Suppose that I want to build an app like Google Doc or a multi-player online game with k8s. Clients (like a web browser or an app installed on a user's phone) who hit the service endpoint are most likely to be load-balanced to separate pods (where the web server is deployed; the web server might use something like WebSocket to sync with clients). What is the best practice to sync to pods together without introducing a single point of failure?
I am new to Cloud Foundry.
Is there any way that only specific users can view and update an app deployed in Cloud Foundry?
1. I deployed an app in Cloud Foundry using the “cf push” command.
2. After entering the “cf push” command, I got the message below.
Using manifest file /home/stevemar/node-hello-world/manifest.yml
enter Creating app node-hello-world-example...
name: node-hello-world-example
requested state: started
routes: {route-information}
last uploaded: Mon 14 Sep 13:46:54 UTC 2020
stack: cflinuxfs3
buildpacks: sdk-for-nodejs
type: web
instances: 1/1
memory usage: 256M
3. Using the {route-information} above, I can see the deployed app in a browser by entering the URL below.
https://{route-information}
This way, anyone can see the app from a browser, but I don’t want it to be seen by everyone and want to limit access to specific users.
I heard that this global IP will be allocated to {route-information} by default.
Is there any way to limit access to only between specific users?
(For example, is there any function like “private registry” at Kubernetes in Cloud Foundry which is not open to the public?)
Since I am using Cloud Foundry in IBM Cloud, it would be better if there is a solution using IBM Cloud.
I’ve already granted a Cloud Foundry role to the other user.
Thank you.
The CloudFoundry platform itself does not provide any access controls for applications. If you assign a public route to your application, where the DNS is publicly resolvable and the foundation is on the public Internet, like IBM Bluemix, then anyone can access your app.
There's a number of things you can do to limit access, but they do require some work on your part.
1. Use a private DNS. You can add any domain you want to Cloud Foundry, even ones that don't resolve. That means you could add my-cool-domain.local which does not resolve anywhere. You could then add a record to /etc/hosts for this domain or perhaps run DNS on your local network to resolve this DNS domain and direct traffic to the CloudFoundry.
With this setup, most people cannot access your application because the DNS domain for the route to your application does not resolve anywhere. It's important to understand that this isn't really security, but obscurity. It would stop most traffic from making it to your app, but if someone knew the domain, they could add their own /etc/hosts header or send fake Host headers to access your application.
This type of setup can work well if you have light security requirements like you just want to hide something while you work on it, or it can work well paired with other options below.
2. You can set up access controls in your application. Many application servers & frameworks can do things like restrict access by IP address or require user access (Basic auth is easy and it is OK, if you're only allowing HTTPS traffic to your app which you should always do anyway).
You can use OAuth2 to secure apps too. Again, many app servers & frameworks have support for this and make it relatively simple to secure your apps. If you don't have a corporate OAuth2 solution, there are public providers you can use. Exactly how you do OAuth2 in your app is beyond the scope of this question, but there's plenty of material out there on how to do this. Google information for your application language/framework of choice.
3. You could set up an access Gateway. This would be an application whose job is to proxy traffic to other applications on the foundation. The Gateway could be something like Nginx, Apache HTTPD, or Spring Cloud Gateway. The idea is that the gateway would be publicly accessible, and would almost certainly apply access controls/restrictions (see #2, many of these proxies have access control options that only take a few lines of config). Your actual applications would not be deployed publicly though. When you deploy your actual applications, they would only be on the internal Cloud Foundry domain.
CloudFoundry has local domains, often apps.internal (run cf domains to see if that shows up), which you can use to easily route traffic across the internal container-to-container network. Using this domain and the C2C network, you can have apps deployed to CF that are not accessible to the public Internet, except through your Gateway.
Again, how you configure this exactly is outside the scope of this question, but check out the docs I linked to for info on using the C2C network & internal routes. Then check out your proxy server of choice's documentation.
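Option 2 from the answer above, shown as an added example (not code from the original answer): an HTTPS-only Basic auth check for a Node app like the one in the question. The user table, the function names, and the reliance on the platform router reporting the client's scheme in X-Forwarded-Proto are assumptions.

```javascript
const crypto = require('crypto');
const http = require('http');

// Constructed sample credentials; in a real deployment read them from the
// environment instead of hard-coding them.
const USERS = { alice: 'correct-horse-battery' };

// Constant-time comparison; hashing first gives equal-length buffers.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(a).digest();
  const hb = crypto.createHash('sha256').update(b).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Decide from the request headers alone; returns the HTTP status to send.
// The Host header is never consulted: it is client-controlled.
function checkAccess(headers, users = USERS) {
  // TLS ends at the platform router, so the app only sees the original
  // scheme in X-Forwarded-Proto (assumption: the router sets it).
  const proto = String(headers['x-forwarded-proto'] || '').split(',')[0].trim();
  if (proto !== 'https') return 403; // Basic auth must never travel in clear
  const m = /^Basic ([A-Za-z0-9+/=]+)$/.exec(headers['authorization'] || '');
  if (!m) return 401;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return 401;
  const user = decoded.slice(0, sep);
  const pass = decoded.slice(sep + 1);
  const known = Object.prototype.hasOwnProperty.call(users, user);
  // Always run the comparison so unknown users take the same time.
  const match = safeEqual(pass, known ? users[user] : '');
  return known && match ? 200 : 401;
}

// Build the server; start it with createApp().listen(process.env.PORT).
function createApp() {
  return http.createServer((req, res) => {
    const status = checkAccess(req.headers);
    if (status === 401) res.setHeader('WWW-Authenticate', 'Basic realm="app"');
    res.statusCode = status;
    res.end(status === 200 ? 'hello\n' : 'denied\n');
  });
}

// Constructed request: correct Host for a "private" domain, no credentials.
console.log(checkAccess({ host: 'my-cool-domain.local', 'x-forwarded-proto': 'https' }));
```

A request that only knows the unpublished domain name is still rejected, which is the difference between this option and the private DNS approach in option 1.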
I am working with an iPhone application which interacts with a Web API. Since the endpoints are HTTPS, the data communicated between the device and the Web API is supposed to be encrypted.
I need to find every endpoint and the data that is communicated (headers, body content) for each business scenario and for negative testing flows.
Since the transmitted data is encrypted, I was unable to trace it with Fiddler, which I tried while referring to several online tutorials.
(The reason I need this is that I have been assigned to make an API automation tool to simulate all the testing scenarios (happy path, negative test cases, etc.))
Is there any better approach I can take to trace these API calls?
OR, is there a tool which I can try to trace these Web API calls which sends and receives from the iPhone?
TIA
Managed to get the certificates for the HTTPS endpoints and added them to the Certificate Manager (on a Windows PC). Afterwards configured the proxy ports with the Fiddler echo service from the mobile device and was able to trace the HTTPS calls.
With the help of installing the certificates, intercepting HTTPS is possible.
I'm planning to build an application that will include user registration and so on. I want to build a kind of social network application and I wonder how I should build my server and what is the right way to connect the application and the server?
I know how to build clients and servers in Python and connect them with sockets, but I realise that this is not the right way to do it in mobile applications.
Someone told me I should learn something called SOA or web application server; I did not understand him so well.
I hope that you understand what I search for, thanks!
A good start is to create a REST-based backend service that exposes methods/operations via HTTP. Host the service on your server, and allow the app to communicate with the service. This service can send and receive data, typically in the JSON format, between the service and your app(s). Try looking here for some examples:
Python: https://www.sitepoint.com/building-simple-rest-api-mobile-applications/
.NET: https://learn.microsoft.com/en-us/aspnet/web-api/overview/older-versions/build-restful-apis-with-aspnet-web-api
I'm working on a web application that will use Rhino Service Bus to send messages that are then consumed by a windows service on the app server. I've been able to test this on my machine (hosting the web app and the windows service) and it works fine. I was also able to test this in our dev environment, which has one web server and one app server, without any problems. However, our staging environment has two web servers and two app servers, so I'm not sure how to configure the endpoint to which the messages are sent.
I know I can edit the config section for each web server to point to one of the app servers. I can also put the windows service on only one machine and send everything to a queue on that machine. Neither of these sounds like a good option. What's the best practice in a scenario like this?
Any help would be appreciated.
It depends on which transport you're using. If you're using Rhino.Queues you can leverage hardware based load balancing + DNS. If you're using MSMQ, then you would need to use the MSMQ load balancer in RSB. You can find tests in the source that demonstrate this. Your workarounds that you mentioned would also work.
This question may be a bit subjective but I think will offer some valuable concrete information and solutions to proxying to heroku and debugging latency issues.
I have an app built using Sinatra/Mongo that exposes a REST API at api.example.com. It's on Heroku Cedar. Typically I serve static files through nginx at www and proxy requests to /api through to the api subdomain to avoid cross-domain browser complaints. I have a Rackspace cloud instance so I put the front-end there temporarily on nginx and set up the proxy. Now latency is horrible when proxying, every 3 or 4 requests it takes longer than 1 minute, otherwise ~150ms. When going directly to the API (browser to api.example.com) average latency is ~40ms. While I know the setup isn't ideal I didn't expect it to be that bad.
I assume this is in part due to proxying from rackspace - server may well be on the west coast - to heroku on amazon ec2 east. My thought at the moment is that getting an amazon ec2 instance and proxying that to my heroku app would alleviate the problem, but I'd like to verify this somehow rather than guessing blindly (it's also more expensive). Is there any reasonable way to determine where the long latency is coming from? Also, any other suggestions as to how to structure this application? I know I can serve static files on Heroku, but I don't like the idea of my API serving my front-end, would rather these be able to scale independently of one another.
Since you're using Heroku to run your API, what I'd suggest is putting your static files into an Amazon S3 bucket, something named 'myapp-static', and then using Amazon Cloudfront to proxy your static files via a DNS CNAME record (static.myapp.com).
What's good about using S3 over Rackspace is that:
Your files will be faster for you to upload from Heroku, since both your app and storage are on the same network (AWS).
S3 is built for serving static files directly, without the overhead of running your own server proxying requests.
What's good about using Cloudfront is that it will cache your static files as long as you want (reducing multiple HTTP requests), and serve files from an endpoint closest to the user. E.g.: If a user in California makes an API request and gets a static file from you, it will be served to them from the AWS California servers as opposed to your East Coast Heroku instances.
Lastly, what you'll do on your application end is send the user a LINK to your static asset (eg: http://static.myapp.com/images/background.png) in your REST API, this way the client is responsible for downloading the content directly, and will be able to download the asset as fast as possible.