For a scaling solution with Ant Media Server, how do we whitelist an IP when using a load balancer? As you know, a load balancer's IP changes dynamically; can Ant Media Server now whitelist a domain name?
What should the setup be?
You have 2 choices for this request.
Option 1 - Setting IP Filter with REST Method
Step 1 - Remove the following snippet from /AMS_DIR/webapps/root/WEB-INF/web.xml
<filter>
    <filter-name>AuthenticationFilter</filter-name>
    <filter-class>io.antmedia.console.rest.AuthenticationFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>AuthenticationFilter</filter-name>
    <url-pattern>/rest/*</url-pattern>
</filter-mapping>
Step 2 - Request the application settings with the following REST method, which supports GET:
http://domain-address.com:5080/rest/getSettings/WebRTCAppEE
It returns the settings object for that application.
Step 3 - Add/edit the remoteAllowedCIDR field in the settings object and send the settings object to the following REST method:
http://domain-address:5080/rest/changeSettings/WebRTCAppEE
Request Type: POST
Content-Type: application/json
You can add comma-separated CIDR notations or IP addresses to remoteAllowedCIDR. For instance:
remoteAllowedCIDR=127.0.0.1,12.44.55.3/24,192.123.33.66
Note: You can change the request to https, the port, and the application name (e.g. WebRTCAppEE).
Option 2 - Setting IP Filter with MongoDB
Step 1 - Update the settings.remoteAllowedCIDR and updateTime fields of the settings object in MongoDB -> clusterdb -> AppSettings collection. You can also connect to MongoDB with the service.
a- You can change settings.remoteAllowedCIDR the same way as above.
b- You should also update the updateTime field. You can set the current time in milliseconds (System.currentTimeMillis()). Let me give some more information about why updateTime needs to be updated.
Each AMS node periodically checks the updateTime field in AppSettings to update its application settings. So, after updating the remoteAllowedCIDR field, you need to update the updateTime field to let each node update itself.
Note: In clusterdb, the application settings are stored in MongoDB as a collection.
You can also check the following docs for MongoDB transactions, update operations, and the AppSettings class:
https://docs.mongodb.com/manual/core/transactions-in-applications/
https://docs.mongodb.com/manual/crud/#update-operations
https://github.com/ant-media/Ant-Media-Server-Common/blob/master/src/main/java/io/antmedia/AppSettings.java#L533
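The two options above, written out as an added example (not Ant Media Server's own code): one helper merges new entries into the comma-separated remoteAllowedCIDR value and validates them, one pair of functions does the getSettings/changeSettings round trip of Option 1, and one builds the MongoDB update of Option 2 with updateTime bumped. The host, application name and the `appName` key used to match the AppSettings document are assumptions. Note that Step 1 of Option 1 removes the AuthenticationFilter from /rest/*, so the console REST API answers without credentials until the filter is restored.

```python
"""Maintain remoteAllowedCIDR for one Ant Media Server application.

Added example (not Ant Media Server's own code). Covers both options from the
answer above: the REST getSettings/changeSettings round trip and the MongoDB
update of the AppSettings document in clusterdb.
"""
import ipaddress
import json
import time
import urllib.request

# Either of these as an entry switches the IP filter off entirely.
WILDCARDS = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def normalize_cidrs(current, additions, allow_wildcard=False):
    """Merge additions into the comma-separated remoteAllowedCIDR string.

    Every entry must parse as an address or prefix; host bits in a prefix such
    as 12.44.55.3/24 are cleared (strict=False), duplicates collapse, and the
    result is sorted so repeated runs are idempotent. 0.0.0.0/0 or ::/0 is
    rejected unless explicitly allowed, because it disables the filter.
    """
    entries = [e.strip() for e in current.split(",") if e.strip()]
    entries += [a.strip() for a in additions]
    nets = {ipaddress.ip_network(e, strict=False) for e in entries}
    if not allow_wildcard and nets & WILDCARDS:
        raise ValueError("wildcard prefix would disable the IP filter")
    out = []
    for n in sorted(nets, key=lambda n: (n.version, n)):
        # Single hosts are written bare (127.0.0.1), matching the page's example.
        out.append(str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n))
    return ",".join(out)


def rest_get_settings(base_url, app):
    """GET <base_url>/rest/getSettings/<app> -> settings dict."""
    with urllib.request.urlopen(f"{base_url}/rest/getSettings/{app}", timeout=10) as resp:
        return json.load(resp)


def rest_change_settings(base_url, app, settings):
    """POST the edited settings object back to /rest/changeSettings/<app>."""
    req = urllib.request.Request(
        f"{base_url}/rest/changeSettings/{app}",
        data=json.dumps(settings).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def allow_via_rest(base_url, app, additions):
    """Option 1: fetch, edit remoteAllowedCIDR, send back. Returns the new value."""
    settings = rest_get_settings(base_url, app)
    current = settings.get("remoteAllowedCIDR") or ""
    settings["remoteAllowedCIDR"] = normalize_cidrs(current, additions)
    rest_change_settings(base_url, app, settings)
    return settings["remoteAllowedCIDR"]


def mongo_update(app, cidrs, now_ms=None):
    """Option 2: (filter, update) for the AppSettings collection in clusterdb.

    updateTime is set to the current epoch milliseconds (what
    System.currentTimeMillis() returns) so every node reloads the settings.
    Matching the document by an "appName" field is an assumption; check the
    key your AppSettings documents actually use.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return (
        {"appName": app},
        {"$set": {"settings.remoteAllowedCIDR": cidrs, "updateTime": now_ms}},
    )


if __name__ == "__main__":
    # Shape of both operations; the REST call is commented out because it needs
    # a live server (assumed host and app name).
    print(normalize_cidrs("127.0.0.1,12.44.55.3/24,192.123.33.66", ["10.0.0.0/8"]))
    print(mongo_update("WebRTCAppEE", "10.0.0.0/8"))
    # allow_via_rest("http://domain-address.com:5080", "WebRTCAppEE", ["10.0.0.0/8"])
```

Pass the `(filter, update)` pair from mongo_update straight to a single update_one on the AppSettings collection so the CIDR change and the updateTime bump land in one write.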
In this kind of setup I suggest making use of security at the load balancer level.
A quick option for disabling IP security in the Ant admin would be to put a 0.0.0.0/0 wildcard.
We are having some difficulty when adding basic authentication to Solr 8.6.1. We are following this document, and we have created the security.json file, which is successful (since the Solr instance will ask for userId and password when it starts). Our difficulty happens when trying to enable the global authentication settings: we did pass the -Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory system property, and we also set the -Dbasicauth=username:password property as follows:
// the following is the last line of our Solr Dockerfile:
CMD ["solr-foreground", "-Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory", "-Dbasicauth=username:secret"]
However, the calls to retrieve data from Solr all come back with Error 401 require authentication.
Could someone please kindly let us know what we missed?
You'll have to set the correct options on the client, not on the server. This is a setting that affects how the client that connects to Solr authenticates.
So when running your application, give the parameter to the java command (or configure it to be the default parameter through ant/maven/gradle/etc.).
Setting it on the docker container will not do anything useful.
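The client side of the answer above, as an added example (not Solr's, SolrJ's or the poster's code): -Dbasicauth=user:secret together with PreemptiveBasicAuthClientBuilderFactory makes the SolrJ client attach the Authorization header to its first request instead of waiting for a 401 challenge. The same thing in Python, reading the credentials from an environment variable named SOLR_BASICAUTH (an assumed name, same user:secret format as -Dbasicauth); the Solr URL and collection are placeholders.

```python
"""Send Solr Basic auth from the client, preemptively.

Added example, not Solr code. "Preemptive" means the header goes on the first
request; a client that waits for the 401 challenge first is what the question's
error looks like when the server has security.json enabled.
"""
import base64
import json
import os
import urllib.parse
import urllib.request


def basic_auth_header(credentials):
    """'user:secret' -> value for the Authorization header."""
    user, sep, password = credentials.partition(":")
    if not sep or not user:
        raise ValueError("expected user:password")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def build_query(solr_url, collection, q, credentials, rows=10):
    """A /select request that already carries the credentials."""
    query = urllib.parse.urlencode({"q": q, "rows": rows, "wt": "json"})
    req = urllib.request.Request(f"{solr_url}/solr/{collection}/select?{query}")
    req.add_header("Authorization", basic_auth_header(credentials))
    return req


def run_query(solr_url, collection, q):
    """Execute the query and return numFound; needs a live Solr (not run here)."""
    creds = os.environ["SOLR_BASICAUTH"]  # assumed variable, user:secret format
    with urllib.request.urlopen(build_query(solr_url, collection, q, creds), timeout=10) as resp:
        return json.load(resp)["response"]["numFound"]


if __name__ == "__main__":
    # Shows the header a client must send; no server is contacted here.
    print(build_query("http://localhost:8983", "demo", "*:*", "username:secret").get_header("Authorization"))
```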
Traffic Distributor (https://docs.jelastic.com/traffic-distributor) is a cool feature which adds load balancing to your app and enables Blue/Green deploys.
However, it seems there's no API to control the traffic distributor, so it's impossible to automate the rollout of new releases.
Is there a way to do this?
There is a possibility to create and control Traffic Distributor via API.
Let us explain the flow...
First, you should log in to the platform and get your session.
This can be done with the next API request:
https://app.{platform_domain}/1.0/users/authentication/rest/signin?login={your_email}&password={your_password}
If you are using Jelastic platform v5.1+ you should perform the mentioned request as POST.
As an example, you can do this using curl:
curl 'https://app.{platform_domain}/1.0/users/authentication/rest/signin' -d "login={your_email}&password={your_password}"
Next, you can create the Traffic Distributor using this request:
http://appstore.{platform_domain}/InstallApp?envName=[env_name]&session=[your_session]&jps=traffic-distributor&displayName=[disp_env_name]&settings={"extip":true,"balancerCount":1,"routingMethod":"round-robin","range":50,"backend1":"{environment_1}","backend2":"{environment_2}"}
, where
[env_name] - the name of the environment.
[disp_env_name] - the visible name of the environment in the Dashboard.
[your_session] - your session, which can be taken from the response of the previous request.
The necessary settings of the Traffic Distributor can be specified inside the JSON:
extip - enables the external IP for the Traffic Distributor (highly recommended!).
balancerCount - number of balancers inside the Traffic Distributor (by default = 1).
routingMethod - defines the traffic routing method.
You can specify the following values: round-robin, sticky-sessions or failover
range - defines the percentage of traffic that will be routed to the first environment.
For example:
0 - All requests will be routed to the {environment_2},
100 - All requests will be routed to the {environment_1},
50 - All requests will be balanced between environments equally.
{environment_1} - URL to the first environment like env-XXXXXXX.{platform_domain}
{environment_2} - URL to the second environment like env-XXXXXXX.{platform_domain}
After executing this method, the Traffic Distributor will appear in the Jelastic Dashboard.
Please execute the next API request and take the "uniqueName" value from the response (inside the Addons section):
https://app.{Platform_domain}/1.0/environment/control/rest/getenvinfo?envname=[env_name]&session=[your_session]
, where [env_name] - the name of the created environment with the Traffic Distributor addon.
Now you can control the settings of the created Traffic Distributor with the next API:
https://appstore.{Platform_domain}/ExecuteAppAction?session=[your_session]&appUniqueName=[app_unique_name]&action=configure&params={"extip":1,"balancerCount":1,"routingMethod":"sticky-sessions","range":50,"backend1":"{environment_1}","backend2":"{environment_2}"}
, where
[app_unique_name] - the value "uniqueName" from the response of the previous request.
The settings inside the JSON are exactly the same as for the InstallApp API request.
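The flow above scripted end to end, as an added example (not Jelastic's own client): build the signin, InstallApp, getenvinfo and ExecuteAppAction requests, validate the settings JSON, then move traffic from the blue to the green environment in steps. `platform` stands for {platform_domain}; the https scheme on every call, the `session` key in the signin reply, and the nesting searched by find_unique_name are assumptions. Signin is sent as a POST form body, as the answer says for v5.1+, which also keeps the password out of URL query strings and access logs.

```python
"""Automate a Traffic Distributor rollout through the Jelastic API.

Added example, not Jelastic code. Assumed: https everywhere, a "session" key in
the signin response, and that getenvinfo's JSON contains a "uniqueName" key
somewhere under its addons section.
"""
import json
import urllib.parse
import urllib.request

ROUTING_METHODS = ("round-robin", "sticky-sessions", "failover")


def td_settings(backend1, backend2, range_pct=50, routing="round-robin",
                balancer_count=1, extip=True):
    """The settings JSON shared by InstallApp and the configure action."""
    if routing not in ROUTING_METHODS:
        raise ValueError(f"routingMethod must be one of {ROUTING_METHODS}")
    if not 0 <= range_pct <= 100:
        raise ValueError("range is the percent of traffic sent to backend1 (0..100)")
    return {"extip": extip, "balancerCount": balancer_count, "routingMethod": routing,
            "range": range_pct, "backend1": backend1, "backend2": backend2}


def signin_request(platform, email, password):
    """POST form body (v5.1+): credentials stay out of the URL and the logs."""
    body = urllib.parse.urlencode({"login": email, "password": password}).encode()
    return urllib.request.Request(
        f"https://app.{platform}/1.0/users/authentication/rest/signin", data=body, method="POST")


def install_url(platform, env_name, session, display_name, settings):
    query = urllib.parse.urlencode({
        "envName": env_name, "session": session, "jps": "traffic-distributor",
        "displayName": display_name, "settings": json.dumps(settings, separators=(",", ":"))})
    return f"https://appstore.{platform}/InstallApp?{query}"


def envinfo_url(platform, env_name, session):
    query = urllib.parse.urlencode({"envname": env_name, "session": session})
    return f"https://app.{platform}/1.0/environment/control/rest/getenvinfo?{query}"


def configure_url(platform, session, app_unique_name, settings):
    query = urllib.parse.urlencode({
        "session": session, "appUniqueName": app_unique_name, "action": "configure",
        "params": json.dumps(settings, separators=(",", ":"))})
    return f"https://appstore.{platform}/ExecuteAppAction?{query}"


def query_params(url):
    """Decode a built URL's query back into a dict (settings/params JSON included)."""
    params = {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}
    for key in ("settings", "params"):
        if key in params:
            params[key] = json.loads(params[key])
    return params


def find_unique_name(envinfo):
    """Depth-first search for the first "uniqueName" key in getenvinfo's reply
    (the answer says it sits in the Addons section; the exact nesting is assumed)."""
    if isinstance(envinfo, dict):
        if "uniqueName" in envinfo:
            return envinfo["uniqueName"]
        envinfo = list(envinfo.values())
    if isinstance(envinfo, list):
        for item in envinfo:
            found = find_unique_name(item)
            if found:
                return found
    return None


def call(req_or_url):
    with urllib.request.urlopen(req_or_url, timeout=30) as resp:
        return json.load(resp)


def rollout(platform, email, password, env_name, blue, green, steps=(75, 50, 25, 0)):
    """Blue/green: install with 100% on blue, then shift traffic to green in steps.
    Needs a live platform; returns the settings applied last."""
    session = call(signin_request(platform, email, password))["session"]  # key assumed
    call(install_url(platform, env_name, session, env_name, td_settings(blue, green, range_pct=100)))
    unique = find_unique_name(call(envinfo_url(platform, env_name, session)))
    settings = None
    for pct in steps:
        settings = td_settings(blue, green, range_pct=pct)
        call(configure_url(platform, session, unique, settings))
    return settings
```

Because td_settings refuses an unknown routingMethod or a range outside 0..100 before any request is built, a typo in a deployment script fails locally instead of leaving the distributor half-configured.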
I'm configuring keystone (as SP) for federation, and I have a question about the Shibboleth setup [1]. I need to edit the shibboleth2.xml file and add the SP entity ID:
<ApplicationDefaults entityID="http://mysp.example.com/shibboleth">
In my case, it would be:
<ApplicationDefaults entityID="http://10.7.49.47:5000/shibboleth">
I don't know if this is the right value. When I try to access 10.7.49.47:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth, I receive the error:
Unable to locate metadata for 'http://10.7.49.47:5000/shibboleth'
I want to understand better how Shibboleth works with keystone, and how to get this Keystone SP entityID. I don't know if I need to configure something to make '/shibboleth' work.
I need to get this entityID to configure my IdP SimpleSAMLphp and add the SP there [2].
[1] https://docs.openstack.org/developer/keystone/federation/shibboleth.html
[2] https://simplesamlphp.org/docs/1.5/simplesamlphp-idp#section_5
One, I recommend you use HTTPS to connect with Shibboleth. If that is already your case, then ignore this.
Two, the entityID does not need to match your host or IP. So if you want, you can omit the port from the entityID. You can use any string, for that matter.
Now, to answer your question, see my other answer for the steps to integrate Shibboleth. Though those are steps for a Java application, it is mostly done in Apache httpd, so it is relevant to anybody.
See step 3 from that post; that is where your Apache server learns which location to protect.
P.S. The path your application listens on is /Shibboleth.sso/, not /shibboleth
Recently I have a project that needs to use haproxy. After I read the config doc I found the acl.
With the acl I can filter some backends by the request url; that's cool.
But not enough. I want to generate a dynamic backend server from the url params which I matched, for example:
acl dynamic_ser url_reg /*.(10.0.0.1|10.0.0.2)$
use_backend dynamic_server if dynamic_ser

backend dynamic_server
    balance leastconn
    option httpclose
    server node1 10.0.0.1:8080
    server node2 10.0.0.2:8080
And for my question, the url is dynamic: sometimes it may be /path?ip=10.0.0.1 and
sometimes it may look like /path?ip=10.0.0.1&10.0.0.2 and maybe /path?ip=10.0.0.1&10.0.0.2&10.0.0.3 also.
And every time I want to get the backend server depending on the match. Of course I can define these servers one at a time, but I don't think it's good. Is there any method I can use?
Remember that & is the delimiter between key-value pairs, so /path?ip=10.0.0.1&10.0.0.2 is mapped to {'ip': '10.0.0.1', '10.0.0.2': null}
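What the comment above means in practice, as an added example (not HAProxy code and not from the thread): the question's URLs run through a standard query-string parser so the `&`-delimited form and the `ip=a,b,c` form both yield the requested addresses, and the backend is then chosen only from a fixed allowlist. A backend picked straight from client-supplied text would let any caller steer the proxy at an address of their choosing, so the lookup refuses anything not on the list. The BACKENDS table is constructed for the example.

```python
"""Pick a backend from the ip= query parameter, but only from an allowlist.

Added example, not HAProxy code. Shows how '/path?ip=10.0.0.1&10.0.0.2' parses
once '&' is the pair delimiter, and why a backend chosen from client input must
be checked against a fixed list before it is used.
"""
import ipaddress
from urllib.parse import parse_qsl, urlsplit

# Constructed allowlist: only these addresses may ever be selected from a URL.
# Anything else (loopback, a cloud metadata address, another tenant's host)
# is refused and the caller falls through to its default backend.
BACKENDS = {"10.0.0.1": "node1", "10.0.0.2": "node2", "10.0.0.3": "node3"}


def raw_pairs(url):
    """Key/value pairs exactly as a query-string parser sees them.
    keep_blank_values=True retains the bare '10.0.0.2' in
    '/path?ip=10.0.0.1&10.0.0.2'; it arrives as a *key* with an empty value."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def requested_ips(url):
    """Every address the client asked for, accepting both the poster's
    'ip=a&b&c' form and the conventional 'ip=a,b,c' form. Tokens that are
    not valid IP addresses are dropped rather than passed on."""
    tokens = []
    for key, value in raw_pairs(url):
        if key == "ip":
            tokens.extend(value.split(","))
        elif value == "":
            tokens.append(key)  # bare '&10.0.0.2' token from the question
    ips = []
    for tok in tokens:
        try:
            ips.append(str(ipaddress.ip_address(tok.strip())))
        except ValueError:
            continue
    return ips


def select_backend(url):
    """First allowlisted backend named in the URL, or None (use default_backend)."""
    for ip in requested_ips(url):
        if ip in BACKENDS:
            return BACKENDS[ip]
    return None


if __name__ == "__main__":
    for url in ("/path?ip=10.0.0.1", "/path?ip=10.0.0.1&10.0.0.2&10.0.0.3",
                "/path?ip=169.254.169.254"):
        print(url, "->", raw_pairs(url), "->", select_backend(url))
```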
I have a shared Windows hosting account with IIS 7.5 and Plesk 10.4.
Now, when I try to visit any page (an aspx page, some php pages, or even a jpg file), it shows this error:
Server Error
500 - Internal server error. There is a problem with the resource you
are looking for, and it cannot be displayed.
These are the last lines of the log file (which Plesk shows me):
2012-03-01 18:25:59 W3SVC100 H105 208.67.23.51 GET /15iya/31.jpg - 80 109.162.226.165 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.2;+WOW64)+AppleWebKit/535.7+(KHTML,+like+Gecko)+Chrome/16.0.912.63+Safari/535.7 jsuid=1735775291;+_cfduid=dcb02ca5c638c5a33cf10003ae6ac2c561326405625;+_utma=117785567.65259312.1326369096.1330372520.1330376628.15;+_utmz=117785567.1327165762.11.5.utmcsr=2barnamenevis.com|utmccn=(referral)|utmcmd=referral|utmcct=/ ghiasi.net 500 19 13 1380 627 531
2012-03-01 18:26:13 W3SVC100 H105 208.67.23.51 GET / - 80 - 109.162.226.165 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.2;+WOW64)+AppleWebKit/535.7+(KHTML,+like+Gecko)+Chrome/16.0.912.63+Safari/535.7 jsuid=1735775291;+_cfduid=dcb02ca5c638c5a33cf10003ae6ac2c561326405625;+_utma=117785567.65259312.1326369096.1330372520.1330376628.15;+_utmz=117785567.1327165762.11.5.utmcsr=2barnamenevis.com|utmccn=(referral)|utmcmd=referral|utmcct=/ ghiasi.net 500 19 13 1380 615 515
Try checking whether your ASP.NET version is enabled properly in Plesk:
https://www.motherhost.com/help/plesk-windows-hosting/iis-shows-500-internal-server-error-on-everything/
To configure ASP.NET Settings for a site:
If you are subscribed to several hosting packages and have access to several webspaces associated with your account, in the Subscription menu at the top of the screen, select the required webspace.
Go to the Websites & Domains tab and click your website's domain name.
Click ASP.NET Settings.
Set up the strings that determine database connection data for ASP.NET applications that use databases. This option is available only for ASP.NET 2.0.x.
When you open the ASP.NET configuration screen for the first time, sample connection parameters with common constructions are displayed. You can delete them and specify your own strings.
To add a string, enter the required data into the Name and Connection Parameters input fields and click next to them.
To remove a string, click next to it.
Set up custom error messages that will be returned by ASP.NET applications in the Custom Error Settings field:
To set the custom error messages mode, select an appropriate option from the Custom error mode menu:
On - custom error messages are enabled.
Off - custom error messages are disabled and detailed errors are to be shown.
RemoteOnly - custom error messages are displayed only to remote clients, and ASP.NET errors are shown to the local host users.
To add a new custom error message (which will be applied unless the Off mode was selected), enter the values in the Status Code and Redirect URL fields, and click .
Status Code defines the HTTP status code resulting in redirection to the error page.
Redirect URL defines the web address of the error page presenting information about the error to the client.
Due to possible conflicts, you cannot add a new custom error message with an error code that already exists, but you can redefine the URL for the existing code.
To remove a custom error message from the list, click next to it.
Configure compilation settings in the Compilation and Debugging field:
To determine the programming language to be used as default in dynamic compilation files, choose an entry from Default web page language list.
To enable compiling retail binaries, leave the Switch on debugging checkbox empty.
To enable compiling debug binaries, select the Switch on debugging checkbox. In this case, the source code fragments containing error will be shown in a diagnostic page message.
Note. When running applications in debug mode, a memory and/or performance overhead occurs. It is recommended to use debugging when testing an application and to disable it before deploying the application into production scenario.
Configure encoding settings for ASP.NET applications in the Globalization Settings section:
To set an adopted encoding of all incoming requests, enter an encoding value into the Request encoding field (default is utf-8).
To set an adopted encoding of all responses, enter an encoding value into the Response encoding field (default is utf-8).
To set an encoding which must be used by default for parsing of .aspx, .asmx, and .asax files, enter an encoding value into the File encoding field (default is Windows-1252).
To set a culture which must be used by default for processing incoming web requests, select an appropriate item from the Culture list.
To set a culture which must be used by default when processing searches for a locale-dependent resource, select an appropriate item from the UI Culture list.
Set a code access security trust level for ASP.NET applications in the Code Access Security field.
CAS trust level is a security zone to which applications execution is assigned, defining what server resources the applications will have access to.
Important: When an assembly is assigned a trust level that is too low, it does not function correctly. For more information on the permissions levels see http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh09.asp?frame=true#c09618429_010.
Enable the usage of the auxiliary scripts in the Script Library Settings field. Specifying the script library settings is necessary if the validation web controls are used on your web site. This option is available only for ASP.NET 1.1.x.
If you need to use auxiliary scripts (specifically, scripts implementing objects for validating input data), provide the settings for .NET framework script library. To do so, enter the path beginning with the domain root directory preceded by the forward slash into the Path to Microsoft script library field, or click the folder icon next to the Path to Microsoft script library field and browse for the required location.
To initiate the auto-installation of files containing the scripts to the specified location, select the Install checkbox. If the files already exist there, they will be rewritten.
Set client session parameters in the Session Settings field:
To set up the default authentication mode for applications, select an appropriate item from the Authentication mode list. Windows authentication mode should be selected if any form of IIS authentication is used.
To set up time that a session can remain idle, type the number of minutes into the Session timeout box.
Click OK to apply all changes.