We have 2 servers SerA and SerB. SerA has apache2 and SSL with a SSL certificate, and SerB has has a Web Service that only lets connections from SerA.
We need to connect the client with SerB through SerA, and the approach used is doing it with a proxy, but we need to know if the connection between the Client and SerB, and SerA and SerB are secured. How could we know that?
Not sure from your post what scripting language you are using on SerA and SerB to drive this application. But, most scripting languages give you access to an environment variable that you can use to determine whether the client's connection to the server is by way of HTTPS or HTTP. For example, in PHP, the environment variable is: $_SERVER['HTTPS']
Related
I am trying to write a c++ websocket server and have browser/chrome clients connect over websockets, for a multiplayer game. The websocket c++ library I'm using atm is websocketpp or websocket++. I wrote an app that allows clients to connect over ws and localhost, but when I add an ip for the address, connections don't occur at all. Now I think I have to use ssl and wss for ip connection? I tried it and there is some connection activity, but then the handshake times out. Could I be experiencing cross-orgin issues, or what, do i need ssl? I am new to websockets. Could the problem be my ssl certs I made with openssl? I can post code, or if you are familiar with a c++ library to do websockets, what is it? Is this even a possible thing to do?
There could be multiple reasons why it won't connect over ip.
The first is port forwarding. On a local network it's not necessary but running a server over a remote network, portforwarding has to be done. You can just run your server then use a simple port checker (there's many websites for them) to see if a connection can be established.
The other reason could be as you said ssl. If you are running your client on a web host, the host may require a connection to be made over ssl/wss for websockets. If your server isn't running a valid ssl certificate then this could prevent the client from connecting to your server. I know for exampe Github pages requires the server to be running wss or valid ssl certificates on the server side in order for a client connection to be established; however, if you use a custom domain name for Github pages then you can disable the need for ssl.
In order to get valid ssl certificates you would need to register a domain for your ip address then either buy certificates or use free certificates from zerossl or other distributors.
Here is a game I have written which connects to a c++ server which I'm running on my own machine with its own domain with valid ssl certificates and the client is running on github pages with a custom domain I have registered.
It's basically multiplayer minesweeper where the objective is to locate the flags rather than avoid them.
I'm using a local server for django dev and ngrok tunnel for webhooks. I've seen other localtunnel services like serveo. Can these services see your source code? Are they forwarding your local files to the ngrok server or just handling requests on a public domain and then securely fetching from your local server?
I've read about how ngrok creates a proxy and handles requests, but I still don't understand what exactly tunneling involves
It depends.
They certainly don't copy your django code and run it on their own server and they're not going to maliciously grab files off of your machine.
They just read from a network socket, but they do vary as to how encrypted they are or aren't.
Telebit
Telebit always uses end-to-end encryption via SSL, TLS, HTTPS, or Secure Web Socket (WSS)
TLS certs happen on the clients, not the relay
Works with SSH, OpenVPN, etc - but requires a ProxyCommand / secure client
(i.e. sclient, stunnel, or openssh s_client)
Can work with other, normally-unencrypted, TCP protocols (requires a secure client)
There is a poorly documented and deprecated feature for raw TCP, which can be seen, if used.
Serveo
serveo uses ssh port forwarding, which encrypts between the local server and the relay, but not the relay and the remote client
the origin traffic may be encrypted or unencrypted
ngrok
ngrok used to decrypt on their server, with an option to specify SSL certs manually they may have switched to full encryption since
A deeper dive
If you want to know more about their workings, you may (or may not) find this other answer I wrote informative and digestible: https://stackoverflow.com/a/52614266/151312
I found vortex is good fit
Just download and run
https://www.vtxhub.com/
I have a web application hosted on an external server. I would create a communication beetwen my home server and the web application.
I thought something like that:
my home server send its ip to the web application
the web application send data to the home server
my home server send back some data
I want to implemente a P2P communication between the WebApp and the home server
it would be bettere if the communication is encrypted
i dont want to use dynamic dns
Is there something to implement that?
There are several types of IP. It can be "grey" and "white".
"Grey" means that your computer can't be accesses through it.
"White" IP's can be accessed directly. Also there are dynamic IP's
that changes through the time. It all depends from the provider.
It's possible that you have "white dynamic" IP but it's pretty rare
for providers to do.
It's easier to connect to server because it
always have "white" permament IP.
TCP/IP already does most of the work. You just create tcp connection and it stays. You just think about sending data.
My suggestion for you is to create something like this:
Home server connects to WebApp
Home server requests some data and WebApp sends back data
Home server sends request containing data and server respondes that all is ok
So you have client-server model. And client always does only requests and server does only responses. And they do not switch. It's easier to maintain.
There is common technology of doing that and it includes encryption too.
You should use HTTPS protocol. Https will do all the encryption(and safely exchange keys too) you just worry about certificates(there are ways not to buy certificate but sign them by yourself. It's whole another topic)
So you will send https requests from your home server PC(client) and get responses from server(webApp).
As you write on Python you would find this answer helpful for you:
HTTPS request in Python
Im working on some JSON-based web service that is supposed to work with Android application.
I would like to encrypt data transport between client (android) and server (virtual server in datacenter).
I don't have to make sure that my server is my server, just data encryption.
I have no idea how to use HTTPS.
Do I just put my PHP files in private_html and use https://example.com url?
To use HTTPS, you don't have to do anything in the coding of your web service - it's all in your hosting. Here the are steps you can follow. The specific instructions differ in your hosting (IIS, Apache, AWS/Azure, etc), but you can google specifics on how to accomplish any of these steps for whatever host and application framework you decide.
Buy an SSL certificate (there are many different vendors, but expect between $75-$200 for the certificate) based on the vendor, reputation, and level of security you need.
Generate a certificate signing request (CSR) from the server you'll be hosting.
Upload the CSR to the SSL vendor who will validate and provide the certificate for your use.
Import the SSL certificate into your application server, and configure the site to use the certificate. For instance, if you're hosting Microsoft IIS, you'd import the SSL certificate and then add HTTPS bindings on 443 to the specific website hosting your web service.
Another point of security. Since you are deploying SSL, you don't have to do any application level encryption (assuming you are not putting sensitive information in query strings - use POST if you think you need to). You probably would want to implement some security to restrict access to your web service so only your app can access it. Best practice is some level of OAuth, but at a minimum some type of pre-shared key in the header of the request is a lot better than nothing.
Here are some additional sites for more information:
https://www.digicert.com/ssl-certificate-installation.htm
https://support.godaddy.com/help/category/742/ssl-certificates-installing-ssl-certificates?prog_id=GoDaddy
If you don't want to pay for a certificate, you can use certificate signet by your own CA and add the root certificates into your application using HTTPClient and keystores
Here there's some guides
http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
http://developer.android.com/reference/org/apache/http/client/HttpClient.html
KeyStore, HttpClient, and HTTPS: Can someone explain this code to me?
http://blog.antoine.li/2010/10/22/android-trusting-ssl-certificates/
You can limit users to use JUST and only HTTPS in apache, IIS or whatever do you use. If your client connects to your server, his communications will be likely to encrypted, because he is already using HTTPS. And for responsing in HTTPS you virtually cannot send HTTPS responses, as far as I know, unless that other side isn't also a website (for example, if you have your website, you could send such a response e.g. to Google). You should be okay to send data like http status codes (OK, NotModified, PageNotFound, ...), or if you want something more, or if it is a requirement, then there you still have JSON and you could encode it as well, with some encoding algorithms, or use binary JSON format.
Check if your hosting company provides a free public shared https address. Most of them do.
If you want to understand how to do it right, follow this thread
Warning: Don't stick with the solution below for production.
If you plan o use an https endpoint without a certificate you have to make sure to disable peer verification, check this answer
I have two computer systems each having an apache server. One machine is a client machine and the other is a server machine. I want both the client request and the server response to be encrypted thus making the data transfer safe.
Could someone please give pointers/steps on how I could make progress in this front.
The communication doesn't involve any GUI components meaning the communication is purely a backend one.
Both the client and the server are coded in java. I am using Axis2 and jaxws for the communication.
Currently I am able to send the client request and receive the server response without SSL enabled. Now If I enable SSL does it mean that I should also modify the existing code according to the SSL or the current working code still holds good.
You have many options here. Since you mention SSL...
On each server generate an asymmetric key-pair (RSA 2048 is a safe choice). Then create a self signed certificate on each server. Then copy each certificate to the other machine and mark it as trusted by the Java environment that apache is using and that NONE OTHER are trusted. Configure SSL/TLS on each of the apaches to use a good symmetric cypher (3DES is a safe choice, but there are other newer ciphers if you want leading edge). Next ensure that all access between Tomcat servers is via https URLs and you should be in decent shape.
An alternative is to use IPSEC to establish a static tunnel between the two servers using certificates or other trust bases.
One fairly simple option is to use stunnel, which is available via the standard package-manager on most *NIX systems. You configure an stunnel as a client (and server if you with) on one server and then another as the server (and client if you wish) and then configure your Tomcat instance(s) to connect to localhost:XYZ where XYZ is the port where stunnel is listening.
The nice part about using stunnel is that you can use it to tunnel any protocol: it is neither a Tomcat-specific nor a Java-specific technique, so you can use it for other applications in the same environment if you want.