i wondering, it is possible to redirect ALL WEBSITE to a URL(authentication page) in localhost (wampserver)..
after client login (in the authentication page) with correct ID and PASSWORD, then the client will be able to access to any WEBSITE.
You could setup basic authentication in apache. Edit httpd.conf by clicking through from the WampServer icon and follow these instructions. However, instead of using <Directory "/var/www/html/protected"> and doing it for each vhost, use <Location />. This is because each site will match that location directive so will all need to run the same authentication before sites will be shown.
If you didn't want to use basic auth in this manner, then I'd suggest you setting up shared authentication on your sites (like stack uses OpenID) or looking at something like CORS, but that seems like a lot of work.
The final thing I'd point out is IP restriction. We have some clients/staff/etc that access our dev servers but it's all locked down to specific IPs and luckily so far everyone who's needed it has had a static IP. This may not be an option.
Related
I know there are about a hundred questions of this on SO, but none of them are maybe up-to-date with what seems to be happening on facebook platform right now. It seems the switch that turns off SSL is disabled:
It may be hard to see, but the "Enforce HTTPS" toggle is greyed out and can't be toggled. I'm all for enforcing HTTPS in production, but is everyone who is building against facebook API really setting up an SSL certificate on their local server just for this?
You will still be able to use HTTP with “localhost” addresses, but
only while your app is still in development mode.
You can change the App mode to Development Mode from App Dashboard:
In this mode you can only test your application with Facebook test user accounts. You can obtain the test accounts login credentials from your app dashboard.
Please note, http://localhost redirects are automatically allowed while in development mode only and do NOT need to be added in Valid OAuth Redirect URIs section.
Read more about it in this Facebook Blog.
2021 update: Facebook do not allow localhost over HTTP any more. You will need to get your site working locally over HTTPS for testing. This is despite their blog post and the literal Facebook developer console assuring you that they allow localhost over HTTP by default.
paste this in your client json
"start": "set HTTPS=true&&react-scripts start",
next copy and enter this in your url bar .
chrome://flags/#allow-insecure-localhost,
and set Allow invalid certificates for resources loaded from localhost to enabled
The most simple way to test your facebook login, since you cannot dissable anymore "Enforce HTTPS" option, is to use ngrok:
ngrok.com
Im linux user. After installing it just type at your terminal:
ngrok http 80
and automaticly will be created a new https domain just for your local project. You will see an ui interface in your terminal and your secure domain will be that who starts with https://
Copy the domain and use it in developers.facebook.com in your app to see if you code is good or not.
If is good its ok keep going until you will host your project on a secure domain.
For more info and docs about ngrok.com see:
ngrok docs
This setting requires HTTPS for OAuth Redirects, and it requires and Facebook JavaScript SDK calls that return or require an access token are only from HTTPS pages. All new apps created as of March 2018 have this setting on by default, and you should plan to migrate any existing apps to use only HTTPS URLs by October 6, 2018.
Most major cloud application hosts provide free and automatic configuration of TLS certificates for your applications. If you self-host your app or your hosting service doesn't offer HTTPS by default, you can obtain a free certificate for your domain(s) from Let's Encrypt.
https://developers.facebook.com/docs/facebook-login/security
Our client has a set of (5-6) intranet/internet applications either custom developed or 3d-party, located in various web servers, which applications we cannot modify/control.
We have developed a web portal application (A) and the client wants that all its other applications (B) are accessed only via A, meaning that if a user enters directly the application url for B, he gets an error page telling that access is allowed only via A. So, user has to log in to application A and then click a link to application B to access it. This requirement has been asked for security reasons and to make A act as an access gateway to other applications (B).
Is this possible and how can we implement it? Should we use another web server on the top acting as a proxy to all other applications (B) or is there a better solution for this? And if we use another web server as a proxy should we implement the referrer logic with a user id - token approach combined with appropriate session cookies, so that the application B's url cannot be hacked and is unique for each user and session?
Sorry if I stated my questions unclearly or in a wrong way, but I'm unfamiliar with network/system administration and web servers. I can provide more details where needed.
there are different approaches here:
1. using firewall setup access to B http{s} port only from A IP address.
2. set Directory restriction in httpd.conf for aps B directory like:
<Directory "/var/www/B">
AllowOverride None
Order allow,deny
Allow from <IP of A>
</Directory>
in APS A create link (http://ip_A/accesstoB/somepath/script.php) that will Proxied to B using .htaccess rule like:
RewriteRule ^accesstoB/(.*)$ http://<ip_B>/$1 [P]
in this example: customer accessing http://ip_A/accesstoB/somepath/script.php link will be proxied to http://ip_B/somepath/script.php
You begin with restricting access to B Applications by using web server conf files or with firewall restrictions based on ip.
Then you redirect all these requests to new wrapper app you will develop.
With this wrapper app you do whatever authentication you like, then your wrapper app does the http/https request(via libcurl or etc.) and echoes the response.
I'm developing a web page using Flask, on an Apache server where the Server is enforcing basic authentication. That is, a user accessing a page on the server is presented with a login screen by Apache, and the login credentials checked prior to passing the request to my page.
The question is whether, and how, I can access the user name from my flask/python code. When using PHP instead of flask/python, on the same server, it is straightforward: The username is a available as a $_SERVER variable (available twice it seems, as the value for keys PHP_AUTH_USER, and also AUTHENTICATE_CN). I'm guessing/hoping that Apache would similarly make the authenticated username available to flask (perhaps through WSGI somehow), but I can't find it.
I've tried displaying all the key/value pairs in request.headers, but the username isn't there. Is there somewhere else I should look?
You can find authentication information in Flask from the request object.
from flask import request
def my_view():
auth = request.authentication
username = auth.username
password = auth.password
...
Note however that if you're using apache mod_wsgi, you'll need to turn on the WSGIPassAuthorization directive in your virtualhost config. Otherwise apache will consume the authentication header and won't pass it to the WSGI layers.
<virtualhost *:443>
...
WSGIPassAuthorization On
...
</virtualhost>
more info here and here.
I eventually found it, it's available as:
request.environ.get('REMOTE_USER')
Not knowing this wasn't my only problem however, in case
it's useful for anyone, here's the story:
Firstly I tried to find out if WSGI was passing the authentication
info through to flask. This answer to a different question was very
helpful (it shows you how to see everything WSGI is providing before
it gets to flask):
https://stackoverflow.com/a/1151129/1956954
When I list the WSGI info as per that answer, it didn't have the
user information. But that turned out to be because the setup for
apache basic authentication in the relevant sites-enabled apache
config file was configured for the document root (a htdocs folder).
Since I'm using WSGI to redirect the relevant requests to a folder
outside of the document route, I didn't actually have authentication
turned on for my page. (And I didn't notice that because I had accessed
some pages under htdocs, been forced to authenticate, and assumed that
I wasn't being asked to authenticate when I went to my flask pages
because the authentication had been cached).
Creating another section in the relevant apache sites-enabled
file setting up authentication for my flask directories enabled authentication
I currently have a landing page setup on my domain.com which already receives traffic.
It will shortly be replaced with an online store. I need to upload this store to my live server in order to get it approved by the Merchant Facility Providers (MFP), and they require it to be accessible from it's final live location on domain.com in order to get approvals. I can't have users access this site until it has met approvals.
To accomplish this I wish to redirect all domain.com traffic to domain.com/holding/ except for MFP visitors.
Ideally this would be restricted by IP address, however MFP say they will need to grant a number of external parties access, and so IP address based access will not be acceptable and I should use passwords.
So my question is, how can I automatically redirect all traffic from domain.com to the holding page domain.com/holding/ unless they have logged in using a password at domain.com/login?
Users visiting the domain.com should not be asked for a password.
Will this be possible using just .htaccess/.htpasswd?
If so, can someone suggest how the logic of how it could work?
It's not possible using just an .htaccess file as all visitors would be presented with an HTTP standard authentication dialog if you enabled it on your domain.com site at the doc_root level.
Without knowing what scripting language you're using? (you've not indicated in the tags, just apache), but you could provide one index page that both acts as a landing page for users/potential-users as well as provide a login (username/password form) for MFP parties (wherever they may come from).
That way, you fulfil both needs without offending or discriminating in any way against any party.
As #nickhar has pointed out, there appears to be no way of doing this using just .htaccess.
My solution was to use a rewrite rule to redirect all requests from domain.com to domain.com/holding unless a specific cookie was set (checked for using RewriteCond %{HTTP_COOKIE}).
I set this cookie in a php script on domain.com/login, which was password protected using .htaccess/.htpasswd.
This is by no means a particularly secure solution, but is adequate for my purposes of keeping the site hidden from general traffic while the approval process is completed.
I am trying to add OAuth athentication with to access YouTube, but how do I add localhost as domain?
For example on domain registration page here, I want to use localhost, since I am developing this application locally.
Please help me or suggest me alternative ways
Thank you
P.S. I also added this question on https://webapps.stackexchange.com/, but not sure about community activity there so please ignore
Obviously you can't register 'localhost' for authentication since it is merely an alias. If you want to use OAuth with any Google service, you'll have to have a domain. If you're developing a desktop app, there is a workaround (this may actually work for all but I didn't try):
You can actually sign your OAuth requests without registering your domain with Google by creating a signature using HMAC-SHA1, a consumer key of "anonymous" and a consumer secret of "anonymous". Just make sure you have the appropriate signature base string for your requests.
http://code.google.com/apis/accounts/docs/OAuth_ref.html#SigningOAuth
On the page in Google's APIs console where you provide redirect URIs for your app, you can use localhost. Or you can give another name to localhost in your /etc/hosts file like this:
127.0.0.1 localhost myname.madeupdomain.net