Thanks Troy.

Please don't think I'm picking your solution apart...

On Monday, August 6, 2012 6:47:01 PM UTC-7, Troy Davis wrote:
>
>  - If you control both endpoints and aren't tied to a firewall-based 
> solution, configure digest auth on the Web server and rely on that. 
> Expose the Web server on a non-default port and/or path if you want 
> less noise. The attack surface is still fairly small, especially if 
> the Web server performs digest auth before your app sees the request. 
>

I only control the Heroku end. The other end is behind a corporate firewall 
that I don't control, but I can give them suggestions.
 

>  - Use a proxy, typically a tiny VM from your choice of providers. 
>

And that is my first thought. But not every company has one, or is willing 
to start one just for my app.

>  - Amazon does publish EC2 public IP ranges: 
> https://forums.aws.amazon.com/ann.jspa?annID=1528. I'd opt for either 
> of the other options before this one, since it would mean keeping up 
> with the forum posts, inevitably missing one, and then having to 
> detect the problem from spurious (dyno-specific) connection timeouts. 
> Creates more problems than it avoids. 
>

Agreed. Plus, I just don't believe they (corporate IT) are willing to punch 
that many holes in their firewall.
 

> Finally, if you use a proxy, here are iptables rules to forward eth0 
> TCP 1880 to 1.2.3.4:80: 
>
>     -A PREROUTING -i eth0 -p tcp -m tcp --dport 1880 -j DNAT --to-destination 1.2.3.4:80 
>     -A POSTROUTING -d 1.2.3.4/32 -o eth0 -j MASQUERADE 
>     -A FORWARD -d 1.2.3.4/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT 
>
> and permit connections to it: 
>
>     -A INPUT -i eth0 -p tcp -m tcp --dport 1880 -j ACCEPT 


But that doesn't solve the problem with Heroku. Heroku could pull from any 
IP in the EC2 (east) ranges, correct?

Or are you suggesting putting my app server on a different port than 80/443, 
and allowing HTTP traffic through the firewall for only that port? But 
wouldn't that disregard other users who expect the app to operate on 80/443?

Thanks.

-- 
You received this message because you are subscribed to the Google
Groups "Heroku" group.

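The proxy rules quoted above are in iptables-save syntax and leave out the table each line belongs to (PREROUTING and POSTROUTING are in the nat table, INPUT and FORWARD in filter) and the sysctl that forwarding needs. Below is an added example, not code from Troy or from the thread, that renders the same DNAT proxy as a complete iptables-restore file. The interface (eth0), listen port (1880) and target (1.2.3.4:80) are placeholders taken from the quoted rules; the FORWARD DROP policy and the ESTABLISHED,RELATED accept rule are additions beyond what was quoted.

```shell
#!/bin/sh
# Added example (not from the original thread): the quoted DNAT proxy
# rules as a complete iptables-restore file. Interface, ports and the
# 1.2.3.4 target are placeholders (assumptions), as is the file name.

# Print a full ruleset for: listen on $iface tcp/$lport, forward to $dst:$dport.
render_rules() {
  iface="$1"; lport="$2"; dst="$3"; dport="$4"
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $iface -p tcp -m tcp --dport $lport -j DNAT --to-destination $dst:$dport
-A POSTROUTING -d $dst/32 -o $iface -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $iface -p tcp -m tcp --dport $lport -j ACCEPT
-A FORWARD -d $dst/32 -i $iface -p tcp -m tcp --dport $dport -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the rendered file; a quick sanity check before loading.
rule_count() {
  render_rules "$@" | grep -c '^-A '
}

# Load the ruleset. Forwarding must be on or the DNAT'd packets are dropped.
# iptables-restore replaces the nat and filter tables wholesale; pass
# --noflush if you need to merge into rules that are already loaded.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1
  render_rules "$@" | iptables-restore
}

# Usage (as root):  sh proxy-rules.sh apply eth0 1880 1.2.3.4 80
# Preview only:     sh proxy-rules.sh show  eth0 1880 1.2.3.4 80
case "${1:-}" in
  apply) shift; apply_rules "$@" ;;
  show)  shift; render_rules "$@" ;;
esac
```

Because of the MASQUERADE rule, the corporate firewall only ever sees the proxy's own address as the source, so it needs a single allow entry for that one IP on port 80 rather than the whole EC2 range. Anyone can reach the proxy on 1880, so the digest auth (or TLS) at the web server still matters; the proxy only fixes the source address, not who can connect.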