The Aspire app needs to be set up to mitigate DDoS attacks and other similar issues raised in security findings (Jira vulnerability issue).

A quick and straightforward solution is an Nginx server set up as a reverse proxy in front of Aspire.

Prerequisite:

Install Nginx server

Install Aspire 5

Aspire must never be reachable directly from outside the site; external traffic always has to pass through Nginx or a similar technology (Apache, AWS WAF, etc.).

Nginx will be set up as a proxy server with HTTPS certificates, request limits and the other necessary security controls.

Internally, Aspire 5 and the internal apps that cooperate with it can be connected directly (localhost:50505).

With this approach we avoid introducing limitations between internal applications.



Limiting the Rate of Requests 

You can limit the rate at which NGINX accepts incoming requests to a value typical for real users. For example, you might decide that a real user accessing a login page makes at most one request per second.

You can configure NGINX to allow a single client IP address to attempt POST requests to API endpoints only once per second (equivalent to 60 requests per minute):

To enable the POST request limit, open nginx.conf and add:

Code Block
http {
    # Maps the client IP to $limit only for POST requests; every other method
    # gets an empty key, and nginx does not count requests with an empty key
    map $request_method $limit {
        default         "";
        POST            $binary_remote_addr;
    }
    # Creates a 10 MB zone in memory for storing binary IPs and limits requests to 60 per minute
    limit_req_zone $limit zone=one:10m rate=60r/m;
    ...
    server {
        ...
        location / {
            ...
            # limit POST requests to 60 per minute (one per second); without burst,
            # a second POST inside the same second is answered with 503
            limit_req zone=one;
        }
    }
}
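To make the arithmetic behind rate=60r/m concrete, the following Python models nginx's limit_req leaky bucket (the excess/burst bookkeeping of ngx_http_limit_req_module, counted in thousandths of a request) fed through the map above. It is an added example written for this page, not code from Aspire or nginx; the request trace is constructed, and 503 is nginx's default limit_req_status.

```python
"""Model of the nginx limit_req leaky bucket behind the map/limit_req_zone config above.
Added example for this page (not Aspire or nginx code); the request trace is constructed."""
from dataclasses import dataclass, field


def limit_key(method: str, client_ip: str) -> str:
    """map $request_method $limit { default ""; POST $binary_remote_addr; }"""
    return client_ip if method == "POST" else ""


@dataclass
class LimitReqZone:
    rate_per_min: int           # limit_req_zone ... rate=60r/m  ->  60
    burst: int = 0              # limit_req zone=one burst=N (0 when omitted, as on this page)
    nodelay: bool = False       # limit_req ... nodelay
    # key -> (last_ms, excess); excess is in thousandths of a request, as in nginx
    _state: dict = field(default_factory=dict)

    def check(self, key: str, now_ms: int):
        """Return (accepted, delay_ms) for one request, following ngx_http_limit_req_module."""
        if key == "":                       # empty key: request is not accounted at all
            return True, 0
        if key not in self._state:          # first request from this key is always accepted
            self._state[key] = (now_ms, 0)
            return True, 0
        rate = self.rate_per_min * 1000 // 60            # requests/second, in thousandths
        last, excess = self._state[key]
        ms = max(now_ms - last, 0)
        excess = max(excess - rate * ms // 1000 + 1000, 0)   # leak since last request, add this one
        if excess > self.burst * 1000:      # over the bucket: rejected, state untouched
            return False, 0
        self._state[key] = (now_ms if ms else last, excess)
        delay = 0 if self.nodelay else excess * 1000 // rate
        return True, delay


def simulate(zone: LimitReqZone, requests):
    """requests: iterable of (t_ms, method, client_ip); returns [(status, delay_ms), ...]."""
    result = []
    for t_ms, method, ip in requests:
        accepted, delay = zone.check(limit_key(method, ip), t_ms)
        result.append((200 if accepted else 503, delay))  # 503 is the default limit_req_status
    return result


# Constructed trace: one client firing POSTs faster than 1/s, a GET, and a second client
SAMPLE_REQUESTS = [
    (0, "POST", "10.0.0.1"),
    (500, "POST", "10.0.0.1"),      # 0.5 s after the previous POST
    (1000, "POST", "10.0.0.1"),     # exactly 1 s after the last accepted POST
    (1100, "GET", "10.0.0.1"),      # GETs carry an empty key and are never limited
    (1100, "POST", "10.0.0.2"),     # a different client has its own bucket
]

if __name__ == "__main__":
    print(simulate(LimitReqZone(rate_per_min=60), SAMPLE_REQUESTS))
    print(simulate(LimitReqZone(rate_per_min=60, burst=5), SAMPLE_REQUESTS))
```

Without burst, the config above answers the second POST of a double-click 0.5 s later with 503; adding burst=5 (with nodelay so the excess is not queued) accepts short bursts and only rejects sustained floods, which is usually the better choice in front of a login form. Requests with an empty key (every non-POST) are never counted, exactly as in nginx.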

There are two ways of configuring the encryption provider: through Properties or through the Settings File (click each link to see more details).

Regardless of which way is used to configure the provider, the following parameters apply:

...

(Optional) If the KMS service must be accessed by assuming an IAM role, specify the role ARN. Role assumption is recommended so that the base account does not have direct access to the resources.

If not specified, the base account is used to execute the encryption/decryption calls directly.

...

Limiting the Number of Connections

You can limit the number of connections that can be opened by a single client IP address, again to a value appropriate for real users. For example, you can allow each client IP address to open no more than 10 connections to the Aspire 5 location:


Code Block
http {
    # Creates a 10 MB zone keyed by client IP for counting open connections
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    ...
    server {
        ...
        location / {
            # at most 10 simultaneous connections per client IP; excess connections get 503
            limit_conn addr 10;
            ...
        }
    }
}

How to create a KMS Key suitable for Aspire?

When creating a KMS key for Aspire, make sure it has the following properties:

  • Symmetric key: allows Aspire to encrypt and decrypt secrets using the key.
  • Permissions: the user or role used by Aspire must be granted the kms:Encrypt, kms:Decrypt and kms:DescribeKey permissions.

Key Policy:

You can add or remove permissions in this policy if needed, but make sure it still grants Encrypt, Decrypt and DescribeKey to the user or role that Aspire will use. The first statement gives the account root (that is, the account's IAM administrators) full control of the key; the second grants the Aspire principal only the three actions it needs.

Code Block
languagejs
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[account_id]:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[account_id]:[role/user]/[role_id/user_id]"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

Configuring HTTPS

To configure an HTTPS connection, SSL certificates for the current domain or IP must be prepared first; the example below is for localhost only.

Code Block
server {
    listen               443 ssl;
    server_name          localhost;
    keepalive_timeout    70;

    ssl_certificate      certs/localhost.crt;
    ssl_certificate_key  certs/localhost.rsa;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); offer only TLSv1.2 and TLSv1.3
    ssl_protocols        TLSv1.2 TLSv1.3;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ...
    location / {
        # forward to Aspire, which is reachable only on localhost, and tell it the client came over HTTPS
        proxy_pass         http://localhost:50505;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        ...
    }
}
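Before reloading nginx, it is worth checking mechanically that the config still carries the controls this page prescribes. The Python below is an added example (not Aspire or nginx tooling): a small parser for nginx syntax and an audit that flags a missing ssl listener, deprecated TLS versions, missing or undefined limit_req/limit_conn zones, and a proxy_pass that does not point at localhost. Both sample configs are constructed, the hardened one mirroring the fragments above.

```python
"""Static check of an nginx.conf against the hardening on this page.
Added example (not Aspire or nginx code); both sample configs below are constructed."""

DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}        # RFC 8996 retires TLS 1.0/1.1
INTERNAL_UPSTREAM = ("http://localhost", "http://127.0.0.1")  # Aspire is only reachable via the proxy


def parse_nginx(text: str) -> list:
    """Tokenise nginx syntax (comments, quoted args, ';' and '{}' blocks) into
    [(directive, [args], children_or_None), ...]."""
    tokens, i = [], 0
    while i < len(text):
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":                                   # comment runs to end of line
            nl = text.find("\n", i)
            i = len(text) if nl < 0 else nl
        elif c in "{};":
            tokens.append(c); i += 1
        elif c in "\"'":                                 # quoted argument, may be empty ("")
            j = text.index(c, i + 1)
            tokens.append(text[i + 1:j]); i = j + 1
        else:
            j = i
            while j < len(text) and not text[j].isspace() and text[j] not in "{};#":
                j += 1
            tokens.append(text[i:j]); i = j
    pos = 0

    def block():
        nonlocal pos
        out = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):        # whole-token test: "" is a valid argument
                words.append(tokens[pos]); pos += 1
            if tokens[pos] == "{":
                pos += 1
                children = block()
                pos += 1                                # consume the closing brace
                out.append((words[0], words[1:], children))
            else:
                pos += 1
                out.append((words[0], words[1:], None))
        return out

    return block()


def directives(tree, name):
    """Yield the argument list of every `name` directive, at any nesting depth."""
    for directive, args, children in tree:
        if directive == name:
            yield args
        if children:
            yield from directives(children, name)


def _zone_names(tree, directive) -> set:
    return {a[5:].split(":")[0] for args in directives(tree, directive) for a in args if a.startswith("zone=")}


def audit_proxy_config(text: str) -> list:
    """Findings against this page's setup; an empty list means the config matches."""
    tree, findings = parse_nginx(text), []
    if not any("ssl" in args for args in directives(tree, "listen")):
        findings.append("no 'listen ... ssl': Aspire would be served over plain HTTP")
    for args in directives(tree, "ssl_protocols"):
        bad = DEPRECATED_TLS & set(args)
        if bad:
            findings.append("deprecated protocols enabled: " + ", ".join(sorted(bad)))
    req_used, req_defined = _zone_names(tree, "limit_req"), _zone_names(tree, "limit_req_zone")
    if not req_used:
        findings.append("no limit_req: POST rate limiting is not applied")
    elif req_used - req_defined:
        findings.append("limit_req uses undefined zone(s): " + ", ".join(sorted(req_used - req_defined)))
    conn_used = {args[0] for args in directives(tree, "limit_conn") if args}
    conn_defined = _zone_names(tree, "limit_conn_zone")
    if not conn_used:
        findings.append("no limit_conn: per-client connection cap is not applied")
    elif conn_used - conn_defined:
        findings.append("limit_conn uses undefined zone(s): " + ", ".join(sorted(conn_used - conn_defined)))
    for args in directives(tree, "proxy_pass"):
        if args and not args[0].startswith(INTERNAL_UPSTREAM):
            findings.append(f"proxy_pass {args[0]}: Aspire should be reached on localhost only")
    return findings


# Constructed samples: the hardened one mirrors the fragments on this page
HARDENED_CONF = """
http {
    map $request_method $limit { default ""; POST $binary_remote_addr; }
    limit_req_zone  $limit zone=one:10m rate=60r/m;
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    server {
        listen 443 ssl;   # TLS only
        ssl_certificate certs/localhost.crt; ssl_certificate_key certs/localhost.rsa;
        ssl_protocols TLSv1.2 TLSv1.3;
        location / { limit_req zone=one; limit_conn addr 10; proxy_pass http://localhost:50505; }
    }
}
"""
WEAK_CONF = """
http { server {
    listen 80; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { proxy_pass http://aspire.internal:50505; }
} }
"""

if __name__ == "__main__":
    print("hardened:", audit_proxy_config(HARDENED_CONF))
    print("weak:", audit_proxy_config(WEAK_CONF))
```

Run it against /etc/nginx/nginx.conf in CI or a pre-deploy hook (audit_proxy_config(open(path).read())). It does not follow include directives or check the certificate itself, so keep nginx -t alongside it.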

Create kms key with aws cli

Save the policy specified above into a file called policy.json, fill in the [account_id], [role/user] and [role_id/user_id] details and execute (inside the same folder where the policy file was created):

Code Block
languagebash
aws kms create-key --policy file://policy.json --description "Aspire Encryption key" > newKey

In the file newKey you will see a JSON document with the details of your new key. Copy the Key ARN and configure it in the Aspire Properties.

Optionally, you can create an alias for your key to help AWS administrators know what this KMS key is for:

Code Block
languagebash
...
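As an added companion to the CLI step above (written for this page; not Aspire tooling), the Python below builds the key policy with the placeholders filled in, serialises it for policy.json, and audits a policy for what this page requires: the Aspire principal gets exactly kms:Encrypt, kms:Decrypt and kms:DescribeKey, no principal other than the account root gets a wildcard, and nothing is open to an anonymous principal. The account ID and role ARN are constructed placeholders; it works on the JSON only and makes no AWS calls.

```python
"""Build and sanity-check the Aspire KMS key policy from this page.
Added example (not Aspire code); the account and role ARN below are constructed placeholders."""
import fnmatch
import json

REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"}


def build_key_policy(account_id: str, aspire_principal_arn: str) -> dict:
    """The key policy shown above with [account_id] and the Aspire role/user ARN filled in."""
    return {
        "Version": "2012-10-17",
        "Id": "key-consolepolicy-3",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {"AWS": aspire_principal_arn},
                "Action": sorted(REQUIRED_ACTIONS),
                "Resource": "*",
            },
        ],
    }


def policy_json(policy: dict) -> str:
    """Serialised form to save as policy.json for `aws kms create-key --policy file://policy.json`."""
    return json.dumps(policy, indent=4)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt) -> list:
    principal = stmt.get("Principal", {})
    # "*" is the anonymous principal; otherwise only the AWS entry is relevant to Aspire
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def check_key_policy(policy: dict, aspire_principal_arn: str) -> list:
    """Least-privilege findings: missing required actions for Aspire, wildcard or extra
    actions for any non-root principal, and anonymous access. Empty list means OK.
    Deny statements are not evaluated, so a Deny could still break Aspire at runtime."""
    findings, granted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        for principal in _principals(stmt):
            if principal == "*":
                findings.append(f"{sid}: anonymous principal '*' is allowed")
                continue
            if principal.endswith(":root"):       # account administrators: kms:* is expected here
                continue
            for action in actions:
                if principal == aspire_principal_arn:
                    granted |= {r for r in REQUIRED_ACTIONS if fnmatch.fnmatchcase(r, action)}
                if action == "*" or action.endswith(":*"):
                    findings.append(f"{sid}: wildcard action {action} granted to {principal}")
                elif action not in REQUIRED_ACTIONS:
                    findings.append(f"{sid}: {action} granted to {principal} is not needed by Aspire")
    missing = REQUIRED_ACTIONS - granted
    if missing:
        findings.append("Aspire principal lacks: " + ", ".join(sorted(missing)))
    return findings


# Constructed placeholders; replace with the real account and the role Aspire assumes
ACCOUNT_ID = "123456789012"
ASPIRE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/aspire-kms"

if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID, ASPIRE_ROLE_ARN)
    print(policy_json(policy))
    print("findings:", check_key_policy(policy, ASPIRE_ROLE_ARN))
```

Write policy_json(...) to policy.json and feed it to the create-key command above; run check_key_policy again whenever someone edits the policy in the console, since a kms:* grant to the Aspire role would silently widen what a compromised Aspire host can do with the key.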

More can be found directly in the Nginx documentation.

Aspire app with HTTPS after proper Nginx setup:

(screenshot)


Response after too many requests:

(screenshot)


Interesting Articles:

First Line of Defense: Blocking Bad POST Requests Using NGINX Rate Limiting.

The three most important AWS WAF rate-based rules

Example nginx.conf and the self-signed localhost certificate and key used above (attachments; the private key is for local testing only, since it is published with this page):

localhost.rsa

localhost.crt

nginx.conf