LetsEncrypt - ACMESharp client challenge in pending state for over an hour - rest

Decided to try the Letsencrypt service recently.
I'm using the Windows Powershell client found here - https://github.com/ebekker/ACMESharp
Following the quickstart instructions here - https://github.com/ebekker/ACMESharp/wiki/Quick-Start - I managed to get to Step 6b of the manual http authentication process, but when I check the status of the request with the Update-ACMEIdentifier dns1 -ChallengeType http-01 command, the challenge request remains in a pending state:
IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : www.example.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/#myhash
Status : pending
Expires : 16/02/2016 00:00:00
Challenges : {manual, , }
Combinations : {1, 0, 2}
I've been checking on the status every 10 minutes for the past hour, but it's still pending. The quickstart instructions suggest that the process should take between a few seconds and a few minutes.
Is this an ACME server issue, or an uninformative error response?

The challenge you have requested is probably not in a pending state, but the first one is. You will see there are three possible challenges (dns, tls and http). If you output the individual challenges, you will probably see that the http challenge has been validated. Try:
(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges
to list the details of all three challenges, including the individual statuses.

Related

haproxy - layer 7 health check failure

I am getting occasional layer 7 health check failures. This happens on the production machine seemingly at random, maybe once a minute or every few minutes on average. Here is the configuration:
backend api
mode http
option httpchk GET /api/v1/status HTTP/1.0
http-check expect status 200
balance roundrobin
server api1 127.0.0.1:8001 check fall 3 rise 2
server api2 127.0.0.1:8002 check fall 3 rise 2
The HAProxy log tells me the following:
Health check for server api/api2 failed, reason: Layer7 timeout, check duration: 10001ms, status: 2/3 UP.
The strange thing is, when I run a script to fetch the same URL at a much faster pace than HAProxy, it never fails to return a 200 response. It never hangs like it seems to for HAProxy.
In addition, I'm getting occasional HAProxy errors for various API calls, not just health checks, all looking quite similar:
https-in~ api/api1 45/0/0/-1/30045 504 194 - - sHVN 50/49/13/10/0 0/0 "POST /api/v1/accounts HTTP/1.1"
What could be the issue here? This one really has me stumped.

Cross-Origin Request - "Same origin" blocked on GET request

I'm trying to deploy a Sails app and a Vue app on Heroku with a custom domain. I'm currently facing something that seems to be a CORS issue, but I do not understand this one.
Problem
When I send a GET request to my backend in stage mode (with Postman or my frontend app), I get an error message:
"... blocking Cross-Origin Request : the "same origin" policy does not
allow access to the resource located at
https://app-frontend.herokuapp.com/api/v1/account/user-controller
...".
The HTML response is:
Status 503 →Service Unavailable
Cache-Control →no-cache, no-store
Connection →keep-alive
Content-Length →511
Content-Type →text/html; charset=utf-8
Date →Tue, 24 Jul 2018 08:17:13 GMT
Server →Cowboy
And my Sails console gives me this info:
Redirecting GET request from 'undefined.' subdomain...
But with POST requests I don't face this problem, and my route is well defined, as it works in dev mode.
Did you try setting csrf: false in the config/security.js? It shouldn't affect GET requests, but the key to your problem might be somewhere there.

fail2ban custom filter for custom node.js application

I need some help creating a custom filter for a custom app, which is a websocket server written in node.js. As per my understanding from other articles, the custom node.js app needs to write a log that records any failed authentication attempts, which will then be read by Fail2ban to block the IP in question. Now I need help with an example of the log my app should create that can be read or scanned by fail2ban, and also an example of adding a custom filter for fail2ban to read that log and block the IP for brute force.
It's a really old question, but I found it on Google, so I will write an answer.
The most important thing is that the line you log needs to have the right timestamp, because fail2ban uses it to ban and unban. If the time in the log file is different from the system time, fail2ban will not find it, so set the right time zone and time on the host system. In the given example I used UTC time and the time zone offset, and everything is working. Fail2ban recognizes different types of timestamps, but I didn't find a description. However, in the fail2ban manual you can find two examples. There is also a command to check if your line is recognized by the written regular expression. I really recommend using it. I also recommend using a "regular expression tester", for example this one.
The rest of the log line is not really important. You just need to pass the user's IP.
These are the most important pieces of information, but I will also write an example. I'm just learning, so I did it for educational purposes and I'm not sure if the given example makes sense, but it works. I used nginx, fail2ban, pm2, and node.js with express on Debian 10 to ban empty/bad POST requests based on Google reCAPTCHA. So set the right time on your system:
For Debian 10 this worked:
timedatectl list-timezones
sudo timedatectl set-timezone your_time_zone
timedatectl (to check the time)
First of all, you need to pass the real user IP in nginx. This helped me, so you need to add a line in your server block.
sudo nano /etc/nginx/sites-available/example.com
Find location and add this line:
location / {
...
proxy_set_header X-Forwarded-For $remote_addr;
...
}
More about reverse proxy.
Now in the node.js app just add
app.set('trust proxy', true)
and you can now get the user's IP using:
req.ip
Making it work with reCAPTCHA:
Everything about reCAPTCHA is here: Google Developers
When you get the user's response token, you need to send a POST request to Google to verify it. I did it using axios. This is how to send the POST request. secret is your secret, response is the user's response.
const axios = require('axios');

// This runs inside an Express route handler: `secret` is your reCAPTCHA secret,
// `response` is the user's response token, `req`/`res` are the handler's objects.
axios
  .post(`https://www.google.com/recaptcha/api/siteverify?secret=${secret}&response=${response}`, {}, {
    headers: {
      "Content-Type": "application/x-www-form-urlencoded; charset=utf-8"
    },
  })
  .then(function (tokenres) {
    const {
      success, // true or false
      challenge_ts,
      hostname
    } = tokenres.data;
    if (success) {
      // Do something
    } else {
      // For fail2ban: build a syslog-style timestamp in local time, so it agrees
      // with the system clock that fail2ban compares against. Local-time getters
      // avoid doing the time zone offset arithmetic by hand.
      const now = new Date();
      const pad = (n) => String(n).padStart(2, '0');
      const month = now.toLocaleString('en-US', { month: 'short' });
      const day = now.getDate();
      const hours = pad(now.getHours());
      const minutes = pad(now.getMinutes());
      const seconds = pad(now.getSeconds());
      console.log(`${month} ${day} ${hours}:${minutes}:${seconds} Captcha verification failed [${req.ip}]`);
      res.send(/* something */);
    }
  })
  .catch(function (err) {
    // Network or API failure: not a captcha failure by the user, so do not log
    // a fail2ban line here.
    res.status(502).send(/* something */);
  });
The time zone offset is used to set the right time. pm2 now saves the console.log output to a log file in /home/youruserdir/.pm2/logs/yourappname-out.log
Now make an empty POST request. An example line for a bad request will look like this:
Oct 14 19:5:3 Captcha verification failed [IP ADRESS]
Now, I noticed that the minutes and seconds have no leading 0, but fail2ban still recognizes them, so it's no problem. BUT CHECK THAT THE DATE AND TIME MATCH YOUR SYSTEM TIME.
Now make a filter file for fail2ban:
sudo nano /etc/fail2ban/filter.d/your-filter.conf
and paste:
[Definition]
failregex = Captcha verification failed \[<HOST>\]
ignoreregex =
Now ctrl+o, ctrl+x, and you can check if fail2ban will recognize the error lines using the fail2ban-regex command:
fail2ban-regex /home/youruserdir/.pm2/logs/yourappname-out.log /etc/fail2ban/filter.d/your-filter.conf
The result will be:
Failregex: 38 total
|- #) [# of hits] regular expression
| 1) [38] Captcha verification failed \[<HOST>\]
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [38] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 42 lines, 0 ignored, 38 matched, 4 missed
[processed in 0.04 sec]
As you can see, 38 matched. You will have one. If you have no matches, check the pm2 log file. When I was testing on localhost my app gave the IP address as ::127.0.0.1. It can be IPv6 related. It can maybe cause a problem.
Next:
sudo nano /etc/fail2ban/jail.local
Add the following block:
[Your-Jail-Name]
enabled = true
filter = your-filter
logpath = /home/YOURUSERDIR/.pm2/logs/YOUR-APP-NAME-out.log
maxretry = 5
findtime = 10m
bantime = 10m
So now, be sure that you wrote the filter name without the .conf extension.
In logpath be sure to write the right user dir and log name. If you get 5 (maxretry) wrong POST requests in 10 minutes (findtime), then the user will be banned for 10 minutes. You can change these values.
Now just restart nginx and fail2ban:
sudo systemctl restart nginx
sudo systemctl restart fail2ban
Afterwards you can check if your jail is working using the command:
sudo fail2ban-client status YOUR-JAIL-NAME
It will show how many matches were found and how many IPs are banned. You can find more information in the fail2ban log file.
cat /var/log/fail2ban.log
Found IPADDR - 2021-10-13 13:12:57
NOTICE [YOUR-JAIL-NAME] Ban IPADDRES
I wrote this step-by-step because probably only people with little experience will look for this. If you see mistakes or you can suggest something, just comment.
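As an added example (not the answerer's code), the following node.js snippet builds the same kind of fail2ban log line as the answer above, but with a zero-padded local-time stamp, strips the IPv4-mapped IPv6 prefix that Express reports on localhost (the answer mentions a "::"-prefixed 127.0.0.1), and replays the jail logic (failregex, maxretry, findtime) offline over constructed sample lines so you can see which host would be banned before touching the real jail. The regex, jail values and sample IPs are assumptions matching the answer's filter and jail.local.

```javascript
// Added example: fail2ban-friendly log line builder plus an offline replay of
// the jail logic (failregex + maxretry + findtime) over constructed lines.
const MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
                'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
const pad = (n) => String(n).padStart(2, '0');

// Express on localhost reports IPv4-mapped addresses like ::ffff:127.0.0.1;
// strip the prefix so <HOST> in the filter captures a plain IPv4 address.
function normalizeIp(ip) {
  return ip.startsWith('::ffff:') ? ip.slice('::ffff:'.length) : ip;
}

// "Oct 14 19:05:03 Captcha verification failed [203.0.113.5]" in local time,
// zero-padded, matching fail2ban's default "MON Day %k:Minute:Second" template.
function captchaFailLine(date, ip) {
  const ts = `${MONTHS[date.getMonth()]} ${pad(date.getDate())} ` +
    `${pad(date.getHours())}:${pad(date.getMinutes())}:${pad(date.getSeconds())}`;
  return `${ts} Captcha verification failed [${normalizeIp(ip)}]`;
}

// Same pattern as the filter file, with <HOST> expanded to an IP capture group
// (fail2ban does that expansion itself); the leading groups parse the timestamp.
const FAILREGEX =
  /^(\w{3}) (\d{1,2}) (\d{1,2}):(\d{1,2}):(\d{1,2}) Captcha verification failed \[([0-9a-fA-F:.]+)\]$/;

// Replay the jail: a host is banned once it has maxretry matches within
// findtime seconds. A year is needed because the syslog-style stamp has none.
function bannedHosts(lines, { maxretry = 5, findtime = 600, year = 2021 } = {}) {
  const hits = new Map();   // host -> timestamps (seconds) of matched lines
  const banned = new Set();
  for (const line of lines) {
    const m = FAILREGEX.exec(line);
    if (!m) continue;       // fail2ban-regex would count this as "missed"
    const [, mon, day, h, mi, s, host] = m;
    const t = new Date(year, MONTHS.indexOf(mon), +day, +h, +mi, +s).getTime() / 1000;
    const recent = (hits.get(host) || []).filter((x) => t - x < findtime);
    recent.push(t);
    hits.set(host, recent);
    if (recent.length >= maxretry) banned.add(host);
  }
  return [...banned];
}

// Constructed sample: five failures from one host within 4 minutes, three from
// another (reported with the IPv4-mapped prefix, as on localhost).
const SAMPLE = [];
for (let i = 0; i < 5; i++) SAMPLE.push(captchaFailLine(new Date(2021, 9, 14, 19, 5, 3 + 60 * i), '203.0.113.5'));
for (let i = 0; i < 3; i++) SAMPLE.push(captchaFailLine(new Date(2021, 9, 14, 19, 6, 10 + i), '::ffff:198.51.100.7'));
console.log(SAMPLE.join('\n'), '\nbanned:', bannedHosts(SAMPLE));
```

Lowering maxretry to 3 in the options object shows the second host being banned too, which is the knob the jail.local block above controls.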

Paypal Adaptive Payments 500 proxy error

I'm seeing the following error message when attempting to perform a simple payment using the PayPal Adaptive Payments API and the Explicit Approval Payment Flow in the sandbox environment:
Proxy Error
The proxy server could not handle the request GET /webapps/adaptivepayment/flow/expresscheckoutincontextremembermeflow.
Reason: Error during SSL Handshake with remote server
As per this related post, this issue has supposedly been resolved, but I'm still unable to perform a simple payment in the sandbox environment.
The API call to generate a payKey is returning successfully:
{
'responseEnvelope': {
'ack': 'Success',
'timestamp': '2013-04-01T10:00:33.572-07:00',
'build': '5563463',
'correlationId': '9ddb6d34b8b31'
},
'paymentExecStatus': 'CREATED',
'payKey': 'AP-30241506EH984280M'
}
and the following series of redirects are occurring:
https://www.sandbox.paypal.com/webapps/adaptivepayment/flow/pay?expType=light&paykey=AP-30241506EH984280M
redirects to:
https://www.sandbox.paypal.com/webapps/adaptivepayment/flow/payinit?iframecookie=1364835660832&paykey=AP-30241506EH984280M&expType=light
which redirects to:
https://www.sandbox.paypal.com/webapps/adaptivepayment/flow/corepay
which redirects to:
https://www.sandbox.paypal.com/webapps/adaptivepayment/flow/expresscheckoutincontextremembermeflow
which gives the 500 proxy error after approximately 210 seconds.
Additionally, if I attempt the workaround of logging into developer.paypal.com in another tab first, I get a 404 error on the initial request:
https://www.sandbox.paypal.com/webapps/adaptivepayment/flow/pay?expType=light&paykey=AP-45P14958V28124917
I've searched and searched and poked and prodded this issue to death... anyone else seeing this problem, and does anyone have a working resolution?
We are rolling a patch later tonight which we expect to fix this issue permanently.

Express Checkout Digital Goods : Proxy Error on sandbox.paypal.com/incontext

I have a Flash website. When I want to use PayPal Express Checkout with Digital Goods, I call this JavaScript code:
dg = new PAYPAL.apps.DGFlow();
dg.startFlow("http://mydomain.com/setup.php");
setup.php calls the SetExpressCheckoutPayment function and redirects to https://www.sandbox.paypal.com/incontext?token=...&useraction=commit
With Firebug I can see this address returns a 302 and redirects to https://www.sandbox.paypal.com/webapps/checkout/webflow/sparta/expresscheckoutvalidatedataflow?exp_type=&cookiesBlocked=&token=...&useraction=commit
This address also returns a 302 and redirects to https://www.sandbox.paypal.com/webapps/checkout/webflow/sparta/expresscheckoutvalidatedataflow?execution=e1s1
Here it hangs for several minutes and ends with this error message:
Proxy Error
The proxy server could not handle the request GET /webapps/checkout/webflow/sparta/expresscheckoutvalidatedataflow.
Reason: Error during SSL Handshake with remote server
I started to get this error sometimes last week, and I have it every time today.
It happens on my MAMP environment and on my website.
I don't have an SSL certificate, but I didn't have one last week either and it was not a problem.
Do you know anything about this error message?
Edit
I tried with Opera; the proxy error comes at a different step: https://www.sandbox.paypal.com/webapps/checkout/webflow/sparta/expresscheckoutvalidatedataflow?execution=e1s4
And once this morning on Firefox I had another Proxy Error after the first redirection :
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /webapps/checkout/webflow/sparta/expresscheckoutvalidatedataflow.
Reason: Error reading from remote server
I don't have the Proxy Error anymore since yesterday. I didn't change anything so it seems PayPal servers are unstable...
I'm having the same issue since Sunday evening (sorry that I can't post this as a comment, don't have enough reputation yet).
I'm on LiquidWeb shared hosting, using the Merchant SDK ( https://github.com/paypal/merchant-sdk-php ). I was on merchant-sdk-php-2.1.96 when the errors began, and tried upgrading to merchant-sdk-php-2.2.98, but now it is worse (won't even do the first redirect, which is confusing). My code is server side, but I'm getting the timeout and proxy error at the same URLs:
$setECResponse = $PayPal_service->SetExpressCheckout($setECReq);
if ($setECResponse->Ack == 'Success') {
    $token = $setECResponse->Token;
    $payPalURL = 'https://www.sandbox.paypal.com/incontext?token=' . $token;
    $this->Redirect($payPalURL);
}