I downloaded ngrok so i can test my site for http and https requests (if someone is trying to get in my site specific url and it will be a simple http request, i will deny it),
first, my localhost is working in 8080 port
I start ngrok, it gives me the following:
both at the same port, it's a problem i think, because if i do such simple route configuration in laravel:
Route::filter('force.ssl', function()
{
if( ! Request::secure())
{
return 'unsecured';
}
});
and i have this route:
Route::get('survey/payment/secured', array('before' => 'force.ssl', function(){
return 'secured!';
}));
and i do the following request:
https://75fdaa96.ngrok.com/survey/payment/secured
it thinks it unsecured and returns 'unsecured', how can i fix this?
Request::secure() relies on $_SERVER['HTTPS']. As the HTTPS is being provided by the proxy, not your webserver, Laravel doesn't know it's being served as HTTPS.
ngrok does pass the X-Forwarded-Proto header, but Laravel doesn't trust it by default. You can use the trusted proxy middleware to trust it.
Related
I have the following code in my Fastify server hosted on Heroku:
this.server.addHook('preHandler', async(req, reply) => {
const isHttps = req.headers['x-forwarded-proto'] === 'https';
if (isHttps) {
return;
}
const {
method,
url
} = req;
if (method && ['GET', 'HEAD'].includes(method)) {
const host = req.headers.host || req.hostname;
reply.redirect(301, `https://${host}${url}`);
}
});
The idea is to prevent access to the server through HTTP and force redirection to HTTPS at the application-level, since it is not possible otherwise on Heroku.
My question is: if the first request to the server via HTTP (before the redirection happens) contains sensitive information such as a username/password, wouldn't that still be "dangerous" or compromising somehow?
You have probably mis-configured something on Heroku.
Heroku domains (.herokuapp.com) are by default HTTPS enabled. The same page has a guide for custom domain SSL setup guide. Since you are talking about (username + password), I am going to assume this is a website. All you need to do is setup CORS with fastify-cors. Your website should ALWAYS be served over HTTPS.
Also you should not use the logic above. Fastify isn't meant to be used as a proxy server. The docs strongly suggest using a front-facing proxy server like nginx. With Heroku you don't need all these. It already handles this for you.
In the future you could also use Cloudflare as a "proxy server" outside Heroku.
I have developed an api in laravel and then there is no ssl certificate installed and all working good. But after some time, I have install ssl certificate but now the api's not working in my mobile app but it's working in postman.
the response getting from you have not passed any header but in actual I have passed header.
I have just made one changes http->> https in url.
You would need to update the code in your mobile app to point to https, instead of http.
If you are hosting your API with Nginx, you can redirect HTTP -> HTTPS requests by modifying your config such as:
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
This will automatically redirect any HTTP request to its SSL equivalent.
I am a beginner in website hosting please consider if my question is too silly or this is not the right place to ask this question and direct me to the right place.
I have website (hosted on a subdomain) already running on HTTP (perfectly). I am moving to HTTPS using Let's Encrypt. I have generated the certificate, configured my application and then deployed it using AWS lightsail. I have pointed the domain name using A record, where my lightsail instance IP is pointed by my subdomain.
Problem: When ever I go to my website using the URL https://subdomain.mywebsite.com:80 it works perfectly fine with no privacy error. My HTTPS server listens on port 80. But, if I try any other URL like subdomain.mywebsite.com:80 or subdomain.mywebsite.com I get a privacy error in google chrome saying "Your connection is not private".
I think I am missing some fundamental, which I not able to understand on my own.
My application is nodejs based below is a snippet of my server
const options = {
cert: fs.readFileSync('./sslcert/fullchain.pem'),
key: fs.readFileSync('./sslcert/privkey.pem')
};
app.listen(function () {
console.log("Live");
});
https.createServer(options, app).listen(80, function() {
console.log("From HTTPS");
});
What you need is to redirect all requests to port 80 to port 443, that way browsers apply automatically https protocol.
This means that if someone uses "subdomain.mywebsite.com", it is by default http and port 80, i.e, "http://subdomain.mywebsite.com:80" and you want it to be redirected to "https://subdomain.mywebsite.com", that is listening by default on port 443.And you configure your https service on port 443, which is the standard port for https.
You have two approaches:
Do the redirection in node.js: have a look to this answer for guidance: Automatic HTTPS connection/redirect with node.js/express
Use a proxy to do the redirection:have a look to this blog post for guidance (I am not related to that blog, just did a quick google search): https://serversforhackers.com/c/redirect-http-to-https-nginx
I hope this helps. Provide some comment if you need more clarifications.
I am running a local webserver, which runs an XHR request to an ngrok server, also run from my PC.
I'm getting XMLHttpRequest cannot load http://foo.ngrok.io/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
It appears the ngrok FAQ mentions CORS headers, but only in relation to basic auth - it doesn't mention how to set the headers so I could test my app in development.
How do I change ngrok's CORS options to allow loading requests from localhost?
UPDATE: different use case. BOUNTY FOR THIS SOLUTION:
I am getting the following error:
login.php:1 Access to XMLHttpRequest at 'http://localhost/lagin/public/login.php'
from origin 'http://062b-96-230-240-153.ngrok.io' has been blocked by CORS
policy: The request client is not a secure context and the resource is in more-
private address space `local`.
I've looked at Configure ngrok's CORS headers but still not sure how to proceed. When I tried ngrok http -host-header=rewrite 80 it says header not defined.
I've looked at 10 or 12 youtube videos and they all do a great job explaining what CORS is but an awful job explaining how to fix it.
I'm running virtualbox on a windows 10 machine and create a linux virtual machine. On the linux side I am running xampp as a local server.
I am happy to provide more details but I just don't know what additional information is needed.
I am able to see the login page of my site on ngrok but as soon as I make a axios call I get the above error.
Also, I tried //flags/#block-insecure-private-network-requests in chrome and set to disable. When I do that I no longer get the error but the site doesn't work.
ADDITIONAL INFORMATION:
I spoke to ngrok and they say: ...it sounds like your app is trying to call localhost somewhere in a ajax request. You will need to adjust that call to ensure it is being routed through ngrok.
here's what I'm doing:
responseData = sendData2('http://localhost/lagin/public/login.php',emailPass);
and here’s sendData2 (just for completeness)
function sendData2(url,emailPass){
let bodyFormData = new FormData()
for (const [key, value] of Object.entries(emailPass)) {
//console.log(key,value)
bodyFormData.append(key,value)
}
return axios({
method: 'POST',
url: url,
data: bodyFormData,
headers: {'Content-Type': 'multipart/form-data'}
})
.then(function(response){
return response.data
})
.catch(function(response){
return response
})
}
UPDATE: Each time we tunnel into ngrok we get an address like https://2634-96-230-240-153.ngrok.io If we change the send2() call to
sendData2('http://96-230-240-153.ngrok.io/lagin/public/login.php',emailPass);
it works but this requires I change the code each time I have a new tunnel. Would adjusting the CORS policy get around this problem?
I just stumbled across this issue today and was able to resolve it by starting ngrok and including the -host-header flag.
ngrok http -host-header=rewrite 3000
From the docs:
Use the -host-header switch to rewrite incoming HTTP requests.
If rewrite is specified, the Host header will be rewritten to match
the hostname portion of the forwarding address.
First of all ngrok is just a tunnel and not a server so configuring CORS header in ngrok is not at all possible. So any kind of CORS configuration needs to be done at the server level.
For example if you are using a nginx server, you need to configure header in the nginx conf file like:
location / {
/*some default configuration here*/
add_header 'Access-Control-Allow-Origin' '*';
}
By adding this header, you say that cross origin access to your address is allowed from any address as the value of the header is '*'. You can also specify a particular address for which the access to your address is allowed by replacing the value.
For me, in addition to setting up the server, you also need to add to the header on each request sent from the client side
"ngrok-skip-browser-warning": true
With Webpack / react, I used the 'requestly' Chrome extension and set up a rule from the Bypass CORS template. Note that after selecting Templates > Bypass CORS, you need to click Create Rule in the top right of the dialog.
Then fill in the section at the top, "If domain contains <your domain" and make any other configuration changes, then you can save your rule.
If you are using ngrok with nodejs/express.js .
Use this code:
app.use(function(req, res, next) {
res.header("Access-Control-Allow-Origin", "YOUR-DOMAIN.TLD"); // update to match
the domain you will make the request from
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-
Type, Accept");
next();
});
Replace "YOUR-DOMAIN.TLD" with "*" to give access to all urls OR your specific website url.
Refer to https://enable-cors.org/server_expressjs.html for more details
Getting ngrok to work took a little time to figure out but it's actually quite easy.
In chrome there is an option to turn off CORS. In the chrome address bar go to
chrome://flags and look for Block insecure private network requests.
This needs to be disabled.
Second, in my ajax request I had used an absolute path and this needed to be changed
to a relative path.
REMEMBER:This is for running localhost and exposing it to the web
I'm using Laravel 4.2 and I'm using a Flexible SSL from Cloudflare.
I have this code on filters.php for example:
App::before(function($request)
{
if (Request::secure())
return 'False';
});
and when I try to run this on my secured server, I get the False Response.
Did I do something wrong here?
The reason the secure() function returns false is because the site doesn't really have an SSL Certificate, CloudFlare has. so when the clients connect to the site, the actually connect to CloudFlare (SSL) and CloudFlare connects to the site (Not SSL). So in conclusion, the Request between CloudFlare and the Site is not secured.
Did I do something wrong here?
Yes. You’re returning a string rather than a boolean. Try this instead:
App::before(function($request)
{
if (Request::secure())
return false;
});
I’m not sure what you’re trying to achieve, though? If you want to enforce access via SSL, then redirect to the HTTPS version. Returning false will just give the user a blank page.