Django requests printed in IDE over WEB - django

I am posing this question since I didn't find anything that would already solve my little problem. I want to know if I can see requests over the internet in my IDE, PyCharm or any other. Normally when I hosted the site via localhost I saw the requests I made, and I was also able to see printed stuff. Now that I have implemented WSGI, mapping an external IP to a free hostname, I don't see live requests anymore (all is hosted locally on Windows with XAMPP Apache2).

Related

localtunnel not generating url string on Windows 10

I have followed this guide in setting up my localtunnel:
https://www.hongkiat.com/blog/accessible-local-web-server/
however, when I run the following command lt --port 80 nothing is showing. I started looking for this solution since Facebook seems to have stopped localhost access to the FB.ui() method for sharing content on their site.
I have tried running as admin while disabling firewall and McAfees Antivirus Scan. I have used ngrok before now too but Facebook rejects it for no clear reason.
Below is an image of the steps taken:
Managed to get my way around this localhost tunneling issue using ngrok.
I noticed I'm expected to add additional domain names under App Domains in Facebook APP settings. So I added ngrok.io as an additional APP Domain and WHALAH! everything started working for the FB.ui() method.

How did a hacker produce this GET request?

I am just about to go live with a website and am addressing security issues. The site has been public for some time but not linked to the search engines.
I log all incoming requests and today noticed this one:
GET /home/XXXXX/code/repositories/YYYYY-website/templates
where XXXXX is a sudo user on my server and YYYYY is my company name.
This is actually the structure of my Django project code.
My website is coded using Django and runs under Apache2 on Ubuntu.
My question is how can this guy possibly know the underlying code/directory structure on my server, in order to create this request?
Their IP is : 66.249.65.221.
They come up as 100% a hacker on https://ip-46.com
Any contributions welcome.
EDIT1 25/11/2019
With some helpful input from Loïc, I have done some investigation.
The Ubuntu 18.04 server is locked down as far as logging in goes - you can only get in with one of my private keys. The PostgreSQL is locked down - it will only accept connections from one IP where my dev machines reside. RabbitMQ is locked down - it won't accept ANY external incoming connections. The robots.txt allows all crawling but the robots meta restricts access to about 12 pages only.
Somebody who knows Django would know how to form this directory path if they knew the Django project directory, but they also have this relative to root on the server. The only place where this is available is in the Apache2 config file. Obviously Apache needs to know where to pick up the Django web server.
I am 99% sure that this 'hacker' got this via some sort of command to Apache. Everything is redirected to port 443 https. The above GET request doesn't actually do anything because the url doesn't exist.
So to make the question more refined. How can a hacker pull my Django absolute project path from my Apache2 config file?
There are a lot of different ways to learn about the directory structure of a given server.
The easiest is usually error logs.
If DEBUG is set to True in your Django settings, it is very easy for an attacker to get the directory structure of your project.
Then there is LFI, a security issue allowing an attacker to read local files. It's then possible to read some logs, or the Apache configuration, to learn what your project directory is...
The problem could come from another service running on your server as well...
One cannot really give you a complete answer on this topic, as there are a lot of different ways this could happen.
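A way to find such requests in an Apache access log, as an added example (not code from the question or the answer): it flags request paths that name the project directory or another filesystem location, after percent-decoding and ignoring the query string. The log lines, the prefix list and the function names are constructed for illustration; XXXXX and YYYYY are the placeholders used in the question.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Apache "combined" log line: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Filesystem locations that no URL route should start with (assumed list).
FS_PREFIXES = ("/home/", "/var/www/", "/srv/", "/etc/", "/usr/")

def decoded_path(target):
    """Request path only (no query), percent-decoded, with ./ and ../ collapsed."""
    path = unquote(urlsplit(target).path)
    return normpath(path) if path.startswith("/") else path

def find_path_disclosures(lines, project_root):
    """Map client IP -> [(status, path, reason)] for paths naming server-side files."""
    root = project_root.rstrip("/")
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        ip, _method, target, status = m.groups()
        path = decoded_path(target)
        if path == root or path.startswith(root + "/"):
            hits[ip].append((int(status), path, "project-root"))
        elif path.startswith(FS_PREFIXES):
            hits[ip].append((int(status), path, "filesystem-prefix"))
    return dict(hits)

# Constructed sample log lines; XXXXX / YYYYY are the question's placeholders.
ROOT = "/home/XXXXX/code/repositories/YYYYY-website"
SAMPLE = [
    '203.0.113.7 - - [25/Nov/2019:10:00:01 +0000] "GET /home/XXXXX/code/repositories/YYYYY-website/templates HTTP/1.1" 404 196',
    '203.0.113.7 - - [25/Nov/2019:10:00:02 +0000] "GET /%68ome/XXXXX/code/repositories/YYYYY-website/templates/ HTTP/1.1" 404 196',
    '198.51.100.4 - - [25/Nov/2019:10:00:05 +0000] "GET /var/www/html/ HTTP/1.1" 404 196',
    '192.0.2.10 - - [25/Nov/2019:10:00:09 +0000] "GET /products/?next=/home/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, found in find_path_disclosures(SAMPLE, ROOT).items():
        for status, path, reason in found:
            print(ip, status, reason, path)
```

A "project-root" hit means the deployment path is known outside the server, which points back to the sources named in the answer (DEBUG pages, error output, readable configuration). The status column separates a request that got a 404 from one that was actually served.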

django website served by nginx can not be visited from outside properly

I used Django + nginx + uWSGI to deploy a website to example.com (this is also the hostname of my instance where I put the Django app on Google Cloud Platform) following the instructions here https://uwsgi-docs.readthedocs.io/en/latest/WSGIquickstart.html.
Now here's the strange thing. I found that all devices under my university's WiFi can access my website (http://example.com) but devices outside my network (for example, in another city) cannot access it. Does anyone know what is going on here?
Thank you very much in advance.
Found out where the problem was with the help of my friend.
Turned out I pointed my DNS to two IP addresses and this caused the problem. When people at other places visited my website, they were directed to the other IP, which only showed them the nginx welcome page.
Learned a useful command, 'ping www.example.com'; this helps you identify the IP address associated with www.example.com

External request limit on IIS

I have deployed a Django application on IIS. The application requests an external link (API) to extract some data.
What I have seen is that it makes requests but fails to complete the full set of requests. It goes for about 4 requests, sometimes it goes further to 9 requests, and stops there. No sign of an error is shown.
When I perform the same task from the Django shell, all requests are made. So I guess this is something related to IIS.
I am new to IIS and Windows server app deployment.
I tried googling about this but I could not find any relevant answer.
Has anyone here faced a similar problem? If so, what can be the solution? Also, can you guide me on this?

Localhost vs. video1.hackedexistence.com

I'm following through the Django Tutorials by HackedExistence on YouTube.
Since the video is about a year old, I assume that the version differences may contribute to this problem. I'm currently on the 2nd video but this issue arose since the first.
On my browser,
http://video1.hackedexistence.com/
This link opens up the Apache 2 Test Page, and the localhost link opens up the Django Administrator page nicely.
But he sets it up so that the hacked existence link loads up the Django Admin page.
How is he able to achieve this? And what steps are needed for setting it up that way with the versions that I'm working with?
Python 2.7.3, Django 1.4.1, Apache 2.2.22 (Unix)
Running on OS X 10.6.8.
video1.hackedexistence.com is (presumably) a domain under the control of HackedExistence, and it's showing an Apache 2 test page because the server it's pointing to is not configured to show anything else. You have no control over this domain or the server it is pointing to, so you can't affect it directly.
It doesn't have anything to do with different versions of python, django, apache, or anything else; it's likely that HackedExistence chose to move on to something else, is no longer maintaining his site (or at least the content on that subdomain of it) and his tutorial now no longer works as a result.
The closest you can come is add an entry to your /private/etc/hosts file (on OSX) so that video1.hackedexistence.com resolves to 127.0.0.1 (i.e. localhost, your own computer), but this is almost certainly not what you're after. For example, if you do this, everybody else will still see the test page you're seeing now, because the /etc/hosts file is just telling your computer to treat the video1.hackedexistence.com domain as if it's pointing to your computer.
For learning web development, you can safely completely disregard this and can continue to test on your local computer.
When it comes to deploying the website for other people to view and use, you will need to buy a domain (e.g. at http://namecheap.com/), get some hosting (for python/django hosting I can recommend WebFaction, or you can use Heroku's free plan), and follow the Django deployment instructions in the official documentation (or the documentation provided by the hosting provider you choose). My advice is to focus on learning web development and get something working before you spend money on any hosting.
I don't know the videos, but I'm assuming that the author of the book owns (or owned at the time) the hackedexistence.com domain name, and had it pointing to his server so that it would be able to interpret the Django App and serve it up to public requests ... and now it looks like that configuration doesn't exist any more.
If you're asking what I think you want to ask, "how can I get a Django app viewable on the public web," well, there are lots of ways to go about doing this. If your server is Apache, https://docs.djangoproject.com/en/dev/howto/deployment/wsgi/modwsgi/ is the way to go. Google could help you find the similar docs for other servers. Lots of answers on stack overflow as well.
If instead you're asking a different question, namely, "how can I get this app on my local machine to be viewable via some method other than localhost" (and you don't have a server), well, the answer is you'd have to get a domain that points to your local machine -- this is a question that has lots of answers elsewhere. One thing to be aware of is that Django through Apache on Mac OS X isn't terribly simple, as it requires manually installing mod_wsgi, but it's not overly difficult either. Here's Google's top link (a bit old but still relevant): http://jessenoller.com/2009/07/24/django-mod_wsgi-apache-and-os-x-do-it/
And finally, if you're asking how you can get your app to show up at hacked existence, well ... buy that domain and see the above paragraph. :)