RoR: Private API Protection

I have two Rails applications on separate virtual servers, but on the same object. Both applications can communicate through local IP addresses.

This is a two-part question:

1) How to check where the request is sent from and restrict requests to only those in this place?

2) Do you think it would be safe enough?

My gut tells me it's not secure enough because of IP spoofing, but I think OAuth or the like is too hardcore for my needs. Although, maybe not.

This is the first time I have approached something like this, and I am looking for anyone who can push me in the right direction.

Thanks.

+3
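For the Rails side of part 1), here is an added example (not from the question or the answers below) of a Rack middleware that admits requests to a private API prefix only when the TCP peer address falls inside an internal network. It assumes the prefix `/internal` and the RFC 1918 and loopback ranges as placeholders; the decision is taken from REMOTE_ADDR alone, never from X-Forwarded-For, because that header is set by whoever sends the request.

```ruby
require "ipaddr"

# Rack middleware: requests whose path starts with the private prefix are
# answered 403 unless the TCP peer address is in an allowed network.
# Placeholder networks; replace with the real addresses of the two servers.
class InternalOnly
  INTERNAL_NETS = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
                    .map { |cidr| IPAddr.new(cidr) }.freeze

  def initialize(app, prefix: "/internal", nets: INTERNAL_NETS)
    @app, @prefix, @nets = app, prefix, nets
  end

  def call(env)
    return @app.call(env) unless env["PATH_INFO"].to_s.start_with?(@prefix)

    # REMOTE_ADDR is filled in by the server from the accepted socket.
    # X-Forwarded-For is ignored on purpose: a remote client can set it freely.
    peer = env["REMOTE_ADDR"].to_s
    unless self.class.internal?(peer, @nets)
      return [403, { "Content-Type" => "text/plain" }, ["forbidden\n"]]
    end
    @app.call(env)
  end

  # True when addr parses as an IP inside one of nets; malformed input is denied.
  def self.internal?(addr, nets = INTERNAL_NETS)
    ip = IPAddr.new(addr)
    nets.any? { |net| net.include?(ip) }
  rescue IPAddr::InvalidAddressError, ArgumentError
    false
  end
end

# In a Rails app this would go in config/application.rb:
#   config.middleware.insert_before 0, InternalOnly
```

This is a second layer behind host firewall rules such as the iptables set in the accepted answer, not a replacement for them: if the app is fronted by a reverse proxy, REMOTE_ADDR is the proxy's address and the check must instead run on the proxy or on the firewall.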



  • iptables , IP- ( , iptables.) , (. ).
  • ; SSL - node . : -, ( , , iptables - , config iptables ), -, (, .) (, , net-snmpd v3 .. ) SSL . , ssh stunnel

iptables, (HTTP, SSH ..) (-), www1 www2 node MySQL 3306 eth0 (www1 www2 /etc/hosts, IP-.):

# *raw
#
#  Allows internal traffic without loading conntrack
# -A PREROUTING -i lo -d 127.0.0.0/8 -j NOTRACK

*filter

#  Allows all loopback (lo0) traffic and drops all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

#  Accepts all established inbound connections (TCP, UDP, ICMP incl. "network unreachable" etc.)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT

#  Allows MySQL within our cluster ONLY
#  (these must come before the final REJECT below; rules appended after it are never reached)
-A INPUT -p tcp -s www1 -i eth0 --dport 3306 -j ACCEPT
-A INPUT -p udp -s www1 -i eth0 --dport 3306 -j ACCEPT
-A INPUT -p tcp -s www2 -i eth0 --dport 3306 -j ACCEPT
-A INPUT -p udp -s www2 -i eth0 --dport 3306 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level debug

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
+3

Rails, -. , HTTP. , .

, , . , Rails, , API . API.


+1

Source: https://habr.com/ru/post/1704104/
