Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 4 years ago.
Improve this question
i was thinking of having 2 websites, and i'd write all my stuff (not using wordpress hosts for example). As far as i understood i can "link" several urls with a single web-hosting server. (Let's suppose i'd use a windows host, just because i'm more comfortable with windows than Linux).
But how do i make that actual server work? Before spending money i'd like to know what i'm getting into.
All i can think of is i'd run the server program (like "node server.js"), but how does the url connect someone to that program instead of another "server.exe" in the same host? How does it all work? Everytime i look for tutorials or examples i get stuff that aims to non-programmers to "make your website easy using our templates". I dont want that.
As i said, this question has nothing to do with relative vs absolute urls. I've no idea where the one that flagged it has read something like that in my words.
Let's split it in parts, shall we?
As far as i understood i can "link" several urls with a single web-hosting server
If by that you mean that you can have more than 1 domain name for your web-server; yes you can.
A domain name is something like "www.google.com" for instance.
So I understand that you're asking if you can have two different domain names, like "www.myweb.com" and "some.other-domainname.org" to point to your machine that will be hosting your website.
Yes you can. You should take a look on what a Domain Name System is.
But basically, what a DNS does is translate these names into actual IP addresses. This is done by having something called a name table that could look like:
"www.google.com" -> XXX.XXX.XXX.XXX (for IPv4 as an example)
"www.youtube.com" -> AAA.AAA.AAA.AAA
Since this is done by some kind of mapping you will also need a static IP address.
Both, static IP adresses and domain names must be bought or rented.
The way the things are connected, they also have to do with the ports where they operate. For instance, http requests operate in port 80 and SSH typically in port 22 if I remember correctly.
So what your web-server would do something similar to this:
listen to port 80 -> read the requested file (specified within the URL request) -> send it through that port 80 along with the http headers and payload as a response.
After that the browser requesting the file would read that http response, parse it and show that info into the actual window of the browser.
And you can also rent a webhosting service.
A webhosting service is basically somebody that already dealt with all of this gibberish and has machines that are ready to serve web content. You only have to upload your website into their webserver.
You can also buy a domain name and make it to point to that rented service
To host your own webserver you need to decide which webserver to use:
You basically have two options: Apache or nginx
As you are hosting on windows and are only using the server for developing I can recommend XAMPP, it contains Apache, MariaDB(SQL Database based on MySql),PHP and Perl. Installation is usage is straight forward but if you want here is a tutorial to use it.
As Tripp Kinetics pointed out, you should probably check out some HTML tutorials or buy a book.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
Improve this question
For years I’ve used /etc/hosts to adjust IP address. Sometimes it’s for prototyping, or adding an address for development purposes that isn’t ready to go into public DNS. And sometimes I block certain domains that I don’t want to visit by redirecting them to incorrect IP addresses. Some are invasive tracking websites, e.g., connect.facebook.net. Others I keep blocked as an anti-procrastination measures, for example news sites such as politico.com which I might otherwise spend all day reading when I meant to be working.
But now on macOS 11 Big Sur, I notice that some /etc/hosts entries are ignored by Safari. DNS lookups with gethostbyname() correctly show the block/override address, but Safari displays the public site anyway.
What on earth is going on? What’s changed with /etc/hosts and can I keep using it to override DNS entries when doing development work?
macOS 11 added support for what is officially called “Service binding and parameter specification via the DNS (DNS SVCB and HTTPSSV)”.
Now, when you visit a website, it’s not just the typical DNS A host-to-ip-address record that’s consulted, but a brand-new HTTPS DNS record is checked too. It’s not just a name entry; it’s a brand-new record type (#65), to go along with the more familiar A and CNAME and MX.
These new HTTPS DNS records can indicate that the site supports HTTPS, including protocol versions and IP addresses. That way, typing in a bare domain name gives the https:// version of the site right away, maybe even on HTTP/2 or HTTP/3, skipping the old-fashioned HTTP redirect. There’s even a draft option for domain operators to tell your computer to bypass any local DNS settings and use a specific server for all future DNS queries involving their domain.
There are many pro-performance intentions here, and some pro-privacy ones too.
But there is a fatal privacy and security flaw in both the specification and implementation: it removes the ability for users to override domain name lookups in /etc/hosts, even when faced with actively malicious domain name operators.
To see how this is working in action:
The version of dig that comes with macOS doesn’t directly support these new records, but you can see whether they exist with
$ dig -t type65 www.politico.com
…
;; QUESTION SECTION:
;www.politico.com. IN TYPE65
;; ANSWER SECTION:
www.politico.com. 53806 IN CNAME www.politico.com.cdn.cloudflare.net.
www.politico.com.cdn.cloudflare.net. 300 IN TYPE65 \# 58 0001000001000302683200040008681210CA681211CA000600202606 47000000000000000000681210CA2606470000000000000000006812 11CA
…
I don’t know how to parse that, but wireshark does if I packet-capture it
Domain Name System (response)
Queries
www.politico.com.cdn.cloudflare.net: type HTTPS, class IN
Answers
www.politico.com.cdn.cloudflare.net: type HTTPS, class IN
Name: www.politico.com.cdn.cloudflare.net
Type: HTTPS (HTTPS Specific Service Endpoints) (65)
Class: IN (0x0001)
Time to live: 300 (5 minutes)
Data length: 58
SvcPriority: 1
TargetName: <Root>
SvcParams
SvcParam: ALPN
SvcParamKey: ALPN (1)
SvcParamValue length: 3
ALPN length: 2
ALPN: h2
SvcParam: IPv4 Hint
SvcParamKey: IPv4 Hint (4)
SvcParamValue length: 8
IP: 104.18.16.202
IP: 104.18.17.202
SvcParam: IPv6 Hint
SvcParamKey: IPv6 Hint (6)
SvcParamValue length: 32
IP: 2606:4700::6812:10ca
IP: 2606:4700::6812:11ca
So that’s what’s happening:
Safari on Big Sur can load some websites you’ve blocked in /etc/hosts, because it gets their IP addresses from these new HTTPS records
It can only do that for some sites, because most domain name operators haven’t set this up yet. It looks like Cloudflare has done this for everyone on their platform; fortunately most domain name operators, including the advertising/tracking/malware giants, haven’t caught on to this yet.
For now, you can keep using /etc/hosts for domain names that you fully control.
In the meantime, for other domains, you have some options:
you could run a local DNS server or firewall on your home network that blocks these requests
you could configure a local DNS resolver daemon on your mac, and use it to
block these requests
you could switch to a Linux distribution where a configurable local resolver daemon is the default
you could stop using Safari, although other apps using the default macOS networking stack may continue silently bypassing /etc/hosts
Chrome has run some trials for this but does not appear to have implemented it yet. Firefox has started implementing it but doesn’t seem to have gotten too far.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
The community reviewed whether to reopen this question 12 months ago and left it closed:
Not suitable for this site This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Improve this question
I would like to block all connections to my server that use a VPN or Proxy. Is there anyway to detect that a VPN or proxy connection is being used? If not, is there anyway that I can check the likelihood that a VPN or proxy is being used? Lastly, is there anything that I can query or prompt the user with to check if they are using a VPN or Proxy so that if anyone does get through, I can try and perform additional verification? I do not need any information from the user such as location, true IP, or anything like that. I just want to entirely bar connections from VPNs or Proxies.
Edit: I've been thinking that I could potentially run a test to see if there is consistent discrepancies between ping to the VPN IP and the detectable latency of the client, but that sounds pretty unreliable.
Edit2: A proxy or VPN server would likely have many more ports open than a standard home connection so I could use the number of ports open to help gauge the likelihood of a connection coming from a VPN by running a port scan of the person connecting.
Unfortunately, there's is no proper technical way to get the information you want. You might invent some tests, but those will have a very low correlation with the reality. So either you'll not catch those you want, or you'll have a larger number of false positives. Neither can be considered to make sense.
Generating any kind of traffic backwards from an Internet server in response to an incoming client (a port scan, or even a simple ping) is generally frowned upon. Or, in the case of a port scan, it may be even worse for you, eg when the client lives behind a central corporate firewall, the worst of which is when the client comes from behind the central government network firewall pool...
Frankly, IP-based bans (or actually, any kind of limiting focusing on people who do not exclusively possess their public IP address: proxy servers, VPNs, NAT devices, etc) have been unrealistic for a long time, and as the IPv4 pools have been getting depleted in many parts of the world, ISPs are putting more and more clients behind large NAT pools (it's this week's news in my country that the largest ISP, a subsidiary of Deutsche Telekom, has started handing out private IPv4 addresses as a standard way of business to its customers, and people have to ask the provider explicitly to get a public IP address), so there's even less and less point in doing so. If you want to ban clients, you should ban them based on identity (account), and not based on IP address.
At IPinfo we offer a privacy detection API, which will let you know if a connection is coming from a VPN, an anonymous proxy, a tor exit node, or a hosting provider (which could be used to tunnel traffic). Here's an example:
$ curl ipinfo.io/43.241.71.120/privacy?token=$TOKEN
{
"vpn": true,
"proxy": false,
"tor": false,
"hosting": true
}
If you wanted to block connections to your site from VPNs then you could make an API request to get this information, and reply with an error if it's detected as a VPN. In PHP that would look something like this:
$ip = $_SERVER['REMOTE_ADDR'];
$url = "http://ipinfo.io/{$ip}/privacy?token={$IPINFO_API_TOKEN}";
$details = json_decode(file_get_contents($url));
// Just block VPNs
if($details->vpn) {
return echo "VPN Access Blocked!";
}
// Or we could block all the other types of private / anonymous connections...
if($details->vpn || $details->proxy || $details->tor || $details->hosting) {
return echo "Access Blocked!";
}
The simplest way to do this is to use an external service like an API to block VPN or proxy users.
MaxMind and GetIPIntel both offer it via API, you might want to give it a try. GetIPIntel provides free API service so I suggest you try that first.
For OpenVPN, someone used unique MSS values to identify VPN connections but the setup is complicated and it might be "patched" now.
The strategies you've mentioned in your edits don't seem like a very good idea because you'll run into many false positives. Sending out port scans whenever they connect to your service is going to take a lot of time and resources before you get the results.
List of Tor exit nodes is publicly available. You only want "exit nodes" and it's available as CSV. This should be 100% complete and accurate as it's generated directly from Tor directory.
A free list of open proxies is available from iblocklist.com. A free list that incorporates open proxies, Tor nodes and VPN endpoints from ip2location.com.
The last two have most likely limited coverage and accuracy, especially as it comes to VPN exit nodes - there's just too many of them. Some providers take another approach and consider all "hosted subnets" (subnets from which ISPs assign their clients IPs for hosted servers) as some kind of VPN or proxy, as end-users should be connecting from "consumer" subnets.
Yes, you can detect whether an IP belongs to a VPN/ proxy using Shodan. The following Python code shows how to do it:
import shodan
# Setup the API wrapper
api = shodan.Shodan('YOUR API KEY') # Free API key from https://account.shodan.io
# Lookup the list of services an IP runs
ipinfo = api.host(VISITOR_IP)
# Check whether the IP runs a VPN service by looking for the "vpn" tag
if 'tags' in ipinfo and 'vpn' in ipinfo['tags']:
print('{} is connecting from a VPN'.format(VISITOR_IP))
You can also look at the list of ports to determine the likelihood that the visitor is connecting from a HTTP proxy:
if 8080 in ipinfo['ports']:
print('{} is running a web server on a common proxy port'.format(VISITOR_IP))
Btw you can do this now using our new, free InternetDB API. For example:
import requests
VISITOR_IP = "5.45.38.184" # In production this would be the IP of your visitor
info = requests.get(f"https://internetdb.shodan.io/{VISITOR_IP}").json()
if "vpn" in info["tags"]:
print(f"{VISITOR_IP} is connecting from a VPN")
You can download a list of known proxy IP addresses and lookup locally to see if it is VPN, open proxy etcs.
There are several commercial products in the market. IP2Proxy LITE is a free one you can try immediately.
Get (somehow) list of IP of proxy servers.
Measure round trip ping time to user. Helps in online websocket games. Games are playable with ping under 50ms, so you can disconnect users with ping about 100ms and greater with a message "Sorry, too large ping".
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
On Windows 7 I have an SSH tunnel running on my local 127.0.0.1:34567 address that I need to access so I can access 12.34.56.78:8080 with the help of SSH proxying for me as I cannot access that IP directly (due to not being on the whitelist).
My basic simple goal therefore is that on Windows whenever I request 12.34.56.78:8080 from anywhere (my browser for instance), I would like the request to instead be diverted to 127.0.0.1:34567 transparently, and I would like a software solution to this instead of a hardware one if possible. I think this is what's usually achieved in Linux by something called iptables, but I'm looking for something I can use on windows.
Does anyone know how this is possible? If I need to use any external Windows program for this, that is fine, but I prefer it to be free.
EDIT: please do not present me with reverse tunnel solutions. My goal is to request the same ip:port that I'm blocked from, but to be able to get to that ip:port successfully through the means of my existing SSH tunnel. Reverse tunnels involve requesting a different ip:port which is not what I'm looking for (I already have a forward tunnel I can use if I wanted to make requests to a different ip:port).
Example scenario: Pretend that you have an C-compiled .exe file whose source code you don't have access to that is hardcoded to request 12.34.56.78:8000 for SOAP webservices. The problem is, your IP is blocked from that ip:port, but you do have access to an SSH server which isn't blocked by 210.212.239.117:8080 and also have an SSH tunnel set up for that SSH server to access that ip:port... but your .exe has the original ip:port hardcoded, so you can't just tell it to request the SSH tunnel ip:port, as it's not possible to change the ip:port to be requested in any way due to it being hardcoded! You would have to have the request to 210.212.239.117:8080 on your computer somehow diverted to your SSH tunnel on the OS level. So how would you get that done?
EDIT 2: I'm not looking for routing tables either (I think). I don't want to modify the route my request goes through to reach target ip:port; I actually want to have the requested ip and port themselves silently changed. I kind of want to achieve something like the hosts file, except instead of resolving hostnames to ips, I want ip:ports to be reresolved to different ip:ports.
Bounty: Sorry, it appears this stackoverflow question of mine counts as Offtopic and isn't eligable for offering a bounty, so sorry to anyone who put in extra work and would have potentially received the bounty!
I haven't found a ready executable, but WFPSampler seems to be promising. It uses the new Windows Filtering Platform API (available since Windows Vista) to manipulate packets.
To use it for redirecting outgoing packets, give a look at Q&A section, there are many examples.
Check out BarbaTunnel: http://barbatunnel.codeplex.com/
TCP-Redirect mode is probably what you're looking for.
You can use a reverse shell. It can mirror a remote port. Use ssh to connect with -R option. For example ssh -R xxxx:localhost:xxxx user:pass#www.server.com. Check this out:http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html.
This is a "Blocked Port 80" related question, but maybe something a bit unique. I've yet to find a good answer. It's more academic than anything as I know running a production server at your house is a ridiculous idea.
I'm running a development server (LAMP) at my home but my ISP blocks port 80. The DNS for my domain is set up to "URL Redirect" to my IP and port number. My router is port-forwarding to my server, and I have Apache set up so it's listening on port 8081.
The issue is that when you access the domain, the URL in the browser is resolved from my domain name to the IP and port number, and is displayed as such. For example, you type "www.banana.com" into the browser, the site is displayed but now the URL is shown as "12.23.456.11:8081".
Is there any way to fix this so that the domain name does not become IP and port number?
Can you use Apache proxy functionality somehow?
Could you use mod_rewrite to change the IP and port number back to the domain name?
Thanks in advance!
This question has three parts. First the issue of the domain: in order to substitute a domain name in place of an IP address you need some name server that can map your desired name to an address. This is at the host level and not the port level so a domain name will encompass all ports you might host from it. If you are using your home Internet connection (which I suspect you are since you talk about a blocked port) then you need to take into account that from time to time your public IP address can change. Your options are to pay for (or request) a static IP from your ISP or use a dynamic DNS service that can rapidly update their records as your IP address changes.
As for your port number. Mod_rewrite only handles the path part of a URL, for using different ports internally you want mod_proxy. The Apache web sever with mod_proxy would be configured to listen on the public port you want (that I assume is port 80) then mod_proxy would take incoming requests and send them to another web server on a different port (or even different server). To the outside user this happens invisibly. The problem is if your ISP wont let you host your site on port 80 then it logically won't let you proxy from port 80. To get around this would be a little harder. Personally I would look at a virtualized server from people like Rackspace or Linode. You would get (for relatively little money) a fully configurable server on the open Internet with no restrictions on port usage and a static IP. Even better if you mess something up you can just virtually delete your server and start over with a fresh OS image.
Finally the clean URLs your question title suggests. It's possible this wasn't part of your actual question but just in case, mod_rewrite is a smart module that can let you map clean URLs like /cars/Toyota/1997 and turn them into more ugly requests like /cars.php?make=Toyota&year=1997. Clean URLs not only look better they make it easier to reorganize web code behind the scenes as your web site evolves.
One last thing, and its amazing to me that this question has gone so long without even a comment about this but, this question is really not a good fit for StackOverflow. Possibly ServerFault.com. Good luck! :)
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I want to make an transparent chain-proxy
using a redirect server and chain proxy client written in Qt for Windows.
I've tried ndis+tdi but it's too complicated for me.
I've started to break through the openVPN code.
So the task is to start dummy tap device even if there no need in OpenVPN connection and redirect packets to some addr:port on wich my redirect server will be bound.
Maybe it is better to implement new plugin functions ??...
You can use OpenVPN's TUN/TAP driver ("TAP-Win32") as-is to implement a network device backed by software. I'm not sure what you mean by "rewritten OpenVPN tun/tap driver"; you don't need to modify any existing code - just write your own program which opens TAP-Win32 and reads and writes frames/packets. You don't need any other part of OpenVPN, just TAP-Win32.
However, if you use the TUN/TAP driver, you will have to deal with individual frames/packets. If you will be redirecting just TCP (i.e. you'll redirect connections not packets), it may be useful to have your redirection program only provide a local SOCKS server. With SOCKS you get to work with connections and not packets. If a given network program supports SOCKS, you can simply tell it to use your SOCKS server.
On the other hand, if you want to be able to redirect for all applications, not just those which understand SOCKS (or you don't want to configure each application for SOCKS), you can use a program which will allow you to forward raw TCP connections (on packet level) through your SOCKS server. See my program tun2socks.
Once you have a program operating a TAP-Win32 device, update the routing table to get packets routed into it. You probably want to make it the default route, overriding any previous default routes. But be aware that the routing table applies to the redirection program itself too, so you need to add specific routes for hosts that the redirection program connects to, or they will end up going back into the TAP device. The tun2socks page expains how to do that when using SSH forwarding.
Update: tun2socks deals only with the TUN device and simply forwards all incoming connections. It doesn't decide what you want to forward. Even if it had some policies (like port numbers), it couldn't do anything useful with that info. For example, if it responds with a reject packet, the connection will simply fail - and the OS will not look for an alternative route. (it could forward connections to different SOCKS servers - but I think that would be of no use in your case)
The feature you seem to need is called "policy routing", and it needs to be offered by your operating system. Unfortunately, it appears that Windows does not provide policy routing. If you really need it, you may want to use Linux instead, which provides many more network-related features than Windows (policy routing being one).
Alternatively, instead of using tun2socks, some userspace socksification tool may work for you. These are programs that hook network-related system calls when launching a specific application, in order to make the connections go, for example, through SOCKS. If such an application supports routing rules, it may fit your needs.
An example of such a tool for Windows is ProxyCap (commercial software), which claims support for "flexible routing rules".