On Mon, Aug 6, 2012 at 5:08 PM, Karl <[email protected]> wrote:
> I know every firewall is different, and maybe a proxy and filter are the
> best methods to handle this. But I need to give them some guidance.
>
> Can someone give me some tips on what to tell firewall administrators what
> to do to allow access to a Heroku application?
A couple of options:

- If you control both endpoints and aren't tied to a firewall-based solution, configure digest auth on the Web server and rely on that. Expose the Web server on a non-default port and/or path if you want less noise. The attack surface is still fairly small, especially if the Web server performs digest auth before your app sees the request.

- Use a proxy, typically a tiny VM from your choice of providers.

- Amazon does publish EC2 public IP ranges: https://forums.aws.amazon.com/ann.jspa?annID=1528. I'd opt for either of the other options before this one, since it would mean keeping up with the forum posts, inevitably missing one, and then having to detect the problem from spurious (dyno-specific) connection timeouts. Creates more problems than it avoids.

Finally, if you use a proxy, here are iptables rules to forward eth0 TCP 1880 to 1.2.3.4:80:

-A PREROUTING -i eth0 -p tcp -m tcp --dport 1880 -j DNAT --to-destination 1.2.3.4:80
-A POSTROUTING -d 1.2.3.4/32 -o eth0 -j MASQUERADE
-A FORWARD -d 1.2.3.4/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT

and permit connections to it:

-A INPUT -i eth0 -p tcp -m tcp --dport 1880 -j ACCEPT

Troy

--
@troyd // @papertrailapp

--
You received this message because you are subscribed to the Google Groups "Heroku" group.
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/heroku?hl=en_US?hl=en
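The proxy-VM forwarding that Troy's reply describes, written out as an added example that is not part of the original thread: a POSIX shell function that generates a complete iptables-restore ruleset for the proxy from its parameters instead of hand-editing four rules. It goes beyond the posted rules in two ways a practitioner needs before the box is reachable: it adds the ESTABLISHED,RELATED accepts (the posted FORWARD rule only matches NEW, so the return half of each forwarded connection needs its own rule), and it takes an optional source CIDR so that only the customer's firewall egress range, rather than the whole Internet, can reach the forwarded port. The interface, ports, the 1.2.3.4 target, the 203.0.113.0/24 source range and the helper names are placeholders and assumptions for illustration, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original thread): generate an iptables-restore
# ruleset for a small proxy VM that DNATs TCP traffic arriving on one port to a
# fixed destination host:port. All parameter values are placeholders.

# gen_forward_rules IFACE LISTEN_PORT DEST_IP DEST_PORT [ALLOWED_SRC_CIDR]
# Prints a ruleset for `iptables-restore`. ALLOWED_SRC_CIDR defaults to
# 0.0.0.0/0 (anyone); pass the customer's egress range to restrict it.
gen_forward_rules() {
  iface=$1 lport=$2 dip=$3 dport=$4 src=${5:-0.0.0.0/0}
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the destination so the packet is routed on to the target host.
-A PREROUTING -i $iface -s $src -p tcp -m tcp --dport $lport -j DNAT --to-destination $dip:$dport
# Hide the original client address so the target's replies return via this box.
-A POSTROUTING -d $dip/32 -o $iface -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Admin SSH; narrow with -s to the admin network in practice (assumption).
-A INPUT -i $iface -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Return traffic and later segments of already-forwarded connections.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the DNAT'd flow may be forwarded, and only from the allowed source range.
-A FORWARD -d $dip/32 -i $iface -s $src -p tcp -m tcp --dport $dport -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Input checks so a typo is rejected instead of being fed to iptables-restore.
check_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
check_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# build_ruleset IFACE LISTEN_PORT DEST_IP DEST_PORT [ALLOWED_SRC_CIDR]
# Returns 1 and prints nothing when the ports or destination IP are malformed.
build_ruleset() {
  check_port "$2" && check_port "$4" && check_ipv4 "$3" || return 1
  gen_forward_rules "$@"
}

# Usage on the proxy VM (placeholder values):
#   build_ruleset eth0 1880 1.2.3.4 80 203.0.113.0/24 | iptables-restore
#   sysctl -w net.ipv4.ip_forward=1
```

Two notes on the design. Forwarding does nothing until net.ipv4.ip_forward is set, which the posted rules do not mention. And the generator deliberately has no INPUT rule for the listen port: a packet DNAT'd in PREROUTING to another host traverses the FORWARD chain, not INPUT, so the FORWARD rule is the one that decides whether the forwarded connection is allowed.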
