I recently discovered that one of our production servers is giving a fatal error when we try to issue an FQL query via the Graph API. The exact same code on other servers works perfectly. The servers are behind a load balancer with a single IP address.
The error is:
PHP Fatal error: Uncaught OAuthException: (#5) Unauthorized source IP address
thrown in /usr/local/home/faniq/php-lib/facebook/base_facebook.php on line 1039
I have tried adding the IP address to my FB app's server whitelist (which was blank). When I try to save the whitelist, it gives me this error:
Your IP should be included in the Server Whitelist.
I even tried a range of IP addresses, still refuses to save. The other production servers and our development environments all work fine, so I am at a loss. Any ideas why Facebook would not accept requests from this one particular server?
You shouldn't need to enter an IP address in the Advanced Settings unless you want to restrict API calls from specific servers. Since your server(s) are behind a load balancer, you should enter the public IP for each server behind the load balancer, rather than the load balancer IP address.
The servers will be calling the API directly from each server, rather than going via the load balancer. The load balancer is only used for incoming requests to your server, not outgoing like API calls.
Related
I have a site hosted with AWS, but the domain is not ready yet. I want to work on it and begin testing.
The site runs through a load balancer.
When I go to Load Balancers in EC2 I can see the DNS name. If I type this into my browser I get a warning that it is unsafe, then when I choose to load anyway I get an error DNS_PROBE_FINISHED_NXDOMAIN
I used the "dig A " command in terminal to get the IP address. I added this IP address to my hosts file, and I get the same error when trying to access it like that.
I get a warning that it is unsafe
It is unsafe because the default ALB URL does not use HTTPS. It only works with HTTP, which is marked as insecure by all major browsers.
To fix that you need to have your own domain and set up a valid, public SSL certificate using AWS ACM for that domain.
I have a Kubernetes service I exposed with a custom domain name. When I try to access the service using the custom domain, it fails (just loading forever). But if I use the IP, it works. Do I need to configure something somewhere? I am using GKE.
When I ping the URL, it's trying to hit the correct IP. Also ping works.
The LoadBalancer service is a layer 4 load balancer and thus only uses the IP to route traffic to your backend pods. If ping works and the site loads correctly when you use the IP address, this shows that the load balancer is directing traffic correctly.
There is likely a setting in your webserver that is looking at the URL and is having issues loading when a URL is used. Check your container logs to see if any errors are returned when you use a URL instead of IP.
I have an EC2 instance which hosts a web site running in IIS. I have also set up an AWS Application Load Balancer with an HTTPS listener into which I have added my web site's SSL certificate (held in AWS Certificate Manager). The HTTPS listener redirects traffic to my target group which in turn points to my EC2 instance. The EC2 instance uses a security group to only allow traffic from the Load Balancer.
Firstly, am I correct in thinking that the Application Load Balancer decrypts the SSL traffic and as a result, this is forwarded to my target group using HTTP (in other words, my EC2 instance's security group only needs to accept HTTP traffic from the Load Balancer and I can remove my SSL certificate from IIS)?
Secondly, the main problem that I am experiencing at the moment is that the site has relative paths to some of the resources (CSS, JavaScript, etc). As a result I am getting mixed content errors in my Firefox console when I browse the site. I set up an HTTP listener in my Load Balancer to redirect traffic to HTTPS but this doesn't seem to be working for relative paths.
I don't particularly want to edit the site to change relative paths to fully qualified HTTPS URLs as it is a very complex content management system. Also, before using the Load Balancer the site was serving content perfectly (the DNS entry pointed to my EC2 instance's public IP address and there was a rewrite rule in IIS to handle non-HTTPS traffic).
Any advice would be greatly appreciated.
For your first query, I think yes. You can remove your SSL certificate from IIS and point the EC2 instance's security group to accept HTTP traffic from the Load Balancer.
For your concern about the relative paths problem, please go through this link: After introducing ALB, Mixed Content Error happened
I think it will be helpful.
Open your browser, click on the Network tab, and check the calls; these should be going somewhere else that is using HTTP. These are outgoing calls from your application, and a redirect will not fix this issue. See the screenshot.
It seems like the same error in your case: you are serving images from some other site, not from the EC2. That means the requests which the EC2 server is supposed to answer will work fine, but the ones where your code tries to pull a JS file or other resources are outgoing calls, and this has nothing to do with the LB redirect rule.
Better to update your application and all the URLs to https.
When a user visits a page served over HTTPS, their connection with the
web server is encrypted with TLS and is therefore safeguarded from
most sniffers and man-in-the-middle attacks. An HTTPS page that
includes content fetched using cleartext HTTP is called a mixed
content page. Pages like this are only partially encrypted, leaving
the unencrypted content accessible to sniffers and man-in-the-middle
attackers. That leaves the pages unsafe.
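The Network-tab check described in this answer can also be run offline against a saved copy of the page. The scanner below is an added example, not part of the original answer; the function names, sample HTML and example.com hosts are constructed for illustration. It resolves each subresource URL against the HTTPS page URL and reports only those that end up on cleartext HTTP, which shows that relative and protocol-relative paths inherit HTTPS and only absolute http:// references are flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute makes the browser fetch a subresource.
SRC_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed"}

class MixedContentFinder(HTMLParser):
    """Collect subresources that resolve to cleartext http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in SRC_TAGS:
            value = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            value = a.get("href")
        else:
            return  # e.g. <a href> is navigation, not a subresource
        if not value:
            return
        # Relative and protocol-relative URLs inherit the page's scheme.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, resolved))

def find_mixed_content(page_url, html):
    """Return [(tag, url)] for http:// subresources on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page, not taken from the site discussed above.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="http://www.example.com/css/theme.css">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://images.example.org/logo.png">
<a href="http://www.example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.example.com/", SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
```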
Thanks for the replies. I managed to get to the bottom of the second issue. The site's web.config had a rewrite rule which was forcing URLs to lowercase (something to do with SEO). This was causing the problems when serving the CSS and JS files. I've made the necessary updates to this rule and it now appears to work (see IIS URL rewrite module url's to lowercase).
For the first issue, the SSL certificates do not need to be installed on the IIS web server - they are only required in AWS Certificate Manager and then to be assigned to the Load Balancer which in turn has 2 listeners - one to direct HTTPS traffic to my Target Group and one to redirect HTTP traffic to HTTPS.
My IIS site now only has HTTP bindings and only accepts HTTP traffic from the Load Balancer.
All seems to work!
Good evening. I am currently trying to set up a load balancer for my server. I successfully set everything up; however, when I go to Google Domains to set the IP record I get the following error: "mysite.com unexpectedly closed the connection."
http://prntscr.com/npm04o
http://prntscr.com/npm0ot
Also, when I type the IP manually in the browser I get the same error. However, when I set my IP record to a VM machine IP that comes from my instance group, the load balancer IP starts to redirect to my site. I would like to get the load balancer IP to work with my Google Domains records.
Picture of configuration
http://prntscr.com/npm3ye
I think you are connecting to the load balancer using HTTPS. You do not have a front-end configured for HTTPS. Specify http:// and try again. If this is not the case, then go to Stackdriver and check the logs for your HTTP(s) Load Balancer.
Note: You have not provided enough information in your question. You need to provide the frontend, backend and healthcheck configurations.
Once you have everything working, your DNS resource record TTL should be longer than 1 minute - clients will constantly have to resolve your DNS names. Using a CNAME instead of A record adds another lookup. Use an A record instead.
I've got a load balanced IIS web application in AWS. Most redirects return the correct location, but when an HTTP/1.0 request is made with no Host header, the Location header in the response appears to be the internal IP address of the load balancer.
This was flagged up in a penetration test as a minor issue.
Is it possible to configure IIS, or the load balancer to return the host name here instead? Or is it not an issue worth fixing?
I've already added a system.webServer/serverRuntime/alternativeHostname key to the configuration of the two IIS servers, but this has not helped.
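A regression check for the finding described in this question, as an added example that is not part of the original post: it parses a captured redirect response and reports whether the Location header names a private, loopback or link-local IP literal instead of a host name. The function names, the sample responses and the address 10.0.3.17 are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_headers(raw_response):
    """Return (status_line, {lowercased header name: value}) from a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def location_leaks_internal_ip(raw_response):
    """Return the disclosed address if Location's host is a non-public IP literal."""
    _, headers = parse_headers(raw_response)
    location = headers.get("location")
    if not location:
        return None
    host = urlsplit(location).hostname
    if host is None:
        return None  # relative redirect: no host is disclosed
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a host name, not an IP literal
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return str(addr)
    return None

# Constructed responses, as they might be captured after the fix is deployed.
LEAKY = ("HTTP/1.1 302 Found\r\n"
         "Location: https://10.0.3.17/login\r\n"
         "Content-Length: 0\r\n\r\n")
CLEAN = ("HTTP/1.1 302 Found\r\n"
         "Location: https://www.example.com/login\r\n"
         "Content-Length: 0\r\n\r\n")
RELATIVE = ("HTTP/1.1 302 Found\r\n"
            "Location: /login\r\n"
            "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("clean", CLEAN), ("relative", RELATIVE)):
        print(label, "->", location_leaks_internal_ip(raw))
```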