AWS to host PostgreSQL
Bastiaan Olij
Bastiaan.Olij at instinctsystems.com.au
Tue Jan 1 16:33:57 EST 2019
Hi Alan,
We've worked like this for the past 7 or 8 years. We have one server with AWS and several other physical servers at data centres around Australia. Clients install Omnis as a desktop application. They still complain they want a browser solution even though there are as many cons as pros to that (and most of the pros don't really apply with software you only use in the office while behind your desk) but c'est la vie.
Filtering on IPs definitely gives some protection but it is far from a reliable option. A skilled hacker can get around that not to mention that a compromised router at one of your clients will expose you. Not a reason to not filter on IPs if your clients do use fixed IP ranges, it is one more hurdle that stops the less skilled hackers. We don't btw, too many of our clients are on dynamic IPs and some travel and access our system internationally.
Strong passwords are a must, besides the normal rules about characters and lengths we've added this service into our system when users choose passwords: https://haveibeenpwned.com/Passwords
It's a safe way to check whether the chosen password has been found in data breaches, the more hits it has, the more likely that password will be on brute force lists.
Doug posted an interesting suggestion a while ago to not use the password as given by the user but use a hashing algorithm, making even badly chosen passwords a lot harder to crack.
That all said, you mention you're not using SSL? If so then yes, you're at great risk: anyone spoofing your internet traffic can see all they need to see to wiggle their way into your system. Setting up Postgres to use SSL certificates is not hard. Even a self-signed certificate at least allows you to encrypt the traffic between client and server, but you'll need a more proper certificate if you also want to check the identity of your server and protect yourself from a Man In The Middle attack (google MITM).
The problem with SSL is on the Omnis side. Due to the licensing requirement at the time, Omnis does not provide OpenSSL capable copies of the libpq library. OpenSSL is now Apache licensed so it shouldn't be a problem anymore, but you'll have to source the needed files from somewhere else. I take them from the pgAdmin copy installed along with a copy of Postgres; it tends to have up-to-date versions.
There is some good information about it here: https://omnis.net/technotes/tnsq0031.jsp
Kindest Regards,
Bastiaan Olij
Head of development - Instinct Systems: The JobBag People
Ground Floor, 48 Chandos Street
St Leonards NSW 2065
Australia
Phone +61 2 8115 8000
Mobile +61 4 321 44833
bastiaan.olij at instinctsystems.com.au
http://www.jobbag.com
From: Alan Grinberg <omnis at alangrinberg.com>
To: OmnisDev List - English <omnisdev-en at lists.omnis-dev.com>
Sent: 1/2/2019 7:40 AM
Subject: AWS to host PostgreSQL
Happy New Year to Everyone!
We have converted our program to SQL using Omnis Studio 8.
We have been considering different distribution scenarios, and have been playing around with Amazon Web Services (AWS) hosting a Postgres database, and installing the Omnis/Library application on the user's computer. This gives the user a full desktop experience and it is easy for us to maintain the back end. It looks like this will work well for us and many of our customers.
I have 2 questions/requests for comments.
1. Is anyone else doing this? Are there pitfalls for going down this path? Are there better ways of distribution?
2. To provide security, we have been controlling access to the db using IP addresses. If the user has a fixed IP, this works nicely. Are there serious security issues with relying on this method? I suppose the data is passing over the internet unencrypted, including access credentials. A problem?
One problem we have run into is that if a customer has a dynamic IP, they cannot connect.
That has led us into looking into using a VPN (as AWS says - VPC - Virtual Private Cloud). There are AWS tools for this, as well as 3rd party tools (https://openvpn.net/, etc). These look quite complicated to set up. Any opinions on this solution? Is anyone here using the VPC tools on AWS (or other) to control cloud DB access?
Thanks for any input!
Regards,
Alan
----------------------------------------------------
Alan Grinberg
AG Systems/ZOO-INK
San Francisco, CA
www.zoo-ink.com
www.perfectfit.net
alan at perfectfit.net
----------------------------------------------------