Session hijacking and IP monitor - session

I'm experimenting by copying and pasting cookies from one browser to the other. I came to the conclusion that it's very easy for an attacker to log in to your account when he has your cookies.
This is a part of a highly secured website:
If a withdrawal is requested from a new IP address you will receive an
email asking you to check and verify the withdrawal. The 'untrusting'
period for IP changes is 24 hours. If the withdrawal is made more than
24 hours after the IP address change, this extra email check is not
triggered.
Question: If an attacker hijacks my session, can the website see that there are 2 sessions active with 2 different IP addresses? Or do they just see the new IP address when you manually log in using your credentials?

It's sure that the website can see the sessions active with different IP. If trying to bind IP with cookies because of security, it's not a wise choice. This question shows why. Hope it can help you.
Great day.
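What a server can observe for a single session cookie, as an added example (not code from the site quoted in the question or from the original posts). It records the source address of every request carrying the cookie and applies the quoted 24-hour rule. The per-session bookkeeping, the class and function names and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field

UNTRUST_SECONDS = 24 * 3600  # the 24-hour "untrusting" period quoted above


@dataclass
class SessionRecord:
    first_seen: dict = field(default_factory=dict)  # ip -> first request time
    last_ip: str = ""
    ip_switches: int = 0  # how often consecutive requests changed address


class SessionMonitor:
    """Hypothetical server-side view, keyed by the session cookie value."""

    def __init__(self):
        self.sessions = {}

    def observe(self, session_id, ip, now):
        """Record one request; return True if the address differs from the last."""
        rec = self.sessions.setdefault(session_id, SessionRecord())
        rec.first_seen.setdefault(ip, now)
        changed = bool(rec.last_ip) and rec.last_ip != ip
        rec.ip_switches += int(changed)
        rec.last_ip = ip
        return changed

    def looks_shared(self, session_id):
        """Heuristic: addresses alternating on one cookie (A, B, A)."""
        rec = self.sessions[session_id]
        return len(rec.first_seen) >= 2 and rec.ip_switches >= 2

    def withdrawal_needs_email_check(self, session_id, ip, now):
        """Quoted rule: an address first seen less than 24 h ago is untrusted."""
        rec = self.sessions.get(session_id)
        if rec is None or ip not in rec.first_seen:
            return True
        login_time = min(rec.first_seen.values())
        is_later_address = rec.first_seen[ip] > login_time
        return is_later_address and now - rec.first_seen[ip] < UNTRUST_SECONDS


# Constructed sample: (seconds since login, source IP) for one session cookie.
SAMPLE_REQUESTS = [(0, "198.51.100.7"), (600, "203.0.113.50"), (660, "198.51.100.7")]


def replay(requests, session_id="constructed-session-id"):
    monitor = SessionMonitor()
    changes = [monitor.observe(session_id, ip, t) for t, ip in requests]
    return monitor, changes
```

A user moving between Wi-Fi and mobile data produces the same alternating pattern, so `looks_shared` is a signal for step-up verification rather than proof of hijacking.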

Related

Restrict public web application access to specific dynamic source IP addresses

I'm developing a web application using Laravel hosting on a public cloud. Now, the application can be accessed publicly on the internet via domain address. However, I want to restrict to only users who are connecting to the organization networks to be able to use the application since we do not want the application to be used at home or elsewhere.
At the moment, the organization has 2 places (2 public internet networks) where they must be able to access the application. Both of them are using home-standard internet where the IP address changes every time the internet reconnects. As we do not have static IP addresses, I cannot filter users by using an IP address filter. The IP filter rule would have to be changed every time the organization network reconnects.
My application already has a solid authentication and authorization mechanism and, of course, the users must know this information since they must access the app for work. However, this doesn't meet the requirement.
I have thought about a VPN but it (probably) doesn't work because if we allow users access to the VPN, they will still be able to access the VPN anywhere and use the application outside the work places. If we restrict the VPN client to access from a specific IP address, then when the IP changes, the same problem occurs.
To sum up, I would like to ask for advice on how to restrict access to a web application, hosted on the public internet, to users that are connecting from a public IP address that can change every time the internet reconnects. The requirement may sound strange but it is as it is. Please feel free to ask for more details if you want to and have a discussion on the suggestions.
Thank you in advance.
You could set up a client for a dynamic dns service (e.g. dyndns) on the client-side.
Then you could use that on the server-side to always check against current IP using that dns.
As an alternative you could bind the website to localhost only and only let it be accessed via a pubkey-enforced SSH tunnel (and make that get auto-established by a script/scheduler on the client side, on a permission level outside of the users' reach, so that they can't take the private key needed for the connection anywhere).
You can use different PHP methods and variables to detect from where the request has been originated. Just whitelist your domains and organizations, and allow only them by adding a middleware.
Additionally, you can generate a token using Laravel Passport or you can create your own mechanism, and then use that token to authenticate if the request is valid or not.
Since the IP changes, you can set up a dynamic dns as suggested in the comment above.
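The server-side half of the dynamic DNS suggestion above, as an added example (not code from the original posts): the request's source address is compared with what the offices' dynamic DNS names currently resolve to, with a short cache and a fail-closed default. The class name, the injectable resolver and clock, and the 60-second cache age are assumptions.

```python
import ipaddress
import socket
import time


def system_resolver(hostname):
    """Return the set of addresses the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


class DynDnsAllowlist:
    """Allow a request only if its source IP matches an office's dynamic DNS name."""

    def __init__(self, hostnames, resolver=system_resolver, max_age=60,
                 clock=time.monotonic):
        self.hostnames = list(hostnames)
        self.resolver = resolver
        self.max_age = max_age  # seconds; short, because the old IP gets reassigned
        self.clock = clock
        self._cache = {}  # hostname -> (expires_at, set of ip_address objects)

    def _addresses(self, hostname):
        now = self.clock()
        cached = self._cache.get(hostname)
        if cached and cached[0] > now:
            return cached[1]
        try:
            addrs = {ipaddress.ip_address(a) for a in self.resolver(hostname)}
        except (OSError, ValueError):
            addrs = set()  # fail closed: an unresolvable name allows nobody
        self._cache[hostname] = (now + self.max_age, addrs)
        return addrs

    def is_allowed(self, remote_addr):
        """remote_addr is the TCP peer address, not a client-supplied header."""
        try:
            client = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False
        return any(client in self._addresses(h) for h in self.hostnames)
```

Between a reconnect and the dynamic DNS update, the office's previous address may already belong to another subscriber, so this check belongs in front of the existing authentication, not in place of it.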

Crazydomain setting for parseapp.com

I am desperately trying to connect my domain to something.parseapp.com. I have tried a few settings but none of them works. My settings are in the following picture.
I searched around and found a solution for you here: http://blog.kchandrahasa.com/blog/2013/07/09/crazydomains-crazy-issues/
Below is a summary with my own experience, just in case the link is dead in future.
In order to change CNAME records in Crazy Domains, you have to pay for it. For a cheaper solution, you can change the nameservers of your domain to other free DNS management services like:
cloudns.net
freedns.afraid.org
CloudFlare
I suggest you use CloudFlare since it's more powerful and supports many features. Proceed as below:
Create an account in Cloudflare
Once you login, you will have to add your domain name.
It will scan your DNS settings.
After it finishes scanning, proceed with "I'm done entering my DNS records".
Take note of the 2 nameservers Cloudflare provides you at this step.
Now come back to Crazy Domains, login to your account.
Click on Domains and click Update Name Servers under DNS settings.
Delete the existing crazy domains name servers and enter the two nameservers given by Cloudflare. It will take up to 24 hours, but in my experience it will be just some hours.
Now come back at CloudFlare and enter your CNAME as instructed by Parse.

Custom domains for Multi-tenant web app

I am developing an app (RoR + Heroku) which allows users create their own websites either using my subdomain (pagename.myapp.com) or using their own domain (pagename.com).
An important point of this is that this option is the key of my business: subdomains are the free plans and custom domains are the paid ones. So I have a table where I store the custom domains of each user and check if this page is active (exists and has paid the quota).
For that I need to give users the capability to point their domain to my servers. We all know that Heroku doesn't recommend the use of DNS A-Records.
Also I would like to abstract as much as possible this feature to being able to switch my infrastructure (Heroku to AWS) in the future without having to ask all my users to change their DNS Zone. Taking this into account, I think that the best option would be run something like an EC2 proxy (using AWS Elastic IP) which give me the ownership of this IP. This proxy I think that should redirect to proxy.myapp.com, and I would resolve the request in the app level.
Since I didn't find clear information about that, I am not sure if this hypothesis is the best solution and how to set up the proxy (which type of proxy to use? Nginx maybe?).
That said, I would like to ask for recommendations/best practices to solve this "common" feature.
Thanks
What you are wanting to do is fairly straight forward to implement. Your assumptions are correct about setting up the proxy. Nginx or haproxy will both work great for this (I personally would use haproxy). Here are some of the gotchas that you will run into though:
Changing the host header at a proxy server can cause the end web application to generate incorrect links. You can use relative paths to fix this, but it requires the web application developer to be aware of the environment that they are running in.
user connects to www.example.com (proxy server)
proxy server connects to www.realdomain.com (web app)
the web app has a link for a shopping cart. www.realdomain.com/shoppingcart
the end user clicks on the link but the link is www.realdomain.com/shoppingcart instead of www.example.com/shoppingcart
The cost of the host acting as the proxy server. This can spiral out of control really quickly. For example, do you want redundancy, if so how are you planning on implementing that? Do you plan on having ssl termination? If so you will have to increase the CPU count to accommodate the additional load. Do you want to have a secure connection to heroku from your proxy? If you do then you will need to increase the CPU count for that as well. You may have to add additional ram as well depending on the number of concurrent connections.
Heroku also changes their load balancers regularly. This is important because your proxy service will need to reload the config / update the ip addresses of the heroku instances every 60 seconds. In my experience they may change once or twice a day, but the DNS entry that they use has a 60 second TTL. That means that you should make sure that you are capable of updating your config up to every 60 seconds.
My company has been doing something very similar to this for almost a year now. We use haproxy and simply have it reload the config regularly. We have never had an outage or an interruption to our end users. Nginx is also a very good product. It has built in DNS caching so if you go that route you will need to make sure that you configure it correctly so that the DNS cache TTL is 60 seconds.
Will many of your clients want to use your app on their domain apex? E.g. example.com rather than theapp.example.com? If not, I would recommend having them CNAME to proxy.myapp.com which CNAMEs to myapp.herokuapp.com. Then, you can update proxy.myapp.com without customer interruption.
If you do need apex or A record support, you would want to set up Nginx as a reverse proxy for your Heroku app. Keep in mind that if you need HTTPS support for client domains, you will need to do some sort of certificate management on your proxy.
I like the answer dtorgo gave and that he mentioned the TLS termination, which many online tutorials on custom domains don't touch at all.
I'll go into more detail on how to implement the custom domains feature for your SaaS while also handling the TLS/HTTPS.
If your customers just CNAME to your domain or create the A record to your IP and you don't handle TLS termination for these custom domains, your app will not support HTTPS, and without it, your app won't work in modern browsers on these custom domains.
You need to set up a TLS termination reverse proxy in front of your webserver. This proxy can be run on a separate machine but you can run it on the same machine as the webserver.
CNAME vs A record
If your customers want to have your app on their subdomain, e.g. app.customer.com they can create a CNAME app.customer.com pointing to your proxy.
If they want to have your app on their root domain, e.g. customer.com then they'll have to create an A record on customer.com pointing to your proxy's IP. Make sure this IP doesn't change, ever!
How to handle TLS termination?
To make TLS termination work, you'll have to issue TLS certificates for these custom domains. You can use Let's Encrypt for that. Your proxy will see the Host header of the incoming request, e.g. app.customer1.com or customer2.com etc., and then it will decide which TLS certificate to use by checking the SNI.
The proxy can be set up to automatically issue and renew certificates for these custom domains. On the first request from a new custom domain, the proxy will see it doesn't have the appropriate certificate. It will ask Let's Encrypt for a new certificate. Let's Encrypt will first issue a challenge to see if you manage the domain, and since the customer already created a CNAME or A record pointing to your proxy, that tells Let's Encrypt you indeed manage the domain, and it will let you issue a certificate for it.
To issue and renew certificates automatically, I'd recommend using Caddyserver, greenlock.js, OpenResty (Nginx).
tl;dr on what happens here;
Caddyserver listens on 443 and 80, it receives requests, issues, and renews certificates automatically, proxies traffic to your backend.
How to handle it on my backend
Your proxy is terminating TLS and proxying requests to your backend. However, your backend doesn't know who is the original customer behind the request. This is why you need to tell your proxy to include additional headers in proxied requests to identify the customer. Just add X-Serve-For: app.customer.com or X-Serve-For: customer2.com or whatever the Host header is of the original request.
Now when you receive the proxied request on the backend, you can read this custom header and you know who is the customer behind the request. You can implement your logic based on that, show data belonging to this customer, etc.
More
Put a load balancer in front of your fleet of proxies for higher availability. You'll also have to use distributed storage for certificates and Let's Encrypt challenges. Use AWS ECS or EBS for automated recovery if something fails, otherwise, you may be waking up in the middle of the night restarting machines, or your proxy manually.
If you need more detail you can DM me on Twitter #dragocrnjac
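The backend side of the setup described in the answer above, as an added example (not code from the original posts or from any of the proxies named there): one lookup against the custom-domain table decides both whether the proxy may request a certificate for a hostname and which tenant a proxied request belongs to, and `X-Serve-For` is honoured only when the connection comes from the proxy. The table contents, the proxy subnet and all function names are assumptions.

```python
import ipaddress
import re

# Constructed stand-in for the question's table of custom domains.
CUSTOM_DOMAINS = {
    "app.customer.com": {"tenant": "customer1", "active": True},
    "customer2.com": {"tenant": "customer2", "active": False},  # plan not paid
}
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/28")]  # assumed proxy subnet

_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalize_host(value):
    """Lower-case, drop port and trailing dot; None if not a valid hostname."""
    host = value.strip().lower().partition(":")[0].rstrip(".")
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2:
        return None
    return host if all(_LABEL.fullmatch(label) for label in labels) else None


def active_tenant(domain, table=CUSTOM_DOMAINS):
    """Tenant owning `domain`, only if the domain is registered and active."""
    host = normalize_host(domain)
    row = table.get(host) if host else None
    return row["tenant"] if row and row["active"] else None


def may_issue_certificate(domain, table=CUSTOM_DOMAINS):
    """Answer for the proxy before it requests a certificate for `domain`."""
    return active_tenant(domain, table) is not None


def tenant_for_request(peer_ip, headers, table=CUSTOM_DOMAINS):
    """Map a proxied request to a tenant, or None to reject it.

    `headers` is assumed to be a dict keyed by the canonical header name.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None  # not from the proxy: the header could be set by anyone
    return active_tenant(headers.get("X-Serve-For", ""), table)
```

Gating issuance on the table keeps hostnames that merely point at the proxy, without belonging to a paying customer, from consuming certificate requests.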

Map my domain name with my own server

Hi, I have my own domain mydomain.ac.in and I have my own server (Windows 2008) and a public static IP.
Now I want to host my site on my own server.
Please give me the step by step information to get it done.
Thanks.
You need to register your domain with some DNS hosting service (DNS provider), there is such an astronomic number of these on the web that I do not want to spam the site. Google.
Also, the colocation center where you keep this server (and from where you have probably obtained that public IP) may also provide DNS services.
On the other hand, any computer can be configured as the name server but this will probably not work Internet wide and can be used inside the local network only (combined with DHCP service). If there is an easy way to make this Internet wide, I would also be very interested, but I doubt it.
Your operating system is not much relevant to this question.
I registered my domain already in ERNET by the Indian Government and I got my public static IP from BSNL India. I hosted my site already and I am able to access my site already using the IP. Now I want to map my domain to the server that I have so that I can access my site using a domain name.
I tried the steps in http://www.hosting.com/support/dedicated/dns/setdns#additional. But when I add the name server information it says cannot resolve hostname. That's why I want to know where I am making a mistake.
I once again tried the steps at http://www.hosting.com/support/dedicated/dns/setdns and got it right. Now I have updated the name server info at my domain registrar ERNET and am waiting for it to be updated. Thanks to the people who helped me.

Moved hosts, how do I view the site?

I recently moved hosts with my blog and I have waited 72 hours for it to propagate properly. I just checked the site there and it's showing it on the old host. When I use a proxy, I can see the site perfectly on the new host. The problem seems to be coming from my PC.
EDIT: Tried to flush the dns and it's the same story, it's quite weird.
Any idea?
Your old DNS records will live in various DNS caches until their TTL (time-to-live) timers expire.
Best practice is to revise your DNS records well before the move, and pull the TTL (time-to-live) timeout values low, leaving enough time for the old records to timeout and get refreshed with the short-TTL records. Then after the move you put the TTL values up on the new records (for efficiency).
Now that you're in this situation, you'll have to put up with the inconsistency until all the cached records expire. If you have a way to put an HTTP redirect on the old web server, pointing to an IP URL, that could tide you over in the short run.
Your ISP is the one caching the record. Use a hosts file http://en.wikipedia.org/wiki/Hosts_file to temporarily force your computer to use the new IP address.
Sounds like you have the DNS cached on your box. This could be cached on your PC or at your DNS server. Short-term options: you can try to flush your DNS cache, or you can edit your hosts file to temporarily point at the right location.
Open a command prompt and type:
ipconfig /flushdns
then try your site again.
I see this:
www.keithdonegan.com [81.17.254.87]
My DNS changes always propagate in minutes, a couple of hours at the most.
