Am trying to use asterisk by posting via http to get the peers, and i keep getting permission denied and then the remote server is not accessible or disconnected, though the login action is working fine and the manager.conf persimission is set correct to allow read and write.
Here is the request:
http://[ServerName]:8088/asterisk/mxml?action=Sippeers&actionid=SipPeersAction&SuppressEvents=True
I found the problem. It turns out that one of the extensions/trunks set inside the SIP file is causing reading the peers to crash, so the users is disconnected, and that's why you get permission denied afterward. So first comment all the extensions inside the sip file then try to run the sippeers actions, make sure it works, then start enabling extension gradually until you identify the extension that is causing the problem.
May be you are using a custom code (http client) instead of browser and your client is not handling cookies properly! after the login request you must get cookie from asterisk response and save it for further use.
read more about ajam here
http://www.voip-info.org/wiki/index.php?page_id=3578
and here is php based example that how to use cookies in custom request (http client)
http://coderscult.com/php/php-curl/2008/05/20/php-curl-cookies-example/
Related
It might be a dummy question on security.
I'm working on a file access service, trying to do authentication for it.
For example, I should be able to know who's the request issuer, and whether he/she has the permission to access the file he/she requests.
I'm using grpc to do communication, and grpc seems to natively support a bunch of authentication methods. I tried one of them (https://grpc.io/docs/guides/auth/#using-google-token-based-authentication). The client side code is exactly the same as in the doc. I'm using C++.
But I get the error
E0812 19:03:32.173663955 3576491 ssl_transport_security.cc:1509] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
I'm wondering what else should I do?
I use nginx as my reverse proxy server to fetch image from the file server, which is also a web server.
It works well. but I want add permission check based on the url before send request to my file server. If has permission, just forwarding to my file server, or else just return 404.
BTW, I can't add the check in my file server for some reason.
I think I got the answer.
The module "http_auth_request_module" is what I want. https://www.nginx.com/resources/admin-guide/restricting-access-auth-request/
I may be barking up completely the wrong tree here but what I would like to do is protect my .js pages by having them return a 403 Forbidden http error status page if someone tries to access them directly via http. I use them to support my index.html page but would like for them to remain hidden.
The helpdesk guys at my ISP basically say they don't know if it's possible but it may be something you could do with a web.config file (which is not something I have used before).
Any help at all would be gratefully received - I am a bit out of my comfort zone with this one
I would like to […] protect my .js pages by having them return a 403 Forbidden http error status page if someone tries to access them directly via http.
Please note that if you include some resource, for example a script via the <script>-tag in HTML or an image via the <img>-tag, the browser does nothing else than simply run another HTTP request to get that resource. The whole communication already happens over HTTP.
While a browser may include additional details in its HTTP request when requesting additional resources, like the Referer-header, it definitely is not required to do so. So if you look out for the Referer-header, be advised that you may lock out other valid clients which do not send the Referer-header in their requests.
Also note that this will not give you any protection whatsoever. One can simply construct HTTP headers when requesting things, so “faking” requests your server would allow (because it thinks they are correct) is not a problem at all. And even without that; every resource you tell the client to use to make your website work will be downloaded by the client. And after that, the client can do whatever he wants with it. It can cache them on the hard disk, or allow the user to quickly look at it without having to run another request.
So if you want to do this for protecting your code, then just forget about it, and make it easier for everyone by just not adding a non-optimal protection. Code you put on the web can be made difficult to read, but if you want the user to see the end result, then you also give out your code in the same step.
In php you can do this with:
header("HTTP/1.0 403 Forbidden");
I have a asp.net website which is supposed to upload files to a handler from a different application / domain. I'm using jQuery Form plugin. When trying to make an example on the same domain (uploading to the same domain) this setup works with success. When trying to upload file with from siteA to siteB I see in firebug that response from handler has been returned (in the Network tab) and is valid, however, the code never enters the 'success' handler, instead giving me such errors in the firebug console:
[jquery.form] Server abort: Error: Permission denied to access property 'document' (Error) log:
[jquery.form] cannot access response document: Error: Permission denied to access property 'document'
[jquery.form] aborting upload... aborted
In chrome it is:
Unsafe JavaScript attempt to access frame with URL http://domainB/handler.ashx from frame with URL domainA. Domains, protocols and ports must match.
Now, I am aware of the fact that there are some policies about ajax calls between domains, but it seems that jquery form plugin simply tries to access some url that is forbidden.
Does anyone have a workaround for it? Any solution please!:)
UPDATE:
I ended up hacking jquery.form so it doesn't throw cross-site exception and since I don't need actual result of upload - it works for me!
Check this and yes, this is a same-origin policy. There are ways to work this around using flash, iframes, jsonp etc but this will require editing a plugin.
I'm playing with HTTP Basic Authorization. As we all know, when a client gets a 401 error on requesting a page, the client must collect authorization credentials from the users (typically in the form of a pop-up window).
Subsequent requests for resources under that part of the URL will be accompanied by "Authorization: Basic [hash]" where [hash] is the username/password mashed together and hashed.
What I'm interesting in is getting the client to not send the Authorization header even when requesting a resource that previously asked for it.
Three important questions:
Is this possible?
If possible, does this violate the HTTP/1.1 standard (I'm unclear that this case is covered by the spec)?
What browser support this?
Thanks for your time, Internet.
UPDATE: Apparently, this is an apache FAQ and I am SOL. Still, if you've got thoughts on this question, I'd love to hear about it. Thanks.
I don't think this is possible. The authenticated session lasts until the user shuts the browser window, and the browser will keep on blindly passing the credentials with each request under the same path.
Is there any specific reason why you want this functionality?
You can set the user and password in the URL:
http://user:password#example.com
If you use this syntax, the browser will generate the header for you.