What are the API endpoints for the Uber Eats service on Android? - uber-api

I need to block access to the API endpoints used by the Android application for Uber Eats at a DNS level, but there's no public documentation available for the Uber Eats service.
What are the API endpoints or hostnames associated with the Uber Eats service for the Android application? I've managed to block their web app but not the Android app.

Blocking the following domains on my firewall has successfully stopped the Uber Eats app from functioning:
cn-geo1.uber.com
cn-dc1.geixahba.com
cn-dc1.shaipeeg.net
auth.uber.com
cn-dc1.oojoovae.org
cn-dc1.ooshahwa.biz
cn-dc1.naevooda.co

Related

Can managed identity be used between a service hosted in AKS and a client app hosted as an App Service?

I have an ASP.NET Core Web API app which is hosted in Azure Kubernetes Service, and the Web API endpoints are secured with Azure Active Directory (AAD), following the article below:
https://dotnetplaybook.com/secure-a-net-core-api-using-bearer-authentication/
Now I have another ASP.NET Core Web API application (Gateway), which is hosted as an Azure App Service, and this is a client application for the above microservice, which is hosted in AKS.
I have also registered the client app (Gateway) in AAD, using a secret, and with this the gateway and the microservice authenticate and it works.
Since the AKS-hosted microservice talks with the Azure App Service, can I use Managed Identity so that I don't need to do secret management?
So just to clarify, your service deployed in Azure App Service is calling your application deployed in AKS.
If your Azure App Service is acting on its own behalf (i.e. it is a daemon app, and users don't interact with that app), then yes, you can simply use a Managed Identity for that App Service and give that identity the API permissions for the app in AKS.
--an update to the above
I wrote up some additional details that walk through all the steps to achieve this; take a look at this post: https://blog.identitydigest.com/single-tenant-daemon-managed-identity/ . It also has a pointer to a very rudimentary code sample.

Best way to configure an NSG rule for a mobile app client and a Service Fabric hosted API

We have the following structure for my application. Currently we have used Any for both source and destination (on port 3389) while defining the NSG rule for our Service Fabric to allow calls from the mobile app. But our security team has raised concerns about the Any-Any rule. Is there any way to optimize this?
Note: our mobile app is public and anyone can download it from the app store.
An Any-to-Any rule really opens SF to attack, so you should limit the IP from your traffic manager given your current model.
Azure API Management already has built-in support for Service Fabric, so my suggestion is to remove the traffic manager between the API Management and SF. Then what you can do is limit the traffic to SF to only the API Management, which is much easier.
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-api-management-overview
As for the authentication requirement, you can delegate that to the API Management, i.e. validate the JWT token.
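
The Any-Any concern raised in this thread can be checked mechanically. The audit below is an added example, not code from the original posts: it flags inbound Allow rules that expose a port to any source. The rule names, the placeholder API Management address and the sample rules are constructed; property names follow the ARM security-rule schema, and priority and Deny ordering are not evaluated.

```python
# Source values that mean "any address" in an NSG rule (compared lowercase).
OPEN_SOURCES = {"*", "any", "internet", "0.0.0.0/0", "::/0"}

def _values(props, single, plural):
    """Merge the singular and plural forms of an NSG rule property."""
    vals = list(props.get(plural) or [])
    if props.get(single):
        vals.append(props[single])
    return vals

def _covers_port(spec, port):
    """True if a port spec ('*', '3389' or '3000-4000') includes port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def open_inbound_rules(rules, port):
    """Names of inbound Allow rules that expose `port` to any source."""
    findings = []
    for rule in rules:
        p = rule["properties"]
        if (p["direction"].lower(), p["access"].lower()) != ("inbound", "allow"):
            continue
        sources = _values(p, "sourceAddressPrefix", "sourceAddressPrefixes")
        ports = _values(p, "destinationPortRange", "destinationPortRanges")
        if any(s.lower() in OPEN_SOURCES for s in sources) and any(
            _covers_port(r, port) for r in ports
        ):
            findings.append(rule["name"])
    return findings

def _rule(name, source, **ports):
    """Build a constructed inbound Allow rule for the sample below."""
    return {"name": name, "properties": {
        "direction": "Inbound", "access": "Allow",
        "sourceAddressPrefix": source, **ports}}

# Constructed sample: the Any-Any rule from the question, a rule limited to a
# placeholder API Management address, and a wide range open to the Internet.
SAMPLE_RULES = [
    _rule("allow-any-any", "*", destinationPortRange="3389"),
    _rule("allow-apim-only", "203.0.113.10/32", destinationPortRange="3389"),
    _rule("allow-wide-range", "Internet",
          destinationPortRanges=["3000-4000", "8080"]),
]

if __name__ == "__main__":
    print(open_inbound_rules(SAMPLE_RULES, 3389))
```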

Is it possible to access GCP resources using the API without user interaction?

In most of the documentation I found about GCP, the REST API needs user interaction for authentication. Is there a possible way to access GCP resources without interaction from a user?
E.g.: I would like to implement a cron job on my local workstation to launch a GCP machine.
Yes, it's possible; this is what service accounts are for:
A service account is a Google account that represents an application, as opposed to representing an end user.
Important: For almost all cases, whether you are developing locally or in a production application, you should use service accounts, rather than user accounts or API keys. You can use a service account by providing its private key to your application, or by using the built-in service accounts available when running on Google Cloud Functions, Google App Engine, Google Compute Engine, or Google Kubernetes Engine.
All GCP APIs support service accounts. For most server applications that need to communicate with GCP APIs, we recommend using service accounts, as they are the most widely-supported and flexible way to authenticate.
For more information, see getting started with authentication.
You'd have to create a service account representing your application (executed as the cron job) and in your application you'd authenticate the REST API calls using that service account's credentials.

Stop inactive Bluemix apps

We want to use a shared Bluemix org which contains a number of demo apps. Is there a way of detecting which apps haven't been used (e.g. few HTTP requests) in order to stop inactive apps?
These Cloud Foundry docs state the following:
The Router emits RTR logs when it routes HTTP requests to the app. Router messages include the app name followed by a Router timestamp and then selections from the HTTP request.
You should get an idea of how many requests your apps are receiving by looking for RTR log entries.
Manually, you could check the console logs using the cf logs .. command, or by visiting the log page in the Bluemix console.
You could automate the check using the Cloud Foundry tools or using the Cloud Foundry APIs to parse the application logs.
https://docs.cloudfoundry.org/devguide/deploy-apps/streaming-logs.html#rtr
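
One way to automate the RTR check described above, as an added example that is not part of the original answer: it counts router entries per app host and reports which apps from an inventory fall below a request threshold. The log-line shape, host names, the `/health` path and the sample lines are assumptions constructed for illustration; an app that received no traffic never appears in the logs, so the inventory has to be supplied separately.

```python
import re
from collections import Counter

# Assumed shape of a router line: log timestamp, [RTR/n], OUT, app host,
# "-", [router timestamp], then the quoted HTTP request line.
RTR_LINE = re.compile(
    r'\[RTR/\d+\]\s+OUT\s+(?P<host>\S+)\s+-\s+\[[^\]]+\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)'
)

def request_counts(lines, ignore_paths=()):
    """Count routed requests per app host; skip non-RTR lines and ignored paths."""
    counts = Counter()
    for line in lines:
        m = RTR_LINE.search(line)
        if m and m.group("path") not in ignore_paths:
            counts[m.group("host")] += 1
    return counts

def inactive_apps(app_hosts, lines, min_requests=1, ignore_paths=()):
    """Hosts from the inventory with fewer than min_requests routed requests.

    Hosts absent from the logs count as zero requests."""
    counts = request_counts(lines, ignore_paths)
    return sorted(h for h in app_hosts if counts[h] < min_requests)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2016-06-14T13:44:38.14-0700 [RTR/0]      OUT demo-a.example.com - [2016-06-14T20:44:38.096+0000] "GET / HTTP/1.1" 200 0 7 "-" "curl/7.43.0"',
    '2016-06-14T13:45:02.81-0700 [RTR/1]      OUT demo-a.example.com - [2016-06-14T20:45:02.770+0000] "POST /api/items HTTP/1.1" 201 42 0 "-" "curl/7.43.0"',
    '2016-06-14T13:45:10.02-0700 [APP/0]      OUT started listening on 8080',
    '2016-06-14T13:46:11.50-0700 [RTR/0]      OUT demo-b.example.com - [2016-06-14T20:46:11.480+0000] "GET /health HTTP/1.1" 200 0 2 "-" "monitor"',
]
# Constructed inventory of app hosts in the shared org.
SAMPLE_APPS = ["demo-a.example.com", "demo-b.example.com", "demo-c.example.com"]

if __name__ == "__main__":
    print(inactive_apps(SAMPLE_APPS, SAMPLE_LOG, ignore_paths=("/health",)))
```

Passing `ignore_paths` keeps monitoring probes from making an otherwise unused app look active.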

Bluemix API Management, secure the API implementation

I want to expose a RESTful service as an API to the outside world on Bluemix Public. Therefore I have a Liberty app, containing a REST service implemented in JAX-RS.
Additionally I leverage the "API Management Service" to secure that app, via Plans, Authentication etc. So thanks to the API Management Gateway I have a secure proxy to my service exposed.
Yet, the app that provides my service remains accessible to the outside via the Bluemix route. So, it can be called without any credentials whatsoever.
Is there a way to have only my API Management gateway access the service implementation app?
One approach would be to delete the route of the service-implementing app, but how would you then bind the API Management to the service?
Happy to hear your thoughts or alternative solutions.
If your API is running on Bluemix Public as a Cloud Foundry application, there is currently not a way to create a route such that it is only accessible by the API management service, but not the outside world. You should implement security within your JAX-RS application (easy to do with a web.xml security-constraint) and add those credentials to the APIm service if you still want to use APIm to get monitoring, throttling, discovery, etc.
Another option would be to deploy the application in a VM and then use Secure Gateway to connect to it:
https://github.com/IBM-Bluemix/onprem-integration-demo