Oberhauser Global Launch - The Technical Highlights

Oberhauser Global was launched as an umbrella organization for Networld and other initiatives. This triggered a set of security improvements and internal changes. This article outlines the technical highlights.

As part of this launch, Networld officially becomes the technical arm of Oberhauser Global, supporting the other initiatives, projects and companies under the Oberhauser Global umbrella.

Improved static website hosting

Nearly all public-facing websites that either consist of static content or can be generated with a static site generator are now hosted on Cloudflare Pages, migrated from GitHub and GitLab Pages.

This change was made for the following reasons.

  • Source code of these pages can be hosted in a private GitHub or GitLab repository
  • Comes with preview deployments to a subdomain of pages.dev, automatically deployed from feature branches
  • Protection of preview deployments via Cloudflare Access, see the section below on the increased security configuration
  • DDoS protection, other security features and page hosting at the same provider
  • Global CDN from the market leader
  • A single point of management across websites whose source code is hosted on GitLab and GitHub
  • All TLS certificates are valid and signed by a trusted certificate authority (CA), see the Cloudflare configuration below.

Cloudflare Full TLS

Cloudflare and Google Workspace integration

Google Workspace was integrated as the identity provider for Cloudflare Access so that Oberhauser Global members can access internal resources.

This change was made for the following reasons.

  • Single identity for all internal services
  • Central management of all members, across all internal services
  • Leveraging the additional security functionality of Google Workspace, such as two-factor authentication with hardware tokens and improved monitoring, and enforcing enrollment of members in the Google Advanced Protection Program.

Increased security for on-premise hosting

As outlined previously in Hosting This Website - The Hard Way, the on-premise website hosting is proxied via Cloudflare. The security between Cloudflare and the on-premise reverse proxy was improved by enforcing mTLS (mutual TLS): each request from Cloudflare is authenticated with a client TLS certificate, and requests without one fail. This further increases security by restricting origin access to authorized clients only.

The hosting architecture below was updated accordingly.
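As an added example (not the page's or Networld's own configuration), the mTLS requirement described above can be expressed in an nginx reverse proxy as follows. It assumes nginx is the on-premise reverse proxy; the hostname, file paths and upstream address are placeholders, and the CA bundle is the certificate authority that issues the client certificates Cloudflare presents to the origin. The security-relevant difference is `ssl_verify_client on`: with nginx's default (`off`), any client that can reach the origin directly, bypassing Cloudflare, would be served.

```nginx
# Added example: nginx server block that only serves requests presenting a
# client certificate issued by the expected CA (mTLS). Hostname, paths and
# upstream are placeholders, not values from the original page.
server {
    listen 443 ssl http2;
    server_name example.org;   # placeholder hostname

    # Server certificate presented to Cloudflare (placeholder paths)
    ssl_certificate     /etc/nginx/tls/origin.crt;
    ssl_certificate_key /etc/nginx/tls/origin.key;

    # CA that signs the client certificates the proxy provider presents.
    # With ssl_verify_client on, a request without a certificate chaining
    # to this CA is rejected by nginx with 400 "No required SSL certificate
    # was sent" before it ever reaches the upstream application.
    ssl_client_certificate /etc/nginx/tls/cloudflare-origin-pull-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;

    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Defensive double check: if ssl_verify_client is ever relaxed to
        # "optional", unverified clients still get a 403 instead of content.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        # Forward the verification result so the application can log it.
        proxy_set_header X-Client-Verify $ssl_client_verify;
    }
}
```

Validate the file with `nginx -t` before reloading. To confirm the setting, an `openssl s_client -connect example.org:443` session without a client certificate should receive the 400 response, while the same call with `-cert`/`-key` pointing at a certificate issued by the configured CA should be served; both results belong in the monitoring that watches the origin, since a sudden stream of 400s usually means a certificate rotation was missed.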

Hosting Architecture

Securing all the internal as well as public-facing resources is an ongoing effort, and it is important to keep on top of it. By decreasing the attack surface and leveraging available services this task becomes more manageable.

Author

Alex Oberhauser

Alex Oberhauser is a tech-entrepreneur, innovator and former C-level executive. He is currently working on user controlled identities and the empowerment of the end-users, with privacy and security as part of the value proposition, not as an afterthought.