-
Notifications
You must be signed in to change notification settings - Fork 4
Security
Liesware edited this page Oct 1, 2019
·
3 revisions
Please HA and Load Balancing
Coherence is designed to be accessed by trusted clients inside trusted environments, there is not protocol to protect data between server and client, so that It is no a good idea to expose Coherence to an environment where untrusted clients can directly access it. For the most cases an application mediates access between Coherence and untrusted clients (It is completely feasible to create a proxy with a high level language between HTTPS and HTTP, for example a https proxy server for Coherence was created on Node.js with 58 code lines). In resume untrusted access to Coherence should always be mediated by a layer implementing access control.
The main point are:
- DoS because an attacker can exhaust the CPU: when a user makes requests, for example: a rsa key it consume CPU, if many unauthorized are done. THC TLS DoS
- DoS because an attacker can fill all the disk: when a user makes a request for example: encrypt a file, if coherence doesn’t delete any file, Coherence creates a new file with the encrypted content, so you will be ran out of disk if many requests are done.
Countermeasures:
- Never expose Coherence directly to internet.
- Never expose Coherence directly to internet.
- If you expose it, create a proxy with acl or something like that at least.
- Create its own user and its own work_dir
- Turn on selinux.
- Configure your firewall.