Is there a way to configure Apache to slow down login after failed attempts?
It looks like it is not the default setting as already discussed here.
On the other side it seems to be possible also without adding it to own application logic, on plain Apache, see here, but I found nothing in documentation and discussion???
Thanks
Achim
Related
I got a strange situation where my Apache Server is adding a piece of Javascript code just before closing tag of the served HTML content.
I tried to find out but could not success what is going here on the server. I restarted the server and then it went away, but after sometime I'm facing same issue.
I'm sure my server is compromized and someone is doing this act. Kindly help me where to look to check how Apache can add such code on the fly on CentOS 7.
If you do not have set up anything like this, it's likely that your server got compromised.
As a first step, I suggest you check, if anything like this has been configured.
Beware though, if your server has been compromised, it's very likely that the attacker still maintains access to your server. If you can, nuke it, rotate credentials and look into hardening your servers.
I am currently hosting the contents of a site with ProviderA. I have a domain registered with ProviderB. I want users to access the contents (www.providerA.com/sub/content) by visiting www.providerB.com. A domain forward is easy enough and works as intended, however, unless I embed the site in a frame (which is a big no-no), the actual URL reads www.providerA.com/sub/content despite the user inputting www.providerB.com.
I really need a solution for this. A domain masking without the use of a frame. I'm sure this has been done before. An .htaccess domain rewrite?
Your help would be hugely appreciated! I'm going nuts trying to find a solution.
For Apache
Usual way: setup mod_proxy. The apache on providerB becomes a client to providerA's apache. It gets the content and sends it back to the client.
But looks like you only have .htaccess. So no proxy, you need full configuration access for that.
So you cannot, see: How to set up proxy in .htaccess
If you have PHP on providerB
Setup a proxy written in PHP. All requests to providerB are intercepted by that PHP proxy. It gets the content from providerA and sends it back. So it does the same thing as the Apache module. However, depending on the quality of the implementation, it might fail on some requests, types, sizes, timeouts, ...
Search for "php proxy" on the web, you will see a couple available on GitHub and others. YMMV as to how difficult it is to setup, and the reliability.
No PHP but some other server side language
Obviously that could be done in another language, I checked PHP because that is what I use the most.
The best solution would be to transfer the content to providerB :-)
I'm using authlib in my project. I have a local IDP setup using http atm.
For testing, this code is blocking me because my dev environment is http.
https://github.com/lepture/authlib/blob/master/authlib/client/oauth2.py#L155
I can carry on by commenting out the line. But, i think having a way to turn of https check is neater.
So, dose anyway know a way to turn off https check in Authlib ?
It can be solved by setting an environment:
AUTHLIB_INSECURE_TRANSPORT=true
This is not documented on client sections, it is documented on the server parts like https://docs.authlib.org/en/latest/flask/oauth2.html
I am setting up a very simple HTTP server for the first time, am considering my options, and would appreciate any feedback on the best way to proceed. My goal is pretty simple: I'm not serving any files, I only need to respond to a very specific HTTP POST request that will contain geolocation data, run some Python code, and return the results as JSON. I do need to be able to respond to multiple simultaneous requests. I would like to use HTTPS.
In looking on stackoverflow it seems I can potentially go with BaseHTTPServer and ThreadingMixIn, or Apache and mod_wsgi. I already have Apache installed, but have never configured it. Are there compelling reasons to go the more complicated Apache route (more complicated to me, because I will need to do research on configuring Apache and getting mod_wsgi going but already have a test instance of BaseHTTPServer up and running), or is it equally safe, secure (very important), and performance-oriented to use BaseHTTPServer for something so simple?
BaseHTTPServer is not a production grade server.
If you don't understand how to set up Apache, but want to get something with mod_wsgi running quickly and easily, then you probably want to look at mod_wsgi express.
This gives you a way of installing mod_wsgi using Python 'pip' and also provides you a way of starting up Apache/mod_wsgi with a auto generated Apache and mod_wsgiconfiguration such that you don't even need to know how to configure Apache.
The next version of mod_wsgi express to be released (version 4.3.0, likely released this week), can even set up a HTTPS site for you, with you just needing to have obtained a valid certificate or generated a self signed certificate.
I would suggest if interested you use the mod_wsgi mailing list to ask for more details about using mod_wsgi express for running a HTTPS site.
http://code.google.com/p/modwsgi/wiki/WhereToGetHelp?tm=6#Asking_Your_Questions
You can start playing around though with it for a normal HTTP site by following instructions at:
https://pypi.python.org/pypi/mod_wsgi
I'm looking for a mod_auth_tkt for Nginx? I have multiple applications using auth_tkt compatible cookies and would like to have SSO. I don't want to use apache2 mod_auth_tkt, since I have nginx already running. Is there a auth_tkt compatible module for nginx?
I came across this challenge today (multi-domain SSO using Nginx), so I suppose an answer is better late than never.
I was coming from having used auth_tkt with Apache2.
Ultimately I ended up with an implementation of Pubcookie, for which somebody wrote and documented an Nginx module.
The setup is very similar:
A CGI script intercepts the request and performs login procedure for the user using whatever mechanism is configured
Upon successful authentication:
a. A cookie is set on the enterprise_domain
b. User is redirected to the originally requested resources
Some warning though, I had to hack the source a fair bit for pubcookie and the nginx module to get it to work with non-SSL sites - it seems to have been written with SSL as a fixed assumption.