How do I run Diaspora without SSL - diaspora

I want to run diaspora without ssl in my home based webserver in production mode. How can I do that? Are there any switches/options that I can turn off?

Yes, you can just set require_ssl to false in your config/diaspora.yml. Then restart Diaspora and make sure to clear your browser's cache, since redirects are cached by most browsers.
If you're using a reverse proxy also make sure you don't blindly follow the example configurations Diaspora provides, they do redirect from HTTP to HTTPS.
However we strongly recommend to not do that, you can get a free certificate from startssl.com.

Related

Chrome on mac adding www before subdomain

I have recently hosted my site which intends to use wildcard subdomains in its general use. A user would go to account.website.com to access their part of the site. The site is a rails app hosted on heroku and domain is through 123-reg. DNS is set up as per heroku - * , cname , wildcard.app.heroku...
At first I thought 123-reg couldn't handle wildcard routing and I would have to change DNS provider, as whenever I go to account.website.com it will send me to www.account.website.com, which is extremely irritating, but then I found that this does not happen on my Windows machine, only on my dev machine (MacBook Pro). In both cases I am using Chrome. Firefox works as desired, only Chrome is messing up.
Any insight into why this is happening would be fantastic.
Thanks
Obviously I immediately solve it after asking and look like a fool - apparently the cache remembers the redirect from when, I assume, I hadn't yet set up DNS correctly. If you get the same problem, clear the browser cache.

Easy reverse proxy for serving images over ssl

I created a simple web-based email client like gmail. I want to display images, but in order to do it with my ssl site, I need all images served over ssl (otherwise I get "mixed-content" warnings). So I need a reverse proxy like gmail has to serve those images.
I will rewrite all image urls in the email to point at the reverse proxy. For example:
My reverse proxy is https://myreverseproxy.com
original image url http://stuff.com/image1.jpg
I will rewrite the url to be https://myreverseproxy.com?image-url=http://stuff.com/image1.jpg
When the reverse proxy gets the request "https://myreverseproxy.com?image-url=http://stuff.com/image1.jpg" it will get the original image from the query parameter image-url (http://stuff.com/image1.jpg), fetch the image, and return it to the requester of https://myreverseproxy.com?image-url=http://stuff.com/image1.jpg.
Are there any services that do this out of the box? Could I write one that's simple? Are there any libraries or solutions already for this that I could just install somewhere?
I'm open to any language and any platform...I just want this issue resolved.
I would suggest the same thing as Tudor: a proxy written in node.
However, I would advise using a more broadly used and tested library such as node-http-proxy. It is really simple to setup, and will achieve what you need in less than 20 lines of code.
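    var fs = require('fs')               // needed for readFileSync below
    var httpProxy = require('http-proxy')
    // Terminate TLS on port 443 and forward every request to the plain-HTTP origin.
    httpProxy.createServer({
      target: {
        host: 'stuff.com',
        port: 80
      },
      ssl: {
        key: fs.readFileSync('./ssl-key.pem', 'utf8'),
        cert: fs.readFileSync('./ssl-cert.pem', 'utf8')
      }
    }).listen(443);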
If a client then accesses https://reverseproxy.com/image.png, the process would go as follows
I have assumed in this schema that the reverse proxy runs on a different server as the webserver serving the images, but this does not have to be the case. If they both run on the same server, just use host: 'localhost' in the target section.
--
Just in case you are not familiar with Node, here's what you need to do in order to quickly run this setup.
Install Node
Create a new file containing the code in yourprojectpath/index.js
Generate a package.json file by running npm init in your project's directory
Run npm install --save http-proxy to install the http-proxy library and be able to use it in the code
You should now be able to run the reverse proxy by running
node index.js
If you are planning on using this in production, I highly recommend you take a look at PM2. It is a process manager for node which basically ensures that your application is always running, no matter what. In particular, it will restart it if any kind of exception is thrown from the application and would have caused it to terminate.
Installation:
npm install -g pm2
Usage:
pm2 start index.js
A few more notes:
make sure that your .pem files have appropriate permissions and owner. chmod 400 is usually a good option (only readable by owner). The user running the Node application should be able to read them, though.
if your server runs behind a (software or hardware) firewall, you may need to open your port 443 to incoming traffic
depending on your SSL certificate provider, you might need to convert the files it will provide you to the PEM format
if needed, node-http-proxy supports additional options such as adding headers when a request is proxied
the script I presented above assumes you have ssl-key.pem and ssl-cert.pem in the same directory as it
Hope that helps! And just ask if something looks unclear to you
Here's how to create self-signed certificates, if you don't have any
Nodejitsu docs
Now for the code, which is written in node.js:
HTTPS proxy
...and a screenshot :)
It can be done easily with nginx. Btw, it can be done like you ask and it is also possible to make urls exact same like origin url. For example cdn.xxx.com/img.jpg - www.xxx.com/img.jpg.
Richard, you can resolve the issue of mixed content easily by enabling CORS in the nginx config file; here is an example: http://enable-cors.org/server_nginx.html. In this it is allowing CORS for everyone; you can set it for a particular domain or IP, you need to look in more detail.
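The ?image-url= rewriting scheme described in the question makes the proxy fetch whatever URL the author of an email supplies, so the target has to be checked before the proxy connects to it. The validator below is an added example, not code from any of the posts above; the function names, the restriction to ports 80/443 and the sample addresses are assumptions, and it classifies IPv4 only.

```javascript
// Added example; every name here is hypothetical and the inputs are constructed.

// Parse a dotted-quad IPv4 string into four octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// Loopback, RFC 1918, link-local, CGNAT, "this network", multicast/reserved.
function isInternalIPv4([a, b]) {
  return a === 0 || a === 10 || a === 127 || a >= 224 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// resolvedIps: addresses the caller got from DNS for the hostname. The caller
// must then connect to one of exactly these addresses, not resolve again.
function checkImageUrl(rawUrl, resolvedIps) {
  let u;
  try { u = new URL(rawUrl); } catch (e) { return { ok: false, reason: 'unparseable' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (u.username || u.password) return { ok: false, reason: 'credentials' };
  // Assumption: remote images only ever live on the default web ports.
  if (u.port !== '' && u.port !== '80' && u.port !== '443') return { ok: false, reason: 'port' };
  // IPv4-only sketch: IPv6 literals are refused rather than classified.
  if (u.hostname.startsWith('[')) return { ok: false, reason: 'blocked-address' };
  // The URL parser has already canonicalised forms such as http://2130706433/.
  const ips = parseIPv4(u.hostname) ? [u.hostname] : (resolvedIps || []);
  if (ips.length === 0) return { ok: false, reason: 'unresolved' };
  for (const ip of ips) {
    const octets = parseIPv4(ip);
    if (!octets || isInternalIPv4(octets)) return { ok: false, reason: 'blocked-address' };
  }
  return { ok: true, reason: 'allowed' };
}

// Only relay raster image types; SVG is left out because it can carry script.
function isAllowedImageType(contentType) {
  const type = String(contentType || '').split(';')[0].trim().toLowerCase();
  return ['image/png', 'image/jpeg', 'image/gif', 'image/webp'].includes(type);
}
```

Run checkImageUrl before fetching and isAllowedImageType on the upstream Content-Type before relaying the body; redirects from the upstream server need the same check on each hop.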

play-framework [2.0] HTTPS

I'm working on a web server using Play Framework 2.0, where the login is executed by an Android device software we're also making. Our main concern is that we can't find any support for HTTPS in Play 2.0. Since this is a school project we can't afford clouds or another proxy to solve the HTTPS for us.
Our main problem is the password and email going in plain sight in the request's body. Encrypting and decrypting on the mobile device and on the server looks costly in performance, and since HTTPS takes care of this we wanted to avoid it. Is there any way we can use HTTPS to protect the users' login data, or any other suggestion?
If not, we might have to migrate our whole application to another framework, because it won't look good having important confidential data going through the internet without encryption.
Historically, I've seen most folks run the Java/Scala application server behind a reverse proxy of some kind. Setting up HTTPS in apache isn't too hard, and then just use ModProxy to send requests internally to your Play application.
Any one of the reverse proxy systems can likely do this, nginx is popular too, and generally has easier configuration than apache, but I've never used it with HTTPS.
The number one reason normally to do this is security. You can't start a Java program as a non-privileged user on port 80. If you start your Java program as root running on port 80, then any hole in your application has root privileges! As a result, starting the Java app on another port, then reverse proxy from a web server that can run as a non-privileged user on port 80.
(*) This is a slightly over-simplified, but a discussion of this weirdness is beyond the scope of this I think.
It's now possible to use Play and https directly. This was added in Play 2.1
Simply start the server with:
JAVA_OPTS=-Dhttps.port=9001 play start

A script that download a file and rename

I'm facing a little issue here. At the place I live, they shape the download speed by extension (using delaypool). Is there any script that I can run on my web that will let me enter the URL of files that I want to download, then it will download the file and rename it to "originalfilename.abc" (because .abc is not shaped), then save it on my web where I can download it? By the way, I have a paid webhosting service.
Thanks
I tried the SSH (my web hosting does indeed provide me with shell access) but all I get is a blank page in my browser. No error. Please advise.
Also, the reason I chose a script on the server instead of SSH is because I thought that SSH would be slower than direct HTTP download from my webserver. Can anyone point out if I'm right or wrong with my thinking?
Thanks
You can write a vbs script or even batch file script that will go to a designated URL, and then download the file, then rename it. Then you can script FTP commands to upload to your webhosting service (I'm sure it has an FTP site for access). You could load this as a scheduled task, or run it manually.
I'd do either one of these routes.
A simpler (once it's set up anyway ;) option I can think of is going through a secure tunnel. Whilst this is not quite answering your question I believe this to be simpler while achieving the same thing.
Get an SSH Client (Putty) and get a free Proxy. If your web-server has an SSH-server you can use it as Proxy as well of course, I am using my modified router at home as proxy via DynDns, but the Tor-Network will work, if very slow, so do other official free and paid proxy servers. If you are using an application to download that does not have the option to specify a proxy, get Proxifier Portable.
Use Putty to create the tunnel. Here some how-tos:
http://oldsite.precedence.co.uk/nc/putty.html
http://www.techrepublic.com/blog/security/use-putty-as-a-secure-proxy-on-windows/421
http://kimmo.suominen.com/docs/proxy-through-ssh/
And set your application to use your proxy (or actually to use putty which connects via SSH to your proxy) by entering 127.0.0.1:1080 into the proxy settings. Alternatively, if the app does not have an option to enter proxy settings, add 127.0.0.1:1080 to your Proxifier proxy list and add the applications that are supposed to use that connection to Proxifier.
Now you can do pretty much everything without anyone eavesdropping your connection stream being able to tell what it is, as the connection stream is SSH encrypted. This includes surfing websites that your provider/company/mother has blocked, download anything - even if blocked by IP/name/whatever-filters and even play MMORPGs from work (something which I do not recommend because it will get you fired and there is always some way for someone to figure it out, just saying it is possible to do even in secured company/school networks as Port 22 (SSH) is usually one of the 2 Ports which are open on pretty much any network (the other one being port 80)).
It's a wee bit of a pain to set up. Once it is working though, you can even put it on a USB stick and use it pretty much anywhere as long as you remember what proxy to connect to. And you won't have to rewrite scripts to try to circumvent the delaypool thingy.

Steps to setup proxy server

I want to set up a proxy server in our office. I have two proxy servers available, i.e. SQUID for Linux and WinProxy for Windows. I have the following requirements.
All the rules which I define in the proxy server, like blocking some specific sites etc., should work.
The "Evolution Mail Client" for Linux and "Outlook Express" for Windows should also work.
So, can you tell me the guidelines for how to achieve both tasks, especially no. 2?
Thanks in advance.
Squid is a very good option for a caching proxy. It has a configuration file to block some specific sites, IPs, domains... and to tell it which files to cache. Making a smart proxy is not easy. But you can find great configurations and tutorials on Google or in its wiki.
There are two ways for setting up a proxy:
Direct proxy: you have to manually configure every computer to use your proxy server.
This is the easiest option. I recommend you using this.
Please note, computers that don't use the proxy can access all pages (even if they're blocked).
Transparent proxy: this is the most secure, ideal option for most cases (including yours). You have to configure your network and the proxy server to forward any requests to it. This is a hard option and very difficult to achieve in your case.
About your Evolution and Outlook problem, there can't be any problems related to the proxy, don't worry about that.
