Tags: websockets, elastic load balancer
Sergio @ coursebase.co
New analytics features
Before
After (engine=websocket)
X-Forwarded-For: Ip, Ip, ...
X-Forwarded-For: Ip, Ip, ...
PROXY protocol (30/07/2013)
1) Read the ELB doc to enable it with aws elb
PROXY <TCP4 or TCP6> <remoteAddress> <proxyAddress> <remotePort> <proxyPort>\r\n
e.g. PROXY TCP4 1.1.1.1 2.2.2.2 34567 80\r\n
2) Use a library in your API to retrieve this information
Note: the socket.io polling transport requires sticky sessions on the ELB
Big picture
elbip:443 (SSL) -> ec2ip:80 (PROXY + HTTP)
@TODO Use SPDY (move SSL into API)
Is your ec2ip:80 visible?
Proof of concept
$ cat proxy.txt
PROXY TCP4 ijaws2014 ec2ip 80 80\r\n
GET /x/ HTTP/1.1\r\n
User-Agent: curl/7.35.0\r\n
Host: ec2ip\r\n
Accept: */*\r\n
\r\n
\r\n
$ cat proxy.txt | nc ec2ip 80
(\r\n marks the CRLF line endings the PROXY line and the HTTP request need; note that the remoteAddress field "ijaws2014" is not even an IP address)
ElasticSearch - @ip spoofed
?
OWASP Top 10 (2013)
A01 - Injection
A02 - Broken Authentication and Session Management
A03 - Cross-Site Scripting (XSS)
A04 - Insecure Direct Object References
A05 - Security Misconfiguration
A06 - Sensitive Data Exposure
A07 - Missing Function Level Access Control
A08 - Cross-Site Request Forgery (CSRF)
A09 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
AWS Security rules
(don't hardcode IPs: use security groups, and allow ec2ip:80 only from the load balancer's security group)
Questions?
Sergio @ coursebase.co