Showing posts from March, 2017

ESPeriments with Nginx (Part II)

Aaaaaaand we’re back!
Right, so we’ll kick off from the last post, where we’d gotten the basic stuff up and running. The next thing to do was to secure the server with SSL. This was necessary because it was necessary to bulletproof some parts of the system,specifically the API endpoint. A hypothetical attacker could seek to compromise the API-bound authentication process by performing a man-in-the-middle (MITM) attack where he’d/she’d have a machine pretend to be the auth server, and would configure the fake machine to respond favorably to any tag of their choice, and possibly even deny other tags. With SSL, the client would be able to verify the identity of the remote auth server, which would be a huge plus. Note that there are other ways of attacking such a system, but I will not enumerate them here.
This scenario naturally provided two salient points: one, the API endpoint absolutely needs SSL. It then stood to reason that (at least initially) the API endpoint would need to be conf…