Security appliance passthru?

h0n3ym4k · June 17, 2019, 2:45am

Hi guys,
I am new here and new to tus. Just wondering if tus is capable of passing through security appliance, e.g. WAF, IPS or else?..I mean…em…security appliances used to treat partial HTTP requests as attack and things like slowloris…so is there any mechanism in tus that has a thought of that?
Nice day.

marius · June 17, 2019, 7:47am

Hi there, welcome to the tus community!

I don’t have much experience with WAF or similar but what would be necessary from tus’ side to work properly with security appliances? Is it not possible to configure the firewall to let tus traffic through?

Kind regards,
Marius

h0n3ym4k · June 17, 2019, 8:07am

then how to label tus traffic? i mean if tus has any specific design/tag or something like that so the appliance can recognize?

marius · June 17, 2019, 8:27am

There are three basic ways how you can label tus traffic:

Match the traffic by destination URL (e.g. if your tus server lives as example.com/files/, you can mark traffic going to example.com/files/ as tus).
Every tus request and response must contain the Tus-Resumable header.
Every tus request with upload data (i.e. a partial upload) must contain the “Content-Type: application/octet-stream+offset” header.

h0n3ym4k · June 17, 2019, 10:03am

hm…but is it possible to make-up a request using these?..
i mean if i write a sloworis attack using these header values…hm…will i be still successful?..

marius · June 19, 2019, 11:38pm

Yes, those headers can also be faked, as can happen for any HTTP request. Frankly, I am not sure what solution you are looking for? I haven’t worked a lot with WAF, so maybe you can describe how other API services are usually solving these problems.

h0n3ym4k · June 20, 2019, 12:25am

hm…i mean tus is great because it can ‘resume’…just ‘attacks’ are bad that they trigger like ‘resume’…just wondering if i can have something best of both worlds…because big websites are always under attack…and those websites would like to have upload functions…hm…

marius · June 20, 2019, 2:02pm

I can understand that you want to secure your servers. However, I believe that this is not a tus-specific problem but something that every upload server has to deal with. Do you know how other upload servers are dealing with their firewalls?

h0n3ym4k · June 21, 2019, 12:35am

hm…i don’t know much about ‘specifics’…the options in my mind is just ‘drop’ or ‘allow’…that’s why i don’t know how to figure out ‘fake’ or ‘dirty’ attacks…hm…

marius · June 24, 2019, 11:26am

I can’t help you with setting up your firewall, that’s up to you. Maybe you want to get in touch with your firewall supplier and talk to them about what’s the best solution. Or maybe you want to use IP rate limiting to detect attacks.

launchpad · January 31, 2022, 1:19pm

@h0n3ym4k I am just curious what authentication mechanism you have on top of the tus protocol? And if they can help you secure the server?

Topic		Replies	Views
Authentication for accessing files Tus	1	2242	November 13, 2018
New Open Source TUS implementation Tus	1	1384	January 9, 2022
TUS plugin seems to ignore end point with https (sends to http instead) Uppy	5	2342	March 7, 2020
Security Extension Tus	5	997	February 16, 2022
The tus.io/demo does not meet the protocol specification Tus	3	926	February 10, 2021

Security appliance passthru?

Related Topics