I have Stripe successfully working in a framework of:
mydomain,
mydomain: call to stripe
a) stripe: redirecttocheckout
b) mydomain: success, or
c) mydomain: cancel
Problem:
If I set up another domain with a single landing page / containing an iframe embedding mydomain or using httpaccess, everything works fine up to the point of a), b) or c),
i.e. a) redirecttocheckout loads stripe as the main URL, and b) or c) have to have the URLs hardcoded. NB: there could be multiple other domains, so hardcoding each entry into the success or cancel is not an option.
i.e.

| steps | processing | address bar |
|---|---|---|
| otherdomain | load mydomain into iframe | otherdomain |
| mydomain | various | otherdomain |
| mydomain | call to stripe | otherdomain |
| stripe | redirecttocheckout | stripe |
| mydomain | success | mydomain |
| mydomain | cancel | mydomain |
whereas what I would like:

| steps | processing | address bar |
|---|---|---|
| otherdomain | load mydomain into iframe | otherdomain |
| mydomain | various | otherdomain |
| mydomain | call to stripe | otherdomain |
| stripe | redirecttocheckout | otherdomain or stripe |
| mydomain | success | otherdomain |
| mydomain | cancel | otherdomain |
1)
If I embed the stripe components into a mydomain.iframe, I thought that the redirecttocheckout, success or cancel calls would only post into the iframe and I could manage with that.
However, that doesn't appear to be the case, as they redirect the main URL and are not restricted to the iframe.
2)
As a worst case I can carry the 'otherdomain' as a passed parameter and then in the success and cancel pages redirect to the otherdomain, but that would be fairly messy.
I guess the question here is: is option 1) above correct in terms of stripe always redirecting the main page vs the iframe, and secondly, is there any other option other than option 2 to consider?
Thanks. M
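Option 2 in the question makes the success and cancel pages redirect to whatever origin arrives in a parameter, so that value has to be checked against the known embedding domains before it is used. An added example (not part of the original post); the allowlist entries, the fallback URL and the `checkout` query name are all assumptions:

```javascript
// Constructed allowlist: the origins permitted to embed mydomain (assumed values).
const ALLOWED_PARENT_ORIGINS = new Set([
  'https://otherdomain.example',
  'https://partner-two.example',
]);

// Return the normalized origin if `candidate` is an allowlisted https origin, else null.
function safeParentOrigin(candidate, allowed = ALLOWED_PARENT_ORIGINS) {
  if (typeof candidate !== 'string') return null;
  let url;
  try {
    url = new URL(candidate); // throws on relative or scheme-less input such as //host
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;
  // Userinfo changes which host is contacted (https://allowed@other-host), so refuse it.
  if (url.username || url.password) return null;
  // Compare the parsed origin, never a substring or prefix of the raw string.
  return allowed.has(url.origin) ? url.origin : null;
}

// Build the redirect target used by the success/cancel page on mydomain.
// Only the origin is taken from the parameter; path and query are set here.
function returnTarget(parentParam, outcome, fallback = 'https://mydomain.example/') {
  const origin = safeParentOrigin(parentParam);
  if (!origin) return fallback;
  const target = new URL('/', origin);
  target.searchParams.set('checkout', outcome === 'success' ? 'success' : 'cancel');
  return target.href;
}
```

Binding the parameter to the server-side checkout session, rather than trusting it again when it comes back on the success URL, keeps it from being swapped between the two steps.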
Related
I've tried to put an Application Gateway V2 before my website to have some kind of security through the WAF for my website.
The normal way: Listener - Http Setting - Backendpool kind of performs the job perfectly.
However when I try to add my CNAME's to the app gateway I get some issues.
Listener - (multi-site) - cname-website.com
http setting
override backend path: /randompath
override backend hostname: Pick host name from backend target
Backendpool: FQDN of my website (no Azure web app) website.com
As I navigate to my cname-website.com my browser does show me the page of the path.
However some css scripts and pictures are not coming through.
The error messages point out that the browser is trying to navigate to cname-website.com/assets/img/logo.svg. The developers have mentioned that this is normal, as these css scripts and images have relative paths and should work with every hostname. But somehow the browser is not showing them.
However, when I try to navigate to the backend pool myself (website.com/assets/img/logo.svg), it seems that the logo can be captured (this is also the case for each css script error).
In some way the override hostname does not use the backendpool as the new hostname, but kind of sticks with cname-website.com.
Anyone who had this kind of problem or knows what I have done wrong ?
I have an application which is accessed via HTTPS, but is "reverse proxied" to the server using plain HTTP. It is set up on AWS as follows:
[BROWSER] --(https)--> [ELB] --(http)--> [SERVER]
Everything works fine except when a page is being accessed by an unauthenticated user, the server responds with a HTTP 302 redirect using the whole protocol://server/path string. Like so:
Location: http://my.server.com/Account/Login?ReturnUrl=%2F
The problem is, it specifies HTTP as the protocol (presumably because it is being connected to by the ELB using HTTP). So the browser redirects the request using HTTP and now an error occurs. Is there a way to customize the redirect such that it redirects using just the path, so regardless of protocol or hostname, it is redirected properly? Like so:
Location: /Account/Login?ReturnUrl=%2F
If this is not advisable, what can be done?
(note: I've checked other solutions posted on SO. All I've seen so far involve customizing the Path, not removing the protocol://hostname)
My production setup is as follows:
M1 – ASP.NET Website
M2 - IIS URL Rewrite 2.0 + ARR 3.0
Using IIS URL Rewrite, any request to M2, say http://m2/app/login.aspx will be redirected to M1 as http://m1/app/login.aspx.
On M1, ASP.NET Open Auth has been implemented on the website to use Google external authentication. When user clicks the Google button, the browser will be redirected to the Google login page to allow the user to authenticate.
But when the website is accessed from M2, the redirection url generated by .net oAuth(https://accounts.google.com/[query-string]) to redirect to Google, is being replaced by URL Rewrite as http://m2/[query-string].
So just to be clear; when the request is made to authenticate via an external authentication provider a 302 redirect is returned. Often the form of this may look like:
Response Headers:
...
Location: https://accounts.google.com/o/oauth2/auth?big_long_query_string
...
This redirect is created by a server (M1) that sits behind the proxy server (M2 - IIS URL Rewrite 2.0 + ARR 3.0). So the rewrite server rewrites the Location header to:
Response Headers:
...
Location: http://M1/o/oauth2/auth?big_long_query_string
...
What we need is a rule that does not rewrite the location URL on redirection. It can only target certain redirects as well. Most of the time the behaviour mentioned here is wanted as all redirects are redirected to the main proxy server. Can someone suggest a solution or workaround for certain redirects?
Check out the Application Request Routing settings under IIS > [SERVER] > Application Request Routing, and on the Actions side bar, Server Proxy Settings > Reverse rewrite host in response headers. For the behavior you desire, uncheck the checkbox. That's a server-level setting, use responsibly.
You can also edit %WinDir%\System32\Inetsrv\Config\applicationHost.config. Basically insert/update the following line in the file between <system.webServer> tags.
<proxy enabled="true" reverseRewriteHostInResponseHeaders="false" />
I would assume this setting to be available per site too, but my attempts on web.config files for proxy settings didn't confirm that.
I was able to solve the same issue with an outbound rule in IIS. So you have to create an outbound rule in IIS in the URL Rewrite module to modify the Location header. You have to check for the 302 status header as a condition and provide the match URL and action URL for the Location header. Below are the steps from the referred article.
Modifying Location Header with IIS URL Rewrite
Go to the URL Rewrite feature for your site and click Add Rule(s)…
Select from the Precondition drop-down.
Click Add in the dialog that appears
Enter {RESPONSE_STATUS} in the Condition input field and 3[0-9][0-9] in the pattern field.
Click OK.
Select Server Variable from the Matching scope drop-down.
Enter RESPONSE_Location as the Variable name.
In the Pattern field enter a regex to match the URLs your backend system is producing (e.g. http://local/page)
In the Action Value box enter the correct URL (e.g. http://example.com/page)
Click Apply and you're done!
Reference: Handling 301 and 302 redirects with IIS 7 URL Rewrite
Check out global.asax. it is a HTTPModule. All requests go through this file and other modules before they reach your page handlers. Use this to perform certain tasks on your request or response, like url routing, global error handling etc. This file is used to implement application and session level events, such as:
Application_Init - fired when an application first initializes
Application_Start - fired when the application first starts
Application_End - the final event fired when the application ends or times out
Session_Start - fired the first time a user’s session is started
Application_BeginRequest - fired with each new request
Application_EndRequest - fired when the application ends
Application_AuthenticateRequest - the event indicates that a request is ready to be authenticated.
Application_Error - fired when an unhandled error occurs within the application
Session_End - fired whenever a single user Session ends or times out.
I have noticed that GET requests for nonexistent paths don't return a 404 response. Instead, the client gets a "200 Ok", AngularJS renders the main view, and rewrites the path to /. A request for a nonsense URI is logged as successful in the server logs. If I understand correctly, the problem is that since AngularJS handles routing, the server has to accept a GET request for any URI and always respond by serving the client side of the app ("200 Ok" or "304 Not Modified").
For example, using the project scaffolded by the angular-fullstack Yeoman generator, requesting a nonexistent /unicorn goes like this:
GET /unicorn 200 31ms - 3.29kb
GET /partials/main 304 36ms
GET /api/awesomeThings 304 5ms
The Express route that handles the request looks like this:
// server, last route:
app.get('*', controllers.index);
// controllers:
exports.index = function(req, res) {
  res.render('index');
};
and index.jade is the root of the whole client side of the app.
After a quick look at the server side code of other AngularJS / Express projects on Github (AngularJS Express seed, AngularJS login), I see that this is a common pattern. I am wondering if there is a better way to handle requests for nonexistent paths, so that the client gets a real HTTP 404 response?
The angular documentation has a section about the routing. Also, this question and this question have some information that pertains to IIS but could easily be adapted to express.
Html link rewriting
When you use HTML5 history API mode, you will need different links in different browsers, but all you have to do is specify regular URL links, such as: link
When a user clicks on this link,
In a legacy browser, the URL changes to /index.html#!/some?foo=bar
In a modern browser, the URL changes to /some?foo=bar
In cases like the following, links are not rewritten; instead, the browser will perform a full page reload to the original link.
Links that contain target element
Example: link
Absolute links that go to a different domain
Example: link
Links starting with '/' that lead to a different base path when base is defined
Example: link
When running Angular in the root of a domain, along side perhaps a normal application in the same directory, the "otherwise" route handler will try to handle all the URLs, including ones that map to static files.
To prevent this, you can set your base href for the app to <base href="."> and then prefix links to URLs that should be handled with .. Now, links to locations, which are not to be routed by Angular, are not prefixed with . and will not be intercepted by the otherwise rule in your $routeProvider.
Server side
Using this mode requires URL rewriting on server side, basically you have to rewrite all your links to entry point of your application (e.g. index.html)
You can use the $route.otherwise() function in order to decide what to do with undefined routes.
If you still want to show a 404 message, you could simply set a /404.html route both in this function and in express.
This is actually express handling routing--not angular. Remove the app.get('*', ... that you found to disable that.
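One way to keep the catch-all route while still returning a real 404, so that requests for nonsense URIs stop being logged as successful: the server keeps its own list of the client-side routes and sets the status from it. This is an added example, not code from the question or the answers; the route list and the `serveIndex` name are assumptions, and the list has to be kept in step with the `$routeProvider` configuration.

```javascript
// Constructed list of client-side routes (assumption: mirrors the $routeProvider config).
const CLIENT_ROUTES = ['/', '/login', '/things/:id'];

// Turn a route pattern such as /things/:id into an anchored regular expression.
function compileRoute(pattern) {
  const body = pattern
    .split('/')
    .map((seg) =>
      seg.startsWith(':')
        ? '[^/]+' // a parameter matches exactly one path segment
        : seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') // literal segment, escaped
    )
    .join('/')
    .replace(/\/$/, '');
  return new RegExp('^' + body + '/?$');
}

const COMPILED_ROUTES = CLIENT_ROUTES.map(compileRoute);

function isClientRoute(path) {
  return COMPILED_ROUTES.some((re) => re.test(path));
}

// Express-compatible handler for the last route. The app shell is rendered
// either way, so the client router can show its own "not found" view, but the
// HTTP status and the access log now tell known and unknown paths apart.
function serveIndex(req, res) {
  res.status(isClientRoute(req.path) ? 200 : 404).render('index');
}

// In the server, replacing the original last route:
// app.get('*', serveIndex);
```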
I have spent many days on google with this now, my wordpress problem is this.
I would like to turn on https for a couple of pages on the site for a checkout page and a my-account page.
What i have done so far is tried with htaccess and also tried the wordpress https plugin.
Using wordpress 3.4
What happens is i get blocked content errors, as it is unable to load the css images etc in the template (headway) when in the https page. I can see on chrome inspect element it will show blocked contents error (the css files etc) as they are http not https links
I believe the WordPress Address (URL) should have https in it but not sure as when i do this, the homepage even on http wants to display a certificate.
This is a development domain so the certificate is not correct yet so just using a server wide cert.
Do i need extra rules in htaccess as i believe wordpress struggles with https from googling around and experiencing every error so far (redirect loop errors etc)
Firewall allows port 443 so not a firewall issue.
Hoping somebody has good knowledge on wordpress https ssl
I thought i would post my answer to my problems with wordpress https for those that maybe stuck like i was for days.
You must when using https on a wordpress have a valid ssl certificate we bought one from rapidssl for £16 per year.
Without the valid ssl certificate we were constantly getting 310 errors from browsers like google complaining about redirect loops. Once ssl was installed these went away.
The wordpress site url and wordpress home link did not have to be changed from http at all.
Using the wordpress https plugin for the secure pages that we needed, ticked the boxes in edit page to force ssl and with everything ticked in https settings except admin ssl login.
We then after installing the certificate got security warnings and errors about partially encrypted content which means in your secure page there are some http links that the browser does not like.
What we then did was using chrome inspect the element of the page and click on the console tab to find these http links. In our case there were 3 images which in the headway theme i had to insert as a https:// url (url of image) in the header or media boxes in the grid (for those of you using headway).
We also had a link from google web fonts that had to be made https in the secure pages
once that was secure our errors went away. Eg in firefox only the padlock displays.
If you then have a return url set in paypal which gives you a partially encrypted message like this - Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could be easily read by a third party - the page which you are returning to has to have a padlock in the https if not you will keep getting this error from firefox etc. So return page has to be no errors, best way is to have a thankyou page with no calls to images etc but the just the order details etc.
One thing that has been driving me nuts was that the call to google web fonts was being affected by headway cache so it was sticking to http sometimes in the https page causing an error, so disabled that now, just off to post a question about making a plugin to disable wordpress headway theme cache on ssl pages see if any can help me on that.
Good luck with your ssl pages folks its great fun!!!!!!!!
oh and here's the javascript i use for google fonts if anyone wants it for the header
<script type="text/javascript">
  WebFontConfig = {
    google: { families: [ 'Lato:300,400,700' ] }
  };
  (function() {
    var wf = document.createElement('script');
    wf.src = ('https:' == document.location.protocol ? 'https' : 'http') +
      '://ajax.googleapis.com/ajax/libs/webfont/1/webfont.js';
    wf.type = 'text/javascript';
    wf.async = 'true';
    var s = document.getElementsByTagName('script')[0];
    s.parentNode.insertBefore(wf, s);
  })();
</script>
but there are other ways of calling it in https using // instead of http:// google bla is another
I can see on chrome inspect element it will show blocked contents
error (the css files etc) as they are http not https links I believe
the WordPress Address (URL) should have https in it but not sure as
when i do this, the homepage even on http wants to display a
certificate.
That’s the answer. ssl protected webpages delivering content need to have 100% all of their content delivered via https. Maybe 10 years ago mixed https/http pages existed, but nowadays browsers are extra security aware. So you need to figure out how to make sure all content has URLs set with https. This site seems to have a decent set of answers.
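The answers above find the offending `http://` links by reading the browser console one page at a time. The same check can be run over a page's markup before it goes live; this is an added example, not from either answer, and the sample page and its URLs are constructed.

```javascript
// Constructed sample: markup of a page that will be served over https.
const SAMPLE_PAGE = `
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Lato">
<script src="https://ajax.googleapis.com/ajax/libs/webfont/1/webfont.js"></script>
<script src="//cdn.example/app.js"></script>
<img src="http://shop.example/wp-content/uploads/logo.png" alt="logo">
<a href="http://shop.example/about">About</a>
<div style="background: url('http://shop.example/wp-content/themes/bg.png')"></div>
`;

// Tags whose src/href is fetched as part of rendering the page.
// <a href> is navigation, not a subresource, so it is not mixed content.
const SUBRESOURCE_TAGS = /<(img|script|link|iframe|source|audio|video|embed)\b[^>]*>/gi;
const HTTP_ATTR = /\b(src|href)\s*=\s*["'](http:\/\/[^"']+)["']/i;
// url(http://...) inside style attributes and <style> blocks.
const CSS_HTTP_URL = /url\(\s*["']?(http:\/\/[^"')\s]+)/gi;

// Return every subresource reference that would load over plain http.
// Protocol-relative (//host/...) and https:// references are left alone.
function findMixedContent(html) {
  const findings = [];
  for (const tag of html.matchAll(SUBRESOURCE_TAGS)) {
    const attr = HTTP_ATTR.exec(tag[0]);
    if (attr) findings.push({ via: tag[1].toLowerCase(), url: attr[2] });
  }
  for (const css of html.matchAll(CSS_HTTP_URL)) {
    findings.push({ via: 'css', url: css[1] });
  }
  return findings;
}
```

It is a regex pass over static markup, so references injected by scripts at runtime (such as the cached font loader mentioned above) still need the console check.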