Securing Worklight Console & AppCenter console while opening access to installers

IBM Worklight 6.2 docs recommend shutting off access from outside networks to Worklight Console and AppCenter console as a means of securing it. I did exactly that (Tomcat 7):

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

I log in to the console via an SSH tunnel (i.e. from the point of view of Tomcat, from localhost). Trying to access it from the internet returns an Unauthorized error (prompting me to enter name and password, but not letting me go any further).

However, the installer apps within AppCenter are being accessed through /appcenterconsole/installers.html. This means in this setup the user will no longer be able to access them. Also, the installer itself uses /applicationcenter/ as its backend, i.e. it should be open. I can open access to this one, but I surely don't want to open access to appcenterconsole. As a workaround, I put a single installer at /applicationcenter/ and pointed applicationcenter/installers.html to there. The installer is now downloaded without AppCenter being involved (and thus not being managed by AppCenter for any updates).

Are there any recommended practices to both secure the appcenterconsole and to open access for users to download installers, so that they are managed by AppCenter?

Otherwise, will the installer app be managed by AppCenter if it's installed by a direct download (rather than through the AppCenter), but if it also exists in AppCenter?

Yes. All the Worklight and AppCenter console pages are generally not accessible from the outside network since they are only accessed by internal users. The only app that must be accessed externally is the AppCenter installer since it is used by the mobile devices and this page is protected.

Best practice in production is to use a Load Balancer and/or a Web Server acting as reverse proxy in front of the application server where Worklight and AppCenter are installed. The Load Balancer or the Web Proxy can be configured to disable forwarding external requests to the Worklight and the AppCenter console, so only authorizing requests on the AppCenter services and the AppCenter installer.

If you don't use a Load Balancer or a proxy, you have to find a way to open external access only to the AppCenter installer page and the AppCenter services, for example with firewall configuration.
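
One way to realize the reverse-proxy setup described in the answer, as an added example that is not part of the original post or of IBM's documentation. It assumes nginx as the proxy, Tomcat listening on 127.0.0.1:8080, and a placeholder host name and certificate paths; any static resources that installers.html loads from under /appcenterconsole/ would need their own exact-match locations.

```nginx
# Added example, not from the original post. Assumptions: nginx as the proxy,
# Tomcat on 127.0.0.1:8080, placeholder host name and certificate paths.
upstream worklight_tomcat {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name appcenter.example.com;                 # placeholder
    ssl_certificate     /etc/nginx/tls/appcenter.crt;  # placeholder
    ssl_certificate_key /etc/nginx/tls/appcenter.key;  # placeholder

    # Tomcat treats ';' as a path-parameter delimiter, nginx does not.
    # Refuse such URIs so proxy and backend agree on the path being requested.
    # Assumption: clients use cookies, not ";jsessionid=" URL rewriting.
    if ($request_uri ~ ";") {
        return 400;
    }

    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;

    # AppCenter services: backend of the installer page and the mobile client.
    location /applicationcenter/ {
        proxy_pass http://worklight_tomcat;
    }

    # The one console page external users need. Exact match only, so nothing
    # else under /appcenterconsole/ is forwarded.
    location = /appcenterconsole/installers.html {
        proxy_pass http://worklight_tomcat;
    }

    # Default deny: the Worklight Console, the rest of the AppCenter console
    # and any other context root on this Tomcat stay unreachable from outside.
    location / {
        return 403;
    }
}
```

With the proxy on the same host, Tomcat sees every forwarded request as coming from 127.0.0.1, so the RemoteAddrValve shown in the question no longer filters external clients and the proxy's location rules become the access control. Bind Tomcat's connector to the loopback address so it cannot be reached directly from outside.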
