Can access a host on port 9988 locally but not remotely - wcf

I've set up a page and host it using bindings on ports 80 and 9988 for all incoming IPs. When testing locally on localhost:port it works for both the values but when accessing it remotely, only port 80 gives the desired result. The other one brings out connection time out.
First I thought it had to do with not recognized HTTP request so I added http:// before the IP number but that didn't make any difference.
I'm guessing that I need to alter web.config but I'm unclear why (and how). The only change from the vanilla state I've made was to allow for multiple site bindings (multipleSiteBindingsEnabled), believing that's enough. It's not, apparently. :)
Eventually, I'll be hosting the site on several different ports (none of which is the default 80, though).
What do I need to do?

Firewall...
And since SO requires a minimum number of characters: check the settings of your firewall.
My experience is that when a connection isn't working but it should, you need to go "have-you-tried-turning-it-on-and-off-again" but web style: "have-you-checked-your-firewall-settings".
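A way to confirm the firewall diagnosis before changing rules, as an added example that is not part of the original answer: a TCP probe that separates "timeout" (packets dropped, the symptom in the question) from "refused" (host reached, nothing listening on that address). The function names and the interpretation strings are constructed for illustration.

```python
import errno
import socket


def classify_error(exc):
    """Map a failed connect() to the symptom a user would report."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"      # no answer to the SYN: packets are dropped on the way
    if isinstance(exc, ConnectionRefusedError):
        return "refused"      # host answered with RST: no listener on that address/port
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"  # routing problem, not a port problem
    return "error"


def probe(host, port, timeout=3.0):
    """Try one TCP connection and return 'open' or the classified failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify_error(exc)


def interpret(local, remote):
    """Combine the result seen on the server with the result seen from a remote client."""
    if local != "open":
        return "service is not listening locally; fix the site binding first"
    if remote == "open":
        return "reachable; nothing is filtering this port"
    if remote == "timeout":
        return "listener is up but packets are dropped; check firewall inbound rules for this port"
    if remote == "refused":
        return "host is reachable but rejects the port; check that the binding covers the external address"
    return "no route to the host; check addressing before the firewall"


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> <port>, e.g. the server's address and 9988
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it on the server against 127.0.0.1 and from the remote client against the server's address, then pass both results to `interpret()`. A firewall configured to reject rather than drop also produces "refused", so treat that result as a hint rather than proof.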

Related

If I change web hosting and re-point my domain to it, can it still read secure cookies from the previous server? [duplicate]

I have two HTTP services running on one machine. I just want to know if they share their cookies or whether the browser distinguishes between the two server sockets.
The current cookie specification is RFC 6265, which replaces RFC 2109 and RFC 2965 (both RFCs are now marked as "Historic") and formalizes the syntax for real-world usages of cookies. It clearly states:
Introduction
...
For historical reasons, cookies contain a number of security and privacy infelicities. For example, a server can indicate that a given cookie is intended for "secure" connections, but the Secure attribute does not provide integrity in the presence of an active network attacker. Similarly, cookies for a given host are shared across all the ports on that host, even though the usual "same-origin policy" used by web browsers isolates content retrieved via different ports.
And also:
8.5. Weak Confidentiality
Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a service running on another port of the same server. For this reason, servers SHOULD NOT both run mutually distrusting services on different ports of the same host and use cookies to store security sensitive information.
According to RFC2965 3.3.1 (which might or might not be followed by browsers), unless the port is explicitly specified via the port parameter of the Set-Cookie header, cookies might or might not be sent to any port.
Google's Browser Security Handbook says: "by default, cookie scope is limited to all URLs on the current host name - and not bound to port or protocol information." and some lines later: "There is no way to limit cookies to a single DNS name only [...] likewise, there is no way to limit them to a specific port." (Also, keep in mind that IE does not factor port numbers into its same-origin policy at all.)
So it does not seem to be safe to rely on any well-defined behavior here.
This is a really old question but I thought I would add a workaround I used.
I have two services running on my laptop (one on port 3000 and the other on 4000).
When I would jump between (http://localhost:3000 and http://localhost:4000), Chrome would pass in the same cookie, each service would not understand the cookie and generate a new one.
I found that if I accessed http://localhost:3000 and http://127.0.0.1:4000, the problem went away since Chrome kept a cookie for localhost and one for 127.0.0.1.
Again, no one may care at this point but it was easy and helpful to my situation.
This is a big gray area in cookie SOP (Same Origin Policy).
Theoretically, you can specify port number in the domain and the cookie will not be shared. In practice, this doesn't work with several browsers and you will run into other issues. So this is only feasible if your sites are not for general public and you can control what browsers to use.
The better approach is to get 2 domain names for the same IP and not relying on port numbers for cookies.
An alternative way to go around the problem, is to make the name of the session cookie be port related. For example:
mysession8080 for the server running on port 8080
mysession8000 for the server running on port 8000
Your code could access the webserver configuration to find out which port your server uses, and name the cookie accordingly.
Keep in mind that your application will receive both cookies, and you need to request the one that corresponds to your port.
There is no need to have the exact port number in the cookie name, but this is more convenient.
In general, the cookie name could encode any other parameter specific to the server instance you use, so it can be decoded by the right context.
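The port-named session cookie described in this answer, together with the host-but-not-port matching quoted from RFC 6265 earlier in the thread, as an added example that is not code from any of the answers. The `mysession<port>` naming follows the answer; the function names, session values and URLs are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def cookie_applies(cookie_host, cookie_path, url):
    """RFC 6265 style match for a host-only cookie: host and path, never port."""
    parts = urlsplit(url)
    req_path = parts.path or "/"
    host_ok = parts.hostname == cookie_host
    path_ok = req_path == cookie_path or (
        req_path.startswith(cookie_path)
        and (cookie_path.endswith("/") or req_path[len(cookie_path)] == "/")
    )
    return host_ok and path_ok


def session_cookie_name(port, prefix="mysession"):
    """Cookie name that encodes the listening port, e.g. mysession8080."""
    return f"{prefix}{port}"


def own_session(cookie_header, port):
    """Pick this instance's session id out of a Cookie header, or None.

    The browser sends the cookies of every service on the host, so the
    application must select the one named for its own port.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(session_cookie_name(port))
    return morsel.value if morsel else None


def set_cookie_header(port, session_id):
    """Build the Set-Cookie value for this instance's session."""
    jar = SimpleCookie()
    name = session_cookie_name(port)
    jar[name] = session_id
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    return jar[name].OutputString()


if __name__ == "__main__":
    # Constructed header: what a browser sends to either port on this host
    header = "mysession8080=aaa111; mysession8000=bbb222"
    print(own_session(header, 8000))
    print(cookie_applies("localhost", "/", "http://localhost:4000/"))
    print(cookie_applies("localhost", "/", "http://127.0.0.1:4000/"))
```

The naming only stops the two services from overwriting each other's session. Both cookies still reach both ports, which is the RFC 6265 section 8.5 point quoted above, so mutually distrusting services still need separate host names.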
In IE 8, cookies (verified only against localhost) are shared between ports. In FF 10, they are not.
I've posted this answer so that readers will have at least one concrete option for testing each scenario.
I was experiencing a similar problem running (and trying to debug) two different Django applications on the same machine.
I was running them with these commands:
./manage.py runserver 8000
./manage.py runserver 8001
When I logged in to the first one and then to the second one, I always got logged out of the first one, and vice versa.
I added this on my /etc/hosts
127.0.0.1 app1
127.0.0.1 app2
Then I started the two apps with these commands:
./manage.py runserver app1:8000
./manage.py runserver app2:8001
Problem solved :)
It's optional.
The port may be specified so cookies can be port specific. It's not necessary, the web server / application must take care of this.
Source: German Wikipedia article, RFC2109, Chapter 4.3.1

Need help changing my website's name / address

This might sound a bit amateur-ish but I'm in a bit of a situation here.
So I created myself a website and managed to get it working on localhost. I tried port forwarding ports 80 and 443 but nothing helped, so next thing I'm googling around and I read about ngrok and it actually worked. Got it working on a long randomly generated domain but the problem is that I want to use the one that I have from no-ip.com. How can I do that please? I'm very lost here.
Software being used: Xampp (Apache,MySQL)
I've reserved a DHCP ip-address for my PC in my router's settings, hopefully that helps? I don't know. Help me internet.
There are a whole bunch of possible reasons that this might not work. Here are a few of them.
Your ISP
Even if you have port forwarding set up properly on your router, it is still possible that you cannot do what you want.
First, many ISPs block serving websites from residential internet connections. Connections to port 80/443 will never even reach your router. You might try experimenting by forwarding a different port number (such as 8000 instead of 80) to see if the traffic can get through on that port. (However, that will not work as a practical solution since your users will not know to use an alternate port and your ISP can choose to terminate your service if you are violating the terms of your agreement.)
Second, due to the exhaustion of public IPv4 addresses, some ISPs are implementing Carrier-Grade NAT (CGNAT, a.k.a. Large-Scale NAT - LSN). Instead of giving your router a public IP address, they give your router a private IP address inside their network. Once again, connections to port 80/443 (or any other port for that matter) will never reach you. You can check if you are behind CGNAT by going to your router's settings and finding the public IP address, then going to https://whatsmyip.com/ and seeing if it is the same or different. (In theory, you should be able to tell that you have CGNAT if your router's IP address is between 100.64.0.0 - 100.127.255.255, but in practice some ISPs use other private network ranges too, such as 10.0.0.0 - 10.255.255.255.)
The reason Ngrok works for you is because Ngrok opens a tunnel from your computer to their cloud servers and sends the traffic through that tunnel.
DNS
You mentioned in the comments that you have the DNS set to resolve the private IP of your computer. That certainly will not allow users on the public internet to get to your site, because they cannot connect to your address.
However, you also mentioned in the comments that if you change the DNS to point to your public IP, it doesn't work from either inside or outside. This could mean your problem is one of the ISP issues described above. It could also mean that your router does not support Hairpin-NAT (a.k.a. NAT Reflection), which is how the router would be able to redirect local traffic back to the local server instead of trying to send it out over the internet.
Firewall
Your computer's firewall can look at the source IP address of the incoming traffic, and it might be set not to allow external access to your web server. DO NOT DISABLE YOUR FIREWALL to try to get around this. Instead, you need to add a specific exception to the firewall rules to allow the incoming traffic. How you do this will depend on your operating system.
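The CGNAT check described in this answer, as an added example that is not part of the original post: it takes the WAN address shown in the router's settings and the address an external service reports, and says whether inbound port forwarding can work. The verdict labels and the sample addresses in the comments are constructed; the 172.16.0.0/12 and 192.168.0.0/16 ranges are added here as the other standard private ranges.

```python
import ipaddress

# 100.64.0.0 - 100.127.255.255, the CGNAT range named in the answer
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# Private ranges an ISP may use instead (the answer cites 10.0.0.0 - 10.255.255.255)
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

VERDICTS = {
    "cgnat": "router WAN address is in the CGNAT range; inbound connections never reach the router",
    "private-upstream": "router WAN address is private; another NAT sits between the router and the internet",
    "mismatch": "router WAN address differs from the address seen outside; traffic is translated upstream",
    "public": "router holds the public address; port forwarding can work unless the ISP filters the port",
}


def diagnose(router_wan, seen_from_internet):
    """Return a verdict key for the two addresses.

    router_wan:         WAN/public address shown in the router's settings
    seen_from_internet: address reported by an external what-is-my-IP service
    """
    wan = ipaddress.ip_address(router_wan)
    seen = ipaddress.ip_address(seen_from_internet)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in PRIVATE):
        return "private-upstream"
    if wan != seen:
        return "mismatch"
    return "public"


if __name__ == "__main__":
    import sys
    # Usage: python natcheck.py <router WAN address> <address seen from outside>
    # e.g. python natcheck.py 100.72.1.5 198.51.100.20  (constructed values)
    verdict = diagnose(sys.argv[1], sys.argv[2])
    print(verdict + ": " + VERDICTS[verdict])
```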

Localhost works, but ip gives timeout

I am trying to setup a LAMP environment on my laptop with Ubuntu 18.04.
I have no real previous experience with this and all tutorials I find are just a step for step guide on how to setup, but none explain what you are exactly doing.
So I don't know why I am having this problem.
After installing all parts of LAMP I can access localhost, and I see the apache default page.
But if I try to go to my IPaddress, (the ipaddress I found with curl -4 icanhazip.com) the page loads for a while and then tells me this:
Firefox can’t establish a connection to the server at 213.127.26.xxx
So my question is am I using the right IPaddress and how can I make apache work from my IPaddress? Because phpmyadmin will not work on localhost.
The issue is likely that your local ports (I imagine your web server is running on port 80 or 8080) are not being forwarded through your router. Your router likely uses something called “NAT (network address translation)” to expose all of the internal IP addresses on your network through a single “public” IP address, in your case 213.x.x.x (you should never post this here unless you’re 100% positive your network is secure!). Your router needs to be configured to forward port 80 on 213.x.x.x to your machine’s “internal” ip address, likely something like “192.168.x.x” or “10.0.x.x”. A search for “port forwarding ” should help you out
Alternatively, ngrok is a nice free tool which you can use to expose your port on a public address. By running ngrok http 80, it will provide you with a temporary url where you can reach your site (on a free plan, it will only provide you that url for one day, so you will need to re-run it)
First, you have to find out on which ports your server is running.
After that, you have to go into your router's settings and add port forwarding entries for these ports, to make sure that your router forwards the requests to the right device.

Error with DOJO when using IP

Strange error with a project using dojo:
If I call : http://localhost/project everything works like expected.
If I call : http://127.0.0.1/project everything works like expected.
If I call : http://192.168.2.1/project I get the following error (ONLY in IE6!):
"Bundle not found, locale.."
Any ideas?
I am running Zend Server CE with PHP 5.2
If I add: 192.168.2.1 to "hosts" it works (windows)
Sounds like Zend server is performing some kind of virtual site support using the site name as a partial domain.
I can't say 100% if/how it is because I don't use Zend, but I can explain the principle using Apache as an Example.
There are 3 ways in which a web site can be virtually hosted under a single web server application, this applies to most servers on the market today, Apache, IIS, nginx and many others.
It all boils down to one thing, giving one running server application instance the ability to host multiple individual websites.
The 3 methods of separating sites are as follows:
By IP address : If you have multiple IP addresses (usually, but not always, because you have multiple network interface cards) then you can tell your server application to listen to one IP for one site, another IP for another site and so on. If you browse to one IP you'll get one site, and likewise the other on the other IP.
By Port Number : If you're using only one IP address, then you can bind to multiple port numbers, port 80 is generally the default for web servers, but by browsing to an address and pinning the port number on the end (http://mysite.com:99) you'll force the browser to use that port. You can then have multiple websites listening on different ports and select them manually at browse time as required.
By Host Name Header: This is by far the most common way of supporting multiple sites, all web servers that understand the HTTP/1.1 protocol have to obey a header field in the request that contains the host name, when a request comes in for EG: http://mysite.com/ then there will be an entry in the request header that looks like 'Host: mysite.com' the webserver can then use that to say, oh yes.. I know which one that is.. and it then selects and serves the correct website.
The problems start to arise however when you start to use IP addresses that generally cannot be resolved or have no DNS name, because the web server then doesn't know which hostname to tag it to.
As an example in Apache, if you set up a virtual host, then try to browse that server using just the IP address, you'll get the default server, which in many cases won't even be configured to respond correctly or display anything.
To compound this, going up to web application layer, many frameworks also do their own checks on hostnames and other variables passed to them by the web server, and many make decisions on how to operate based on this information.
If you've gotten to the default web application by IP address, then there's a high chance that the framework may get confused at being presented with an IP address as a host name.
As the OP noted, in many cases, you can add a name to your hosts file and use this as a poor man's DNS substitute, the file to modify can be found in the following locations:
c:\windows\system32\drivers\etc\ - on windows
and
/etc/
on Linux/Unix
The file is generally just called 'hosts' and is a plain text file. Adding a line like:
123.456.789.123 myserver
Will tie http://myserver/ to http://123.456.789.123/
If you can, and you're doing a lot of web applications it may be worth setting up your own DNS server, most Linux distros will allow you to install 'Bind' and I do also believe there is a version available for windows too.
I'm not going to go into the pros and cons of private DNS servers here, it's a whole other subject in itself, but if you're likely to be doing a lot of additions to your hosts, then in the long run you'll find it a better option.
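The three selection methods described in this answer (IP address, port, Host header) and the fall-through to a default site when the Host value is a bare IP address, as an added example that is not part of the original answer. It is a simplified model of how a server such as Apache picks a site, not any server's actual code; the table layout, function names and addresses are constructed.

```python
# Constructed site table: "*" means any local address
VHOSTS = [
    {"ip": "*", "port": 80, "names": ["default.example"], "site": "default"},
    {"ip": "*", "port": 80, "names": ["mysite.com", "www.mysite.com"], "site": "mysite"},
    {"ip": "*", "port": 99, "names": [], "site": "port99"},
    {"ip": "192.0.2.10", "port": 80, "names": ["other.example"], "site": "ip-bound"},
]


def host_only(host_header):
    """Lowercase a Host header value and strip an optional :port."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal
        return host[: host.find("]") + 1]
    return host.rsplit(":", 1)[0] if ":" in host else host


def select_site(vhosts, local_ip, local_port, host_header):
    """Pick the site for a request that arrived on local_ip:local_port."""
    # Methods 1 and 2: narrow by the port, then by the address the request hit
    on_port = [v for v in vhosts if v["port"] == local_port]
    exact = [v for v in on_port if v["ip"] == local_ip]
    candidates = exact or [v for v in on_port if v["ip"] == "*"]
    if not candidates:
        return None                               # nothing configured for this socket
    # Method 3: match the Host header against the configured names
    name = host_only(host_header)
    for v in candidates:
        if name in v["names"]:
            return v["site"]
    # No name matched (for example the Host value is an IP address):
    # the first candidate acts as the default site
    return candidates[0]["site"]


if __name__ == "__main__":
    print(select_site(VHOSTS, "192.0.2.20", 80, "mysite.com"))   # by name
    print(select_site(VHOSTS, "192.0.2.20", 80, "192.0.2.20"))   # by bare IP
```

Adding a hosts-file entry, as the answer suggests, changes what the browser puts in the Host header, which is why the named site is then selected instead of the default.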

Fiddler: Can I redirect outgoing traffic from foreign console app to Fiddler instance (localhost:8888)?

I am looking for a way to forward traffic from an application which goes to the web over port 443 to an instance of Fiddler running on my computer. Fiddler does not see this traffic while a packet trace application verified that the traffic is going out.
The application is foreign and I am not able to modify how it requests and it is not going through Internet Explorer (or apparently any other browser). If this app is going to an ip address (ie. 66.xxx.xx.xx port 443) or to a named host (ie. https://www.anysite.com), is there a way to tell my computer to forward this traffic to Fiddler, ie. to localhost port 8888?
I am not sure I am using the right terminology to describe this but any ideas would be appreciated!
Thanks,
David
If you can't get the application itself to send traffic to localhost on a specified port, then you need something lower level than Fiddler. Try WireShark.
http://www.wireshark.com/
@David: What's the application in question? Virtually all applications can be proxied, because those that can't aren't usable from most corporate networks. In some cases, you have to make minor changes to the environment (e.g. setting the proxy for the JVM). Some details are here: http://www.fiddler2.com/fiddler/help/hookup.asp
Using Netmon or Wireshark, you should be able to determine whether or not the application in question is making a request directly to a fixed IP address, or more likely, doing a DNS lookup first. If it's doing a DNS lookup first, you could edit your Windows Hosts file so that whateverthehostis.com points at 127.0.0.1. Because the hosts file only maps host to IP and not port to port, you'll need to adjust Fiddler to run on the target port that the application is looking for (use Tools > Fiddler Options for that).
Now, if the traffic is HTTPS (and I'm guessing it is) you're going to have a problem at that point, because Fiddler currently can only act as a HTTPS endpoint when it "knows" that the traffic is HTTPS by virtue of the client having opened a CONNECT tunnel first. This is something that could be adjusted in a future version of Fiddler, but it's not a common request.