Using localhost for Secure Canvas URL on Facebook App - facebook

I need to develop a Facebook app, and while I request my SSL certificate, I need to start the project because I have little time to deliver it.
Is it possible to use localhost as the "Secure Canvas URL"? This field requires that the URL begins with https, so I don't know the correct way to do it (in the case that using localhost is allowed).

First of all you need to set up your server to answer HTTPS requests.
Then you create a self-signed SSL certificate – not sure if that works for the domain name localhost, but I’d recommend setting up a local domain, such as mytest.local, anyway (the .local being the important part here), make your server listen to that, and have your system resolve it to your local IP address, e.g. via its hosts file.
And then you tell your browser to accept that self-signed certificate … and you’re good to go.

Related

Webhooks for Facebook: how to bypass a secure website

I am setting up webhooks for a Facebook application, and they require a callback URL; this URL must be HTTPS.
I do have a server with a callback website, but it is not HTTPS; it uses the HTTP protocol.
Any idea how to bypass that? (Workaround?)
There's no way to bypass it.
However, if you don't want to buy an SSL certificate for your domain, you can configure your domain name with CloudFlare and use their Universal SSL.
I have used it with Facebook webhooks and it works very well. It's free and very easy to configure.
The free plan allows you to use Flexible SSL. As per the docs:
Flexible SSL: secure connection between your visitor and CloudFlare, but no secure connection between CloudFlare and your web server. You don't need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled.

HTTPS for local IP address

I have a gadget[*] that connects to the user's WiFi network and responds to commands over a simple REST interface. The user uses a web app to control this gadget. The web app is currently served over http and the app's javascript does AJAX calls to the gadget's local IP address to control it. This scheme works well and I have no issues with it.
[*] By "gadget" I mean an actual, physical IoT device that the user buys and installs within their home, and configures to connect to their home WiFi network
Now, I want to serve this web app over https. I have no issue setting up https on the hosting side. The problem is, now the browser blocks access to the gadget (since the gadget's REST API is over http and not https).
The obvious solution is to have the gadget serve its REST API over https. But how? It has a local IP address and no one will issue a certificate for it. (Even if they did, I'd have to buy a boatload of certificates for each possible local IP address.) I could round-trip via the cloud (by adding additional logic on my server side to accept commands from the web app and forward them to the gadget over another connection), but this will increase latencies.
Is there a way around this problem? One possibility that I have in mind is to:
Get a wildcard certificate (say, *.mydomain.com)
Run my own DNS that maps sub-domains to a local IP address following a pattern (For example, 192-168-1-123.mydomain.com would map to 192.168.1.123)
Use the wildcard certificate in all the gadgets
My web app could then make AJAX calls to https://192-168-1-123.mydomain.com instead of http://192.168.1.123 and latencies would remain unaffected aside from the initial DNS lookup
Would this work? It's an expensive experiment to try out (wildcard certificates cost ~$200) and running a DNS server seems like a lot of work. Plus I find myself under-qualified to think through the security implications.
Perhaps there's already a service out there that solves this problem?
While this is a pretty old question, there are still no out-of-the-box solutions for it today.
Just as @Jaffa-the-cake posted in a comment, you can lean on how Plex did it, which Filippo Valsorda explained in his blog:
https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/
This is very similar to what you proposed yourself. You don't even need a wildcard certificate, but you can generate certificates on-the-fly using Let's Encrypt. (You can still use wildcard certificates, if you want, which Let's Encrypt supports now, too.)
Just yesterday I did a manual proof-of-concept for that workflow, which can be automated with the following steps:
Write a Web Service that can create DNS entries for individual devices dynamically and generate matching certificates via Let's Encrypt - this is pretty easy using certbot and e.g. Google Cloud DNS. I guess Azure, AWS and others have similar offerings, too. When you use certbot's DNS plugins, you don't even need to have an actual web server running on port 80/443.
On your local device, contact that Web Service to generate a unique DNS entry (e.g. ..yourdns.com) and certificate for that domain
Use that certificate in your local HTTPS server
Browse to that domain instead of your local IP
Now you will have an HTTPS connection to your local server, using a local IP, but a publicly resolved DNS entry.
The downside is that this does not work offline from arbitrary clients. And you need to think of a good security concept to create trust between the client that requests a DNS and certificate, and your web service that will generate those.
BTW, do you mind sharing what kind of gadget it is that you are building?
If all you want is to access the device APIs through the web browser, a simple solution would be to proxy all the requests to the device through your web server. This way even self-signed certs for the devices won't be a problem. The only problem, though, is that the server would have to be on the same network as your devices.
If you are not on the same network, you can write a simple browser plugin (Chrome) to send the API request to the IoT device, but then the dependency on the app/plugin will be clumsy.
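The Plex-style scheme proposed above (a private IP encoded as one label under a domain you control, covered by a wildcard or per-device certificate) has two details worth getting right in the service that hands out names: it must only mint names for private (RFC 1918) addresses, and a wildcard certificate for *.mydomain.com only matches a single extra label. The following shell functions, an added example that is not code from the thread or from Plex, show both the encoding and those checks; mydomain.com and the 192.168.1.123 sample address are assumed values.

```shell
#!/bin/sh
# Added example: map a private IPv4 address to a hostname under a domain you
# control (192.168.1.123 <-> 192-168-1-123.mydomain.com) and back, accepting
# only RFC 1918 addresses so the issuing service cannot be used to create
# names for arbitrary public hosts. "mydomain.com" is an assumed domain.

# is_ipv4 ADDR -> 0 if ADDR is a syntactically valid dotted quad
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1        # each octet must be 0..255
  done
}

# is_private_ipv4 ADDR -> 0 if ADDR lies in 10/8, 172.16/12 or 192.168/16
is_private_ipv4() {
  is_ipv4 "$1" || return 1
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# ip_to_label ADDR DOMAIN -> prints ADDR-with-dashes.DOMAIN, fails for public IPs
ip_to_label() {
  is_private_ipv4 "$1" || return 1
  printf '%s.%s\n' "$(printf '%s' "$1" | tr '.' '-')" "$2"
}

# label_to_ip HOST DOMAIN -> prints the private IP encoded in HOST's first label
label_to_ip() {
  host="$1"; domain="$2"
  case "$host" in
    *."$domain") ;;
    *) return 1 ;;                          # not under our domain at all
  esac
  first="${host%.$domain}"
  case "$first" in
    *.*) return 1 ;;                        # more than one label: refuse
  esac
  ip="$(printf '%s' "$first" | tr '-' '.')"
  is_private_ipv4 "$ip" || return 1
  printf '%s\n' "$ip"
}

# wildcard_covers HOST DOMAIN -> 0 if a certificate for *.DOMAIN matches HOST.
# A wildcard matches exactly one label, so a.b.DOMAIN and DOMAIN itself fail.
wildcard_covers() {
  rest="${1%.$2}"
  [ "$rest" != "$1" ] || return 1
  case "$rest" in
    ''|*.*) return 1 ;;
  esac
  return 0
}
```

The device-side client would call ip_to_label with its own LAN address; the issuing service re-derives the address with label_to_ip and refuses anything that is not private, so it never becomes a free name-issuing oracle for the public Internet. The wildcard_covers check is the reason the label must stay a single component: 192.168.1.123.mydomain.com (dots kept) would not be covered by *.mydomain.com.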

Facebook test apps not working on localhost

Since recently I cannot test applications on localhost. There is no canvas URL to be set anymore, only a secure canvas URL, and it asks for an https URL. Even test apps do not have this option. So I have to buy another SSL certificate and domain for testing purposes only? If someone has the same problem or a solution, please let me know. Cheers!
Just put in https://localhost and accept the unsafe message in the browser; you don't need to buy a certificate.
You can also use a self-signed certificate, as explained in other threads:
create a trusted self-signed SSL cert for localhost (for use with Express/Node)
How do I allow HTTPS for Apache on localhost?
Thank you luschn for pointing that out about the self-signed stuff, because just putting https://localhost will not work anymore.
It seems that Facebook made some changes and that you can only test your apps on localhost if you create a self-signed certificate with the openssl tool. Then you can enter in secure canvas URL something like https://localhost:3000/ and in app domains localhost, and it seems to work. Other than creating a self-signed certificate I could not make it work on localhost.
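Both this thread and the first one on this page end up at the same step: generate a self-signed certificate for localhost with openssl and then trust it in the browser. The script below is an added example, not code from either thread; it produces a key and certificate that current browsers will accept once trusted, which means a subjectAltName listing DNS:localhost and IP:127.0.0.1 (browsers no longer look at the CN alone). It assumes OpenSSL 1.1.1 or newer for -addext and writes into a directory you pass in.

```shell
#!/bin/sh
# Added example: create a self-signed certificate for https://localhost that a
# browser will accept once it is trusted. The SAN extension is mandatory for
# modern browsers; CN alone is ignored. Requires OpenSSL 1.1.1+ (-addext).

# make_localhost_cert DIR -> writes DIR/localhost.key and DIR/localhost.crt
make_localhost_cert() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
    -keyout "$dir/localhost.key" -out "$dir/localhost.crt" \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null || return 1
  chmod 600 "$dir/localhost.key"          # private key: owner-readable only
}

# cert_has_san FILE NAME -> 0 if the certificate's subjectAltName contains NAME
cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "$2"
}

# cert_fingerprint FILE -> prints the SHA-256 fingerprint; compare it with the
# value the browser shows before adding the certificate to the trust store.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Stand-alone usage: generate into ./localcert and show what was produced.
if [ "${1:-}" = "run" ]; then
  make_localhost_cert ./localcert
  cert_has_san ./localcert/localhost.crt localhost && echo "SAN includes localhost"
  echo "fingerprint: $(cert_fingerprint ./localcert/localhost.crt)"
fi
```

Point your local server (Express, Apache, Nginx) at localhost.crt and localhost.key, then import the certificate into the browser's or OS's trust store rather than clicking through the warning each time; checking the fingerprint at import time is what prevents trusting some other certificate that happens to be presented on the same port. Because the certificate carries only localhost and 127.0.0.1, it is useless for any other host, which is the property you want from a development-only certificate.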

Redirect All SSL Requests to One Domain

Recently, the company I work for changed their name, and therefore is changing its domain name. Previously, we redirected all requests on port 80 of our web server to https://www.olddomain.com, so that all pages were sent over SSL. Now that we have changed, our SSL certificate for www.olddomain.com has expired, and we want to redirect all requests for https://www.olddomain.com to https://www.newdomain.com (in case anyone bookmarked us as https://.....).
I have tried every redirection method I know, mod_rewrite, DNS forwarding, etc., but I cannot get https://www.olddomain.com to redirect to https://www.newdomain.com; it says that the site is untrusted.
We are running Apache 2.2 on Linux.
Any help would be appreciated.
Thanks!
Not to dive into unnecessary details: if the certificate itself has expired, you won't be able to make a trusted connection with it; the browser will always warn. To make it transparent, you'd have to renew/buy a valid certificate for the old domain, or force every possible website user to first download, install and trust your own RootCA certificate (obviously impossible). Theoretically there are some browser-supported HTTPS protocol extensions to deal with the original construction of HTTPS, but even if they were implemented it still wouldn't "help" for an outdated certificate. It is a problem with the certificate itself, not really with virtual server hostname / certificate common name recognition and matching, for which such protocol extensions are conceptually planned/designed.
You should have performed the domain migration while the old certificate was still valid. Have a look at CNAME SSL certificates here as well.
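The answer's point is that the redirect itself is easy; what makes https://www.olddomain.com trusted is a certificate for the old name that is still valid. The helper below, an added example rather than anything from the thread, emits the Apache 2.2 virtual host that answers for the old domain with its (renewed) certificate and sends every request to the new domain with a 301, and refuses to emit it when the certificate file has already expired. The hostnames, certificate paths and the www.newdomain.com target are assumed placeholders.

```shell
#!/bin/sh
# Added example: generate an Apache 2.2 vhost that serves https://OLD with a
# valid certificate and permanently redirects everything to https://NEW.
# Paths and names are placeholders; adjust to your layout.

# cert_unexpired FILE -> 0 if the certificate in FILE is still valid now
cert_unexpired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# redirect_vhost OLD NEW CERT KEY -> prints the vhost, or fails on bad names
redirect_vhost() {
  old="$1"; new="$2"; crt="$3"; key="$4"
  for h in "$old" "$new"; do          # only plain hostnames, no schemes/paths
    printf '%s\n' "$h" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$' || return 1
  done
  cat <<EOF
# Plain-HTTP requests for the old name go straight to the new HTTPS site.
<VirtualHost *:80>
    ServerName $old
    Redirect permanent / https://$new/
</VirtualHost>

# HTTPS requests for the old name must still present a valid certificate for
# $old, otherwise the browser warns before the redirect is ever sent.
<VirtualHost *:443>
    ServerName $old
    SSLEngine on
    SSLCertificateFile $crt
    SSLCertificateKeyFile $key
    # 301 so bookmarks and search indexes move to the new name.
    Redirect permanent / https://$new/
</VirtualHost>
EOF
}

# write_redirect_vhost OLD NEW CERT KEY OUT -> writes OUT only if CERT is valid
write_redirect_vhost() {
  cert_unexpired "$3" || { echo "certificate $3 is expired or unreadable" >&2; return 1; }
  redirect_vhost "$1" "$2" "$3" "$4" > "$5"
}
```

Run write_redirect_vhost with the renewed certificate for the old name (for example from the same CA, or a free one) and reload Apache; once the old certificate's expiry is reached the 443 vhost becomes useless again, so treat the old name as something that needs renewal for as long as you keep the redirect.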

How to add entry in windows "host file" such that it can redirect over https

I want to redirect all my browser requests to abc.com when a request is sent to xyz.com.
I was able to do this by adding an entry in the hosts file under Windows.
However, I see that I can go to http://abc.com when I type in http://xyz.com:8080,
but I cannot seem to get the same redirection over https.
I found out that you cannot mention ports in the hosts file.
I need some help with this.
HTTPS is specifically designed so that you can't do this - not only is one of the core points of SSL/TLS that the conversation be encrypted, it also ensures that you really are talking to who you think you are, that you haven't been redirected to a fake site via DNS.
That's not what the hosts file is for. It's about the hosts that you are referring to. abc.com and xyz.com are hosts.
All the hosts file does is associate a host name with an IP address. Nothing else is possible.
Get a clone of the part you need from the genuine site, put it on local IIS, add an SSL binding using a self-signed certificate and add an entry to the hosts file. http://www.selfsignedcertificate.com. If you are in a rush with no time to play with IIS Manager, use appcmd.
You'll get a "not verified" warning for an untrusted issuer; add it to Trusted Root Certification Authorities. http://www.robbagby.com/iis/self-signed-certificates-on-iis-7-the-easy-way-and-the-most-effective-way/
Never tried a self-signed cert though; let us know how your testing goes.
A hosts file is DNS, which is used to resolve a domain name to an IP address, which has nothing to do with ports.
If you redirect from https://abc.com to https://xyz.com then they will need to be different servers with different certificates, as an SSL certificate is bound to the domain name.
Which means if you use your hosts file to look up the IP address of abc.com when you try https://xyz.com, then it won't work, as the certificate will be for abc.com and won't match the host header https://xyz.com sent by your browser.
If you are using the Windows command for routing:
netsh interface portproxy add v4tov4 listenport=listen_port listenaddress=any_free_ip_address connectport=localhost_port connectaddress=127.0.0.1
The default port for HTTP requests is 80, so if one is using HTTPS use 443, as it is the default for HTTPS.
With HTTPS, it'll be to do with the security certificate - likely you can't get around that, or at least ... I hope not.
Putting an entry in your hosts file only associates your human-readable host name with an IP address; the rest happens in the application that makes HTTP requests.
Parts of a URI on Wikipedia:
https://upload.wikimedia.org/wikipedia/commons/thumb/d/d6/URI_syntax_diagram.svg/1068px-URI_syntax_diagram.svg.png
Whenever an application, let's say your browser, makes a request for a resource, it turns what you type for the address into a proper URI, which includes the scheme.
If you don't type https, or leave the scheme out, you get http. You still end up getting https for some sites because they use SSL redirection, maybe something like this: https://www.linkedin.com/pulse/how-use-nginx-reverse-proxy-https-wss-self-signed-ramos-da-silva/?articleId=6678584723419226112
Use nslookup xyz.com and get the IP,
then put this IP in hosts (/etc/hosts in Linux).
The https domain name must transform to IP from
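The answers above make the same point in different words: a hosts entry is only "IP address, then one or more names"; it carries no port and no scheme, and for HTTPS the certificate must still match the name the browser typed. The validator below is an added example (not from any answer in the thread) that checks hosts-file lines against exactly those rules and reports why an entry such as 127.0.0.1 xyz.com:8080 can never work; the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example: validate lines of a hosts file. Each entry is an address
# followed by hostnames; ports and URL schemes are rejected with an
# explanation, since the hosts file cannot express either.

# validate_hosts_line "LINE" -> 0 if valid, 1 otherwise (reason on stderr).
# Blank lines and comments are valid. IPv4 check is syntactic only (assumption:
# IPv6 entries are accepted when they consist of hex digits and colons).
validate_hosts_line() {
  line="${1%%#*}"                       # strip a trailing comment
  set -- $line                          # split on whitespace
  [ $# -eq 0 ] && return 0              # blank or comment-only line
  ip="$1"; shift
  [ $# -ge 1 ] || { echo "no hostname after '$ip'" >&2; return 1; }
  printf '%s\n' "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$|^[0-9A-Fa-f:]+$' \
    || { echo "'$ip' is not an IP address" >&2; return 1; }
  for name in "$@"; do
    case "$name" in
      *://*) echo "'$name': schemes (http/https) are chosen by the client, not by the hosts file" >&2; return 1 ;;
      *:*)   echo "'$name': ports cannot be set in the hosts file; use a proxy (e.g. netsh portproxy)" >&2; return 1 ;;
      */*)   echo "'$name': paths are not part of name resolution" >&2; return 1 ;;
    esac
    printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$' \
      || { echo "'$name' is not a valid hostname" >&2; return 1; }
  done
  return 0
}

# validate_hosts_file FILE -> 0 if every line is valid, else 1 (first bad line on stderr)
validate_hosts_file() {
  n=0
  while IFS= read -r l || [ -n "$l" ]; do
    n=$((n + 1))
    validate_hosts_line "$l" || { echo "line $n rejected" >&2; return 1; }
  done < "$1"
}
```

Even a line that passes this check only changes where xyz.com resolves to; the browser then asks that server for a certificate valid for xyz.com, so a host that only holds a certificate for abc.com will be flagged as untrusted exactly as the thread describes. Changing the port or the scheme is a job for a local proxy (the netsh portproxy command quoted above, or a reverse proxy), not for name resolution.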