Re: Securing Event Server on Heroku?

2017-09-01 Thread Pat Ferrel 
TLS/SSL is required along with authentication of the HTTPS requests. I’m not 
familiar with Heroku but the Proxy must authenticate the incoming connections. 
Nginx has basic auth and is a fast proxy, for instance.

A cheap, dirty, and not recommended unless it is your only option, is to set 
your security restrictions to allow connections only from a known IP address or 
range where your app servers run (the servers using the PIO SDK). This would be 
a setting in Heroku I assume. In AWS it is done with PVC Security Groups.


On Sep 1, 2017, at 12:16 PM, Mars Hall  wrote:

Shane,

A whole different perspective to this, still involving private networks, is to 
deploy all the apps that need to access PIO directly onto the same network. No 
auth required!

Or, peer the PredictionIO private network with other cloud resources, such as 
Salesforce org IP restrictions.

On Fri, Sep 1, 2017 at 12:10 PM, Mars Hall mailto:mars.h...@salesforce.com>> wrote:
Hi Shane,

As you've found, PredictionIO itself does not include a complete authorization 
solution. A general solution is to isolate PredictionIO from the internet on a 
private network, and then implement a gateway/proxy to authorize and route 
traffic to PredictionIO eventserver and engine query API.

With Heroku Enterprise, this architectural pattern may be implemented by 
provisioning two Private Spaces ; 
recommended naming pattern: example-public (frontend) & example (backend).

Configure the backend space to only trust incoming traffic from the public 
space and itself. In the Heroku Dashboard :
With two side-by-side browser windows, open the frontend & the backend spaces' 
Network settings.
Copy each of the frontend Space Outbound IPs to the backend Trusted IP Ranges.
CIDR notation for each individual IP is X.X.X.X/32.
Copy each of the backend Space Outbound IPs to its own Trusted IP Ranges.
CIDR notation for each individual IP is X.X.X.X/32.
Then, deploy PredictionIO apps to the backend space. In the frontend space, 
deploy a public proxy/gateway. We've used Node to make simple proxies, or try 
something like Kong API gateway on Heroku 
 and configure API's with simple key 
authorization.

Keep in mind, all public-facing traffic and inter-space traffic should be 
encrypted. SSL/TLS is not available by default for Private Spaces apps. 
Therefore, a custom domain name and certificates must be procured and installed 
for every app.

I'd like to see a best-practices pattern emerge around securing PredictionIO. I 
would love to hear about your ongoing progress,

*Mars

On Thu, Aug 31, 2017 at 10:24 PM, Shane Johnson mailto:shanewaldenjohn...@gmail.com>> wrote:
Hi everyone. We are building an app exchange app that is leveraging the Heroku 
deployment of PIO. We are needing to secure the posts to the events.json 
endpoint as well the queries.json endpoint on Heroku.

Do you have any suggestions on how to add security around adding events and 
querying predictions. Is there an add-on on Heroku or would it be necessary to 
extend the scala code to look for a secret key. I would prefer to not extend 
the scala and have authentication happen at the heroku level if possible.

Thank you in advance!

Shane Johnson | 801.360.3350 
LinkedIn  | Facebook 





-- 
*Mars Hall
415-818-7039
Customer Facing Architect
Salesforce Platform / Heroku
San Francisco, California

Re: Securing Event Server on Heroku?

2017-09-01 Thread Mars Hall 
Shane,

A whole different perspective to this, still involving private networks, is
to deploy all the apps that need to access PIO directly onto the same
network. No auth required!

Or, peer the PredictionIO private network with other cloud resources, such
as Salesforce org IP restrictions.

On Fri, Sep 1, 2017 at 12:10 PM, Mars Hall  wrote:

> Hi Shane,
>
> As you've found, PredictionIO itself does not include a complete
> authorization solution. A general solution is to isolate PredictionIO from
> the internet on a private network, and then implement a gateway/proxy to
> authorize and route traffic to PredictionIO eventserver and engine query
> API.
>
> With Heroku Enterprise, this architectural pattern may be implemented by
> provisioning two Private Spaces ;
> recommended naming pattern: *example-public* (frontend) & *example*
> (backend).
>
> Configure the backend space to only trust incoming traffic from the public
> space and itself. In the Heroku Dashboard :
>
>1. With two side-by-side browser windows, open the frontend & the
>backend spaces' *Network* settings.
>2. Copy each of the *frontend* *Space Outbound IPs* to the *backend* 
> *Trusted
>IP Ranges*.
>CIDR notation for each individual IP is X.X.X.X/32.
>3. Copy each of the *backend* *Space Outbound IPs* to its own *Trusted
>IP Ranges*.
>CIDR notation for each individual IP is X.X.X.X/32.
>
> Then, deploy PredictionIO apps to the backend space. In the frontend
> space, deploy a public proxy/gateway. We've used Node to make simple
> proxies, or try something like Kong API gateway on Heroku
>  and configure API's with simple
> key authorization.
>
> Keep in mind, all public-facing traffic and inter-space traffic should be
> encrypted. SSL/TLS is not available by default for Private Spaces apps.
> Therefore, a custom domain name and certificates must be procured and
> installed for every app.
>
> I'd like to see a best-practices pattern emerge around securing
> PredictionIO. I would love to hear about your ongoing progress,
>
> *Mars
>
> On Thu, Aug 31, 2017 at 10:24 PM, Shane Johnson <
> shanewaldenjohn...@gmail.com> wrote:
>
>> Hi everyone. We are building an app exchange app that is leveraging the
>> Heroku deployment of PIO. We are needing to secure the posts to the
>> events.json endpoint as well the queries.json endpoint on Heroku.
>>
>> Do you have any suggestions on how to add security around adding events
>> and querying predictions. Is there an add-on on Heroku or would it be
>> necessary to extend the scala code to look for a secret key. I would prefer
>> to not extend the scala and have authentication happen at the heroku level
>> if possible.
>>
>> Thank you in advance!
>>
>> *Shane Johnson | 801.360.3350 <(801)%20360-3350>*
>> LinkedIn  | Facebook
>> 
>>
>
>


-- 
*Mars Hall
415-818-7039
Customer Facing Architect
Salesforce Platform / Heroku
San Francisco, California

Re: Securing Event Server on Heroku?

2017-09-01 Thread Mars Hall 
Hi Shane,

As you've found, PredictionIO itself does not include a complete
authorization solution. A general solution is to isolate PredictionIO from
the internet on a private network, and then implement a gateway/proxy to
authorize and route traffic to PredictionIO eventserver and engine query
API.

With Heroku Enterprise, this architectural pattern may be implemented by
provisioning two Private Spaces ;
recommended naming pattern: *example-public* (frontend) & *example*
(backend).

Configure the backend space to only trust incoming traffic from the public
space and itself. In the Heroku Dashboard :

   1. With two side-by-side browser windows, open the frontend & the backend
spaces' *Network* settings.
   2. Copy each of the *frontend* *Space Outbound IPs* to the
*backend* *Trusted
   IP Ranges*.
   CIDR notation for each individual IP is X.X.X.X/32.
   3. Copy each of the *backend* *Space Outbound IPs* to its own *Trusted
   IP Ranges*.
   CIDR notation for each individual IP is X.X.X.X/32.

Then, deploy PredictionIO apps to the backend space. In the frontend space,
deploy a public proxy/gateway. We've used Node to make simple proxies, or
try something like Kong API gateway on Heroku
 and configure API's with simple key
authorization.

Keep in mind, all public-facing traffic and inter-space traffic should be
encrypted. SSL/TLS is not available by default for Private Spaces apps.
Therefore, a custom domain name and certificates must be procured and
installed for every app.

I'd like to see a best-practices pattern emerge around securing
PredictionIO. I would love to hear about your ongoing progress,

*Mars

On Thu, Aug 31, 2017 at 10:24 PM, Shane Johnson <
shanewaldenjohn...@gmail.com> wrote:

> Hi everyone. We are building an app exchange app that is leveraging the
> Heroku deployment of PIO. We are needing to secure the posts to the
> events.json endpoint as well the queries.json endpoint on Heroku.
>
> Do you have any suggestions on how to add security around adding events
> and querying predictions. Is there an add-on on Heroku or would it be
> necessary to extend the scala code to look for a secret key. I would prefer
> to not extend the scala and have authentication happen at the heroku level
> if possible.
>
> Thank you in advance!
>
> *Shane Johnson | 801.360.3350 <(801)%20360-3350>*
> LinkedIn  | Facebook
> 
>