Crossbar - Using TLS connections with self-signed certificates - wamp

I have a WAMP configuration which works flawlessly until I add TLS encryption to communications (following the instructions given in the docs). Below is my configuration:
{
  "version": 2,
  "controller": {},
  "workers": [
    {
      "type": "router",
      "realms": [
        {
          "name": "realm",
          "roles": [
            {
              "name": "anonymous",
              "permissions": [
                {
                  "uri": "",
                  "match": "prefix",
                  "allow": {
                    "register": true,
                    "publish": true,
                    "call": true,
                    "subscribe": true
                  },
                  "cache": true
                }
              ]
            }
          ]
        }
      ],
      "transports": [
        {
          "type": "websocket",
          "endpoint": {
            "type": "tcp",
            "port": 8080,
            "tls": {
              "key": "MyKey.key",
              "certificate": "MyCertificate.crt"
            }
          },
          "url": "wss://localhost:8080/ws"
        }
      ]
    }
  ]
}
As said, it works fine when not using TLS. However, when I add encryption and try to connect to wss://localhost:8080/ws, I keep getting
connection closed unreachable
The certificate has been generated with OpenSSL (again, as per the docs) and Docker is exposing the ports. I've been trying to find solutions, but the docs are not very explicit, the examples in the repo are not working either, and I'm out of ideas. Trying to connect via ws:// raises an SSL error:
SSL error: http request (in ssl3_get_record)
The code to connect from the client is:
const autobahn = require('autobahn');
const connection = new autobahn.Connection({
  url: `wss://localhost:8080/ws`,
  realm: 'realm'
});
connection.onopen = () => {
  console.log('Connected');
};
connection.open();
There are no meaningful errors in the logs; the only one related to TLS is a warning saying DH ciphers will not be active (because I'm not providing DH parameters). Any idea? Thanks in advance.

Related

Get errorType:OK when trying to deploy function

I'm struggling to deploy my cloud function. I'm unsure what information to provide. My setup:
# main.py
def callRequest():
    print("bla")
    return 1
Entry point for the function is callRequest.
After failing to deploy I see this red highlighted message under details:
Deployment failure:
Build failed: {"metrics":{},"error":{"buildpackId":"","buildpackVersion":"","errorType":"OK","canonicalCode":"OK","errorId":"","errorMessage":""},"stats":[{"buildpackId":"google.utils.archive-source","buildpackVersion":"0.0.1","totalDurationMs":47,"userDurationMs":46},{"buildpackId":"google.python.runtime","buildpackVersion":"0.9.1","totalDurationMs":9487,"userDurationMs":6307},{"buildpackId":"google.python.functions-framework","buildpackVersion":"0.9.6","totalDurationMs":53,"userDurationMs":52},{"buildpackId":"google.python.pip","buildpackVersion":"0.9.2","totalDurationMs":5832,"userDurationMs":5822},{"buildpackId":"google.utils.label","buildpackVersion":"0.0.2","totalDurationMs":0,"userDurationMs":0}],"warnings":null,"customImage":false}
In the logs I see a notice related to the attempted deploy:
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "myname@bla.com"
    },
    "requestMetadata": {
      "callerIp": "152.170.106.184",
      "callerSuppliedUserAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0,gzip(gfe),gzip(gfe)",
      "requestAttributes": {
        "time": "2023-01-11T13:15:30.667011Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "cloudfunctions.googleapis.com",
    "methodName": "google.cloud.functions.v1.CloudFunctionsService.UpdateFunction",
    "authorizationInfo": [
      {
        "resource": "projects/my-project/locations/us-central1/functions/ga4-to-s3-1",
        "permission": "cloudfunctions.functions.update",
        "granted": true,
        "resourceAttributes": {}
      }
    ],
    "resourceName": "projects/my-project/locations/us-central1/functions/ga4-to-s3-1",
    "request": {
      "updateMask": "entryPoint,sourceUploadUrl",
      "@type": "type.googleapis.com/google.cloud.functions.v1.UpdateFunctionRequest",
      "function": {
        "name": "projects/my-project/locations/us-central1/functions/ga4-to-s3-1",
        "runtime": "python39",
        "serviceAccountEmail": "my-project@appspot.gserviceaccount.com",
        "availableMemoryMb": 256,
        "maxInstances": 3000,
        "timeout": "60s",
        "eventTrigger": {
          "eventType": "google.pubsub.topic.publish",
          "resource": "projects/my-project/topics/ga4-daily-extract-complete"
        },
        "secretEnvironmentVariables": [
          {
            "version": "latest",
            "key": "PAT",
            "secret": "PAT-GA4-S3-Extract",
            "projectId": "1234567"
          }
        ],
        "sourceUploadUrl": "https://storage.googleapis.com/uploads-1234567.us-central1.cloudfunctions.appspot.com/123-456-789-abc-def.zip?GoogleAccessId=service-123456789@gcf-admin-robot.iam.gserviceaccount.com&Expires=12345&Signature=kjhgfghjkjhg%iuytfrghj8765467uhgfdfghj",
        "entryPoint": "callRequest",
        "ingressSettings": "ALLOW_ALL"
      }
    },
    "resourceLocation": {
      "currentLocations": [
        "us-central1"
      ]
    }
  },
  "insertId": "nlbq4xd9dhq",
  "resource": {
    "type": "cloud_function",
    "labels": {
      "project_id": "my-project",
      "function_name": "ga4-to-s3-1",
      "region": "us-central1"
    }
  },
  "timestamp": "2023-01-11T13:15:30.423213Z",
  "severity": "NOTICE",
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
  "operation": {
    "id": "operations/Z2E0LWV4dHJhY3QvdXMtY2VudHJhbDEvZ2E0LXRvLXMzLTEvbHA2QlowNzBTekk",
    "producer": "cloudfunctions.googleapis.com",
    "first": true
  },
  "receiveTimestamp": "2023-01-11T13:15:31.626931279Z"
}
I'm unsure where else to look. Any pointers or advice are most welcome.
Found a similar issue discussed here, and the issue was resolved.
The Cloud Build service account was missing the Cloud Build Service Account role.
I tried removing the Cloud Build Service Account role and deploying the function; I also got the same deployment errors.
Try adding the Cloud Build Service Account role for the Google Cloud Build Service Account (project-number@cloudbuild.gserviceaccount.com) in the Google Cloud IAM console. This fixed the symptom of a Cloud Function deploy failing with the message:
message=Build failed: {
  "metrics":{},
  "error":{
    "buildpackId":"",
    "buildpackVersion":"",
    "errorType":"OK",
    "canonicalCode":"OK",
    "errorId":"",
    "errorMessage":""
  }
}
Also have a look at these GitHub links (link1 and link2), which might help.

AWS Certificate Manager Pending Validation when DNS validation is successful

Resolved! I ended up just needing to contact Amazon Support to push it through.
I'm attempting to renew a certificate created in AWS Certificate Manager (ACM), but I'm stuck in the dreadful PENDING_VALIDATION status; this is a DNS-validated certificate where I validated using the CNAME record.
Under domains I can see the domain validation has a status of Success and a Renewal Status of Success.
If I run aws acm describe-certificate --certificate-arn "examplearn", I get a return showing DomainValidationOptions with the ValidationStatus being SUCCESS for the CNAME validation.
Sensitive values have been replaced with "example".
{
  "Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:example:certificate/certid",
    "DomainName": "*.example.com",
    "SubjectAlternativeNames": [
      "*.example.com"
    ],
    "DomainValidationOptions": [
      {
        "DomainName": "*.example.com",
        "ValidationDomain": "*.example.com",
        "ValidationStatus": "SUCCESS",
        "ResourceRecord": {
          "Name": "examplename",
          "Type": "CNAME",
          "Value": "examplevalue"
        },
        "ValidationMethod": "DNS"
      }
    ],
    "Serial": "",
    "Subject": "CN=*.example.com",
    "Issuer": "Amazon",
    "CreatedAt": "2019-01-17T12:53:01-08:00",
    "IssuedAt": "2021-10-22T21:21:50.177000-07:00",
    "Status": "ISSUED",
    "NotBefore": "2021-10-22T17:00:00-07:00",
    "NotAfter": "2022-11-23T15:59:59-08:00",
    "KeyAlgorithm": "RSA-2048",
    "SignatureAlgorithm": "SHA256WITHRSA",
    "InUseBy": [
      "example",
      "example",
      "example",
      "example"
    ],
    "Type": "AMAZON_ISSUED",
    "RenewalSummary": {
      "RenewalStatus": "PENDING_VALIDATION",
      "DomainValidationOptions": [
        {
          "DomainName": "*.example.com",
          "ValidationDomain": "*.example.com",
          "ValidationStatus": "SUCCESS",
          "ResourceRecord": {
            "Name": "examplename",
            "Type": "CNAME",
            "Value": "examplevalue"
          },
          "ValidationMethod": "DNS"
        }
      ],
      "UpdatedAt": "2022-09-21T23:39:15.161000-07:00"
    },
    "KeyUsages": [
      {
        "Name": "DIGITAL_SIGNATURE"
      },
      {
        "Name": "KEY_ENCIPHERMENT"
      }
    ],
    "ExtendedKeyUsages": [
      {
        "Name": "TLS_WEB_SERVER_AUTHENTICATION",
        "OID": "1.3.6.1.5.5.7.3.1"
      },
      {
        "Name": "TLS_WEB_CLIENT_AUTHENTICATION",
        "OID": "1.3.6.1.5.5.7.3.2"
      }
    ],
    "RenewalEligibility": "ELIGIBLE",
    "Options": {
      "CertificateTransparencyLoggingPreference": "ENABLED"
    }
  }
}
I followed the instructions in https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-pending-validation/ successfully (checking that the CNAME response exactly matches the ACM CNAME values when copy-pasting).
The site's domain registration is in Route 53, with NS pointing to Cloudflare, where DNS is managed.
Is there something obvious that pops out to you? Thank you!

AWS Amplify 405 MethodNotAllowed error in POST method with Nuxt.js Proxy

I'm attempting to integrate an API with my application, which was built using Nuxt.js and is hosted on AWS Amplify. I've added a proxy; it works perfectly locally, but on the AWS server it returns 405 MethodNotAllowed for a POST method.
For the proxy, I've made the following changes to rewrite the path:
axios: {
  proxy: true
},
proxy: {
  '/lead/': {
    target: 'https://api.apidomain.org/v2',
    pathRewrite: { '^/lead/': '' },
    changeOrigin: true
  }
},
I've read in the Amplify documentation that we can update the redirects, so I've tried:
[
  {
    "source": "/<*>",
    "target": "/index.html",
    "status": "404-200",
    "condition": null
  },
  {
    "source": "</^[^.]+$|\\.(?!(css|gif|ico|jpg|js|png|txt|svg|woff|ttf|map|json)$)([^.]+$)/>",
    "target": "/index.html",
    "status": "200",
    "condition": null
  },
  {
    "source": "/lead/<*>",
    "target": "https://api.apidomain.org/v2/<*>",
    "status": "200",
    "condition": null
  }
]
The first two rules are the defaults and I added the third rule, but I'm still getting the 405 MethodNotAllowed error. What am I missing?
Amplify redirects are executed from the top of the list down. This has been fixed by reordering the rules.
[
  {
    "source": "/lead/<*>",
    "target": "https://api.apidomain.org/v2/<*>",
    "status": "200",
    "condition": null
  },
  {
    "source": "</^[^.]+$|\\.(?!(css|gif|ico|jpg|js|png|txt|svg|woff|woff2|ttf|map|json)$)([^.]+$)/>",
    "target": "/index.html",
    "status": "200",
    "condition": null
  }
]
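To see why the order matters, the following added example walks both rule lists top to bottom for a POST to /lead/submit. It is a simplified model written for this illustration, not Amplify's own matcher, and it assumes that `<*>` matches the rest of the path, that a source wrapped in `</.../>` is a regular expression, and that a "404-200" rule is only consulted after a static lookup has already failed.

```javascript
// Added example: a simplified model of how Amplify walks a rewrite list top
// to bottom. This is not Amplify's own matcher. Assumptions: "<*>" matches
// the rest of the path, a source wrapped in </.../> is a regular expression,
// and a "404-200" rule is only consulted after a static lookup has failed,
// so it is skipped here, where the request is still being routed.
function compileSource(source) {
  const re = /^<\/(.*)\/>$/.exec(source);
  if (re) return (path) => (new RegExp(re[1]).test(path) ? {} : null);
  const i = source.indexOf('<*>');
  if (i < 0) return (path) => (path === source ? {} : null);
  const prefix = source.slice(0, i);
  return (path) => (path.startsWith(prefix) ? { rest: path.slice(prefix.length) } : null);
}

// First matching rule wins; returns its target with <*> filled in, or the
// path unchanged when nothing matches.
function route(rules, path) {
  for (const rule of rules) {
    if (rule.status === '404-200') continue;
    const m = compileSource(rule.source)(path);
    if (m) return rule.target.replace('<*>', m.rest || '');
  }
  return path;
}

// The three rules from the thread (SPA regex as given in the answer).
const SPA_REGEX = '</^[^.]+$|\\.(?!(css|gif|ico|jpg|js|png|txt|svg|woff|woff2|ttf|map|json)$)([^.]+$)/>';
const spaRule = { source: SPA_REGEX, target: '/index.html', status: '200' };
const proxyRule = { source: '/lead/<*>', target: 'https://api.apidomain.org/v2/<*>', status: '200' };
const notFoundRule = { source: '/<*>', target: '/index.html', status: '404-200' };

// Rule order from the question (fails) and from the answer (works).
const ORIGINAL_ORDER = [notFoundRule, spaRule, proxyRule];
const FIXED_ORDER = [proxyRule, spaRule];

// With the SPA rule first, /lead/submit has no dot, so the regex claims it
// and the POST lands on the static index.html instead of the API; with the
// proxy rule first it reaches https://api.apidomain.org/v2/submit.
function demo(path = '/lead/submit') {
  return { before: route(ORIGINAL_ORDER, path), after: route(FIXED_ORDER, path) };
}
```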

10060 error when connecting MariaDB on VM on Compute Engine of Google Cloud Platform

Created a VM on Compute Engine of Google Cloud Platform.
Installed MariaDB. Configured binding to 0.0.0.0.
Created a firewall rule to allow access to 3306 from the IP range 0.0.0.0/0. Tagged it as "mysql-open" and added it as a network tag in the VM instance details. I also chose the option to log the connection.
When I try to connect from MySQL Workbench to the public address of the VM instance with 3306 as the port, I get a 10060 error.
The user ID used to connect was given full GRANT and was like 'testuser'@'%'.
Below is the log entry, which seems to show that the firewall rule worked.
{
  "insertId": "epk9z8g1zjxknf",
  "jsonPayload": {
    "instance": {
      "project_id": "XXXX",
      "vm_name": "XXX",
      "region": "us-east4",
      "zone": "us-east4-c"
    },
    "connection": {
      "src_port": 44826,
      "dest_ip": "10.150.0.5",
      "protocol": 6,
      "dest_port": 3306,
      "src_ip": "198.199.98.246"
    },
    "remote_location": {
      "city": "San Francisco",
      "continent": "America",
      "country": "usa",
      "region": "California"
    },
    "rule_details": {
      "priority": 2000,
      "ip_port_info": [
        {
          "port_range": [
            "3306"
          ],
          "ip_protocol": "TCP"
        }
      ],
      "source_range": [
        "0.0.0.0/0"
      ],
      "reference": "network:default/firewall:mysql-open",
      "action": "ALLOW",
      "direction": "INGRESS"
    },
    "vpc": {
      "project_id": "XXXX",
      "vpc_name": "default",
      "subnetwork_name": "default"
    },
    "disposition": "ALLOWED"
  },
  "resource": {
    "type": "gce_subnetwork",
    "labels": {
      "subnetwork_id": "2510359252254555075",
      "project_id": "XXXX",
      "subnetwork_name": "default",
      "location": "us-east4-c"
    }
  },
  "timestamp": "2020-11-05T14:12:33.819891417Z",
  "logName": "projects/XXXX/logs/compute.googleapis.com%2Ffirewall",
  "receiveTimestamp": "2020-11-05T14:12:39.166067521Z"
}

Is it possible to use ASP.NET Core + IdentityServer4 JWT in AWS PrivateLink?

I've been running my web API on an AWS Windows VM with IIS, using ASP.NET Core and IdentityServer4.
The Identity Server is running in the same application as my secured controller.
This is running perfectly with no issue using my external domain of 'http://{my-external-domain}'.
The relevant portion of my StartUp.cs looks like the following:
.AddJwtBearer(options =>
{
    options.Authority = xyzConfig.Authority; // http://{my-external-domain}
    options.Audience = "xyz";
    options.RequireHttpsMetadata = false;
I'm using http://{my-external-domain}/connect/token and then I can request the authorized content successfully.
However, when setting up this flow using AWS PrivateLink, some combinations aren't working, including the desired one: http://{my-internal-domain} as the issuer/authority and for the secured controller.
Using the StartUp settings above I get a 500 error saying the following:
IOException: IDX20804: Unable to retrieve document from: 'http://{my-internal-domain}/.well-known/openid-configuration'.
However, from the same machine it's possible to retrieve this information:
{
  "issuer": "http://{my-internal-domain}",
  "jwks_uri": "http://{my-internal-domain}/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "http://{my-internal-domain}/connect/authorize",
  "token_endpoint": "http://{my-internal-domain}/connect/token",
  "userinfo_endpoint": "http://{my-internal-domain}/connect/userinfo",
  "end_session_endpoint": "http://{my-internal-domain}/connect/endsession",
  "check_session_iframe": "http://{my-internal-domain}/connect/checksession",
  "revocation_endpoint": "http://{my-internal-domain}/connect/revocation",
  "introspection_endpoint": "http://{my-internal-domain}/connect/introspect",
  "device_authorization_endpoint": "http://{my-internal-domain}/connect/deviceauthorization",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "scopes_supported": [
    "openid",
    "email",
    "profile",
    "xyz",
    "offline_access"
  ],
  "claims_supported": [
    "sub",
    "email",
    "email_verified",
    "name",
    "family_name",
    "given_name",
    "middle_name",
    "nickname",
    "preferred_username",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "updated_at"
  ],
  "grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "refresh_token",
    "implicit",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "form_post",
    "query",
    "fragment"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "request_parameter_supported": true
}
When I changed the StartUp.cs settings to the following:
var key = System.Text.Encoding.ASCII.GetBytes(xyzConfig.Secret);
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    //options.Authority = xyzConfig.Authority;
    options.Audience = "xyz";
    options.RequireHttpsMetadata = false;
    options.SaveToken = true;
    options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(key),
        ValidateIssuer = false,
        ValidateAudience = false
    };
});
Now I get a 401 with the following message in the response header:
Bearer error="invalid_token", error_description="The signature key was not found"
This was pretty interesting, as the token used here seems valid when parsed on jsonwebtoken.io:
{
  "nbf": 1602077163,
  "exp": 1602080774,
  "iss": "http://{my-internal-domain}",
  "aud": [
    "http://{my-internal-domain}/resources",
    "xyz"
  ],
  "client_id": "789456",
  "sub": "23de9244-86ba-4553-845f-1cbe6bac0536",
  "auth_time": 1602077162,
  "idp": "local",
  "given_name": "gname",
  "email": "email@white.com",
  "scope": [
    "openid",
    "xyz"
  ],
  "amr": [
    "pwd"
  ],
  "jti": "921552fd-da9b-49b0-98a6-c7c0dcb2d865",
  "iat": 1602077174
}
That also comes with "Signing Key Verified", so now I don't know which way we should go, and whether we can run JWT authentication at all using AWS PrivateLink, which uses their Network Load Balancer (NLB).
If any other info is required I'll be happy to provide here.
Any help is appreciated here, thanks!