PageKite 0.5 - soliciting feedback on .rpm and .deb policy
35 views
Skip to first unread message
Bjarni Rúnar Einarsson
Jul 24, 2012, 1:38:03 PM7/24/12
to pagekite...@googlegroups.com
Hey everyone!
In case you hadn't noticed, we released version 0.5 of pagekite.py last Friday:
http://pagekite.net/2012-07-20/Pagekite_py_0_5_0_released
There are a bunch of new features and improvements in this release
over 0.4.x, but there is one in particular which makes this release a
little different - we've added a very basic request firewall to keep
folks from shooting themselves in the foot by exposing things like
insecure Xampp, phpMyAdmin or WordPress installations to the public
web. You can read more about this feature and why we felt it was
necessary, here:
http://pagekite.net/support/security/
As we realize that some folks using the RPM or DEB packages may
actually be relying on the ability to reconfigure e.g. their WordPress
blogs over PageKite, we are pondering what the default configuration
should be for people who are using the OS-level integration.
It boils down to this: Should we disable the firewall for people whose
pagekite's start up on boot?
If we disable the firewall, then that becomes an insecure-by-default
policy for anyone using the .deb or .rpm package. This is not
necessarily a good thing, we prefer to be "as secure as is reasonable"
by default.
If we enable the firewall, some users will be surprised and their
current websites may "break" without them really understanding why
(especially if automatic apt or yum updates are enabled). Of course,
it will be easily fixable by adding the "insecure" keyword to their
/etc/pagekite.d/80_httpd.rc file, but until people figure that out the
new behavior could be quite confusing.
Any opinions?
--
Bjarni R. Einarsson
Founder, lead developer of PageKite.
Make localhost servers visible to the world: https://pagekite.net/
In case you hadn't noticed, we released version 0.5 of pagekite.py last Friday:
http://pagekite.net/2012-07-20/Pagekite_py_0_5_0_released
There are a bunch of new features and improvements in this release
over 0.4.x, but there is one in particular which makes this release a
little different - we've added a very basic request firewall to keep
folks from shooting themselves in the foot by exposing things like
insecure Xampp, phpMyAdmin or WordPress installations to the public
web. You can read more about this feature and why we felt it was
necessary, here:
http://pagekite.net/support/security/
As we realize that some folks using the RPM or DEB packages may
actually be relying on the ability to reconfigure e.g. their WordPress
blogs over PageKite, we are pondering what the default configuration
should be for people who are using the OS-level integration.
It boils down to this: Should we disable the firewall for people whose
pagekite's start up on boot?
If we disable the firewall, then that becomes an insecure-by-default
policy for anyone using the .deb or .rpm package. This is not
necessarily a good thing, we prefer to be "as secure as is reasonable"
by default.
If we enable the firewall, some users will be surprised and their
current websites may "break" without them really understanding why
(especially if automatic apt or yum updates are enabled). Of course,
it will be easily fixable by adding the "insecure" keyword to their
/etc/pagekite.d/80_httpd.rc file, but until people figure that out the
new behavior could be quite confusing.
Any opinions?
--
Bjarni R. Einarsson
Founder, lead developer of PageKite.
Make localhost servers visible to the world: https://pagekite.net/
Bjarni Rúnar Einarsson
Jul 27, 2012, 12:55:43 PM7/27/12
to pagekite...@googlegroups.com
OK, since nobody seems overly concerned, we have pushed new .deb files which enable the request firewall by default. Check the new /etc/pagekite.d/80_httpd.rc.sample file for details on how to turn it off if it gets in the way.
Christoph Witzany
Jul 27, 2012, 3:12:02 PM7/27/12
to pagekite...@googlegroups.com
I think it is good. Even if I don't rely on request host based security (which also means that it doesn't affect me).
2012/7/24 Bjarni Rúnar Einarsson <b...@pagekite.net>
Bjarni Rúnar Einarsson
Jul 27, 2012, 3:16:20 PM7/27/12
to pagekite...@googlegroups.com
On Fri, Jul 27, 2012 at 7:12 PM, Christoph Witzany <chri...@web.crofting.com> wrote:
I think it is good. Even if I don't rely on request host based security (which also means that it doesn't affect me).
Thanks for chiming in. :-)
That leaves the more fun question, of which things we should be firewalling! We have some sensible defaults, but I am pretty sure this 1st draft will need some revising over time.
If anyone on the list has web server logs that show what the script kiddies are after these days, that would be super useful for compiling a better built-in firewall.
Reply all
Reply to author
Forward
0 new messages