I am trying to change my site to https (port 443). Everything works correctly except for one thing, on my site i'm using a service call Yawcam which allows to stream a webcam (I'm using port 8081 to that end).
It is working when I use for my Apache server port 80 (http://myip:8081), but when using port 443 it doesn't respond (https://myip:8081).
All ports mentioned are opened to Public (80,443,8081) through my Windows Server firewall.
I'm out of ideas, do you have any?
This is nothing to do with your firewall, this is to do with the fact that you are using mixed content.
Chances are you are using http:// for the external service and this will be blocked by browsers as they do not like it when you try to load a less secure resource than the loaded page.
Try changing your external content URLs to https:// if possible.
You can see here for a little more info on what you could try: https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content/How_to_fix_website_with_mixed_content
Related
I am looking for a way to implement a captive portal for the windows 10 - mobile hotspot. The idea is to redirect all devices that connect to the hotspot to a webpage.
I was able to find this article which shows how to do it in linux.
But I have been unsuccessful in finding a similar one for windows. Posts like this one proved to be dead ends.
I am okay with using a simple nginx server to give 302 redirect response to clients if needed, but prefer not to use any existing software that implements a captive portal.
UPDATE
I have succeeded in triggering a captive portal on clients (linux laptop, android device etc) using a workaround.
Whenever a device connects to the hotspot it sends a request to some predefined websites to check if the wifi connection has internet access. If it gets a 302 response it generates the captive portal window.
So I added the following entries to the hosts file on windows machine.
127.0.0.1 clients3.google.com #android
127.0.0.1 connectivitycheck.gstatic.com #android
127.0.0.1 nmcheck.gnome.org #ubuntu
These requests will then be resolved locally using the hosts file entries and sent to the nginx server which gives a 302 redirect to all http requests.
The setup I mentioned in the UPDATE above was tweaked finally to get where I wanted. I used dnschef, an open-source dns server that works perfectly as a command line client.
The steps followed.
Start windows mobile hotspot.
Go to Network adapters => Select hotspot adapter => Change IPv4 settings => set 127.0.0.1 as DNS server.
Start dnschef with --fakeip = 192.168.137.1
Start an http server on 192.168.137.1 and give 302 redirect response to all requests.
And that's it! Whenever a device connects to the hotspot, it will attempt to connect to any one of the preset websites used to determine internet connectivity. These requests will be resolved locally by dnschef to our Nginx server. The Nginx server then gives a 302 redirect which triggers captive portal on the client.
I tried a similar approach using dnscrypt-proxy which provides dedicated captive-portal support. Since, this is nothing more than dns cloaking there are several ways to achieve, that requests to certain "connection-checking" domains are directed to a local webserver.
Unlike in the accepted answer, I figured out an even easier and more flexible way by using the windows hosts file without any third-party dns proxy. Instead of associating the connection-checking domains with localhost, I mapped them with the physical wifi accespoint ip address (which is 192.168.137.1). This causes wifi clients to directly send their connection-checking requests to the webserver, that is running on the local pc and listens to all connections on port 80.
hosts file:
192.168.137.1 captive.apple.com
192.168.137.1 clients3.google.com
192.168.137.1 nmcheck.gnome.org
192.168.137.1 connectivitycheck.gstatic.com
192.168.137.1 connectivitycheck.android.com
192.168.137.1 www.msftncsi.com
192.168.137.1 dns.msftncsi.com
192.168.137.1 www.msftconnecttest.com
192.168.137.1 ipv6.msftconnecttest.com
192.168.137.1 ipv4only.arpa
This webserver (in my case asp.net core) redirects clients to a login page, unless they are already registered. In this case the webserver may answer to the calls just like the "real" servers do, that sit behind those connection-checking domains, in order not to redirect clients, that have already been logged in successfully.
I have a web page to control a thermostat on a raspberry pi, and I'm running into difficulties when trying to get websockets to work from a remote client. It seems to work fine when on LAN however. I'm obviously missing something (and likely something basic), but I can't seem to figure out what it is.
The pi's local ip is 192.168.1.134. The web page (served from apache server) has the URL http://192.168.1.134:8010/thermostat.html. The page starts up some javascript, which then tries to connect to the pi's main program using websockets via ws://192.168.1.134:9000. (the server on the pi is running libwebsockets). The websocket comes up, and it seems to work fine. I then tried to connect via a remote client (a cell phone, where wifi was turned off) from http:\\23.239.99.99:8010\thermostat.html. The html/js files load fine, but the web socket attempts to connect to uri ws:\\23.239.99.99:9000, and this fials.
As far as I can tell, the NAT seems to be configured properly:
name ext ext protocol int int ip addr interface
port port port port
start end start end
Thermostat3 8010 8010 TCP 8010 8010 192.168.1.134 eth3.1
Thermostat5 8000 8000 TCP/UDP 80 80 192.168.1.134 eth3.1
Thermostat_ws 9000 9000 TCP/UDP 9000 9000 192.168.1.134 eth3.1
I checked, and the router does not have any firewalls set up, neither does my modem. I didn't install a firewall on the pi (I checked, and there's no odd iptables rule). Does anyone know what I'm missing?
--- EDIT ---
I'm still stuck on this. I called my ISP and they assure me there are no firewalls on their servers. Is there any way to tell if port 9000 is being blocked, and by who?
Bind your apache server to 0.0.0.0 address to make it accessible from remote machines
Try this tool to determine if the port is inaccessible (use the custom port): http://www.whatsmyip.org/port-scanner/
Everything else looks fine. As a sanity check I would try putting the ws port to 8010 to see if that works. I would also recommend using a tool like Advanced Web Client to isolate networking issues.
This is interesting. I once had a similar problem. I set up a WebSocket (I was using a nodejs ws) and once I tried to access it from remote client I was not able to reach it with ws://yourip:port but instead I had to use http://yourip:port. I don't know if you have the same problem, mine was due to a proxy I was using.
I still have an advice for you how you might be able to solve your problem. I don't know how concerned you are about security but as far as I understood your idea you basically connect to your raspberry pi through a WebSocket and tell it to change the temperature.
Back when did a similar project I found it rather hard to secure my WebSocket connection. I was basically sending a password plus command through the WebSocket to my server which then checks wether the password is correct. Otherwise everyone on the internet could heat your house. Not cool...
But therefore, I had to tunnel the connection through https to prevent a middleware attack.
I quickly threw the towel and decided to go with a completely different solution. Basically I set up a nodejs express server (can easily be configured with a self signed certificate to use https or used behind a nginx/apache https server) and authenticated with username and password. When someone made a POST request to /api/thermostats?id=0 with a temperature request, the server checks if the user is authenticated and then executes a terminal command from within node.
Maybe this idea also fits your demands.
All,
I have a web application running on tomcat on an amazon ec2 instance and I have a DNS name on godaddy which redirects to this web app on ec2 with an elastic ip.
Everything works fine when I open the port number 80 to all inbound traffic but recently I received an email from Amazon support saying Denial of Service (DoS) attacks were launched from my instance to IP(s) xxx.xx.xx.xxx via UDP port(s) 80.
How can i make the application accessible by closing port 80 to outside world?
Thanks in advance,
keran
http is over TCP. Only open TCP on 80, keep UDP on 80 closed. The webapp should work.
I have a web application running on tomcat on an amazon ec2 instance and I have a DNS name on godaddy which redirects to this web app on ec2 with an elastic ip.
A re-directs is an HTTP thing (and not very effecient, nor good for bookmarking). Do you mean your web app has an A record?
Everything works fine when I open the port number 80 to all inbound traffic
Yup, you need to open port 80 to serve traffic.
but recently I received an email from Amazon support saying Denial of Service (DoS) attacks were launched from my instance to IP(s) xxx.xx.xx.xxx via UDP port(s) 80.
There are 2 possible explanations:
1) Your software is buggy and trying to send data to their box via UDP. This isn't that likely, but is possible if you accidentally enabled/misconfigured collectd, syslogd, statsd, or some other package.
2) Your software is buggy and let a hacker take over your box. It could have been your web application, or it could have been some other service (if you have other ports open to the world).
Either way, a good system administrator could use TCPDump to figure out where the problem is.
How can i make the application accessible by closing port 80 to outside world?
You Can't. If you want to serve traffic to the world, you need an open port. Blocking port 80 TCP will not fix your problem because "incoming traffic on TCP port 80" (used for web servers) has nothing to do with "outgoing UDP port 80". If your box is sending UDP traffic, then it's a broken/misconfigured program running on your box.
That said, you can use a proxy service like CloudFlare to "hide" your servers behind their load balancers. But that won't fix your fundamental problem, which seems to be that your box insecure. If you are going to put a server on the Internet, you need to level up your security knowledge, or hire a system administrator.
If your content is "static" (i.e. not constantly changing, like a simple blog that's updated a few times per day), you should look into serving it from S3. S3 doesn't require a System Administrator, while EC2 does.
This is a "Blocked Port 80" related question, but maybe something a bit unique. I've yet to find a good answer. It's more academic than anything as I know running a production server at your house is a ridiculous idea.
I'm running a development server (LAMP) at my home but my ISP blocks port 80. The DNS for my domain is set up to "URL Redirect" to my IP and port number. My router is port-forwarding to my server, and I have Apache set up so it's listening on port 8081.
The issue is that when you access the domain, the URL in the browser is resolved from my domain name to the IP and port number, and is displayed as such. For example, you type "www.banana.com" into the browser, the site is displayed but now the URL is shown as "12.23.456.11:8081".
Is there any way to fix this so that the domain name does not become IP and port number?
Can you use Apache proxy functionality somehow?
Could you use mod_rewrite to change the IP and port number back to the domain name?
Thanks in advance!
This question has three parts. First the issue of the domain: in order to substitute a domain name in place of an IP address you need some name server that can map your desired name to an address. This is at the host level and not the port level so a domain name will encompass all ports you might host from it. If you are using your home Internet connection (which I suspect you are since you talk about a blocked port) then you need to take into account that from time to time your public IP address can change. Your options are to pay for (or request) a static IP from your ISP or use a dynamic DNS service that can rapidly update their records as your IP address changes.
As for your port number. Mod_rewrite only handles the path part of a URL, for using different ports internally you want mod_proxy. The Apache web sever with mod_proxy would be configured to listen on the public port you want (that I assume is port 80) then mod_proxy would take incoming requests and send them to another web server on a different port (or even different server). To the outside user this happens invisibly. The problem is if your ISP wont let you host your site on port 80 then it logically won't let you proxy from port 80. To get around this would be a little harder. Personally I would look at a virtualized server from people like Rackspace or Linode. You would get (for relatively little money) a fully configurable server on the open Internet with no restrictions on port usage and a static IP. Even better if you mess something up you can just virtually delete your server and start over with a fresh OS image.
Finally the clean URLs your question title suggests. It's possible this wasn't part of your actual question but just in case, mod_rewrite is a smart module that can let you map clean URLs like /cars/Toyota/1997 and turn them into more ugly requests like /cars.php?make=Toyota&year=1997. Clean URLs not only look better they make it easier to reorganize web code behind the scenes as your web site evolves.
One last thing, and its amazing to me that this question has gone so long without even a comment about this but, this question is really not a good fit for StackOverflow. Possibly ServerFault.com. Good luck! :)
Does anyone know how (or even if it's possible) to change the port on a Billion BiPac 7800NXL?
I can't find anything about it in the documentation or web management.
I want to be able to forward port 80 through to a machine on my network, but it doesn't seem to allow me to do that.
It appears you can forward port 80 without having to change the management port, any external requests to the port are forwarded through and internal requests are redirected through to the web management.
A dyndns on the external IP always seems to redirect through to the correct machine, even from the internal network.