Icecast - list clients on web directory - icecast

I'm trying to show the list of logged listeners for a stream outside the admin area. Without success.
I copied listclients.xsl from the /admin directory to /web.
I created a symlink in /usr/share/icecast2/web. I can open radio_adres.com:8000/listclients.xsl?mount=/mount_name.ogg and it looks the same as the page radio_adres.com:8000/admin/listclients.xsl?mount=/mount_name.ogg except for one thing: there is no listener list.
<xsl:value-of select="@mount"/> shows the stream name, and <xsl:value-of select="@listeners"/> the number of logged listeners, but the loop in the original file that shows the listeners, <xsl:for-each select="listener"></xsl:for-each>, is not working.
I have log level 3 but there is no error or even a warning. Nothing. Maybe Icecast doesn't allow showing the client list without login?

This will not work, as /admin has much broader data access; in fact each XSL transform will only work correctly for certain endpoints within /admin. Outside of that only the data from /admin/stats (XML) is available, and it doesn't include sensitive data such as all client details. It is a bit more than is generally available in status.xsl by default, though.
If you want to expose this information you could pass the request through a reverse proxy, or process it explicitly inside a second web server with a script in PHP, Python, etc.
Please note that if you want information for a specific mount point, then you can also use the source credentials of that mount to access certain endpoints within /admin. For details see the documentation linked below.
Please also see:
https://icecast.org/docs/icecast-2.4.1/server-stats.html
https://icecast.org/docs/icecast-2.4.1/admin-interface.html
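The server-side approach the answer suggests, as an added example that is not part of the original thread or of Icecast: a small Python script fetches /admin/listclients with the mount's source credentials over HTTP Basic auth, then publishes only a sanitized view (listener count and user agents, no IP addresses or client IDs). The element names in the constructed sample XML are an assumption about the shape of Icecast 2.4's listclients response; check them against your own server's raw output before relying on the parser.

```python
"""Server-side proxy for Icecast's /admin/listclients (added example, not Icecast code).

Assumptions: the admin endpoint returns XML shaped like SAMPLE_XML below, and the
mount's source credentials are accepted for /admin/listclients. Verify the element
names against your own server's output.
"""
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of an /admin/listclients?mount=... response (assumed shape).
SAMPLE_XML = """<?xml version="1.0"?>
<icestats>
  <source mount="/mount_name.ogg">
    <Listeners>2</Listeners>
    <listener>
      <ID>17</ID>
      <IP>203.0.113.5</IP>
      <UserAgent>VLC/3.0.18 LibVLC/3.0.18</UserAgent>
      <Connected>3612</Connected>
    </listener>
    <listener>
      <ID>23</ID>
      <IP>198.51.100.77</IP>
      <UserAgent>Mozilla/5.0 (Windows NT 10.0) Firefox/120.0</UserAgent>
      <Connected>45</Connected>
    </listener>
  </source>
</icestats>
"""

# Fields that may be shown to anonymous visitors. IP and ID never leave the server.
PUBLIC_FIELDS = ("UserAgent", "Connected")


def parse_listclients(xml_text):
    """Return (mount, [{field: value, ...}, ...]) from the admin XML."""
    root = ET.fromstring(xml_text)
    source = root.find("source")
    if source is None:
        raise ValueError("no <source> element in listclients response")
    listeners = [{child.tag: (child.text or "") for child in node}
                 for node in source.findall("listener")]
    return source.get("mount", ""), listeners


def sanitize(listeners):
    """Keep only allow-listed fields before anything is published."""
    return [{k: v for k, v in entry.items() if k in PUBLIC_FIELDS} for entry in listeners]


def fetch_listclients(base_url, mount, user, password, timeout=5):
    """Call /admin/listclients with HTTP Basic auth. Runs on the server, never in the browser,
    so the source credentials are not exposed to visitors."""
    url = f"{base_url}/admin/listclients?mount={urllib.parse.quote(mount)}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def public_listener_view(xml_text):
    """What the public page receives: mount, count and sanitized entries."""
    mount, listeners = parse_listclients(xml_text)
    return {"mount": mount, "count": len(listeners), "listeners": sanitize(listeners)}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in fetch_listclients(...) for live data.
    print(public_listener_view(SAMPLE_XML))
```

Whatever serves the public page (a PHP or Python handler behind the reverse proxy) calls fetch_listclients with the mount's source credentials and emits the result of public_listener_view; the browser only ever sees the sanitized output.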

Related

What does the Sitecore.Security.AntiCsrf do and can I disable it on my Content delivery server

We are currently having an issue where some ajax requests to async Controller actions are hanging when an exception is thrown inside the action.
When viewed through the currently executing requests you can see the following information
<REQUEST REQUEST.NAME="c500100080026ded" Url="/url" Verb="GET" Stage="SendResponse" Module="SitecoreAntiCSRF" Time="1602531" SITE.ID="2" WP.NAME="14268" APPPOOL.NAME="AppPool" />
Is the module needed on Content Delivery servers? Can I completely remove it? What would be the implications if I do so?
The version of sitecore: 8 Update-5
The module is designed to protect WebForms from CSRF attacks.
By default, it is configured to protect Sitecore interfaces (Sitecore shell) only. However, it supports configuration and can be enabled to protect frontend solutions.
Since Sitecore shell site is disabled on Content Delivery servers the module can safely be disabled or completely removed without any implications.
If you have the Sitecore backend enabled on Content Delivery servers, the module can be configured to skip processing requests to some specific locations. Just add a node to the Sitecore.AntiCsrf.config file and specify the URL to filter.
The AntiCSRF module validates a cookie value (a Guid) against a form field value. If your API calls don't contain both of these then the module will raise an error. Interestingly, it doesn't appear to matter what the value actually is.
The module itself injects a Guid::ToString("D") but the check doesn't attempt to parse it back into a Guid, or identify if it is the right Guid. Not sure how good an anti-CSRF check this is, but that aside, the only actual requirement is that the form field name in the request payload must match the @formFieldName attribute of the <AntiCsrf /> element, and the cookie name must match the value of @cookieName.
You mentioned that you tried adding ignore rules - that's the appropriate way to disable the functionality for your use case. I would work on getting this right - it's most likely the rule was not well crafted (or the assumptions about what the rule was testing against were not correct). Below is a sample of a correctly formatted block.
<rule name="WFFM">
<urlPrefix>/sitecore/shell</urlPrefix>
<ignore wildcard="/sitecore/shell/Applications/Modules/Web Forms for Marketers/Form Reports*\?*Cart_*_Items_Callback=yes"/>
<ignore wildcard="/sitecore/shell/~/xaml/Sitecore.Forms.Shell.UI.Dialogs.LookupRecords.aspx*"/>
<ignore wildcard="/sitecore/shell/~/xaml/Sitecore.Forms.Shell.UI.Dialogs.ListItemsEditor.aspx*"/>
</rule>
Note that @wildcard rules are executed as a Regex with IgnoreCase. You can also use @contains. These values, along with <urlPrefix>, should not include a scheme, and while <urlPrefix> is necessary to enable the subsequent matching rules, it is not sufficient on its own.
The other thing you can do is set the @detectionResult value to RaiseException and set your Sitecore logging to at least WARN so that you can see the errors being raised in the Sitecore log - these may help you identify the part of the check that is failing. The actual logging in the module isn't great so you won't get much benefit from DEBUG logging I'm afraid.
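A model of the behaviour described in the answer above, as an added example that is not Sitecore's code: it applies an ignore rule the way the answer explains it (urlPrefix gates the rule, wildcard patterns are case-insensitive regexes, contains is a substring test) and places the presence-only token check the answer describes beside a proper double-submit check that actually compares the cookie and form values. The field and cookie names, and the decision to turn each `*` in a wildcard into `.*` while keeping the rest as regex syntax (so `\?` still means a literal `?`), are assumptions; confirm them against your Sitecore version.

```python
"""Model of Sitecore AntiCSRF ignore rules and token checks (added example, not Sitecore code).

Assumptions: a <wildcard> is compiled as a case-insensitive regex after each '*'
becomes '.*'; <contains> is a case-insensitive substring test; the field and
cookie names below are placeholders for your configured values.
"""
import hmac
import re
import uuid

FORM_FIELD = "__RequestVerificationToken"  # assumed formFieldName
COOKIE_NAME = "__CSRFCOOKIE"               # assumed cookieName


class IgnoreRule:
    def __init__(self, url_prefix, wildcards=(), contains=()):
        self.url_prefix = url_prefix.lower()
        self.patterns = [re.compile(w.replace("*", ".*"), re.IGNORECASE) for w in wildcards]
        self.contains = [c.lower() for c in contains]

    def ignores(self, path_and_query):
        # <urlPrefix> gates the rule but is not sufficient on its own.
        if not path_and_query.lower().startswith(self.url_prefix):
            return False
        if any(p.search(path_and_query) for p in self.patterns):
            return True
        return any(c in path_and_query.lower() for c in self.contains)


# The sample rule from the answer, expressed in the model.
WFFM_RULE = IgnoreRule(
    "/sitecore/shell",
    wildcards=[
        r"/sitecore/shell/Applications/Modules/Web Forms for Marketers/Form Reports*\?*Cart_*_Items_Callback=yes",
        r"/sitecore/shell/~/xaml/Sitecore.Forms.Shell.UI.Dialogs.LookupRecords.aspx*",
        r"/sitecore/shell/~/xaml/Sitecore.Forms.Shell.UI.Dialogs.ListItemsEditor.aspx*",
    ],
)


def check_presence_only(cookies, form):
    """The check as the answer describes it: both tokens present, values never compared.
    Any attacker page can satisfy this by submitting any value in the form field."""
    return COOKIE_NAME in cookies and FORM_FIELD in form


def check_double_submit(cookies, form):
    """A real double-submit check: both present, both well-formed GUIDs, and equal
    (constant-time comparison so a mismatch does not leak timing information)."""
    cookie = cookies.get(COOKIE_NAME, "")
    field = form.get(FORM_FIELD, "")
    try:
        uuid.UUID(cookie)
        uuid.UUID(field)
    except ValueError:
        return False
    return hmac.compare_digest(cookie, field)


def should_block(path_and_query, cookies, form, rules=(WFFM_RULE,), strict=True):
    """Ignore rules are consulted first; otherwise the chosen token check decides."""
    if any(r.ignores(path_and_query) for r in rules):
        return False
    check = check_double_submit if strict else check_presence_only
    return not check(cookies, form)
```

If your ignore rule seems to have no effect, run the request path and query string through IgnoreRule.ignores in this model: a rule that fails the urlPrefix gate, or a wildcard that only matches the path without the query string, is the usual culprit.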

GET request 200 OK but 'failed to load response data' for links

I made a personal website (http://www.soyoungpark.online) using a domain bought from GoDaddy and hosted on AWS S3. I set up everything and thought things were working until I put a simple link to my LinkedIn profile. When I check the network panel, I see that the status code is 200 OK but for the response there is nothing. The code itself doesn't seem to be problematic; it is simply an <a> with an href to the desired link. So I am guessing something could be wrong with my AWS S3 settings? Anyone with similar experience?
It's likely that these services include a header option called "X-Frame" that for security prevents them from being loaded within another site:
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. Source: X-Frame-Options
This does look to be the case when attempting to view Linkedin per your example:
Refused to display 'https://www.linkedin.com/in/exampleuser' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
That said, applying a target attribute to each <a> to open in a new tab or window should allow these outside services to be navigated to.
e.g:
<a href="https://www.linkedin.com/in/exampleuser" target="_blank">
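A way to check a response's framing policy before wondering why a frame stays blank, added here as an example rather than taken from the answer: the function interprets X-Frame-Options and, when present, the CSP frame-ancestors directive, which browsers apply in preference to X-Frame-Options. The header sets below are constructed, not captured from LinkedIn, and the CSP matching is simplified to the source forms 'none', 'self', '*', *.host and an exact scheme://host origin.

```python
"""Framing-policy check for a page's response headers (added example, not from the answer).

Simplifications: origins are compared as scheme://host[:port] strings without default
port normalisation, and only the common frame-ancestors source forms are handled.
"""
from urllib.parse import urlsplit


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _ancestor_allows(source, parent_origin, page_origin):
    """Match one frame-ancestors source expression against the embedding page's origin."""
    s = source.strip("'").lower()
    if s == "none":
        return False
    if s == "self":
        return parent_origin == page_origin
    if s == "*":
        return True
    if s.startswith("*."):                       # wildcard host, any scheme/port
        host = parent_origin.split("://", 1)[1].split(":")[0]
        return host.endswith(s[1:])
    return s == parent_origin                    # exact origin such as https://partner.example


def can_be_framed(headers, page_url, parent_url):
    """True if a document at parent_url may embed page_url, given page_url's response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    page, parent = _origin(page_url), _origin(parent_url)

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # frame-ancestors is present: browsers ignore X-Frame-Options entirely.
            return any(_ancestor_allows(src, parent, page) for src in value.split())

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == page
    # ALLOW-FROM is obsolete and ignored by current browsers, so it gives no protection;
    # an absent or unknown value likewise leaves the page frameable.
    return True


# Constructed header sets (not captured responses).
SAMPLE_SAMEORIGIN = {"X-Frame-Options": "sameorigin"}
SAMPLE_CSP = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example",
    "X-Frame-Options": "DENY",   # overridden by frame-ancestors above
}
```

The practical reading of the function for this question: a LinkedIn profile answering with X-Frame-Options: sameorigin can only be framed by linkedin.com itself, so from any other site the frame is empty regardless of how the S3 bucket is configured; a normal link or target="_blank" is the right fix.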

Cubesviewer configuration for proper authentication

I'm trying to configure cubesviewer and try out the setup.
I've got the app installed running, along with cubes slicer app too.
However, when I visit the home page
http://127.0.0.1:8000/cubesviewer/
it fails popping up an error "Error occurred while accessing the data server"
Debugging with the browser console, shows a http status 403 error with the url http://localhost:8000/cubesviewer/view/list/
After some googling and reading, I figured I'll need to add rest frame auth settings. (as mentioned here.).
Now after running migrate and runserver, I get 401 error on that url.
Clearly I'm missing something in settings.py. Can somebody help me out?
I'm using the cubesviewer tag v0.10 from the github repo.
And find my settings here. http://dpaste.com/2G5VB5K
P.S: I've verified Cubes slicer works separately on its own.
I have reproduced this. This error may occur when you use a different URL to access a website and to access related resources. For security reasons, browsers allow access to resources from exactly the same host as the page you are viewing.
Seems you are accessing the app via http://127.0.0.1:8000, but you have configured CubesViewer to tell clients to access the data backend via http://localhost:8000. While it's the same IP address, they are different strings.
Try accessing the app as http://localhost:8000.
If you deploy to a different server, you need to adjust settings. Here are the relevant configuration options, now with more comments:
# Base Cubes Server URL.
# Your Cubes Server needs to be running and listening on this URL, and it needs
# to be accessible to clients of the application.
CUBESVIEWER_CUBES_URL="http://localhost:5000"
# CubesViewer Store backend URL. It should point to this application.
# Note that this must match the URL that you use to access the application,
# otherwise you may hit security issues. If you access your server
# via http://localhost:8000, use the same here. Note that 127.0.0.1 and
# 'localhost' are different strings for this purpose. (If you wish to accept
# requests from different URLs, you may need to add CORS support).
CUBESVIEWER_BACKEND_URL="http://localhost:8000/cubesviewer"
Alternatively, you could change CUBESVIEWER_BACKEND_URL to "http://127.0.0.1:8000/cubesviewer", but I recommend using hostnames and not IP addresses for this.
Finally, I haven't yet tested with CORS support, but check this pull request if you wish to try that approach.

How to monitor an action by user on Glass

I have a Mirror API based app in which I have assigned a custom menu item; clicking on it should insert a new card. I have a bit of a problem in doing that. I need to know of ways I can debug this.
Check if the subscription to the Glass timeline was successful.
Print out something on the console on click of the menu.
Any other way I can detect whether, on click of the menu, the callback URL was called or not.
It sounds like you have a problem, but aren't sure how to approach debugging it? A few things to look at and try:
Question 1 re: checking subscriptions
The object returned from the subscriptions.insert should indicate that the subscription is a success. Depending on your language, an exception or error would indicate a problem.
You can also call subscriptions.list to make sure the subscriptions are there and are set to the values you expect. If a user removes authorization for your Glassware, this list will be cleared out.
Some things to remember about the URL used for subscriptions:
It must be an HTTPS URL and cannot use a self-signed certificate
The address must be resolvable from the public internet. "localhost" and local name aliases won't work.
The machine must be accessible from the public internet. Machines with addresses like "192.168.1.10" probably won't be good enough.
Question 2 re: printing when clicked
You need to make sure the subscription is set up correctly and that you have a webapp listening at the address you specified that will handle POST operations at that URL. The method called when that URL is hit is up to you, of course, so you can add logging to it. Language specifics may help here.
Try testing it yourself by going to the URL you specify using your own browser. You should see the log message printed out, at a minimum.
If you want it printed for only the specific menu item, you will need to make sure you can decode the JSON body that is sent as part of the POST and respond based on the operation and id of the menu item.
You should also make sure you return HTTP code 200 as quickly as possible - if you don't, Google's servers may retry for a while or eventually give up if they never get a response.
Update: From the sample code you posted, I noticed that you're either logging at INFO or sending to stdout, which should log to INFO (see https://developers.google.com/appengine/docs/java/#Java_Logging). Are you getting the logging from the doGet() method? This StackOverflow question suggests that appengine doesn't display items logged at INFO unless you change the logging.properties file.
Question 3 re: was it clicked or not?
Depending on the configuration of your web server and app server, there should be logs about what URLs have been hit (as noted by @scarygami in the comments to your question).
You can test it yourself to make sure you can hit the URL and it is logging. Keep in mind, however, the warnings I mentioned above about what makes a valid URL for a Mirror API callback.
Update: From your comment below, it sounds like you are seeing the URL belonging to the TimelineUpdateServlet is being hit, but are not seeing any evidence that the log message in TimelineUpdateServlet.doPost() is being called. What return code is logged? Have you tried calling this URL manually via POST to make sure the URL is going to the servlet you expect?
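The callback handler the answer describes, written out as an added example (not the asker's servlet, the answer's code, or Google's samples): it logs the moment the URL is hit, decodes the notification JSON to find the CUSTOM menu action, and returns 200 immediately by queueing the card insertion for a worker. One check that the answer does not mention but a public HTTPS callback needs: the notification's verifyToken must equal the value you supplied in subscriptions.insert, otherwise anyone who finds the URL can forge menu clicks. The menu item id "ADD_CARD" and the token value are assumptions, and the sample notification is constructed in the documented Mirror API shape.

```python
"""Mirror API notification handler (added example, not from the thread or Google's samples).

Assumptions: the custom menu item id is "ADD_CARD" and EXPECTED_VERIFY_TOKEN is the
verifyToken passed to subscriptions.insert. SAMPLE_NOTIFICATION is constructed.
"""
import hmac
import json
import logging
import queue

log = logging.getLogger("mirror-callback")
work_queue = queue.Queue()   # drained by a worker thread, never inside the request

EXPECTED_VERIFY_TOKEN = "replace-with-a-long-random-secret"   # assumed
MENU_ITEM_ID = "ADD_CARD"                                      # assumed custom menu item id

# Constructed notification body in the documented shape.
SAMPLE_NOTIFICATION = json.dumps({
    "collection": "timeline",
    "itemId": "timeline-item-id-123",
    "operation": "UPDATE",
    "userToken": "user-42",
    "verifyToken": EXPECTED_VERIFY_TOKEN,
    "userActions": [{"type": "CUSTOM", "payload": MENU_ITEM_ID}],
}).encode()


def handle_post(body, expected_verify_token=EXPECTED_VERIFY_TOKEN):
    """Return (http_status, queued_job_or_None). Never blocks on the real work."""
    log.info("callback hit, %d bytes", len(body))          # evidence that the URL was called
    try:
        note = json.loads(body)
    except ValueError:
        log.warning("callback body is not JSON")
        return 400, None

    # Reject forged notifications: the callback URL is reachable from the whole internet.
    if not hmac.compare_digest(str(note.get("verifyToken", "")), expected_verify_token):
        log.warning("verifyToken mismatch; dropping notification")
        return 403, None

    menu_ids = [a.get("payload") for a in note.get("userActions", []) if a.get("type") == "CUSTOM"]
    if note.get("collection") == "timeline" and note.get("operation") == "UPDATE" and MENU_ITEM_ID in menu_ids:
        job = {"user": note.get("userToken"), "item": note.get("itemId"), "action": MENU_ITEM_ID}
        work_queue.put(job)                                 # card insertion happens off the request path
        log.info("queued %s for item %s", MENU_ITEM_ID, job["item"])
        return 200, job

    log.info("ignored notification: %s/%s actions=%s", note.get("collection"), note.get("operation"), menu_ids)
    return 200, None
```

Wire handle_post to your POST route and return its status at once; the worker that drains work_queue performs the timeline insert with the user's stored credentials. A manual test is a POST of SAMPLE_NOTIFICATION to the callback URL from your own machine: the first log line proves the route is reached, the "queued" line proves the menu item was decoded.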

Load XSL from another domain

One and a half questions:
1) Does crossdomain.xml only work for Flash?
1a) If so, is there a way to allow the loading of files across domains in the general case? (E.g., serve an XML page with a cross-domain stylesheet declaration to a browser.)
In newer browsers CORS should work; see http://en.wikipedia.org/wiki/Cross-origin_resource_sharing. So basically the browser and the server need to cooperate, with the browser requesting the document and the server being configured to allow the access.
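An added example serving two answers on this page, the CubesViewer one above (127.0.0.1 and localhost are different origins even though they are the same machine) and this one (the server opts in with CORS): it compares URLs the way a browser's same-origin check does, as a scheme, host and port tuple with no name resolution, and builds the response headers a server adds for an allow-listed Origin. This is not code from CubesViewer or from any browser; the allowlist and Origin values are constructed.

```python
"""Same-origin comparison and a CORS allowlist (added example, not project code)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Browser-style origin: (scheme, host, port). Default ports are normalised; hosts are
    compared as strings and never resolved, so 127.0.0.1 and localhost differ."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = p.scheme.lower()
    return (scheme, p.hostname.lower(), p.port or DEFAULT_PORTS.get(scheme))


def same_origin(a, b):
    return origin(a) == origin(b)


def serialize_origin(o):
    scheme, host, port = o
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def cors_headers(request_origin, allowlist, with_credentials=False):
    """Headers the server adds so a browser lets a different origin read the response.

    Only an exact, allow-listed origin is echoed back. '*' is deliberately never used:
    combined with credentials browsers reject it, and without them it lets any site
    read the data, which is the opposite of what an allowlist is for.
    """
    allowed = {origin(a) for a in allowlist}
    try:
        req = origin(request_origin)          # "null" or garbage fails here
    except ValueError:
        return {}
    if req not in allowed:
        return {}                             # no CORS headers: the browser blocks the read
    headers = {
        "Access-Control-Allow-Origin": serialize_origin(req),
        "Vary": "Origin",                     # caches must key on Origin when it is echoed
    }
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


# Constructed settings mirroring the CubesViewer question.
PAGE_URL = "http://127.0.0.1:8000/cubesviewer/"
CUBESVIEWER_BACKEND_URL = "http://localhost:8000/cubesviewer"
```

For the CubesViewer case, same_origin(PAGE_URL, CUBESVIEWER_BACKEND_URL) is False, which is exactly why the browser refuses the backend call; the fix is either to browse to the same hostname the setting names or to have the backend answer with cors_headers for that one extra origin. The same headers are what a server must send on an XML or XSL document before a browser will apply a stylesheet from another domain.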