I have one web server, one db server and one file server. Web and db servers works fine, but I want to place all media files (photos, etc) on file server. Architecture is like that:
I read this and this, but I cant find instructions, how to do this. If someone has already done it, share experiences and code, please :)
Thanks.
Related
I am just about to go live with a website and am addressing security issues. The site has been public for some time but not linked to the search engines.
I log all incoming requests and today noticed this one:
GET /home/XXXXX/code/repositories/YYYYY-website/templates
where XXXXX is a sudo user on my server and YYYYY is my company name.
This is actually the structure of my Django project code.
My website is coded using Django and runs under Apache2 on Ubuntu.
My question is how can this guy possibly know the underlying code/directory structure on my server, in order to create this request?
Their IP is : 66.249.65.221.
They come up as 100% a hacker on https://ip-46.com
Any contributions welcome.
EDIT1 25/11/2019
With some helpful input from Loïc, I have done some investigation.
The Ubuntu 18.04 server is locked down as far as logging in goes - you can only get in with one of my private keys. The PostgreSQL is locked down - it will only accept connections from one IP where my dev machines reside. RabbitMQ is locked down - it won't accept ANY external incoming connections. The robots.txt allows all crawling but the robots meta restricts access to about 12 pages only.
Somebody who knows Django, would know how to form this directory path if they knew the Django project directory but they also have this relative to root on the server. The only place where this is available is in the Apache2 config file. Obviously Apache needs to know where to pick up the Django web server.
I am 99% sure that this 'hacker' got this via some sort of command to Apache. Everything is redirected to port 443 https. The above GET request doesn't actually do anything because the url doesn't exist.
So to make the question more refined. How can a hacker pull my Django absolute project path from my Apache2 config file?
There are a lot of different ways to learn about the directory structure of a given server.
The easiest usually being error logs;
If in your django settings, DEBUG is set to True, it is very easy for an attacker to get the directory structure of your project.
Then there is LFI, a security issue allowing an attacker to read local files. It's then possible to read some logs, or apache configuration to learn what is your project directory...
The problem could come from another service running on your server as well...
One cannot really give you a complete answer on this topic, as there are a lot of different ways this could happen.
I cant seem to figure out how to query database information from mysql through a php file uploaded to a server back to a xamarin application after something like a http post call.
I am relatively new to database development, however I had used bluehost for php storage and querying of my app information for about a year yet cant seem to do the same with AWS. I have a relatively decent scope of what S3, EC2, and RDS do for you, however none of them seem to do what I want. In essence I want to be able to say have someone click a button on my xamarin app that creates an event for a club. Then after they click said button, it will make an http post request to an aws site that contains a php file. In that php file it will change or grab the contents of a mysql database. The only place that seems to be able to upload files is S3 but you cant seem to directly utilize php files in the JSON format that I want. Am I completely off with why you would use AWS at all, am I close but not using the right tools, or is it something else? Please give a pretty extensive description on all that I would need to do as I have been struggling to find anything at all on this topic surprisingly.
So after some digging this video here walks through it a bit with phpstorm as your way to connect to the database and add webpages or api php files. Its pretty long but very helpful.
I've created a web application that runs a web service (WCF). The source code is long gone but I just checked that the app itself is still up and running. Given that I have the address to the service (something.azurewebsites.com) and the name of one of the methods exposed (parameterless Ping), how can I learn the location of the WSDL file?
As far I recall, I've exposed it the most common way, the publish file fetched from the suggestion on Azure portal. I'd like to just call the method Ping to verify something, so rebuilding a whole new service seems a bit overkill.
Suggestions on what the exact URL might be? Alternatively, suggestions on a tool to sniff that up?
Go to the Azure portal and find the FTP address for your "something.azurewebsite.net". Then use an FTP program to connect to the server and browse the files. This way you might be able to find the ".svc" file. For that matter, you might be able to download all of your code and use a tool like Reflector to view the .Net compiled code.
I want my customers to upload some file to my server. My current design is as below:
I make a folder on my server with R/W permission to Anonymous user like this: http://myserver/uploads
Customer contact my web service to indicate they want to upload something, and the webservice returned a path like this: http://myserver/uploads/xxx-xxx-xxx-xxx, the xxx part is a GUID.
But I don't know what to do next? I believe customer has the permission to write to the virtual path returned by the web service, but how could I write my client-side code so that it can actually copy things to that virtual path? My client-side is a Win32 application, not a web page.
What if I want the customer upload files within a web page, how to do that? I know that there's a "PUT" method in HTTP protocol that could be used to upload things to server, but how to use that?
I am new to this kind of web development. I hope I made myself clear. If there's any better design, please let me know.
Many many thanks.
Update - 1 - 0:59 2010/12/27
A similar question: How to upload a file to a WCF Service?
Some possible solutions:
Image Upload Web Service in C#.NET
Upload any type of File through a C# Web Service
Progress Indication while Uploading/Downloading Files using WCF
I would avoid allowing anyone to write files to a directory. I know you have set up permissions to help guard against anything bad happening, but it is still setup to where anyone can read/write to it, not just to person you've told the URL to. Security through obscurity is not a best practice.
What kind of webservice are you using? WCF, SOAP, something else all together? I would have the file upload still be a service call (not just some PUT command to a directory). That way you can still apply security if needed. When you get right down to it, a file is nothing more than an array of bytes, so you can have your web service accept an array of bytes and write it out to the correct location. If I had a better idea of what technologies you are using (php, asp.net, jsp, etc) Then I might be able to make more precise recommendations.
HTH
You can use SOAP attachments, or if not using SOAP, something similar - specifying filename, content type and binary data, Base64-encoded.
I saw this somewhere, but I can't remember where.
Where can I find, for Mac OS X, a system that automatically syncs a folder to your web server, sort of like Dropbox does? The idea being that I can edit code on my computer, and it automatically updates it on the server.
It seems so simple, but I can't for the life of me find the service.
Thanks!
rsync seems to do what you want.
Dropbox's web interface IS a web server. But I presume you mean your own server.
So put dropbox on your own server, and have the server serve the dropbox files.