Facebook API blocks requests from AWS - amazon-web-services

Our app sends a request to Facebook API endpoint.
https://www.facebook.com/ads/api/preview_iframe.php
It works from our team's local machines, but when the app is deployed to Lambda the requests fail. We've tried logging into an EC2 instance and testing it, and the requests fail there as well.
Is this something we can rectify on our end?

Related

WSO2 Api manager request execution problems

So I've deployed my WSO2 APIM instance to an Azure VM, changed the hostname to be the same as the VM, also the gateway.
I'm then having problems during request execution; I'm getting a CORS problem.

Allow Stripe webhook to access AWS EC2 instance

I have a Stripe webhook which is successfully caught and processed in Stripe's TEST MODE on an HTTP localhost server.
However, when switching to Stripe's LIVE MODE DATA, the webhook returns status code 500, while the EC2 instance is untouched, no logs being generated.
There is no issue with Signing secrets or Stripe keys, the event never reaches the HTTPS endpoint of the EC2 created using a Load Balancer.
Stripe's support cannot pronounce on this, so any suggestions of why this could happen or how to handle it are very welcome.
The error displayed on Stripe is:
HTTP status code 500 (Internal Server Error)
Response Failed to connect to remote host
I have added a whitelist middleware to the express server running on EC2:
app.use((req, res, next) => {
console.log('Always inside ', req.originalUrl);
next();
});
before handling the stripe webhook URL
app.use('/afterpayment', bodyParser.raw({ type: 'application/json' }), afterPaymentRoutes);
in order to see if Stripe event reaches the server, which is not happening.
However, if I manually enter the Stripe webhook URL, domain/afterpayment, into the browser, the result is as expected: the whitelist middleware prints the message and the webhook handler takes over.
I was having a similar problem, and watching this thread. In my case, the issues were a few different things. I'm forcing https to my site (elb is redirecting any traffic from 80 to 443). The app on my ec2 was accepting connections over port 80. Access to the site was working. I thought maybe stripe sending the webhook data to the elb was breaking because of the redirect. This wasn't the case.

However, I had a security group that was only allowing access from my IP address (for testing). Changing this to 0.0.0.0/0 from the internet (actual production access) didn't completely fix the problem but I wanted to get things set up as close to real-world as possible. In the stripe dashboard I created a new webhook pointing to the app endpoint I exposed for testing. From the Stripe dashboard I hit the "Send a test webhook" button. This time instead of getting a timeout the error was invalid signature. So, I knew that exposing the site to the internet was part of the problem. (Yes, I could have created a security group that only allowed access from the IP addresses where the webhook data originates from, but again - I wanted to keep this as close to production as possible; thanks #justin-michael for the nudge in the right direction.)

My app was still using the test webhook I set up for development. When I created the new webhook it also created a new signing secret. I pulled this new webhook signing secret into my app, then ran the "send test webhook" again and it was successful. So, allowing the correct access from Stripe and making sure the signing secret was correct fixed the problem for me.
The problem was that the domain was not properly exposed on the internet.
So I have Elastic Beanstalk environment running a node.js server app on which I set a Load Balancer and exposed the server over HTTPS.
While trying to catch a webhook sent by a 3rd party app, like Stripe, nothing arrived on the server, even though I could successfully simulate a POST request to the domain endpoint. The domain was also accessible through the browser (or so it seemed).
The issue was that the domain name linked to load balancer was not resolvable publicly on the internet. Here are 2 useful links:
https://www.ssllabs.com/ssltest/index.html
https://dns.google.com/query?name=&rr_type=ALL&ecs=
Running tests on them unveiled problems related to DNSSEC configuration of my domain, which was not enabled on my domain.
While following these instructions I did:
On Hosted Zones, under DNSSEC signing -> Enable DNSSEC signing.
Created a KSK and a customer-managed CMK
Under DNSSEC signing, copied the information from View information to create DS record
On Route 53, on Registered Domains -> on the domain -> DNSSEC status, created a new key with info from previous step
After this, all tests passed and the webhook was successfully handled.

React App in S3 in Cloudfront distribution turning HTTPS request to HTTP

I'm fairly noob and new to AWS, but I've been stuck on a bug.
I have a React App hosted as a static website on an S3 bucket with a CloudFront distribution set up for it so it is secured with SSL. I also have a NodeJS/express backend hosted on EC2 with an SSL certificate that I made myself, and the EC2 is all set up to receive HTTPS requests (I added a load balancer to handle HTTPS requests).
Here is the twist. So basically in the React project config, I have the backend URL like this: https://long-url-to-ec2..... , you get the vibe.
So I basically have 2 environments, the React App in the S3 bucket (the unsecured app) and the React App in CloudFront which is secured. But the problem is that in the S3 bucket version of my app, all of my requests are sent to https://my-backend, but in the CloudFront version the requests are only sent to http://my-backend . CloudFront seems to not care about the URL and just sends all of my requests through HTTP even if https is specified in the URL!
Does anybody know what I have to set up in CloudFront so it sends my requests to the correct HTTPS URL and not just HTTP?
Whether you use the S3 url or the CloudFront url, it's the same React app which is hosted in S3. The issue is when your react app calls the backend, which is just an ALB url, correct? So it must be an issue with your react code. You define in your react app how you call the backend. It's got nothing to do with CloudFront.
Although I'm a bit confused how you could have different results when using the S3 url and the CloudFront url. Ultimately it's the exact same react app that calls the backend. You should start with the question of how you call the backend from your react app. The exact piece of code you're using. That should give you a clue.

Cookie or header to send own API to prevent Google Cloud Identity Aware Proxy (IAP) 302?

I have setup Cloud IAP on a development environment (spun up with Kubernetes and using Let's Encrypt) and everything is working fine.
The setup is pretty basic for this app:
1) An API that has a number of REST endpoints and a persistent data store, in project A
2) A SPA front end app that utilizes said API, in a different project B
In my browser (tried Chrome and Firefox), I can authenticate my Google user in both apps via the IAP screen (by going to each domain in a browser tab), but once I try to use the SPA and it attempts requests to the API, I see the network requests 302 redirect to the Google IAP sign-in page.
Question:
Is there a header or cookie that needs to be sent over via the API requests on behalf of the user so that IAP allows pass-thru?
Note
I see these two cookies btw GCP_IAAP_AUTH_TOKEN and GCP_IAAP_XSRF_NONCE.
What's protected with IAP, "API" or "SPA"? If it's SPA, IAP should work as normal. If it's API, your best option today is to use https://cloud.google.com/iap/docs/authentication-howto to have SPA authenticate to API, and maybe also have it pass down https://cloud.google.com/iap/docs/signed-headers-howto so that API can separately verify the end-user's credentials.
Passing down GCP_IAAP_AUTH_TOKEN from SPA to API won't work; we strip that before passing the request to the end-user application for security reasons (in case the transport between the load balancer and the application is HTTP, just to make life a little harder for an attacker.)

404 response when calling external web service from amazon ec2

When I call an external web service from Amazon EC2 server I get a 404 response for the request. When I call the same web service locally it works fine. Can anyone tell me why this happens?
It is entirely possible that the owner of the service has been seeing too much abuse from Amazon's IP range and that they have blocked access to the API from EC2. Normally however I would expect them to send back an Access Denied rather than a 404 Not Found.