AB,
I am thinking about a setup which could be more secure against hacking. Normally there is a client which initiates a websocket connection to the server and calls some service/interface published by the server. I would like to change one thing: it would be the server publishing the services initiating the connection.
This is the scenario:
- there is a frontend server with no knowledge at all about how to connect to the backend --> if hacked there is no information stored about the backend server.
- it is the backend server which initiates a websocket connection which the frontend uses to access data via interfaces/services.
- this way we could have a backend server storing the high value data with no open port to mess with.
mORMot seems to be not too far from this kind of usage. Do you think this is something I could do in the near future?
Cheers,
Leslie
Last edited by Leslie7 (2016-02-21 09:56:36)
You have already everything you need to do this.
Just use a mORMot server for what you call a "client", and a mORMot client on the "server" side.
But, honestly, I doubt such a feature would be worth it.
There won't be any additional security IMHO. You are in fact multiplying the number of "servers", since each client is a server, so you are increasing the security breach scope.
And it would be more difficult to manage on "client" side: the IP ports have to be opened on each firewall, which may not be easy to do - or even impossible, due to IT security reasons.
This is why you should stick with the standard client/server paradigm. You could trust how we handle our WebSockets connection: the authentication and authorization scheme is pretty secure.
Ab,
"since each client is a server"
I think you probably have not understood the concept. I have not mentioned clients at all - clients are serviced by the frontend server, it is business as usual.
It is the server side which has two layers. One accessible from the outside world, but the other one - the backend - with the sensitive data is not.
"Just use a mORMot server for what you call a "client", and a mORMot client on the "server" side."
This is the normal logic for a frontend server to connect to a backend server. The one thing I would like to change if possible is how the connection is initiated. Normally the frontend server would initiate the connection as a client to the backend server. I would like the backend server to initiate the connection which is used by the frontend server to call the published services of the backend server. From the connection viewpoint the backend is the client and the frontend is the server. But from the viewpoint of the services the frontend is the client and the backend is the server.
This setup would shield the backend server from being hacked from a compromised frontend server.
I know this may seem like overkill, but there is data sensitive and valuable enough to be worth the extra mile.
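The reversed-connection pattern described in this post, as an added example that is not part of the original thread and not mORMot code: the backend dials out, and the frontend, which only listens, then acts as the service caller over that same socket. Plain TCP with newline-delimited JSON stands in for mORMot's WebSocket layer; the pre-shared token, the `get_record` service and the record data are all assumptions made for the example.

```python
import json
import socket
import threading

# Constructed sample data that only the backend holds (an assumption for the example).
SECRET_RECORDS = {1: {"owner": "alice", "balance": 100}}
# Pre-shared secret the frontend checks before it trusts the dialling peer. A static string is
# an assumption here; a real deployment would use mutual TLS or a signed, expiring token.
BACKEND_TOKEN = "constructed-shared-secret"


def dispatch(request):
    """Backend-side service dispatch: the allowlist of what a frontend may ask for."""
    req_id, method = request.get("id"), request.get("method")
    params = request.get("params", {})
    if method == "get_record":
        rec = SECRET_RECORDS.get(params.get("id"))
        if rec is None:
            return {"id": req_id, "error": "not found"}
        return {"id": req_id, "result": rec}
    return {"id": req_id, "error": "unknown method"}


def backend_dial_and_serve(frontend_addr, token):
    """Backend: opens the OUTBOUND connection, then answers requests on it (service side)."""
    with socket.create_connection(frontend_addr) as sock:
        sock.sendall((token + "\n").encode())
        rfile = sock.makefile("r", encoding="utf-8")
        try:
            for line in rfile:  # one JSON request per line; EOF when the frontend closes
                reply = dispatch(json.loads(line))
                sock.sendall((json.dumps(reply) + "\n").encode())
        except OSError:
            pass  # peer went away; nothing else to do on this connection


class Frontend:
    """Frontend: the listening side of the TCP connection, but the CALLING side of the services."""

    def __init__(self):
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))  # ephemeral port, so the demo never collides
        self._srv.listen(1)
        self._conn = None
        self._rfile = None
        self._next_id = 0
        self._lock = threading.Lock()  # one channel may be shared by many request handlers

    @property
    def address(self):
        return self._srv.getsockname()

    def accept_backend(self, expected_token):
        """Accept one dial-in and reject it unless the first line carries the expected token."""
        conn, _ = self._srv.accept()
        rfile = conn.makefile("r", encoding="utf-8")
        if rfile.readline().rstrip("\n") != expected_token:
            rfile.close()
            conn.close()
            return False
        self._conn, self._rfile = conn, rfile
        return True

    def call(self, method, **params):
        """Issue one service call over the backend-initiated connection and wait for its reply."""
        with self._lock:
            self._next_id += 1
            req = {"id": self._next_id, "method": method, "params": params}
            self._conn.sendall((json.dumps(req) + "\n").encode())
            return json.loads(self._rfile.readline())

    def close(self):
        for s in (self._rfile, self._conn, self._srv):
            if s is not None:
                s.close()


def run_demo(token=BACKEND_TOKEN):
    """Wire one frontend and one backend together in-process. Returns the replies to a found
    record, a missing record and an unknown method, or None if the dial-in was rejected."""
    fe = Frontend()
    worker = threading.Thread(target=backend_dial_and_serve, args=(fe.address, token), daemon=True)
    worker.start()
    try:
        if not fe.accept_backend(BACKEND_TOKEN):
            return None
        found = fe.call("get_record", id=1)
        missing = fe.call("get_record", id=42)
        unknown = fe.call("drop_everything")
        return found, missing, unknown
    finally:
        fe.close()
        worker.join(timeout=2)


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(token="wrong"))
```

Two things the example makes visible: the listening port has moved to the frontend, so the frontend must authenticate whatever dials in (here the token check in `accept_backend`), or anything that can reach it can impersonate the backend; and a compromised frontend still holds a live, authenticated channel, so what the backend exposes is bounded by its `dispatch` allowlist, not by the direction in which the TCP connection was opened.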
This is already supported by the framework.
See http://synopse.info/files/html/Synopse% … ml#TITL_93
Hi ab,
That sounds very useful! Does RemoteDataCreate() support FTS4/FTS5 records?
BTW, it seems that mORMot only supports FTS4; FTS5 is not added yet?
Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.
I did not make any test specific to redirection with FTS support.
My guess is that it should work...
Feedback is needed!
FTS5 was still experimental in 3.10 AFAIR...
See http://synopse.info/forum/viewtopic.php … 773#p17773
We did not include it yet, you are right.
Sounds like it may increase the .obj file a lot.
We would make some tests.
hi ab,
I'm not using external FTS4 tables, but I'll provide feedback if I do in the future.
I don't think the .obj file size is a real concern nowadays; after all, it'll still be at the "light" level. I just read the FTS5 document:
FTS5 has no matchinfo() or offsets() function, and the snippet() function is not as fully-featured as in FTS3/4...
That doesn't sound very interesting...