The company that I work for is partnering with another organization and they want to white-label our Django app (which is hosted on Heroku). We currently have an EV certificate and SSL endpoint. The new goal is to secure both domains and avoid any certificate nags/warnings each time a user goes to the page via the new domain name.
I believe that I should be able to accomplish this with a SAN/UCC certificate. I've found a couple of very similar question posted. See here. However, while the page referenced in the previous answer still exists, the anchor for "serving-multiple-domains" is no longer on the page. And doing a search on the page doesn't find anything (maybe I'm missing it).
My question is does Heroku still support this functionality? If so, is a SAN/UCC cert the best way to accomplish this? Are there other options?
Related
We have a page on our site that uses Google's reCAPTCHA before allowing the user to download a file.
It works great and we totally stopped all the evil bots from spamming our servers.
Now we want to allow a specific entity (user, domain, whatever) to be able to automatically download files without solving the challenge. Or maybe solving it once per session (which will be longer than 2 minutes) and not once per file.
Is there some way we can issue them a multi-use token or have them get a token from Google that will allow them (temporary?) unfettered access to our file downloads? Can we whitelist their domain in the Google admin settings?
Or is this something I need to build myself?
EDIT: It turns I didn't get all the requirements for this assignment. Whitelisting will not satisfy the requirements since it is apparently multiple entities, and that will indubitably change in the future.
reCAPTCHA does not provide specific whitelisting for users or domains.
Instead, you should be looking at making this dynamic on your side. For example, disable reCAPTCHA for signed-in users or generate a token on your server with an expiry time, set that as a cookie on the client, and disable reCAPTCHA for valid tokens.
Can I use Let's Encrypt to generate SSL Certificate even if I don't own the domain name? The scenario is I have a site that lets user create their own sort of page inside my site which would be a subdomain under my main domain. Now, there's a feature that they can use their own domain name (using a different provider) that will point to the created page on my site so they can use any domain name that they want.
Will I still be able to provide SSL using Let's Encrypt to my user? Note: I'm new at this thing so I am not sure if I am asking the correct question, but I am asking as how I understand it right now.
Yes.
The validation occurs based on HTTP file retrieval or via DNS through TXT records.
I built Greenlock to be able to handle exactly that kind of use case. It will currently work for the scenario that you suggest and I plan to implement more DynDNS support in the future.
Locally on http://127.0.0.1:8000/ reCaptcha works as expected.
When deployed to PythonAnywhere ("production") on the form it is supposed to work, I get only "Verify" (the label) but nothing else.
I have used to keys from Google in db.py as:
from gluon.tools import Recaptcha
auth.settings.captcha = Recaptcha(request,
'6LeHlgMTAAAAAPMaNZSNaaYabmbr8amc6BzjAjsu', '6LeHlgMTAAAAAKCaa8nUQsmDPjpAAh_CIR40o7G')
I have added the script from Google in layout.html
And another script from Google at the end of the form where reCaptcha is supposed to be.
I know that locally reCaptcha is not really checking the public/private keys, and that may explain why it works locally, but still - what am I doing incorrectly ?
Ok...So the issue was on PythonAnywhere side.
Once they took care of the whitelist - reCaptcha works as expected from the website hosted at PythonAnywhere.
And....this feature is now also part of the free option (it used to be available only for paid sites).
Thanks Giles and Conrad !
If you look at the documentation for reCaptcha, you will see that
you need to set up an API key pair specifically for your pythonanywhere site, and
the verification process involves getting your webapp to talk to the google reCAPTCHA server to verify.
This second part means that you will have to get a paying account for this to work as PythonAnywhere restricts external internet access to whitelisted sites only.
I've have some authentication scenario that I'm not sure how to approach. I'll appreciate any advice on the subject.
Requirement:
Website will contain one section
that will be only available to
specific computers.
Website needs to be aware which PC is currently making request (I need to be able to tie this PC to other tables in Database)
We have full access to PCs that will be accessing website
Website cannot require login, user should be just presented with content pages without need for logging in.
Solution needs to be secure since, it will have to pass security audit
Assume that every PC is on different network.
My ideas so far:
use client certificates but I'm
not sure whether you can issue
different certificate per client? If
the answer is 'you don't know who is
making the request' than it's failing
requirement number 2 and therefore is
not an option.
Windows
Authentication with impersonation so
I can have different users logged in
on PC (I'm in control what will be
the user name/account logged in on
the machine)
Basic Authentication and set PC to remember username/password first time. I'm a bit afraid that this "remember me" can expire which would cause big chaos since someone would have to setup this PC(s) again...
Windows Identity
Foundation - never tried but if I can
implement this scenario here in some
nice way I appreciate if you can
point me in the right direction.
Thanks in advance for your help.
EDIT:
I would prefer not to use SSL if possible... (performance consideration)
EDIT2:
Currently I think that the best option would be to check whether PC is authenticated (whether it contains Forms Authentication cookie) and if it is not then redirect him to some https:// page that will check client certificate, set cookie if cert exists and redirect back to target page.
This shouldn't be slow since SSL will be used only in rare cases when cookie expires.
Please let me know if you see any flaws in this solution. If you know how to create server certificate and later generate different client certificates from it I would be grateful for guidelines.
I'm trying to move my web application to the Google Chrome store, and I want to charge for premium features. The problem is, to use the Chrome Web Store License API I need their Google OpenID identifier. I've read other similar questions, but none with code examples.
I found this example, but it seems to be for a different purpose.
So my question is, how do I use the Federated Login in a Sinatra / Rack environment to get that one parameter?
Thank you.
You need to authenticate users with OpenID. The link has an example that shows how to use Rack::OpenID.
With Google, instead of requesting the openid_identifier from the user you would need to hardcode https://www.google.com/accounts/o8/id as identifier (instead of params["opened_identifier"]) then run normal OpenID.