I am creating a voice-bot using dialogflow with google assistant. My client has provided his network access, which is not a private URL an IP instead. It is not SSL certified too. I will get two errors this time
Only public URLs are allowed and
You can use only https:// in fulfillment url when "Google Assistant" integration enabled
Any workaround for this? What are the other options I have? I can access clients API within his network only. So I cannot replace this IP address. Please advise how to proceed further.
You can use an IP address, as long as it is a public IP address. The machine doesn't need a DNS entry.
Actions on Google requires an HTTPS connection, however, using a valid certificate (ie - not self-signed). This is to protect your client and their users data.
One possible workaround is to look into a tunnel/proxy service such as ngrok. They provide a public HTTPS address that securely tunnels to an ngrok client you run on the same machine as the webhook fulfillment server. They have a free service that will change hostnames periodically, or you can subscribe to a commercial service which will give you a fixed name which you can use for the fulfillment URL.
You have to make URL https://.
you can try https://letsencrypt.org/
Related
I need to configure an application to accept connection only from client with a certificate, the client should be ApiGateway.
I followed this step by step tutorial. But when I should upload a certificate and enable a checkbox called "Enable request of client certificate" in upload dialog box it disappear.
I tried with many browser (Chrome, Firefox, Safari) on a Mac. I'm quite that this not depend on browser, so now how can do the same thing?
Thanks for every answer.
From my understanding, the given task needs to be separated into two activities.
Client with certificate
A client with DNS APIgateway
Client with Certificate
In general, when we create an API, we expose with a gateway via HTTP protocol which has some signed certificate (Production). Please provide that public certificate to the consumer of your API. And you can test this using postman, we have an option of SSL certificate upload in Postman, make a use of it for testing.
Client with DNS Name
For this, in Datapower (API Gateway), you can create an Access control list following this IBM documentation. Access control list is something, we allow or restrict the host that we consume the services exposed using Datapower.
Good evening, just saw that Facebook released his messenger bot toolkit and i immediately jumped right into it to learn more about it and maybe try to do my own.
My problem is that i don't have a https website running and it requires a https valid url. I tried to use my local web-server that has a certificate but it doesn't work.
My question is if this is possible to be done using a localhost url at all.
Thank you in advance
Actually this is possible with localhost. Use ngrok. It allows you to open localhost to the public web, over http or https. This should only be used for testing however.
If you want to test webhooks on your local environment, I would try ultrahook.com, you can get an API Key for free and the tool creates a tunnel from a public URL to your computer. This is from their FAQs page:
You download and run the UltraHook client on your computer. It
connects to UltraHook servers in the cloud and creates a tunnel from a
public endpoint on our servers to your computer. Any HTTP POST
requests sent to the public end point will be sent through the tunnel
an delivered to a private endpoint accessible from your computer.
I have used it to test webhooks from different providers (like payment gateways). In your computer, you can run something like:
ultrahook <subdomain> http://localhost:8000/webhook/
and then configure the webhook URL in your external service to something like <subdomain>.ultrahook.com
My question is if this is possible to be done using a localhost url at all.
No, of course it isn’t – because what such a “callback” actually means, is that Facebook makes a request to your server – and that is hardly possible with localhost.
A valid SSL certificate for your website is easy to get for free these days, via LetsEncrypt. And even if that is not available on your server, there’s still StartSSL, that provide basic certificates for free. All you need is a server you can install them on, or upload them to, or whatever mechanism your hoster provides for it. (And if they don’t provide any, then it might be time to switch.)
I have a gadget[*] that connects to the user's WiFi network and responds to commands over a simple REST interface. The user uses a web app to control this gadget. The web app is currently served over http and the app's javascript does AJAX calls to the gadget's local IP address to control it. This scheme works well and I have no issues with it.
[*] By "gadget" I mean an actual, physical IoT device that the user buys and installs within their home, and configures to connect to their home WiFi network
Now, I want to serve this web app over https. I have no issue setting up https on the hosting side. The problem is, now the browser blocks access to the gadget (since the gadget's REST API is over http and not https).
The obvious solution is to have the gadget serve it's REST API over https. But how? It has a local IP address and no one will issue a certificate for it. (Even if they did, I'd have to buy a boatload of certificates for each possible local IP address.) I could round-trip via the cloud (by adding additional logic on my server side to accept commands from the web app and forward it to the gadget over another connection), but this will increase latencies.
Is there a way around this problem? One possibility that I have in mind is to:
Get a wildcard certificate (say, *.mydomain.com)
Run my own DNS that maps sub-domains to a local IP address following a pattern (For example, 192-168-1-123.mydomain.com would map to 192.168.1.123)
Use the wild-card certificate in all the gadgets
My web app could then make AJAX calls to https://192-168-1-123.mydomain.com instead of http://192.168.1.123 and latencies would remain unaffected aside from the initial DNS lookup
Would this work? It's an expensive experiment to try out (wildcard certificates cost ~$200) and running a DNS server seems like a lot of work. Plus I find myself under-qualified to think through the security implications.
Perhaps there's already a service out there that solves this problem?
While this is a pretty old question, it is still nothing that you find out-of-the-box solutions for today.
Just as #Jaffa-the-cake posted in a comment, you can lean on how Plex did it, which Filippo Valsorda explained in his blog:
https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/
This is very similar to what you proposed yourself. You don't even need a wildcard certificate, but you can generate certificates on-the-fly using Let's Encrypt. (You can still use wildcard certificates, if you want, which Let's Encrypt supports now, too.)
Just yesterday I did a manual proof-of-concept for that workflow, that can be automated with the following steps:
Write a Web Service that can create DNS entries for individual devices dynamically and generate matching certificates via Let's Encrypt - this is pretty easy using certbot and e.g. Google Cloud DNS. I guess Azure, AWS and others have similar offerings, too. When you use certbot's DNS plugins, you don't even need to have an actual web server running on port 80/443.
On you local device, contact that Web Service to generate a unique DNS entry (e.g. ..yourdns.com) and certificate for that domain
Use that certificate in your local HTTPS server
Browse to that domain instead of your local IP
Now you will have a HTTPS connection to your local server, using a local IP, but a publicly resolved DNS entry.
The downside is that this does not work offline from arbitrary clients. And you need to think of a good security concept to create trust between the client that requests a DNS and certificate, and your web service that will generate those.
BTW, do you mind sharing what kind of gadget it is that you are building?
If all you want is to access the device APIs through the web browser, A Simple solution would be to proxy all the requests to the device through your web server.this was even self signed certs for the devices wont be a problem. Only problem though is that the server would have to be on the same network as your devices.
If you are not on the same network, you can write a simple browser plugin (chrome) to send the api request to IoT device. but then the dependency on the app/plugin will be clumsy.
In my site I have payment service. when i was trying to access it from VS it was not working because URL was not as registers.
once i have hosted site on server and I have made request from the registered URL It has started working and i can access it.
My query is how they can restrict their service to my domain name ?
They have probably restricted it by IP address.
In order to publish real-time updates to my app, Facebook needs needs to perform a post request to my server.
Problem is, my server is my home computer and not publicly addressable from the internet. Bringing a server live to implement this sounds like it could be a pain... can't attach debugger, fiddler etc....
So what's the best way to test the Http Endpoint? Integration tests that simulate the Facebook server? Fiddling with firewalls/NAT to try and get Facebook talking to my home computer?
Any ideas?
You can use ngrok - https://ngrok.com/ - free (pay-what-you-can) service that does exactly what you need. Localtunnel service is down and the developers also recommend ngrok.
In the past, I've used LocalTunnel to do this. It's a nice wrapper around an SSH tunnel and it effectively assigns you a subdomain at localtunnel.com pointing to a port on your localhost.
So basically, when you run it it will spit back an externally accessible sub domain name like xyz.localtunnel.com who's port 80 will point a port you specify on your local box.
You can find it at: http://progrium.com/localtunnel/
It's really great for testing various pubsubhubbub subscription feeds (like Facebook's).
OK! I think NAT should be the best bet and I don't see a reason for it not to work. You should try it out.
It was actually pretty easy - Logged into my home router, set up port forwarding on port 80 to the local IP of my computer, put an exception in windows firewall for port 80. and then navigate to my public IP address in the browser.
Implement the receiver samples at: https://github.com/facebook/real-time/tree/master/samples
The only answer is to get a webserver that is publicly accessible for real-time updates to be able to call back to.
There's lots of free webhosts that allow server-side scripting. And there's lots of paid for webhosts out there too. Stackoverflow is really not the place to get leads on where/when/why/howmuch for web hosting.
No you can't use ngrok only to simulate facebook realtime update since you must make a call to facebook servers with your ngrok adress to validate it (tell me if you find out how to do this :p ).
I use an openshift server to receive facebook realtime and then post evry json data received from facebook to my ngrok adress. So the process is
set up an openshift server to receive facebook notifications
Facebook sends notifications to your openshift
your openshift sends datas (as received) to your ngrok adress
And if you must receive facebook notifications on a local website (like www.website.dev/fb-notifications/) then create a script in your localhost folder which receives openshift posts (let's call it tunelscript.php). the process will be
set up an openshift server to receive facebook notifications
Facebook sends notifications to your openshift
your openshift sends datas (as received) to your tunel script via your ngrok adress (perso.ngrok.com/tunelscript.php)
Relay datas from your tunelscript to your local website (tunelscript.php => www.website.dev/fb-notifications/)
That's Tuneling B-)