Servoy Forum

[gzola]

We have just launched a new web solution that exposes on the web of documents to the Italian law must be accessible to all citizens.

http://88.56.51.21/servoy-webclient/ss/s/albo_pretorio

The application server is inside our LAN and is reached from the outside with a public IP. To achieve a satisfactory level of security we have put the application server (which has only this solution on board) in a DMZ area.

All right? Not really.
There is a feature that I think is still missing. The ability to prevent access to the administration of Servoy Application Server from outside our LAN. Certainly you must know the login but it is possible that an attacker could perform a brute force attack with predictable consequences.

If there it is already possible I apologize in advance, otherwise I think that is to be implemented to ensure the highest level of security required by this type of situation.

Sincerely

[ngervasi]

Hi Giovanni,
The best approach is to shield the servoy server using an Apache Reverse Proxy so that a call to http://yourwebserver/albo_pretorio can be proxied to http://yourServoyIPAddress/servoy-webcl ... o_pretorio but the admin pages will not be accessible from outside the LAN.
Search the forum for details about how to setup a reverse proxy.

[gzola]

Thanks for the tip Nicola.

Now go into the issue with Apache since usually use IIS ...

Of course if you could do it directly from the Administration page of Servoy would be much more convenient ....

[ngervasi]

You can also use IIS for the reverse proxy, I did it years ago for a project. To be honest I don't like IIS but when it's not an option to change it...
Google for IIS+AJP+Proxy, you should find quite some docs about it.

[gzola]

Hello Nicola.

In the end I opted for a granular configuration (a rule ad hoc of reverse proxy) of our WinGate Proxy Server. Now is accessible only what I want to be. Small problems (not vital): all external users are presented, on the application server, with the IP of the proxy server.

That said, I believe that at least the administration interface of Servoy should be accessible (via setup) only by an IP, a pool or a network. If you do dream, to imagine a situation where each solution is published on a specific port, or possibly on multiple ports ...

Thanks anyway for the tip. He still helped me to find an appropriate solution.

[ngervasi]

You are welcome!
Publishing different solutions on different ports is quite difficult... but for restricting access to the admin pages you could file a feature request altough I think it's something beyond Servoy control since what we are talking about is pure Tomcat.