netsh http add urlacl problem - wix

I'm trying to set up some ports from a WIX installer. For WinXP we use httpcfg in a custom action and this works fine. For Win7, we're trying:
netsh http add urlacl url=http://127.0.0.1/8346/ user="NT AUTHORITY\Authenticated Users" sddl="D:(A;;GX;;;AU)"
The WIX installer correctly executes this statement and sets up the ports - FOR THE ADMINISTRATOR who runs the .msi. Users with lesser privileges cannot access these ports. I need to set it up for all users on the machine, but I've tried about everything I can think of with no luck.
Something I find odd is that the Admin user can see the assigned ports using netstat -a, but they do not appear at all using netsh http show urlacl...is that an indicator of something wrong?

If 8346 is your port number, your syntax is incorrect. It should be:
netsh http add urlacl url=http://127.0.0.1:8346/ user="NT AUTHORITY\Authenticated Users"

You can add a condition to the setup file to prompt for UAC when installation starts. This will ensure the installer is started by an admin and thus will add the exception in the firewall even when the user does not have admin rights.
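A reservation such as the one in the question gives every authenticated user the right to listen on that prefix, so it is worth reviewing which reservations on a machine are held by broad groups. The following is an added example, not code from the posts above: it reads text in the layout printed by netsh http show urlacl and reports allow ACEs whose trustee is a broad group. The sample output is constructed and the function name is hypothetical.

```python
import re

# SDDL SID aliases for groups that contain ordinary (or all) users.
BROAD_TRUSTEES = {
    "WD": "Everyone",
    "AU": "Authenticated Users",
    "BU": "Built-in Users",
    "IU": "Interactive",
    "AN": "Anonymous",
}
# One allow ACE: (A;flags;rights;object;inherit_object;trustee)
ALLOW_ACE = re.compile(r"\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^;)]+)\)")
URL = re.compile(r"https?://\S+")

# Constructed sample in the layout printed by `netsh http show urlacl`.
SAMPLE = r"""
URL Reservations:
-----------------

    Reserved URL            : http://127.0.0.1:8346/
        User: NT AUTHORITY\Authenticated Users
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;AU)

    Reserved URL            : http://+:8001/
        User: NT AUTHORITY\NETWORK SERVICE
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;NS)
"""


def broad_reservations(netsh_output):
    """Return (url, group, rights) for each allow ACE held by a broad group."""
    findings, url = [], None
    for line in netsh_output.splitlines():
        found = URL.search(line)
        if found:
            url = found.group(0)  # remember which reservation we are inside
        elif url and "D:(" in line:
            # Match on the SDDL value itself, not on the text label before it.
            for rights, trustee in ALLOW_ACE.findall(line):
                if trustee in BROAD_TRUSTEES:
                    findings.append((url, BROAD_TRUSTEES[trustee], rights))
    return findings


if __name__ == "__main__":
    for url, group, rights in broad_reservations(SAMPLE):
        print(f"{url}: {group} holds {rights}")
```

In the rights field, GX is the listen right, GW is delegate and GA is both.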

Related

netsh http add urlacl fail - parameter is incorrect

I'm trying to register wcf net tcp port sharing, for a process to listen on this port (currently the client machine can't even ping this port even though the process is up, so I read this command is needed):
netsh http add urlacl user=domain\svcUser url=net.tcp://+:8092/Service1
getting Url reservation failed, Error 87. The parameter is incorrect.
Also tried changing the user, the port, removing the Service1, adding a trailing /. Is there anything else that should be done?
Remark: The following command does succeed (but does not help): netsh http add urlacl user=domain\svcUser url=http://+:8092/Service1
This post shows the usage of netsh in this case
This post deals with error 87 but did not solve it in my case
You mean the command succeeded but it didn't work. This is not normal.
Maybe you can try this:
netsh http add urlacl url=http://+:8092 user=domain\svcUser

outbound connections (curl, sockets) not working for apache but working as root

After a recent automatic update to Linux components (CentOS v7 with Plesk 17.8.11) my web (PHP) applications are no longer able to make outbound connections.
Both "curl" requests and PHPMailer fail; curl is returning http code 0 with no content, while PHPMailer says "SMTP Connect() failed".
The same statements/programs work perfectly when run from terminal (root user). In other words, if I write a trivial program executing "curl http://www.example.com" and run it from terminal, it works; if I call it from a browser, it does not work.
The same is true for any program using PHPMailer to send a mail.
SELinux is disabled, so it does not depend on the httpd_can_network_connect SELinux boolean.
Any idea?
I found a solution, but I did not really understand what the real reason was. By default, my CentOS+Plesk server has SELinux disabled: I changed it to "enabled" with SELINUX=permissive, then I changed two SELinux booleans:
setsebool -P httpd_can_network_connect on
setsebool -P httpd_can_sendmail on
Even if SELinux is in warning-only mode, setting those two booleans on did the trick.
Most likely, affected domains are using system PHP, which was updated recently. Correct me if I am wrong.
That would explain the broken PHP functionality, because during the update of the system PHP package, an Apache restart is not triggered by Plesk.
Simply restart Apache in Tools & Settings > Service Management or by using systemctl restart httpd. If the issue still persists after that, try to switch to any of the Plesk PHP versions.

Use netsh instead of hosts file to handle IP and Port

I need to be able to map an IP and port to another IP and port on my Windows 7 machine. The reason is to enable me to access a URL in another location on a different port than the one I get given from the link.
For example if a link will route me to
123.123.123.123:8080
I want to be able to intercept this (like how the Windows Hosts file works with domain name resolution overriding) to re-route the request to
123.456.789.123:49120
I've quickly found out you can't specify ports in hosts files, but netsh appears to do the job, although the information on Technet is a little confusing and I'm unsure how the command should look.
The netsh command would look like this:
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=123.123.123.123 connectport=49120 connectaddress=123.456.789.123
More information here.

How to disable and enable admin console (admin-listener, port 4848) from the command line

I would like to control when and where the admin service is accessible
How do I do one of the following (if possible)
Enable the admin console only from localhost (I know about disable-secure-admin, but still I don't want anyone to see the console login page when they add 4848 in the end)
I will use an SSH tunnel to connect
Or, be able to use a certificate, so only certified clients will be able to even see the console
Or, be able on demand to start / stop the admin service when needed, not opening it to the outside world (e.g. start stop __asadmin virtual server)
Is any of the above possible?
Ok, I found it by guess-work
Solution to scenario #1
Make sure you have SSH tunnel on port 4848 first
Go to Configuration -> server-config -> Network Config -> Network Listeners -> admin-listener
Under the General tab, in the Address: field replace 0.0.0.0 with 127.0.0.1
Restart the server
Solution to scenario #3
I didn't find any command line way to enable / disable virtual servers, network listeners or protocols, but editing domain.xml shows that it's all there, just comment out and restart.
Use asadmin to update the HTTP Network Listener named admin-listener.
asadmin enable-secure-admin-principal
"Instructs GlassFish Server, when secure admin is enabled, to accept admin requests from clients identified by the specified SSL certificate".
asadmin enable-secure-admin "enables secure admin (if it is not already enabled), optionally changing the alias used for DAS-to-instance admin messages or the alias used for instance-to-DAS admin messages". Also a good blog on the subject. This doesn't turn admin on/off, but enables/disables for remote access to the admin console without the complications of (1).

Servicehost throwing an error, even though added to configuration with netsh

ServiceHost.Open() is throwing this error:
HTTP could not register URL http://+:8001/. Your process does not have
access rights to this namespace (see
http://go.microsoft.com/fwlink/?LinkId=70353 for details).
So I used netsh to add the URL. But even though it is added, I'm still getting the error. This is the command I use:
netsh http add urlacl url=http://+:8001/ user=djerryy
djerryy is my computer name. When I run netsh http show urlacl I see it was added.
What am I doing wrong?
Thanks in advance.
It looks like you are missing the name of the user account who is running the service. Here's a couple of options:
Local user account:
netsh http add urlacl url=http://+:8001/ user=ComputerName\Username
Domain user account:
netsh http add urlacl url=http://+:8001/ user=DomainName\Username
Built-in NetworkService account:
netsh http add urlacl url=http://+:8001/ user="NT AUTHORITY\NETWORK SERVICE"
I must stress:
netsh http add urlacl url=http://+:8001/ user="NT AUTHORITY\NETWORK SERVICE"
will work only on a system with the English locale!
A better way is to remove that one space and make it:
netsh http add urlacl url=http://+:8001/ user="NT AUTHORITY\NETWORKSERVICE"
Now the command will work on any locale. I spent a good 0,5h battling this today... all because of a single char. ;)
To add even more to this answer: You MUST specify a port number! Spent quite a while trying to authorize a service to bind to a normal HTTP address, it only started working when I explicitly specified:
netsh http add urlacl url=http://some.example.com:80/extension/ user="NT AUTHORITY\NETWORKSERVICE"
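The prefix mistakes in the threads above (a port written as a path segment, a net.tcp scheme, no port at all) and the locale-dependent account name can all be caught before netsh is run. The following is an added example, not code from any of the posts: it checks a prefix against only the rules these threads surface and builds a reservation that names the account by SDDL SID alias rather than by display name. The function names are hypothetical.

```python
import re

# SDDL SID aliases are part of the SDDL grammar, so they are the same on
# every display language (unlike account names such as "NETWORK SERVICE").
SID_ALIASES = {"NS": "Network Service", "LS": "Local Service",
               "SY": "Local System", "AU": "Authenticated Users"}

# scheme://host[:port][/path]; host is +, *, a name, an IPv4 or [IPv6] literal.
PREFIX = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?P<host>\[[^\]]+\]|[^/:]+)"
    r"(?::(?P<port>[^/]*))?"
    r"(?P<path>/.*)?$"
)


def check_url_prefix(url):
    """Return the problems found in a urlacl URL prefix (empty list = none)."""
    m = PREFIX.match(url)
    if not m:
        return ["not of the form scheme://host:port/path"]
    problems = []
    if m["scheme"].lower() not in ("http", "https"):
        problems.append(f"scheme {m['scheme']!r} is not http or https")
    if m["port"] is None:
        problems.append("no :port after the host")
    elif not (m["port"].isdigit() and 1 <= int(m["port"]) <= 65535):
        problems.append(f"port {m['port']!r} is not in 1-65535")
    return problems


def build_urlacl_command(url, sid_alias):
    """Build a listen-only (GX) reservation for one well-known account."""
    problems = check_url_prefix(url)
    if sid_alias not in SID_ALIASES:
        problems.append(f"unknown SID alias {sid_alias!r}")
    if problems:
        raise ValueError("; ".join(problems))
    return f'netsh http add urlacl url={url} sddl="D:(A;;GX;;;{sid_alias})"'


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1/8346/", "net.tcp://+:8092/Service1",
                      "http://some.example.com/extension/", "http://+:8001/"):
        print(candidate, "->", check_url_prefix(candidate) or "ok")
    print(build_urlacl_command("http://+:8001/", "NS"))
```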