I have an environment where a few Sitecore servers are behind a firewall & the reverse proxy in different AWS-VPCs (internet & intranet) with AWS Gateway. I need Geo-IP to be enabled and updated to the Sitecore host node for the device analytics dashboard (access via intranet or internet). Any possible suggestion? Thank you.
Reverse proxies typically forward the IP address from the connecting client via an additional http header X-Forwarded-For. See also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For . You might need to enable this on AWS, I'm unfamiliar with their services.
However, also on the Sitecore end, you then need to enable reading of the header. This has been support for quite a while, and the documentations seems to have changed barely (if at all) since version 9.0:
https://doc.sitecore.com/xp/en/developers/90/sitecore-experience-manager/set-up-sitecore-ip-geolocation.html
The interesting bits are at the bottom, though:
When requests come from a reverse proxy server to your Sitecore instance that you want to track as the valid IP addresses of a client (not as the IP addresses of a proxy), use the following setting.
In Sitecore.Analytics.Tracking.config change the Analytics.ForwardedRequestHttpHeader setting to the value: X-Forwarded-For
Related
I have built a basic web application using html, css and php (it is a library with query, modify etc. capabilities). I have built the databases containing the books information, subscribers information etc. with phpMyAdmin from Wamp server. On localhost (C:\wamp\www) everything works ok (I can add, modify, make queries etc.).
Now I would like to make this web application available online, but I have no idea how this can be done. The access to the database must be also available online (for search, queries etc. from the databases).
Can somebody support me?
The access to your database can be local since the php files that use yourdatabase run in the same machine.
You only need to accept online access to your apache server, if it's not accessible yet, and have no firewall active. In this case you should be able to connect to your server by ip. And you'll need a domain and a dns server if you want not having to write the public IP to connect.
You need a public IP address or routing the outside web traffic to your own web server.
Most routers have an advanced section called IP/Port Forwarding: find yours. If you don’t have this, I’m afraid you cannot be reachable by the outside.
Besides that, find your private IP with:
C:\>ipconfig
take note of the IP address: that’s your private address, which uniquely identifies you in your local network.
In httpd.conf change:
ServerName localhost:80
With:
ServerName <private IP>:80
Also find this line:
Require local
And change it to:
Require all granted
Restart your web server. Find out what’s your current public IP address (the public address of your router: https://www.whatismyip.com ) and visit:
http://<public IP>:<port>/
Or, in case you have not changed the default http port (80) just visit:
http://<public IP>/
I've been thinking of the concept of an ad blocker that runs at the OS level, rather than as a browser extension. I know that I can place x.com in Windows' %windows%\system32\drivers\etc\hosts file and point it to the IP of y.com, and on y.com I can serve up content that says, "This ad blocked by Example Ad Blocker". However, the domain list I have is quite large -- like literally a thousand domains and growing, and so this wouldn't work well in file lookups. Does Windows permit some way to programmatically, like Qt/C++, add a DNS reroute rule in a more speedy way?
There's a risk of doing domain intercepts and DLL hooks using APIs because AV products and/or Microsoft would have to whitelist you and certify you so that your activity doesn't look like a virus. And the odds of them doing that are not only low (unless you're a multimillion dollar company), but they want to protect their ad marketing too.
The best option is to make a browser extension for each of the browsers. You can even check the source code of the AdBlock Chrome extension to see how it works. The trouble with that in 2017, however, is that there's no common browser extension platform just yet. It's getting much closer, but it's still not standardized yet. The new standard uses the Chrome standard. Opera, Firefox, Edge, and of course Chrome support this new standard to some degree, but it's kind of unsmooth still. And for anyone outside of that, such as IE11 or earlier, they're not going to have your Chrome-style browser extension and you'll have to go the seriously hard route to make one just for those earlier browsers or ask the customer to upgrade when your adware product installs.
If you want something that doesn't require a browser extension, then the option you want is to add another DNS server connection in the user's DNS client settings. I don't know how to do this yet via C#, Qt/C++, or C++. However, you can shell out from those languages and use the "netsh" command to create those DNS connections. Probably a good strategy would be to find the user's default gateway IP. Then, make the DNS priority like so:
your DNS server that redirects x.com to y.com so that you can do ad blocking from y.com via a web server
the user's default gateway IP
Google's DNS (8.8.8.8) in case the default gateway IP has changed for the user
So, it would be something like these 4 netsh commands:
netsh delete dnsserver "Wireless Network Connection" all
netsh interface ip add dns name="Wireless Network Connection" addr=1.1.1.1 index=1
netsh interface ip add dns name="Wireless Network Connection" addr=192.168.254.254 index=2
netsh interface ip add dns name="Wireless Network Connection" addr=8.8.8.8 index=3
Change "Wireless Network Connection" to "Local Area Connection" if they are using a cable for their computer instead of wireless. (Few do that these days.)
Change 1.1.1.1 to the IP address of your special DNS server.
Change 192.168.254.254 to the IP address of their default gateway.
The third rule (8.8.8.8) tells the computer to use Google's DNS if all else fails. This is important because they could disconnect their laptop at home and go to a café or something, and we need their DNS stuff to still work.
Now, once you get the DNS client settings right, you need a cheap Linux cloud host to serve up the DNS server and web server. You might even need more than one in case one goes down for maintenance, and possibly on a different cloud zone or even cloud hosting provider.
For the DNS product, if you have Linux skills, you can install and configure dnsmasq pretty easily to get a cheap and easy to manage DNS server on Linux. Or, if you search your Linux repositories, you can find other DNS servers, some more robust than others, some harder to use than others.
For the web product, you can install NGINX or Apache on each of the two DNS servers. Then, you can make a configuration where any domain connection can come to it and it will load a web page for that domain. The web page can say something like, "Ad Blocked By X Ad Blocker" or whatever you want in very small font (small enough to fill the ad spot).
Once this is all in place, you'll have to reboot the Win PC client and also clear their browser cache and history so that DNS will route through the new arrangement.
The end result is that when people on that Windows PC surf the web and load an ad, their OS will make a DNS request to translate domain name to IP address. The first DNS server they'll reach will be your private DNS server. It can then say that x.com ad domain (as an example) is the IP address of your private DNS server. That private web server will then be contacted and it will display the ad block message. For all other requests not served up by your DNS servers, they'll go to their default gateway. If that's not serving up DNS as needed, then they'll failsafe to the Google DNS on 8.8.8.8. So, web browsing will work fine, minus ads.
As for a bad domain list, there's a community-maintained bad domains list here on Github.
The trouble with the private DNS server that you host is that you're now having to pay a bandwidth bill for gobs of connections to it. That's probably undesirable unless you've got a proper way to monetize that. A better strategy would be to NOT use a private DNS server on the web and use a local DNS server and a local web server. You'd have to code both of those or use some third-party product for that. The trouble there, however, is that you may have some commercial licensing problems with that, or increased costs, and it won't work for some web developers who already use a web server on their workstation.
Therefore, as you can see from the added costs, hassle, and workstation configuration nuance troubles, the best strategy would be to use the browser extension for ad blocking.
However, even at that, how are you going to differentiate your product from the free ad blockers out there that are doing a sensational job already?
I have Shibboleth configured on an IIS server and am using it protect a .NET application.
I need authenticated access for users accessing the application over the web and for that Shibboleth is working fine.
The application also hosts web services which need to be accessed by other applications in the same server and for that working with Shibboleth is a challenge since web service clients cannot deal with the log in page.
Is it possible to configure Shibboleth to ignore requests coming from the same server for example by checking the IP address?
It won't directly answer your question, but I can share a workaround I found and hope it can help with your problem too.
Define another website in IIS pointing to the same folder as the initial one, and make it only respond to a different domain (like something.local). Then in IP Address and Domain Restrictions, make sure only 127.0.0.1 is allowed to access it.
In C:\Windows\System32\drivers\etc open the file "hosts" in Notepad (running with Administrator privileges). Add the line "127.0.0.1 something.local" (no quotes; make sure the domain is the same one you defined before)
Now, make the webservices call the application by the new domain.
So we all know that with wamp we can create dummy domains to test scripts on for example mysite.imo instead of using localhost. Can I use this function to allow people to connect to mysite.imo instead of what ever my ip is.. So in other words can I host my own custom domain with wamp instead of buying into a domain or using my ip to get traffic.
Unfortunately it's not as simple as that.
You can, however, provide your computer's name to people on your local network, and they can use that to connect to your localhost root as they would a standard website.
When it comes to external access, you'd need to look into forwarding port 80 on your router.
You'd also need to ensure apache is set to allow external access.
You can also find free to use domain names here.
Im working on some JSON-based web service that is supposed to work with Android application.
I would like to encrypt data transport between client (android) and server (virtual server in datacenter).
I don't have to make sure that my server is my server, just data encryption.
I have no idea how to use HTTPS.
Do I just put my PHP files in private_html and use https://example.com url?
To use HTTPS, you don't have to do anything in the coding of your web service - it's all in your hosting. Here the are steps you can follow. The specific instructions differ in your hosting (IIS, Apache, AWS/Azure, etc), but you can google specifics on how to accomplish any of these steps for whatever host and application framework you decide.
Buy an SSL certificate (there are many different vendors, but expect between $75-$200 for the certificate) based on the vendor, reputation, and level of security you need.
Generate a certificate signing request (CSR) from the server you'll be hosting.
Upload the CSR to the SSL vendor who will validate and provide the certificate for your use.
Import the SSL certificate into your application server, and configure the site to use the certificate. For instance, if you're hosting Microsoft IIS, you'd import the SSL certificate and then add HTTPS bindings on 443 to the specific website hosting your web service.
Another point of security. Since you are deploying SSL, you don't have to do any application level encryption (assuming you are not putting sensitive information in query strings - use POST if you think you need to). You probably would want to implement some security to restrict access to your web service so only your app can access it. Best practice is some level of OAuth, but at a minimum some type of pre-shared key in the header of the request is a lot better than nothing.
Here are some additional sites for more information:
https://www.digicert.com/ssl-certificate-installation.htm
https://support.godaddy.com/help/category/742/ssl-certificates-installing-ssl-certificates?prog_id=GoDaddy
If you don't want to pay for a certificate, you can use certificate signet by your own CA and add the root certificates into your application using HTTPClient and keystores
Here there's some guides
http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
http://developer.android.com/reference/org/apache/http/client/HttpClient.html
KeyStore, HttpClient, and HTTPS: Can someone explain this code to me?
http://blog.antoine.li/2010/10/22/android-trusting-ssl-certificates/
You can limit users to use JUST and only HTTPS in apache, IIS or whatever do you use. If your client connects to your server, his communications will be likely to encrypted, because he is already using HTTPS. And for responsing in HTTPS you virtually cannot send HTTPS responses, as far as I know, unless that other side isn't also a website (for example, if you have your website, you could send such a response e.g. to Google). You should be okay to send data like http status codes (OK, NotModified, PageNotFound, ...), or if you want something more, or if it is a requirement, then there you still have JSON and you could encode it as well, with some encoding algorithms, or use binary JSON format.
Check if your hosting company provides a free public shared https address. Most of them do.
If you want to understand how to do it right, follow this thread
Warning: Don't stick with the solution below for production.
If you plan o use an https endpoint without a certificate you have to make sure to disable peer verification, check this answer