- Apr 25, 2015
So, apparently some forms when inspected that utilize Heroku will display "cowboy", then via "vegur" so I was like wtf is this?
Vegur (superuser.com):
What is vegur appearing in HTTP headers?
On some websites there are the following headers which contain vegur, e.g. Via: 1.1 vegur In here (check the headers) and also in that post. I've tried to look for it, but I couldn't find it. Is...
It's a Heroku proxy/load-balancer adding the Via header.
Heroku's proxy library based on a forked Cowboy frontend (Cowboyku). This library handles proxying in Heroku's routing stack.
Looks like Vegur is open source (not sure when they open sourced it, but commits go back to 2013): github.com/heroku/vegur
So, ultimately it looks like Heroku forked cowboy:
GitHub - ninenines/cowboy: Small, fast, modern HTTP server for Erlang/OTP. (https://github.com/ninenines/cowboy)
Which they forked over to https://github.com/heroku/cowboyku
Also, they proxy their server - think NGINX and NGINX Reverse Proxy? https://github.com/heroku/vegur
So basically the web server is called Cowboy (like Apache), then their proxy is Vegur (think NGINX reverse proxy).
For a full-blown summary of Heroku's Vegur, just read their blog https://blog.heroku.com/vegur-free-software
As mentioned in one of my last postings about email spamming due to insufficient (no) rate limiting; https://ciphers.pw/threads/email-sp...setup-for-email-confirmation.9261/#post-77240 - we can also immediately realize that people using Heroku seemingly just want to develop a project quickly and may easily overlook security similar to when everyone started making PHP file uploading and image uploading scripts. If you just uploaded a PHP file to a PHP uploading script and could execute, you just "shelled a box" that easy.
In this case, the exploitation seems more along the lines of bad (or no) rate limiting, allowing for service abuse. Not as critical as "shelling boxes" but still sloppy.
I am curious to further inspect typical Heroku stack deployments to assess their overall stability and posture in terms of security.
Lunch break is almost over - getting food.
There are a few negatives to using Heroku that I can see - ultimately you still need to tie back into their enterprise platform when using all features; this drains the enterprise-ish features from being self-hosted and forces you into a life of their hosted APIs, thus centralizing your app deployment.
If you are in search of alternatives:
- https://caprover.com/ - kinda neat
- http://dokku.viewdocs.io/dokku/getting-started/installation/ - seems okay
- https://convox.com/pricing - looks pretty awesome, a single developer gets most functionality but there is pro pricing supposedly for a nicer UI (dashboard), more users in the dash, and such
"Heroku is a container-based cloud Platform as a Service (PaaS)", just a fancy way to have everything managed for you. Makes it easier for a developer to just focus on the app and have to worry less about everything else (platform). I would suspect in a deployment you may typically find less IT staff, less security staff, and such. While this could be a generalization or stereotype - this is my gut instinct that when someone is using Heroku, they are likely cutting corners. To me this feels similar to when an app developer chooses to go 100% the framework route to save cycles on code development by dropping in modules/libraries/templated code - it speeds up dev but can also hinder optimization (performance). Think RAM-heavy apps or apps that make high use of CPU utilization for no apparent reason. This is ugly crap, and this is likely the future.
So just watch out for dev laziness coming to town - it is all over the place, lol.. people like easy and Heroku makes it easier for a developer to not require IT security, IT infrastructure, and more. This is the 1-click-go solution for a developer to go from a team of 10 guys down to 1 person to say "I run all the IT here, we use PaaS."
This blog hits the nail on the head: http://sleekrule.blogspot.com/2015/11/why-paas-sucks.html
If you want full control and care to manage your own containers 100%, then IaaS makes more sense. PaaS just adds middle-men somewhere typically (think Heroku APIs and such). It might make everything work together easier but at the expense of providing full control of your own stuff. Not end of the world, just not practical if you want to truly own something in entirety. This is why whenever I find Heroku apps, somewhere I see calls to Heroku servers usually.
</rant>
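The "bad (or no) rate limiting, allowing for service abuse" point above is the one concrete security defect in the post, so here is an added example (not code from the post, from Heroku, or from the linked thread) showing what the fix looks like on an email-confirmation endpoint. The limiter, the mailer wrapper, the client addresses and mailbox are all constructed for illustration; the window and limit values are assumptions, not anything the post specifies. It keeps a sliding window of timestamps per key and limits on two keys at once, the requesting client and the target mailbox, because limiting on only one of them leaves the other abuse pattern open.

```python
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_seconds` for each key.

    Keys are whatever you want to bound: a client IP, an account, a mailbox.
    The clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events = {}  # key -> deque of event timestamps inside the window

    def allow(self, key):
        now = self.clock()
        events = self._events.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class ManualClock:
    """Constructed test clock so the example runs offline and deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class ConfirmationMailer:
    """Email-confirmation endpoint; with no limiters it behaves like the sloppy apps in the post."""

    def __init__(self, per_ip_limiter=None, per_mailbox_limiter=None):
        self.per_ip = per_ip_limiter
        self.per_mailbox = per_mailbox_limiter
        self.outbox = []   # (client_ip, email) pairs that would actually be sent
        self.rejected = 0

    def request_confirmation(self, client_ip, email):
        # Behind a reverse proxy such as Vegur the socket peer is the proxy, so
        # `client_ip` must be the client address the trusted proxy forwards, not
        # the TCP peer; that lookup is outside this example.
        if self.per_ip is not None and not self.per_ip.allow(("ip", client_ip)):
            self.rejected += 1
            return False
        if self.per_mailbox is not None and not self.per_mailbox.allow(("mailbox", email.lower())):
            self.rejected += 1
            return False
        self.outbox.append((client_ip, email))
        return True


def simulate(mailer, attempts, client_ip="198.51.100.7", email="victim@example.org"):
    """Fire `attempts` requests from one client at one mailbox; return cumulative (sent, rejected)."""
    for _ in range(attempts):
        mailer.request_confirmation(client_ip, email)
    return len(mailer.outbox), mailer.rejected


def demo():
    clock = ManualClock()
    results = {}

    # 1. No limiter: every request sends a mail.
    results["unlimited"] = simulate(ConfirmationMailer(), 50)

    # 2. Limited: 3 confirmations per 10 minutes per client and per mailbox (assumed values).
    limited = ConfirmationMailer(
        per_ip_limiter=SlidingWindowLimiter(3, 600, clock),
        per_mailbox_limiter=SlidingWindowLimiter(3, 600, clock),
    )
    results["limited_one_ip"] = simulate(limited, 50)

    # 3. Once the window has elapsed the same client may send again.
    clock.advance(600)
    results["limited_after_window"] = simulate(limited, 50)

    # 4. Many clients against one mailbox: the per-mailbox key is what stops this.
    many = ConfirmationMailer(
        per_ip_limiter=SlidingWindowLimiter(3, 600, clock),
        per_mailbox_limiter=SlidingWindowLimiter(3, 600, clock),
    )
    for i in range(10):
        many.request_confirmation(f"203.0.113.{i}", "victim@example.org")
    results["limited_many_ips"] = (len(many.outbox), many.rejected)
    return results


if __name__ == "__main__":
    for name, (sent, rejected) in demo().items():
        print(f"{name}: sent={sent} rejected={rejected}")
```

The in-memory deque is per process; a real Heroku app runs several dynos, so the same logic needs a shared store (a Redis sorted set is the usual choice) or each dyno enforces only its own share of the limit. The per-mailbox key is the important one for the email-spam case: a per-IP limit alone is trivially spread across many source addresses, while the mailbox owner only ever needs a handful of confirmation mails.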