Mikrotic SSL Https Error - ssl

I'm trying to build an hotspot with mikrotik to allow the internet to my clients! So, the problem starts when i'm trying to access sites with Https sercurity like facebook, before the user authenticates.
With normal http connection the hotspot works fine, but when i put https, i'm getting this error: error
Can someone please help me? I have read all the docs in the mikrotik forum, nothing worked!

it's good news that nothing worked because it's the purpose of HTTPS: ensure that the site you want is the site you get. Hotspot does exactly the reverse: you ask for a website and you get another one (hotspot landing page): error.
There is no workaround without installing your certificate on each client, which is not doable on a hotspot environment.
Hopefully, problem has been handled with CNAs (Captive Network Assistants) which detect hotspot presence and launch an automatic HTTP request before the user has time to launch its own browser and navigate to Facebook. Latest iOS/Android/Windows versions do that automatically.

Related

ArcEnterprise issue with connecting to Developer WAB?

I have been having some issues connecting to the Developer WAB application from the Enterprise instance I am currently using. I have followed all of the steps outlined in the guide provided by Esri here and seem to be running into an authentication loop in my browser.
There is an error in the web page Console that states that there is 'No 'Access-Control-Allow-Origin' header present on the requested resource'.
The error displaying in the Web AppBuilder for ArcGIS says that there is no token found, and so redirects back to the 'setportalurl' page. Any ideas on how this can be resolved?
No token is found, redirect /webappbuilder/ to /webappbuilder/?action=setportalurl
Cheers
As the Developer WAB uses the machine name and port for it's domain, ArcGIS is rejecting the request for security reasons.
If you paste the full domain into the "Allow Origins" section of your portal's security settings and save, this should then work properly.
Might not be applicable to your scenario, but for people getting the same error when working from localhost this can be an issue with WAB Dev Edition's self-signed cert.
The solution for me was to allow the chrome flag:
chrome://flags/#allow-insecure-localhost

404 error with custom domain for Google Cloud Run service

I created a custom domain mapping for my Cloud Run service following this guide https://cloud.google.com/run/docs/mapping-custom-domains.
I can access my service via the https run.app URL and the custom domain via HTTP, but when I go to the custom domain via HTTPS, I get back a Google 404 error page.
The weird thing is, this seems to be an issue on my local laptop (both browser and curl on the terminal), but curl-ing it from a remote server seems to work ok.
As #LundinCast pointed out, there seems to be an outage on the Google server side. I'll monitor the situation and mark this as resolved for now.
Edit: I'm guessing this is related to https://status.cloud.google.com/incident/cloud-networking/19016

facebook login on localhost without https

I know there are about a hundred questions of this on SO, but none of them are maybe up-to-date with what seems to be happening on facebook platform right now. It seems the switch that turns off SSL is disabled:
It may be hard to see, but the "Enforce HTTPS" toggle is greyed out and can't be toggled. I'm all for enforcing HTTPS in production, but is everyone who is building against facebook API really setting up an SSL certificate on their local server just for this?
You will still be able to use HTTP with “localhost” addresses, but
only while your app is still in development mode.
You can change the App mode to Development Mode from App Dashboard:
In this mode you can only test your application with Facebook test user accounts. You can obtain the test accounts login credentials from your app dashboard.
Please note, http://localhost redirects are automatically allowed while in development mode only and do NOT need to be added in Valid OAuth Redirect URIs section.
Read more about it in this Facebook Blog.
2021 update: Facebook do not allow localhost over HTTP any more. You will need to get your site working locally over HTTPS for testing. This is despite their blog post and the literal Facebook developer console assuring you that they allow localhost over HTTP by default.
paste this in your client json
"start": "set HTTPS=true&&react-scripts start",
next copy and enter this in your url bar .
chrome://flags/#allow-insecure-localhost,
and set Allow invalid certificates for resources loaded from localhost to enabled
The most simple way to test your facebook login, since you cannot dissable anymore "Enforce HTTPS" option, is to use ngrok:
ngrok.com
Im linux user. After installing it just type at your terminal:
ngrok http 80
and automaticly will be created a new https domain just for your local project. You will see an ui interface in your terminal and your secure domain will be that who starts with https://
Copy the domain and use it in developers.facebook.com in your app to see if you code is good or not.
If is good its ok keep going until you will host your project on a secure domain.
For more info and docs about ngrok.com see:
ngrok docs
This setting requires HTTPS for OAuth Redirects, and it requires and Facebook JavaScript SDK calls that return or require an access token are only from HTTPS pages. All new apps created as of March 2018 have this setting on by default, and you should plan to migrate any existing apps to use only HTTPS URLs by October 6, 2018.
Most major cloud application hosts provide free and automatic configuration of TLS certificates for your applications. If you self-host your app or your hosting service doesn't offer HTTPS by default, you can obtain a free certificate for your domain(s) from Let's Encrypt.
https://developers.facebook.com/docs/facebook-login/security

Safari 9 disallowed running of insecure content?

after upgrading to Safari 9 I'm getting this error in the browser:
[Warning] [blocked] The page at https://localhost:8443/login was not allowed to run insecure content from http://localhost:8080/assets/static/script.js.
Anyone knows how to enable the running of insecure content on the new Safari?
According to the Apple support forums Safari does not allow you to disable the block on mixed content.
Though this is frustrating for usability in legitimate cases like yours, it seems to be part of their effort to force secure content serving / content serving best practices.
As a solution for you you can either upgrade the HTTP connection to HTTPS (which it seems you have done) or proxy your content through an HTTPS connection with an HTTPS-enabled service (or, in your case, port).
You can fix the HTTPS problem by using HTTPS locally with a self signed SSL certificate. Heroku has a great how-to article about generating one.
After setting up SSL on all of your development servers, you will still get an error loading the resource in Safari since an untrusted certificate is being used(self signed SSL certificates are not trusted by browsers by default because they cannot be verified with a trusted authority). To fix this, you can load the problematic URL in a new tab in Safari and the browser will prompt you to allow access. If you click "Show Certificate" in the prompt, there will be a checkbox in the certificate details view to "Always allow content from localhost". Checking this before allowing access will store the setting in Safari for the future. After allowing access just reload the page originally exhibiting a problem and you should be good to go.
This is a valid use case as a developer but please make sure you fully understand the security implications and risks you are adding to your system by making this change!
If like me you have
frontend on port1
backend on port2b
want to load script http://localhost:port1/app.js from http://localhost:port2/backendPage
I have found an easy workaround: simply redirect with http response all http://localhost:port2/localFrontend/*path to http://localhost:port1/*path from your backend server configuration.
Then you could load your script directly from http://localhost:port2/localFrontend/app.js instead of direct frontend url. (or you could configure a base url for all your resources)
This way, Safari will be able to load content from another domain/port without needing any https setup.
For me disabling the Website tracking i.e. uncheck the Prevent cross-site tracking worked.

SWT Browser Plugin does not promt for proxy authentication

I have successfully configured my SWT Browser application to use the proxy by setting VM arguments -Dnetwork.proxy_host and -Dnetwork.proxy_port to the according values.
However the proxy needs authentication, but the username / password prompt does not open. Futhermore when registering an authentication listener, the listener is never triggered.
The problems occured with a Linux Debian 64 Bit distribution. When compiling the same application for windows, all works fine, i.e. the password promt opens. The SWT Browser is configured to use MOZILLA, not WEBKIT. Unfortunatelly I cannot test with WEBKIT as I am limited to a given environment.
Temp solution: When starting the Linux Mozilla Browser, the prompt comes up. If entering there correct values and afterwards starting the SWT Browser application, then no authentication is needed at all and internet access is possible. But this is not a good solution.
When I register a location listener with "addLocationListener" to look whats going on with url calls, then I can see that the initial url (for example www.google.de) results to call a certain http site of the proxy server. And this http site is a redirect to a https site of the proxy. Then the https site results in calling the http redirect page again. This is then an endless loop.
I would guess that somewhere in the JAVA code of the SWT Browser class there is a routine that calls setUrl with those pages (what results in an
endless loop) and skip to call any authentication listener for some reason.
Maybe someone has an idea whats going wrong in this authentication process?
I have no solution but a hint: I'm not sure what you mean by "Linux Mozilla Browser" - I know Firefox and Xulrunner. But your workaround suggests that profile information is shared somehow and that shouldn't happen.
I tried to find some information how to define the profile (where the web browser keeps its cache, config, SSL certificates, plugins, ...) but to no avail.
This entry in the FAQ shows how to set the proxy host: How do I set a proxy for the Browser to use?
Try to find a way to add the user/password information into the request sent to the proxy server. If that fails, create a local proxy which connects to the real proxy as upstream and which can authenticate itself.
Looking at the bug database, there is no support for Browser profiles: Flexible Mozilla profile support - new API request