I’ve just installed backendless standalone server via bitnami.com on my aws account. Surprisingly noticed that anyone can register a new(admin) account and manage its own app with my server! how can i disable the registration form? Is there somewhere a documentation what needs to be done to secure the server? Also , I can find a lot of resources for the sdks on different platforms but no documentation for the standalone server? Feeling a little bit lost here… or did i search at the wrong places?
Hi Philip,
Basically, you just need to restrict the access to the console port, which is 8080 by default. This way the users will be able to use the API on 9000 port (or any else you confiure), but won’t be able to even see the developer’s console, and thus to register.
Hi Sergey!
Thanks for the quick response! Seems that the bitnami instance is configured to port 80 on both the api and console 
i tried to change the console and server port by modifying the entries in the backendless.config file like:
<server>
<ipHeader>X-Real-IP</ipHeader>
<httpAddress>http://api.myserver.com:9000/api</httpAddress>
...
but this won’t work - my app tells me it doesn’t find the server after i changed the entries.
any ideas which configs i have to change additionally to make this work?
I’m of the opinion it should be not possible to create new accounts without having the owner credentials/being invited.
If you need to add collaborators you can do so via backendless console (send an invitation email).
if you set up a new server anyone can register a new account for his own app (like you can register on backendless.com) by clicking on “register” at the login form. i actually don’t understand why this option is available. Normally if i setup a standalone version i don’t want anyone to create accounts for backends except i want to earn money to provide this service (which would need another license fro backendless)…so this seems a little bit strange to me…
You mentioned right - of course this doesn’t mean you can login/register for the app the i created with my password- this would need to send the invitation mail…but you or anyone who has the ip of the server can create his own app…
Philip,
The majority of customers who run Standalone Backendless use it on internal networks which are not exposed to the public internet. Disabling that option is definitely possible by making a change in Apache configuration. We will simplify it in the future so you can disable it in an intuitive manner. Meanwhile, I will get the instructions from our sysadmin team on what configuration change is required to disable registration.
Regards,
Mark
Hi Mark!
thanks for your answer!
After the “Parse disaster” we thought a lot about what model/service we should do this time…The main question was: how can we reduce risk(services shutting down), reduce cost(we are a startup) and avoid time wasting (develop our own backend).
Our approach is now to setup the own free “standalone version” on one aws instance and when the time comes (which is hopefully soon), switch to a bigger license package of backendless to scale our app/backend. We think this would be the best option at the moment to have enough control over our backend and avoid the same scenario we are experiencing now with parse. (By the way do you have any price list for the multi-server licenses?)
Back to the question: anything new on this here? Today i reinstalled the bitnami version on my aws account and noticed that they have changed the port… so the solution sergey pointed out works now!
Nevertheless it should be possible to disable the “register account” function on the login screen 
regards
Philip
“Nevertheless it should be possible to disable the “register account” function on the login screen :-)”
I strongly agree!
Maybe add a button to Flightcontrol or something?
Hi Phillip,
The option to disable registration is on the roadmap. We will make it easier to disable it.
The plan you described seems reasonable. Please keep in mind that the Standalone releases lag behind the main production site. Also, the updates (for now) would need to be handled manually by patching the server with the bits we’ll be releasing.
As for pricing, please contact sales@backendless.com.
Regards,
Mark
Hi Mark,
I would like to ask you, if is there any news regarding this topic ?
Many thanks in advance
Josef
Hi Josef,
We have not implemented it yet. There is a backlog of support fixes and features we working through.
Regards,
Mark
Hi Mark,
many thanks for quick reply ! I got it. But may I ask you for temporary solution as you mentioned here "Disabling that option is definitely possible by making a change in Apache configuration. "
Is it possible to give us short guide how to proceed it in Apache ?
Many thanks in advance !
Josef
Hi Josef,
I will check with the dev team for specific instructions and will let you know.
Mark
Hi Mark,
I really appreciate your help ! Will be waiting.
Many thanks again
Josef
Hi Josef!
To configure authenticated access to registration page you should:
1). in file httpd-app.conf ( located in /Applications/backendless-3.0.0-16/apps/backendless/conf )
add following section:
RewriteRule ^/registration$ /registration/ [R]
<Location /registration/ >
AuthType Basic
AuthName "Register form authentication"
AuthUserFile "/Applications/backendless-3.0.0-16/apps/backendless/htdocs/conf/.htpasswd"
Require valid-user
</Location>
2). in folder /Applications/backendless-3.0.0-16/apps/backendless/htdocs/conf
add document .htpasswd with line like this (user and encoded password):
user@example.com:$apr1$miCQyMza$41EzDZj6EKwI3fRy9jPTE0
Additional information you can find here:
https://wiki.bitnami.com/Components/Apache#How_to_create_a_password_to_protect_access_to_apache.3f
Hope it will help.
Regards,
Kate.
Hi Kate / Mark,
I would like to say a BIG thanks for your guideline ! I think this will appreciate many people here !
Thanks
Josef