On 27 May 2011, at 07:10, Antonio Rohman Fernandez wrote:

> "In our case, the only nodes that are allowed to hit the Riak cluster are
> those of our applications"... what if your app is more complex than that and
> you have thousands of servers all around the world ( different datacenters,
> different networks ) with crawlers, scanners, blackboxes, etc... all
> communicating with Riak and adding/removing new
> scanners/crawlers/blackboxes/etc... every now and then... quite troublesome
> to set up and maintain a firewall for that.
>
> "It is not recommended that you deploy Riak on the public internet"... what
> if apart from webservers with a web-app i want to build iPhone/iPad/Android
> apps that access Riak directly? one thing i love from Riak is its RESTful
> architecture, but if i have to build some API somewhere for the mobile apps
> to interact with Riak... well... the 'cloud' paradigm just vanished for me...
> also, i would have a single point of failure on the API implementation.
>
> any other suggestions?
>

Something like nginx set up as a reverse proxy with re-write rules/filters for URLs you consider a security risk? Instance per riak instance, riak only available on localhost and nginx facing the outside world?

> Rohman
>
> On Fri, 27 May 2011 01:20:00 -0400, Alexander Sicular <sicul...@gmail.com>
> wrote:
>
>> Hi Rohman,
>>
>> It is not recommended that you deploy Riak on the public internet. Keep all
>> access private and then implement iptables on each individual node securing
>> access to upstream clients.
>>
>> Ports to keep in mind -
>>
>> http(s) port (8098)
>> protocol buffers port (8099)
>> epmd (4369)
>> forcing the range of ports erlang uses to communicate amongst other erlang
>> nodes.
>>
>> The latter is not part of the default configuration but I think it should
>> be. At least commented out in app.config.
>>
>> Put it right at the top of the config array above the riak_core directives
>> like so:
>>
>> [
>>   %% limit dynamic ports erlang uses to communicate
>>   %% pick some range that works in your environment
>>   %{kernel, [
>>   %  {inet_dist_listen_min, 21000},
>>   %  {inet_dist_listen_max, 22000}
>>   %]},
>>   %% Riak Core config
>>   {riak_core, [
>>   ...
>> Cheers,
>>
>> Alexander Sicular
>> @siculars
>> http://sicuars.posterous.com
>>
>> On Friday, May 27, 2011 at 12:55 AM, Antonio Rohman Fernandez wrote:
>>
>> hello all,
>>
>> http://IP:8098/riak?buckets=true [ will show all available buckets on Riak ]
>> http://IP:8098/riak/bucketname?keys=true&props=false [ will show all
>> available keys on a bucket ]
>>
>> to me, this proves a very big security risk, as if somebody discovers your
>> Riak server's IP, it is very easy to read all the information from it, even if
>> you try to obfuscate the buckets/keys... everything is highly readable.
>> is there any way to disable those options? like {riak_kv_stat, false} hides
>> the /stats page
>>
>> thanks
>>
>> Rohman
>>
>> Antonio Rohman Fernandez
>> CEO, Founder & Lead Engineer
>> roh...@mahalostudio.com
>> Projects
>> MaruBatsu.es
>> PupCloud.com
>> Wedding Album
_______________________________________________
riak-users mailing list
riak-users@lists.basho.com
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
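
The filtering decision a reverse proxy in front of Riak would have to make for the two listing URLs quoted in this thread, as an added Python example (not part of the thread, and not nginx or Riak code). It assumes clients only need per-object access under /riak/<bucket>/<key>; the function name, the method set and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# The two listing parameters shown in the thread.
LISTING_PARAMS = {"buckets", "keys"}
# Assumption: methods the clients are allowed to use against objects.
ALLOWED_METHODS = {"GET", "HEAD", "PUT", "POST", "DELETE"}


def allow_request(method: str, target: str) -> bool:
    """Return True if the proxy should forward this request to Riak."""
    if method.upper() not in ALLOWED_METHODS:
        return False
    parts = urlsplit(target)
    # Only origin-form targets ("/path?query"); no scheme or host tricks.
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return False
    # Default deny: the path must be exactly /riak/<bucket>/<key>, so the
    # root and bucket-level resources are refused whatever their parameters.
    raw = parts.path[1:].split("/")
    if len(raw) != 3 or not all(raw):
        return False
    segments = [unquote(s) for s in raw]
    if segments[0] != "riak":
        return False
    if any(s in (".", "..") or "/" in s for s in segments[1:]):
        return False
    # parse_qsl percent-decodes parameter names before they are compared,
    # so an encoded spelling of "keys" is treated like the plain one.
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in LISTING_PARAMS:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample requests; the first two are the URLs from the thread.
    for method, target in [
        ("GET", "/riak?buckets=true"),
        ("GET", "/riak/bucketname?keys=true&props=false"),
        ("GET", "/riak/bucketname/somekey"),
        ("GET", "/riak/bucketname/somekey?k%65ys=true"),
        ("GET", "/stats"),
    ]:
        verdict = "forward" if allow_request(method, target) else "403"
        print(f"{method} {target} -> {verdict}")
```
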