pointing out that the NodeJS support hasn't yet come to cPanel (as of early 2019).
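A Node backend arranged for the reverse-proxy setup described in the answer above, as an added example that is not part of the original posts. It assumes Apache runs on the same machine and proxies to port 60000; the names `clientAddress`, `handler` and `start` and the `--listen` switch are hypothetical.

```javascript
// Added example, not code from the answer. Function names are hypothetical.
const http = require('http');

const PORT = 60000;        // the high port used in the answer's example URL
const HOST = '127.0.0.1';  // assumption: Apache proxies from the same machine

const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Apache's proxy appends the address it saw to X-Forwarded-For, so only the
// last entry is trustworthy, and only when the TCP peer is the local proxy.
function clientAddress(req) {
  const peer = req.socket.remoteAddress;
  if (!LOOPBACK.has(peer)) return peer; // direct hit on the port: ignore headers
  const xff = req.headers['x-forwarded-for'];
  if (typeof xff !== 'string' || xff.trim() === '') return peer;
  return xff.split(',').pop().trim();
}

function handler(req, res) {
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ client: clientAddress(req) }));
}

// Binding to loopback means http://cPanelDomainName.com:60000/ no longer
// answers from outside; every request has to arrive through Apache on port 80.
function start() {
  return http.createServer(handler).listen(PORT, HOST);
}

// Run as: node server.js --listen
if (process.argv.includes('--listen')) start();
```

On a shared host other local accounts can still reach a loopback port, so the application's own authentication remains necessary.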

Express app not accessible sometimes only for some users

The app is not accessible sometimes but only for some users. In the same LAN also, some users can access but some cannot.
The web app was designed with following technologies
Node
Angular
Express
MySql.
It's hosted in AWS EC2, MySql is also installed on the same EC2 instance.
I have no idea how this is happening. The server was running all the time.
This error is not related to your application - it's just that the domain cannot be resolved. You should check your DNS settings on the server and on clients. See also instruction here, for example.

How to automatically detect a server?

We have developed a client app and a server app. The client communicates with the server using the http protocol and sends some data to be processed by the server.
Our structure allows us to have the server installed anywhere. It can be on the same client network or even on the cloud.
When the server is hosted on the cloud, it makes sense asking the user for the server address (since it can change if the user wishes to) but it does not make sense when the server is on the same network as the client. Besides that, we are currently asking users to configure the server ip/name in order to connect to the server.
To avoid this (asking users for the address) I have developed a discovery service based on UDP. The client broadcasts a message that the server answers with its address. It does work in some cases, but it does not when the user has some kind of firewall, proxy or even an antivirus.
I have read a lot about discovery services, and the one that I like most is Bonjour.
So, the question is: what is the best way of discovering a server's IP when the server is on the same network as the client without being blocked by firewalls, proxies, etc?
You can keep your service purely local (in the intranet) and build on top of what you are using now by implementing hole punching. You can get past firewalls, but I'm really not sure about AV software policies.
Or you can establish a well-known http-based discovery service in the internet.
A server comes alive, sends its (local) ip address to the discovery service (keeps sending keep-alives)
On startup, the client queries that discovery service, identifies the local subnet he is in, and gets back the local ip address of the server.
That of course creates a single point of failure in your system in that if the discovery service kicks the bucket, your clients cannot find servers. You can remedy that by replicating the service and/or introducing fallback mechanisms (like the purely local discovery you have), which you probably want to do anyway. The only problem you might have is the subnet identification, if computers in local subnets don't share external IP addresses (then it depends on what a local subnet is for you).
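The registry at the core of the HTTP-based discovery service described in the answer above, as an added example that is not part of the original post. The class and function names, the 30-second keep-alive window and the /24 definition of "local subnet" are assumptions, and the private-address check is a safeguard added here rather than something the answer specifies.

```javascript
// Added example, not code from the answer. All names here are hypothetical.
const TTL_MS = 30000; // assumed keep-alive window before a silent server is dropped
const PRIVATE = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16]]; // RFC 1918

// Parse a dotted-quad IPv4 address into an integer, or return null if malformed.
function ipToInt(ip) {
  const parts = String(ip).split('.');
  const ok = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reduce((n, p) => n * 256 + Number(p), 0) : null;
}

// True when integer address addr lies inside base/prefix.
function inCidr(addr, base, prefix) {
  const size = 2 ** (32 - prefix);
  return Math.floor(addr / size) === Math.floor(base / size);
}

// Only private addresses are accepted, so a forged registration cannot point clients off-LAN.
function isPrivate(ip) {
  const n = ipToInt(ip);
  return n !== null && PRIVATE.some(([base, bits]) => inCidr(n, ipToInt(base), bits));
}

class DiscoveryRegistry {
  constructor(prefix = 24) { // assumed size of "the local subnet"
    this.prefix = prefix;
    this.byPublicIp = new Map(); // public IP -> Map(local IP -> last keep-alive)
  }
  // Registration and keep-alive. publicIp must be the source address the
  // service observed on the connection, never a value from the request body.
  register(publicIp, localIp, now = Date.now()) {
    if (!isPrivate(localIp)) return false;
    if (!this.byPublicIp.has(publicIp)) this.byPublicIp.set(publicIp, new Map());
    this.byPublicIp.get(publicIp).set(localIp, now);
    return true;
  }

  // Live server behind the same public IP and in the client's subnet, else null.
  lookup(publicIp, clientLocalIp, now = Date.now()) {
    const client = ipToInt(clientLocalIp);
    const servers = this.byPublicIp.get(publicIp);
    if (client === null || !servers) return null;
    for (const [localIp, seen] of servers) {
      if (now - seen > TTL_MS) servers.delete(localIp); // keep-alives stopped
      else if (inCidr(ipToInt(localIp), client, this.prefix)) return localIp;
    }
    return null;
  }
}
```

A `null` result covers the case the answer warns about, where client and server do not share an external IP address; the client then falls back to local discovery or manual configuration.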

Database application and remote MySql

I would like to create a desktop application that should work with data on a MySQL server running on a remote machine.
So each user has a copy of the desktop app and edits data on the remote MySQL server.
Now my problem is that the MySQL server will not allow connections from other hosts.
Question: is this just the wrong way of creating the app? If not, how do I give any host access to the MySQL server?
(I know I can open up for a specific IP but that won't work as the app could be running anywhere)
You should front your database on the server with a thin service layer, where you could do some validation / processing on the data, perform authentication, etc. Your client apps would then expose those methods in your service layer as web services, to which your client apps would communicate using either SOAP/XML, REST/JSON, etc. In general, it is a bad idea to expose your database directly if your application is within a LAN, and a terrible one to expose it on the internet.