My website is flagged as malicious by some software and therefore blocked on some Windows computers.
For more details I use React for the front end, express for the API, all deployed by Azure services, domain bought from Namecheap and manage in Cloudflare.
My question is how do I find the reason and fix this problem? My site is pretty simple and collects no information from users.
Many thanks!
Related
I was looking at https://material-ui-next.com who seem to be running on firebase hosting and use CloudFlare on top of it.
This raised a question. Do firebase hosting websites need additional layers for things like DDoS protection? As as I am aware, firebase provides SSL, CDN, DDoS and caching out of the box? When would one want to add CloudFlare on top of that?
UPDATE: I've moved from Firebase hosting to Netlify
While deploying our website (https://mfy.im) we ran into a similar debate. However, we decided to go with Firebase hosting without CloudFlare
The main reason is the performance:
Firebase hosting without CloudFlare: 732ms
Firebase hosting with CloudFlare: 1.2s
Using Firebase config json I was able to configure most of the things that I did earlier in CloudFlare.
However, if you're not much concerned about performance, I recommend to use Firebase with CloudFlare due to the following reasons:
Firebase provides some basic DDOS prevention, but no rate limiting. See: Rate Limiting on Firebase Hosting
Brotli compression - Firebase only provides gzip
Pricing - only 10GB bandwidth is free. After that, it's $0.15 per GB. If you enable CloudFlare on top of Firebase it will cover most of your bandwidth
To anyone looking to put Cloudflare or another CDN in front of Firebase - bear in mind that Firebase sees only one IP making a massive number of requests and may decide to block that IP. I'm not sure if this is something happening recently, but here's the (arrogant) response from Google Support on the matter:
The specialist we involved in the issue recommended us to escalate
this with one of the Firebase Engineers which we did.
The engineers mentioned us that CloudFlare integration is limited as
Firebase hosting already provides content through the Firebase CDN[1]
and adding a second CDN on top is discouraged as it can actually bring
down the site performance.
This causing a limitation preventing us to allow the cloudflare IPs.
Edit: If you're interested in doing this, Google have opened a "Feature request" here to whitelist / stop blocking CDN IPs:
https://issuetracker.google.com/issues/185590945?pli=1
Please star it if you would like it resolved faster.
We put Fastly in front of firebase. We put it in front of functions AND hosting.
We did this using rewriters to point to the functions, then we requested Fastly to do a force override to pull the hosting domain properly (we were getting site not found).
Using Fastly to pull data from Firebase is working very well. We get additional logging, control of WAF, etc.
We did not have to setup a custom domain in Firebase to achieve this, but we did have to allow Fastly to call with CORS settings.
I know next to nothing about certs or site security. I'm a communications professional. I am however entrusted with fixing our company website.
www.cjfe.org
Visiting the website kicks up an untrusted certificate error for new arrivals. this wouldn't be a problem if our primary user base did not have a specific focus on civil liberties and privacy.
Now, getting HTTPS set up for our entire site is not an option. We do not have shell access, can't install Lets Encrypt and the hosting service we use (also our CRM provider) only offers encryption for $1000/month as part of their enterprise package, which we're not.
We're not concerned about offering encryption across our whole site. We are however concerned about the errors being kicked back to our users about our site. We think it's happening for any user who is running EFF's HTTPS Everywhere, which is 90% of our audience.
This has a huge impact on our traffic and I know nothing about how to resolve this. Can somebody please help diagnose this and suggest a workaround which will restore normal functionality to our site?
THANKS!
I have a website running on IIS that requires two SSL certificates, one for the main website domain, and one for the traffic coming through a CDN (the assets are served from a different domain name). Both use SSL.
I therefore used the Server Name Indication option when creating the HTTPS bindings in IIS.
The site works fine, I know that users on IE6/Windows XP may experience an issue, but we don't have any/many users visiting our site using that combination so that's not a problem. However, it is an ecommerce site that receives postbacks/callbacks from both PayPal and WorldPay. Here is where we are experiencing an issue. It would seem that neither PayPal or WorldPay's mechanism for posting back payment information understands SNI, therefore we don't get notified that a payment has been made.
I'm not sure what the options are. IIS is telling me to create a default SSL site, but I can't find any instructions online regarding what I should be creating, or what benefit it serves.
Am I going down the right path with this? Can anyone offer any advice on a) whether a default SSL site will fix this issue and b) how to create the default SSL site?
Thanks for your time in advance.
Kind regards,
Dotdev
You don't have to have all your sites configured to require SNI.
From what you're saying, your callbacks from PayPal and WorldPay are on your main site are they?
If this is the case, you can simply edit the binding on your main site so that it does not require SNI, and make sure it is set to "All unassigned" rather than a specific IP address (otherwise it will get in the way of the SNI site).
Question in the simplest way possible: I have a website which I want to make capable to use https - how to do it?
I heard about Google and its super powers, but the amount of results treating about ssl and https and so on, is too d* high. I'm really afraid to end up with incompatible certificates or empty bank account because of choosing wrong article or something out there.
I politely ask you to help me find the right articles about this topic. "Where do I start, where do I begin" as Chemical Brothers have sung.
I have an account on shared hosting
the very goal is to let users use my website through the https connections
I have one domain
all of images, javascript, css files are on the same domain
I'm aware of fact that maybe the best articles are right before my eyes (even now as I'm writing this question), but please - be understanding. I don't even know what should I know in the first place.
Thank you in advance for any guides.
First of all you need to create an SSL certificate. There are lots of sites out there that do it http://www.selfsignedcertificate.com/ or http://www.godaddy.com.
Once you have a certificate you need to install it on your web server. Depending on Windows or other OS you will do this differently.
Lastly you will configure you website to use https (port 443) rather than http (port 80). This is configured with IIS or Apache directly.
Hopefully this link for windows and this for Apache helps a bit too.
If you are using another hosting application, just Google: install ssl certificate [myhostingApplication]
Update:
For shared hosting this will more than likely depend on your hosting provider. If you don't have access to IIS or similar, you more than likely will have to contact your provider directly. I use shared hosting with GoDaddy and they say:
NOTE: If you want to install an SSL certificate on our shared hosting, Website Builder or Quick Shopping Cart®, you must purchase one of our SSL certificates. We do not install SSL certificates from other providers on our shared hosting accounts.
Your provider may be the same. So do be careful.
When I click on myAccount->SSL Certificates it redirects me to a page where I need to purchase one from GoDaddy. Upon purchasing one, I can then manage it from SSL Certificates on myAccount page.
Your provider may be different, since you haven't mentioned who they are, you may just have to scour their knowledge base.
We have a multi-tenant website where we use a wildcard SSL cert to give people a subdomain to our site. Some of our customers would like to use their own domain, but I'm concerned about how we would manage each customer's certificate as our business grows. Currently the certificate resides on the web server, which means loading all of the certs to each web server as we add them.
I'm aware we could introduce a dedicated SSL device in front of the web servers, but are there other options to improve the management of these certificates?
I'm a Microsoft Technical Evangelist and one of my partners had exactly the same challenge.
I have created a sample source code that automates and manages SSL certificates for multiple domain bindings using a new IIS 8 (Windows Server 2012) feature called SNI, which is a kind of SSL hostheaders.
All you will need to do is to reuse my code (it's quite simple) and upload your custom SSL certificates to the blob storage, or you can write your own provider to fetch custom domains and certificates from your database.
I have posted a detailed explanation and a sample "plug & play" source-code at:
http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/
You could make your clients deal with their own certificates and make them run there own https site. They can serve a page containing a single frame with your content (over https). The users will see their domain and their certificate and the browser will load the frame without complaining as long as the frame contents are also loaded over a valid https connection. I created a quick an dirty test page so you can see it in action.
This solution will 'break' the address bar as it will keep the url of the page containing the frame. Depending on the type of site you're running this might be a showstopper.