Hello,
I’m building a Flash application using a three-tier environment and Amazon Web Services (EC2) for hosting. I have three server instances of Ubuntu; let’s call them Server A, Server B and Server C. Server A hosts my Flash application with Apache and thus is the presentation tier. Server B contains the AMFPHP files and web services and is hosted on its own Apache server. Since this is a three-tier environment, Server A is open to all HTTP requests from the internet. However, Server B is behind a firewall and is set to only accept HTTP requests from Server A. This provides protection for my application since the web services are not accessible outside of the network. But… there is a problem.
While tailing the apache2 access log on Server B, I ran a curl command from Server A to view the crossdomain.xml file on Server B. I was able to view the contents of the XML file without any problems. Moreover, the log indicated a GET request from the IP address of Server A. At this point, everything looks good so far. Now, in my browser, I go to the Flash file on Server A. As it loads, it sends a GET request to Server B. However, looking in the Apache log file, the GET request is coming from my computer’s IP, NOT the IP of Server A. Since Server B is behind a firewall, which is blocking my computer’s IP, Flash is NOT able to read the crossdomain.xml file on Server B. This means I would have to put Server B outside of the firewall in order to send any requests from Server A to Server B, which defeats the whole point of three-tier architecture. By doing this, I open myself to all sorts of security issues.
I must be missing something fundamental here. Does anyone have information on how to properly set up a three-tier architecture with Flash? I am very hesitant to allow Server B to be open for others to connect to. Thanks in advance!
Regards,
Will