I'm having a few problems trying to decide what would be the best solution for something I'm trying to build.

In the application's simplest form, I have a front end server which allows users to upload files which become associated with their account, for example a video or image. The upload file form posts the upload request to the front end server, which then uses a reverse proxy to pass the request directly along to a storage server's API (https://www.example.com/users/username/upload).

What I'm currently stuck on is trying to work out the best way to verify that the request being received at the storage server's API is actually being sent from the reverse proxy from the front end server, as opposed to somebody just sending a direct POST request to the storage server's API endpoint.

Any suggestions would be really appreciated!

  • You can send some kind of a token from the Frontend Server to authenticate that the request is from the correct server. – Dhanush Gopinath Aug 03 '16 at 05:53
  • Hey @DhanushGopinath, thanks for your reply. I've previously created a session that creates a CSRF token which gets validated on the storage server's side over the same client's session, but would it be better, for example, to create a token and send it over TCP before I pass along the actual request, wait for an ACK containing the correct token from the storage server, and only then, if it's correct, proxy the file upload request? – Benjamin Radovsky Aug 03 '16 at 06:38
  • I do it the first way you mentioned. And I wrote an HTTP Handler to authenticate it, and only if it is valid do I pass the request to the actual handler. The second method should also be fine, except for the fact that each call will need to send 2 requests every time. – Dhanush Gopinath Aug 03 '16 at 08:06
  • Do you control the storage server or is it a 3rd party service? Does it need to be exposed to someone who could make a direct call to it? A little more detail about the deployment would be helpful to the question. – jxstanford Aug 03 '16 at 14:24
  • Hey @jxstanford, I do control the storage server/s. I'm new to distributed computing so not sure about any best practices. The storage servers don't have to be exposed, but I'm not sure how I would go about blocking it off from requests other than from my own servers. Sorry about all of this being quite vague, it's all more of a learning challenge, trying to build scalable applications that scale well. – Benjamin Radovsky Aug 04 '16 at 01:33

1 Answer

There are multiple ways to do it:

  1. You can use an API Gateway (e.g. APIGEE, AWS API Gateway, etc.). The gateway can do request origin validation.
  2. You can let the front end app use OAuth (for the storage server) and use that to get authenticated/authorized at the storage server.
  3. You can do IP whitelisting between servers and allow a restricted set of IPs in source.
  4. You can use MASSL (Mutual Authenticated SSL) between servers to make sure only clients which are verified access your API (maybe not for your problem directly, but it can be used in combination).

These are the simple options if you don't need a complicated or more expensive solution.

  • Hey @Virgo, thanks for the comment! I've already implemented CSRF prevention over sessions since the storage server is being sent its data through a form, but I've considered the idea previously to use IP whitelisting so I might give that a go as well! Great suggestions, much appreciated! – Benjamin Radovsky Aug 06 '16 at 11:43
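The token approach suggested in the comments (the front end attaches a token, a handler on the storage server checks it before the real handler runs) can be sketched as an HMAC over the request, as an added example that is not code from any of the posts above. The header names `X-Proxy-Timestamp` and `X-Proxy-Signature`, the shared key and the 30-second window are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed key for the example; in practice load it from a secret store
# available only to the front end and the storage servers.
SHARED_KEY = b"example-only-key-do-not-reuse"
MAX_SKEW_SECONDS = 30  # assumed freshness window


def _mac(key, method, path, timestamp, body):
    # Bind the token to this exact request: method, path, time and body digest.
    body_digest = hashlib.sha256(body).hexdigest()
    message = "\n".join([method.upper(), path, str(timestamp), body_digest])
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def sign_request(method, path, body, key=SHARED_KEY, now=None):
    """Front end (proxy) side: headers to attach to the proxied request."""
    timestamp = int(time.time() if now is None else now)
    return {
        "X-Proxy-Timestamp": str(timestamp),
        "X-Proxy-Signature": _mac(key, method, path, timestamp, body),
    }


def verify_request(method, path, body, headers, key=SHARED_KEY, now=None):
    """Storage server side: True only if the headers carry a valid, fresh MAC."""
    try:
        timestamp = int(headers["X-Proxy-Timestamp"])
        received = headers["X-Proxy-Signature"]
    except (KeyError, ValueError):
        return False  # direct requests without the headers are rejected
    current = time.time() if now is None else now
    if abs(current - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale token: limits replay of a captured request
    expected = _mac(key, method, path, timestamp, body)
    # Constant-time comparison avoids leaking the MAC through timing.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    body = b"constructed upload bytes"
    path = "/users/username/upload"
    hdrs = sign_request("POST", path, body)
    print(verify_request("POST", path, body, hdrs))         # signed by proxy
    print(verify_request("POST", path, body, {}))           # direct request
    print(verify_request("POST", path, body + b"x", hdrs))  # tampered body
```

The check fits in front of the upload handler as described in the comments, and it combines with IP whitelisting or mutual TLS from the answer rather than replacing them.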