Is there a Wakanda way to:
expose a Wakanda application only to a specific IP address or IP range
validate a login request (custom login) against an IP address or IP range
I will answer the questions one by one :
1-
This should be done using your OS' firewall (using iptables for instance if you are on Linux)
2-
If you restrict access to the app using the firewall, you might not need to do this. But if you really need to :
Today there is no good way to do this, because you can't disable the authentication REST API. The workaround I propose is as follows (but I don't think it will work if you are using active directory ):
Add a custom request handler for authentication /login where you do something like :
function login(request,response){
var ip = request.remoteAddress;
if( ! isIPAuthorized(ip)){
response.statusCode = 403;
return;
}
sessionStorage["login-request"] = true;
/*
* Your login code here
* For instance you can use loginByPassword, createUserSession ..
*/
sessionStorage["login-request"] = false;
}
Inside your Login Listener you can check if the login request came from you custom login function or not by checking the sessionStorage :
if(!sessionStorage["login-request"]){
return {
"error" : 1024,
"errorMessage" : "Unautorized Login Attempt"
}
}
This way any login attempt using the default REST authentication API where IPs are not checked will be refused.
The best way to expose any application to a specific range of IP addresses (while blocking all others) is with a firewall; whether it be a software-based firewall (such as iptables or windows-firewall) or a hardware-based firewall (such as a Cisco ASA). Using a firewall completely alleviates the need for the second part of your question.
For the first question, enable the Cross-origin resource sharing in the Project Settings file ( Settings.waSettings ), and you need to define the list of Domain name or IP address from where external pages are allowed to send data requests to the Wakanda Server via CORS. Multiple domain attributes can be added to create a white list.
Related
I'm using a Google Login component in my website that calls Google OAuth API. Is it possible to somehow define an IP whitelist together with the domains whitelist?
The expected result is that even if someone successfully identifies with a whitelisted-domain google account, it will still be rejected if their IP isn't whitelisted
When a domain is used on the consent screen or in an OAuth client’s configuration, it must be pre-registered. If your app needs to go through verification, up need to the Google Search Console to check if your domains are authorized.
Domains used for a redirect uri when the app is set to production must also be verified domains.
You cant set a domain as an ip address and you wont be able to set your redirect uri as an ip address either.
I have been following the facebook bot setup guide and have setup a callback url that is running on an EC2 instance.
I am getting an error (see title of this) when trying to validate the callback url and verify token.
https://360.finance:1337/webhook is my webhook and the verify token is the same in my environment variable and in my facebook setting.
I set up SSL using LetsEncrypt and from what I can tell, the SSL is not showing as self signed so it looks to be working correctly (please note I'm new to all of this)
Checked at https://www.ssllabs.com/ssltest/analyze.html?d=360.finance&hideResults=on and all looks correct.
I have also included the facebook page token as an environment variable and included in my index.js file
I have tested netcat / telnet into that port on my ec2 ip and it is succeeding
You must return an http response of the hub.challenge token as a plain text.
We need to update the following on Facebook app settings page before adding The Callback URL or Verify Token.
Privacy Policy URL
Category
App Icon (1024*1024)
Its weird that facebook doesn't point our exact error.
check you callback server, if it is running or not ?
the callback and token comes from your server.
For python users you need to use a dot not underscore. I don't get it when I use the underscore version Facebook API cant access challenge but when I replicate the same GET request with postman I can access the challenge.
# Wrong way
challenge = request.GET['hub_challenge']
# Right way
challenge = request.GET['hub.challenge']
return HttpResponse(challenge)
Do not use ngrok or localtunnel.
I tried both, with no luck.
If you really want your local dev server to authenticate - you can port forward over ssh to your public faced server.
ssh -R 4000:localhost:4000 root#your-server-ip
This way you can setup nginx to reverse proxy 443 to 4000 and handle ssl with certbot
sample config for nginx reverse proxy (before running certbot)
server {
server_name my-own-domain;
root /usr/share/nginx/html;
index index.html index.htm;
listen 80;
location / {
proxy_pass http://localhost:4000/;
}
}
So you "only" need:
Your own domain
Your own server
nginx
certbot
SSH Server
And now you have your own private ngrok replacement
My PC is behind a corporate firewall/proxy. I would like to use Fiddler, or some other simple Forwarding Proxy, to make internet requests without the client application having to respond to proxy authentication requests. I.e. I want Fiddler to authenticate using the logged-in user's credentials on behalf of the client application.
In my specific case I have a locally running ASP.NET website that needs to call out to an internet service through the proxy but I don't want to have to set up the user that it is running as to be me or some other domain account. I want it to use Fiddler as a proxy and for Fiddler to authenticate with the upstream proxy.
This could be useful for many other applications such as command line tools for git, npm etc that need similar access.
Do you know if and how Fiddler can be configured to achieve this?
Perhaps there is some well known method of achieving this?
Just found a related question and answer: Configuring Fiddler to use company network's proxy?
But the answer I used was in a comment on the accepted answer. In summary you need to add two code sections to the CustomerRules.js file (Rules > Customize Rules...):
...
class Handlers
{
...
//[[insert:
public static RulesOption("&Automatically Authenticate")
var m_AutoAuth: boolean = false; // true if you want that as a default on startup
//]]
...
static function OnBeforeRequest(oSession: Session)
{
...
//[[insert:
if (m_AutoAuth) {
// Automatically respond to any authentication challenges using the
// current Fiddler user's credentials. You can change (default)
// to a domain\\username:password string if preferred.
//
// WARNING: This setting poses a security risk if remote
// connections are permitted!
oSession["X-AutoAuth"] = "(default)";
}
//]]
}
...
}
You can then turn on and off this automatic proxy authentication from the Rules > Automatically Authenticate menu option.
I'm developing an application that uses the Youtube Data API from the server (with node.js) so I have my server side credential key already set up but when I try to get data is always refusing my requests with this message.
Access Not Configured. The API is not enabled for your project, or there is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your configuration.
I've my app hosted in Heroku with the add-on Quote Guard Static that gives me two static IP's that I have whitelisted in the Credentials section of the google developers console. I also have the app hosted in modulus.io and whitelisted the IP range 54.0.0.0/8 that is what they gave me for their AWS region... Any of both deployments are working only in my local machine with my home external IP whitelisted.
The funny thing is that yesterday 15 minutes approximately after I whitelisted the 54.0.0.0/8 range, the app API started working in my Heroku host, but today it stopped again (this might be because it has changed to another IP inside their AWS region or something...).
Is there any way to check what IP is doing the requests to the Youtube data api? I can see in the developers console the request reaching the API and been rejected as "errors" at least I know that their are getting the requests...
Any ideas??
Thanks
EDIT:
Partially solved. See my answer below.
There's a simple service I found that returns your public IP:
http://api.ipify.org?format=json
You could add a route to your application that you can hit from your browser. The route handler then makes a request to this service and returns the result. You could then periodically check what your app's actual public IP is and adjust whitelist accordingly.
// Example express + request
app.get('/ip', function(req, res) {
request({ uri: 'http://api.ipify.org?format=json' }, function(err, response, body) {
res.send(body);
});
});
The problem with the app hosted in Modulus.io is solved now. The app was running by default in Joyent servers but I changed it to the Amazon AWS region and with the IP range 54.0.0.0/8 whitelisted google is accepting all my requests to the API.
Nevertheless, the app in heroku still not working but as is working in one service I'm going to stop investigating in the other one.
I'm stuck trying to get an API call to Google Places working. I'm using a server-side PHP proxy for the request - not because I want to, but because it's part of JQuery-POI-Mapper.
The server I'm using is an Amazon EC2 server without a static IP address. I'm out of stactic IP addresses at the moment, but I'll take the time to request more if people think that's the problem. I identified the current public IP address of my EC2 server by running this command on the server:
curl http://169.254.169.254/latest/meta-data/public-ipv4
Next, I went to https://code.google.com/apis/console and created a new API key. I selected a server-side API key and used my EC2 server's public IP address.
Under the services tab, I enabled every related API I could think of, including:
Google Maps API v2
Google Maps API v3
Google Maps Gelolocation API
Places API
Static Maps API
Here's a screen capture of my Services:
The proxy code running on the EC2 server is part of a commercial package, so I shouldn't post the entire code, but it's very short, and the important part is:
$json = file_get_contents($url);
The $url variable in my case was:
https://maps.googleapis.com/maps/api/place/search/json?location=-37.7133771,145.14891620000003&radius=2000&types=bakery&sensor=false&key=AIzaSyCCUV...
The response I get is:
{
"html_attributions" : [],
"results" : [],
"status" : "REQUEST_DENIED"
}
I checked to see if I had gone over my quota already, but everything looks OK. What's interesting is that Google is showing that I had made requests to the Places API today, so Google definitely knows that the requests are coming from me.
Here's a screen capture of my API Traffic Report, which is all from testing:
Any advice would be much appreciated.
Thanks,
Bret
You need a Static IP address to successfully use IP Locking with a Server API Key.