https://ankitmaurya.pages.dev/tags/infrastructure/ Recent content in Infrastructure on Ankit Maurya Hugo en Thu, 20 Jun 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/blog/securing-cloud-infrastructure/ Thu, 20 Jun 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/blog/securing-cloud-infrastructure/ <p>Cloud security is often viewed as complex, but fundamental practices can dramatically improve your security posture. Here&rsquo;s what I&rsquo;ve learned from building secure cloud architectures.</p> <h2 id="identity--access-management">Identity &amp; Access Management</h2> <p>The foundation of cloud security starts with IAM. Too many organizations grant broad permissions &ldquo;for convenience&rdquo; which creates significant risk.</p> <h3 id="least-privilege-principle">Least Privilege Principle</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Version&#34;</span><span class="p">:</span> <span class="s2">&#34;2012-10-17&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Statement&#34;</span><span class="p">:</span> <span class="p">[{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Effect&#34;</span><span class="p">:</span> <span class="s2">&#34;Allow&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Action&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;s3:GetObject&#34;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Resource&#34;</span><span class="p">:</span> <span class="s2">&#34;arn:aws:s3:::my-bucket/*&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Condition&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;IpAddress&#34;</span><span class="p">:</span> <span class="p">{</span><span class="nt">&#34;aws:SourceIp&#34;</span><span class="p">:</span> <span class="s2">&#34;10.0.0.0/8&#34;</span><span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}]</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>This policy only allows GetObject from the internal network range, not from anywhere else.</p> https://ankitmaurya.pages.dev/projects/cloudflare-tunnel/ Mon, 20 May 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/projects/cloudflare-tunnel/ <p>A comprehensive guide to exposing self-hosted services securely using Cloudflare Tunnel and Nginx reverse proxy.</p> <h2 id="why-this-setup">Why This Setup?</h2> <ul> <li>No need to open ports on your firewall</li> <li>Automatic SSL/TLS encryption</li> <li>DDoS protection from Cloudflare</li> <li>Access control via Cloudflare Access</li> </ul> <h2 id="architecture-overview">Architecture Overview</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">User --&gt; Cloudflare --&gt; Tunnel --&gt; Nginx --&gt; Service </span></span></code></pre></div><h2 id="configuration-steps">Configuration Steps</h2> <ol> <li>Create a Cloudflare account and add your domain</li> <li>Install cloudflared on your server</li> <li>Configure the tunnel with your services</li> <li>Set up Nginx as a reverse proxy</li> <li>Configure SSL certificates</li> </ol> <h2 id="nginx-configuration">Nginx Configuration</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server_name</span> <span class="s">service.example.com</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_certificate</span> <span class="s">/etc/ssl/certs/cert.pem</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_certificate_key</span> <span class="s">/etc/ssl/private/key.pem</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">location</span> <span class="s">/</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">http://localhost:8080</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><h2 id="security-considerations">Security Considerations</h2> <ul> <li>Enable authenticated origin pulls</li> <li>Use Cloudflare Access for sensitive services</li> <li>Implement rate limiting</li> <li>Log all access attempts</li> </ul>