Posted to user@predictionio.apache.org by Shane Johnson <sh...@gmail.com> on 2017/09/01 05:24:31 UTC

Securing Event Server on Heroku?

Hi everyone. We are building an app exchange app that is leveraging the
Heroku deployment of PIO. We are needing to secure the posts to the
events.json endpoint as well as the queries.json endpoint on Heroku.

Do you have any suggestions on how to add security around adding events and
querying predictions? Is there an add-on on Heroku or would it be necessary
to extend the Scala code to look for a secret key? I would prefer to not
extend the Scala and have authentication happen at the Heroku level if
possible.

Thank you in advance!

*Shane Johnson | 801.360.3350*
LinkedIn <https://www.linkedin.com/in/shanewjohnson> | Facebook
<https://www.facebook.com/shane.johnson.71653>

Re: Securing Event Server on Heroku?

Posted by Pat Ferrel <pa...@occamsmachete.com>.
TLS/SSL is required along with authentication of the HTTPS requests. I’m not familiar with Heroku, but the proxy must authenticate the incoming connections. Nginx has basic auth and is a fast proxy, for instance.

A cheap and dirty approach, not recommended unless it is your only option, is to set your security restrictions to allow connections only from a known IP address or range where your app servers run (the servers using the PIO SDK). This would be a setting in Heroku, I assume. In AWS it is done with VPC Security Groups.



Re: Securing Event Server on Heroku?

Posted by Mars Hall <ma...@salesforce.com>.
Shane,

A whole different perspective to this, still involving private networks, is
to deploy all the apps that need to access PIO directly onto the same
network. No auth required!

Or, peer the PredictionIO private network with other cloud resources, such
as Salesforce org IP restrictions.



-- 
*Mars Hall
415-818-7039
Customer Facing Architect
Salesforce Platform / Heroku
San Francisco, California

Re: Securing Event Server on Heroku?

Posted by Mars Hall <ma...@salesforce.com>.
Hi Shane,

As you've found, PredictionIO itself does not include a complete
authorization solution. A general solution is to isolate PredictionIO from
the internet on a private network, and then implement a gateway/proxy to
authorize and route traffic to PredictionIO eventserver and engine query
API.

With Heroku Enterprise, this architectural pattern may be implemented by
provisioning two Private Spaces <https://www.heroku.com/private-spaces>;
recommended naming pattern: *example-public* (frontend) & *example*
(backend).

Configure the backend space to only trust incoming traffic from the public
space and itself. In the Heroku Dashboard <https://dashboard.heroku.com/>:

   1. With two side-by-side browser windows, open the frontend & the backend
   spaces' *Network* settings.
   2. Copy each of the *frontend* *Space Outbound IPs* to the *backend*
   *Trusted IP Ranges*.
   CIDR notation for each individual IP is X.X.X.X/32.
   3. Copy each of the *backend* *Space Outbound IPs* to its own *Trusted
   IP Ranges*.
   CIDR notation for each individual IP is X.X.X.X/32.

Then, deploy PredictionIO apps to the backend space. In the frontend space,
deploy a public proxy/gateway. We've used Node to make simple proxies, or
try something like Kong API gateway on Heroku
<https://github.com/heroku/heroku-kong> and configure APIs with simple key
authorization.

Keep in mind, all public-facing traffic and inter-space traffic should be
encrypted. SSL/TLS is not available by default for Private Spaces apps.
Therefore, a custom domain name and certificates must be procured and
installed for every app.

I'd like to see a best-practices pattern emerge around securing
PredictionIO. I would love to hear about your ongoing progress,

*Mars

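The gateway pattern described in the message above, as an added example (not code from the thread, Heroku or PredictionIO): a Node proxy for the frontend space that requires a key on every request and forwards only the two PredictionIO endpoints to the backend space. The `X-API-Key` header, the `GATEWAY_KEYS`, `GATEWAY_PORT`, `EVENTSERVER_URL` and `ENGINE_URL` variables and the `.example` hostnames are assumptions.

```javascript
const http = require('node:http');
const https = require('node:https');
const crypto = require('node:crypto');

// Assumed backend-space URLs (placeholders); HTTPS because inter-space traffic should be encrypted.
const UPSTREAMS = {
  'POST /events.json': process.env.EVENTSERVER_URL || 'https://pio-events.example',
  'POST /queries.json': process.env.ENGINE_URL || 'https://pio-engine.example',
};

// Hash both sides so timingSafeEqual always compares equal-length buffers.
const digest = (s) => crypto.createHash('sha256').update(s).digest();
// True only if the X-API-Key header (an assumed header name) matches a configured key.
function isAuthorized(headers, validKeys) {
  const presented = headers['x-api-key'];
  if (typeof presented !== 'string' || presented === '') return false;
  const d = digest(presented);
  let ok = false;
  for (const key of validKeys) ok = crypto.timingSafeEqual(d, digest(key)) || ok;
  return ok;
}

// Authenticate first, then route by exact method and path (allow-list); anything else is a 404.
function decide(req, validKeys) {
  if (!isAuthorized(req.headers, validKeys)) return { status: 401 };
  const target = UPSTREAMS[`${req.method} ${req.url.split('?')[0]}`];
  return target ? { status: 200, target } : { status: 404 };
}

// Request listener; TLS for the public side is assumed to terminate in front of this process.
function handler(validKeys) {
  return (req, res) => {
    const d = decide(req, validKeys);
    if (!d.target) return res.writeHead(d.status).end();
    const headers = { ...req.headers, host: new URL(d.target).host };
    delete headers['x-api-key']; // the gateway key is not passed on to PredictionIO
    const up = https.request(d.target + req.url, { method: req.method, headers }, (r) => {
      res.writeHead(r.statusCode, r.headers);
      r.pipe(res);
    });
    up.on('error', () => { if (!res.headersSent) res.writeHead(502); res.end(); });
    req.pipe(up);
  };
}

// Starts only when configured, e.g. GATEWAY_KEYS=key1,key2 GATEWAY_PORT=8080 node gateway.js
if (process.env.GATEWAY_KEYS && process.env.GATEWAY_PORT) {
  http.createServer(handler(process.env.GATEWAY_KEYS.split(',').filter(Boolean))).listen(process.env.GATEWAY_PORT);
}
```

The query string is forwarded unchanged, and the backend space's Trusted IP Ranges still need to limit who can reach the upstream URLs directly.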