TLS/SSL is required along with authentication of the HTTPS requests. I’m not familiar with Heroku but the Proxy must authenticate the incoming connections. Nginx has basic auth and is a fast proxy, for instance.
A cheap, dirty, and not recommended unless it is your only option, is to set your security restrictions to allow connections only from a known IP address or range where your app servers run (the servers using the PIO SDK). This would be a setting in Heroku I assume. In AWS it is done with PVC Security Groups. On Sep 1, 2017, at 12:16 PM, Mars Hall <mars.h...@salesforce.com> wrote: Shane, A whole different perspective to this, still involving private networks, is to deploy all the apps that need to access PIO directly onto the same network. No auth required! Or, peer the PredictionIO private network with other cloud resources, such as Salesforce org IP restrictions. On Fri, Sep 1, 2017 at 12:10 PM, Mars Hall <mars.h...@salesforce.com <mailto:mars.h...@salesforce.com>> wrote: Hi Shane, As you've found, PredictionIO itself does not include a complete authorization solution. A general solution is to isolate PredictionIO from the internet on a private network, and then implement a gateway/proxy to authorize and route traffic to PredictionIO eventserver and engine query API. With Heroku Enterprise, this architectural pattern may be implemented by provisioning two Private Spaces <https://www.heroku.com/private-spaces>; recommended naming pattern: example-public (frontend) & example (backend). Configure the backend space to only trust incoming traffic from the public space and itself. In the Heroku Dashboard <https://dashboard.heroku.com/>: With two side-by-side browser windows, open the frontend & the backend spaces' Network settings. Copy each of the frontend Space Outbound IPs to the backend Trusted IP Ranges. CIDR notation for each individual IP is X.X.X.X/32. Copy each of the backend Space Outbound IPs to its own Trusted IP Ranges. CIDR notation for each individual IP is X.X.X.X/32. Then, deploy PredictionIO apps to the backend space. In the frontend space, deploy a public proxy/gateway. We've used Node to make simple proxies, or try something like Kong API gateway on Heroku <https://github.com/heroku/heroku-kong> and configure API's with simple key authorization. Keep in mind, all public-facing traffic and inter-space traffic should be encrypted. SSL/TLS is not available by default for Private Spaces apps. Therefore, a custom domain name and certificates must be procured and installed for every app. I'd like to see a best-practices pattern emerge around securing PredictionIO. I would love to hear about your ongoing progress, *Mars On Thu, Aug 31, 2017 at 10:24 PM, Shane Johnson <shanewaldenjohn...@gmail.com <mailto:shanewaldenjohn...@gmail.com>> wrote: Hi everyone. We are building an app exchange app that is leveraging the Heroku deployment of PIO. We are needing to secure the posts to the events.json endpoint as well the queries.json endpoint on Heroku. Do you have any suggestions on how to add security around adding events and querying predictions. Is there an add-on on Heroku or would it be necessary to extend the scala code to look for a secret key. I would prefer to not extend the scala and have authentication happen at the heroku level if possible. Thank you in advance! Shane Johnson | 801.360.3350 <tel:(801)%20360-3350> LinkedIn <https://www.linkedin.com/in/shanewjohnson> | Facebook <https://www.facebook.com/shane.johnson.71653> -- *Mars Hall 415-818-7039 Customer Facing Architect Salesforce Platform / Heroku San Francisco, California
