I'll be using Swift like S3, where it will host a number of files for my site.
I've set my container as public, and so here is the URL for a file.
https://provider/v1/auth_1293kdfj/folder/file.mp4
There are two problems:
Is it correct to use the above format of URI in a public setting? It feels kinda dangerous because it has the auth_ bit.
If I visit https://provider/v1/auth_1293kdfj/folder/ it lists all files/objects in the container folder. I wish to turn this off; how would I do so? Should I make my container private and assign a temp URL to ALL objects?
Thanks for your help!
1 - Yes. It's correct. Probably your authentication server is protected behind a firewall. This is just the project ID. However, if you are really worried about security, you can configure your web server to hide this info.
2 - Probably your container has the following ACL:
.r:*,.rlistings
If you set it by yourself (which I believe is the most common case) you should change it to just:
.r:*
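An added example (not from the original question or answer) that parses a Swift container read ACL, reports whether anonymous listing is enabled, and produces the hardened ACL the answer recommends; the container name and the swift CLI invocation in the comment are assumptions.

```python
"""Parse an OpenStack Swift container read ACL (X-Container-Read) and
check for anonymous listing.  Comma-separated elements:
  .r:<host>   anonymous reads allowed from referrer <host> ('*' = any)
  .r:-<host>  referrer <host> denied
  .rlistings  anonymous GET on the container returns the object list
  acct:user   a specific account/user is granted read access
"""
from typing import Dict, List


def parse_read_acl(acl: str) -> Dict[str, object]:
    parsed = {"allow": [], "deny": [], "grantees": [], "listings": False}
    for elem in (e.strip() for e in acl.split(",")):
        if not elem:
            continue
        if elem == ".rlistings":
            parsed["listings"] = True
        elif elem.startswith(".r:-"):
            parsed["deny"].append(elem[len(".r:-"):])
        elif elem.startswith(".r:"):
            parsed["allow"].append(elem[len(".r:"):])
        else:
            parsed["grantees"].append(elem)
    return parsed


def audit_read_acl(acl: str) -> List[str]:
    """Findings a reviewer would flag on a public container's read ACL."""
    parsed = parse_read_acl(acl)
    findings = []
    if "*" in parsed["allow"]:
        findings.append("objects readable by anyone (.r:*)")
    if parsed["listings"]:
        findings.append("container GET enumerates every object (.rlistings)")
    return findings


def harden_read_acl(acl: str) -> str:
    """Keep public object reads but drop .rlistings: direct object URLs
    still work, a GET on the folder no longer lists its contents."""
    kept = [e.strip() for e in acl.split(",") if e.strip() and e.strip() != ".rlistings"]
    return ",".join(kept)


if __name__ == "__main__":
    current = ".r:*,.rlistings"          # the ACL the answer describes
    print(audit_read_acl(current))       # two findings
    print(harden_read_acl(current))      # .r:*
    # Apply with the swift CLI (container name 'folder' is assumed):
    #   swift post -r '.r:*' folder
```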
So first of all, I'm very new to NGINX, Docker, etc.
But here is my scenario:
I've created 2 Docker images which display a simple website, website1 and website2.
Both of them are created in a Dockerfile, using the nginx image.
I put them in 2 separate containers.
By visiting localhost:8080 I got website1.
By visiting localhost:8081 I got website2.
Then I wanted just 1 entry point (localhost) and, by using a /, to go to my websites.
So I created a new container, called reverseproxy.
I used default.conf of NGINX to proxy pass to my containers.
I did the following:
In default.conf, I have 3 locations:
localhost (which shows the default NGINX page)
localhost/website1, which proxy passes to my website1
localhost/website2, which proxy passes to my website2
I put all of this in a docker-compose.yaml file and it runs just fine.
Then for website1, I wanted basic authentication. By using apache-utils and adding basic authentication to my /website1 and /website2 endpoints, it works great.
But now I want to restrict access to my endpoints (website 1 and website 2) based on specific roles.
So when I visit website1 and enter credentials using basic_auth, I want to be able to check whether this user has the role of user, for example.
And when visiting /website2, I want to be able to log in, but then restrict access because this user may not access this website, only those with the "admin" role, for example.
I've been stuck on this for a few days now...
Anyone have any idea?
Just some extra information: I don't want to use Kubernetes. I know this has RBAC (Role-Based Access Control), but I'd like to keep it simpler.
Thanks for your input in advance :)
Completely stuck...
You can use and leverage the OAuth proxy: https://github.com/oauth2-proxy/oauth2-proxy
Here is a demo on GitHub if you are looking for the same: https://github.com/deskoh/nginx-oauth2-proxy-demo
You can also use ngx_openresty.
I'm running two Play 2.3.x applications behind nginx. In nginx, application A is configured to be accessed at "/". Application B is configured to be accessed at "/appB/".
I'm having some problems resolving assets for application B when using the built-in routes/assets functionality (<script src="@routes.Assets.at("someScriptfile.js")" type="text/javascript"></script>). The problem here is that the URL will be absolute, for example /assets/file.png. This results in the proxy forwarding the request to application A.
I want to use relative paths instead. That would allow me to run application B both with and without the proxy. I want the asset URL to be assets/file.png.
What are my options? I know I can solve it by using content rewrite in the proxy, but we would
Assets.at returns a Call, which is converted to a String implicitly in Scala. The String it produces is just the URL the reverse router resolves to. If all you want to do is remove the leading slash, you can drop the first character.
@routes.Assets.at("someScriptfile.js").drop(1)
Or to be super sure that what's removed is only a leading slash, you could use stripPrefix.
@routes.Assets.at("someScriptfile.js").stripPrefix("/")
Try something like this:
For your application B, use absolute URLs but prepend them with the "/appB/":
package misc;

import controllers.routes;

public class BAssets {
    // Prefix the reverse-routed asset URL (e.g. /assets/x.js) with the proxy path
    public static String at(String path) {
        return "/appB" + routes.Assets.at(path).toString();
    }
}
Then every time you want to serve some asset for application B, you will write it like this:
<script src="@misc.BAssets.at("javascripts/hello.js")"></script>
If you want, you can even include more logic in the method which calculates the path to the asset - for example based on whether your application is in dev mode or in prod. Or even based on the proxy configuration (you can decide to change the path to appC tomorrow).
I just found a solution that works.
Edit application.conf and add the following: application.context="/appB/".
This will translate <script src="@routes.Assets.at("someScriptfile.js")" type="text/javascript"></script> to the URL /appB/assets/someScriptfile.js.
I just created a PR to have relative paths added to Play. Looks like it will be released with 2.6.7
https://github.com/playframework/playframework/pull/7839
I am trying to send an activation mail to the currently registered user. In the mail body, I need to send a link like http://example.com/account/activation?username=d&email=g. Now, for debugging on my local machine, I manually write it as localhost:30995/account/activation?username=d&email=g. But when my port number changes, I need to rewrite it.
I tried another question on this website, but the compiler gives an error like url.action does not exist.
Please give me a fresh solution as I am confused by that solution.
Use a Url.Action overload that takes a protocol parameter to generate your URLs:
Url.Action("Activation", "Account", new { username = "d", email = "g" }, "http")
This generates an absolute URL rather than a relative one. The protocol can be either "http" or "https". So this will return http://localhost:XXXXX/account/activation?username=d&email=g on your local machine, and http://example.com/account/activation?username=d&email=g on production.
In short, this will stick whatever domain you're hosting your app on in front of your URL; you can then change your hostname/port number/domain name as many times as you want. Your links will always point to the host they originated from. That should solve the problem you're facing.
Try using IIS / IIS Express instead of the Cassini web server that comes with Visual Studio.
You could add bindings to have the right URL (with hosts entries, of course).
This will avoid the port numbers in your links.
I'm running a Symfony2 web application on AWS, and am using an Elastic Load Balancer.
In a controller method, I need to do the following to get the IP of a user requesting a web page:
$request->trustProxyData();
$clientIp = $request->getClientIp(true);
Does this present any security risks? I'm not using the client IP for privilege escalation, I'm just logging it.
Is there some way to force trustProxyData() always, or otherwise reconfigure $request->getClientIp() to DWIM? My app will always be behind a load balancer (except while I do development on my desktop).
Related: http://fabien.potencier.org/article/51/create-your-own-framework-on-top-of-the-symfony2-components-part-2 (but it doesn't say if there's some global config so I don't have to call trustProxyData() everywhere).
You can configure the framework bundle to do this: http://symfony.com/doc/2.0/reference/configuration/framework.html#trust-proxy-headers
framework:
    trust_proxy_headers: true
I am not sure about any general security risks, but I can give you a tip on how to avoid calling this method in each controller action.
In your app.php, just before $kernel->handle(...); you should set:
Request::trustProxyData();
Cheers ;)
Note:
The trust_proxy_headers option is deprecated and will be removed in Symfony 2.3.
See trusted_proxies and Trusting Proxies for details on how to properly trust proxy data.
I used
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));
in web/app.php to solve the problem.
See my answer here: https://stackoverflow.com/a/28793609/2030937
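An added example, not Symfony's own Request code, modelling how a getClientIp-style lookup behaves once only real proxies are trusted (the trusted_proxies / setTrustedProxies approach) versus trusting whatever peer connected; the ELB subnet and addresses are constructed sample values. It also shows the caveat with the REMOTE_ADDR trick above: it is only safe when nothing except the load balancer can reach the application.

```python
"""Client-IP resolution with and without a trusted-proxy list (added
illustration, not Symfony's Request class).  The walk-from-the-right
rule is the usual X-Forwarded-For handling: the TCP peer is trusted only
if it is on the list, and then the rightmost address in the header that
is not one of our own proxies is taken as the client."""
from ipaddress import ip_address, ip_network
from typing import List, Optional


def is_trusted(addr: str, trusted: List[str]) -> bool:
    """True if addr falls inside any trusted IP or CIDR range."""
    ip = ip_address(addr)
    return any(ip in ip_network(t, strict=False) for t in trusted)


def client_ip(remote_addr: str, xff: Optional[str], trusted: List[str]) -> str:
    """remote_addr: REMOTE_ADDR (the peer the app server actually saw);
    xff: X-Forwarded-For value or None; trusted: IPs/CIDRs we believe."""
    # A header sent by an untrusted peer is ignored: the peer is the client.
    if not xff or not is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return hop
    return hops[0]  # every hop is ours; nothing better than the leftmost


# Constructed sample values: ELB subnet 10.0.1.0/24, real client 203.0.113.7
ELB, CLIENT, FORGED = "10.0.1.20", "203.0.113.7", "198.51.100.9"


def via_elb() -> str:
    """Normal path: the ELB appends the client's address to X-Forwarded-For,
    so an earlier forged value in the header is never the rightmost hop."""
    return client_ip(ELB, f"{FORGED}, {CLIENT}", ["10.0.1.0/24"])


def direct_with_fixed_list() -> str:
    """App reached directly with a forged header: the peer is not on the
    list, so the header is ignored and the real peer is logged."""
    return client_ip(CLIENT, FORGED, ["10.0.1.0/24"])


def direct_trusting_remote_addr() -> str:
    """setTrustedProxies(array(REMOTE_ADDR)) trusts whoever connected; if
    anything but the ELB can reach the app, the forged value is logged."""
    return client_ip(CLIENT, FORGED, [CLIENT])


if __name__ == "__main__":
    print(via_elb(), direct_with_fixed_list(), direct_trusting_remote_addr())
```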
In modern symfony versions: https://symfony.com/doc/current/deployment/proxies.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly
If your ELB is behind a CloudFront proxy you should take a look at this package too:
https://packagist.org/packages/fmaj/cloudfront-trusted-proxies
I have an error...
The container specified in the connection string does not exist
Basically, I am using Active Directory authentication in ASP.NET.
I have set up my connection string.
I am still very new to AD.
I appreciate any help, thanks.
You'll probably be better off specifying the root NC name in your connection.
LDAP://YourADServer/DC=cene,DC=edc,DC=CompName,DC=com
Unless there is a good reason why you don't want searches to be done domain-wide, I'd set it up like that.
You can try ldp.exe to connect to the AD server you have specified in the path and see if that works.
One thing you might want to be aware of is that Active Directory and Forms Authentication are not the same thing. You will use one or the other to Authenticate and Authorize.
I think your LDAP string should be formatted thus:
"LDAP://DCServer.BUSINESSPLUSPLUS.com/CN=Users,DC=BUSINESSPLUSPLUS,DC=com"