I can't find a mosquitto_sub option that does the same as cert_reqs in mosquitto_tls_opts_set - mosquitto

I want to find a mosquitto_sub/pub command option like the cert_reqs option in
mosquitto_tls_opts_set(mosq, cert_reqs, tls_version, ciphers); // C++ Code
I want to connect to the broker using only the ca.crt file.
When I set cert_reqs=0, I can connect to the broker using only the ca.crt file.
But I couldn't find this option in the mosquitto_sub/pub command.

From the mosquitto_sub man page:
--insecure
When using certificate based encryption, this option disables verification of the server hostname in the server certificate. This can be useful when testing initial server configurations but makes it possible for a malicious third party to impersonate your server through DNS spoofing, for example. Use this option in testing only. If you need to resort to using this option in a production environment, your setup is at fault and there is no point using encryption.
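The two settings discussed above are not equivalent: --insecure drops only the hostname check, while cert_reqs=0 (SSL_VERIFY_NONE in libmosquitto) drops server verification entirely. The script below is an added example, not part of the original question or answer and not mosquitto's code; it models the remaining checks with the openssl command line, and the CA names, broker.example and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Lab PKI and names (Lab CA, Other CA, broker.example) are constructed.

make_ca() {            # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

make_server_cert() {   # $1 = dir holding ca.crt/ca.key; issues CN=broker.example
    openssl req -newkey rsa:2048 -nodes -subj "/CN=broker.example" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# Model of the checks each client setting leaves in place (not mosquitto's code):
#   default  = --cafile only          -> chain to the CA AND hostname must match
#   insecure = --cafile + --insecure  -> chain to the CA only
#   none     = cert_reqs=0 in the API -> no check; any certificate is accepted
would_connect() {      # $1 = mode, $2 = CA file, $3 = server cert, $4 = host dialled
    case $1 in
        default)  openssl verify -CAfile "$2" -verify_hostname "$4" "$3" ;;
        insecure) openssl verify -CAfile "$2" "$3" ;;
        none)     true ;;
        *)        false ;;
    esac >/dev/null 2>&1
}

report() {             # print accept/reject for one scenario
    if would_connect "$@"; then echo "$1: accept"; else echo "$1: reject"; fi
}

LAB=$(mktemp -d)
make_ca "$LAB/ca" "Lab CA"
make_ca "$LAB/other" "Other CA"
make_server_cert "$LAB"

for mode in default insecure none; do
    echo "-- right CA, wrong hostname"
    report "$mode" "$LAB/ca.crt" "$LAB/server.crt" other.example
    echo "-- wrong CA, right hostname"
    report "$mode" "$LAB/other.crt" "$LAB/server.crt" broker.example
done
```

With --insecure a certificate from an unknown CA is still rejected, so it is the narrower of the two relaxations; cert_reqs=0 accepts both failing cases.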

Related

How to properly set up HTTPS for OnlyOffice

Following OnlyOffice's help center's instructions leads to the creation of security certificate declared as invalid by browsers, as it is self-signed.
The intention is to use OnlyOffice's server on Docker for NextCloud, which runs properly already on another server.
Currently, the certificates have been created in the directory suggested by the instructions:
/app/onlyoffice/DocumentServer/data/certs# ls
dhparam.pem onlyoffice.crt onlyoffice.csr onlyoffice.key
I have followed all the given steps, and it does not work.
Is there a way to use LetsEncrypt instead of self-signed certificates?
I am not an IT management person, I am a simple developer trying to use OSS to not use Google Docs etc. Take this into consideration when providing guidance, as what you may take for granted, I may not.
The problem that you are having is that a self-signed certificate is not trusted by anyone (anything).
You can create your own certificate using Let's Encrypt. You will either need to create a special file on your server or create a TXT record on your domain's DNS server.
Certbot Download
The following is for Linux. If you are running on Windows, try using ManuaLE (more info below).
Go to Let's Encrypt and download certbot. Then from the command line:
certbot certonly --manual --preferred-challenges dns -d mydomain.com
This command will prompt you to create a TXT record on your DNS server. After creating the record wait a few minutes before pressing ENTER to continue.
After your SSL certificate is created, copy and rename them to your desired location listed in your question.
Instructions for ManuaLE for Windows.
ManuaLE Download
manuale authorize mydomain.com
manuale issue mydomain.com
After your SSL certificate is created, copy and rename them to your desired location listed in your question.
Please restart the container, the DocumentServer will switch to https config.
Open the address of the DocumentServer in your browser. If that is available, it can be connected to your NextCloud instance.

mosquitto_sub with TLS enabled

I am new to MQTT and I have a frustrating problem.
I have been using MQTT.fx to subscribe to a topic; I have set the:
Broker Address
Port
Client ID
Enable SSL/TLS
Topic
This works well, however I would like to use mosquitto_sub.
I am attempting to subscribe to the same topic in the following way:
mosquitto_sub -h host -p 8883 -t topic -i client id
This is not working for me. I am using it on a Ubuntu VM.
My powers of observation tell me that I should enable TLS, however I'm not quite sure how to do that. I have stuffed around with certificates and enabling TLS in many ways but have not got the right combo. I know it is required, as if I uncheck the SSL/TLS box in MQTT.fx I am unable to connect.
I would really like to replicate what I have in MQTT.fx with mosquitto.
In the mosquitto_sub command, use the --capath argument to point to /etc/ssl/certs. It needs a pointer to the trusted certificates.
To enable SSL with mosquitto_sub you need to specify a CA certificate.
This can be done in 1 of 2 ways.
--cafile /path/to/a/file where the file contains the required trusted CA certificate (either on its own or part of a concatenated set)
--capath /path/to/directory where the directory contains a collection of files ending in .crt which contain the CA certificates to be trusted. The ca certs should also be indexed with the c_rehash function.
Both these options are mentioned in the mosquitto_sub man page as ways to enable SSL,
e.g.
mosquitto_sub -h host -p 8883 --cafile ca.crt -t topic -i client id
I am aware of a 3rd way (shortcut), which is using the flag --tls-use-os-certs.
Also, as a side note, mosquitto_sub/pub also sends SNI within the TLS connection request, which is great news if you are using SNI-based routing on the broker side.
I don't know if the MQTT standard actually prescribes this, but at least the mosquitto client's implementation does support it.

How hard is it to enable TFS to use SSL?

How hard is it to enable TFS to start using secure connections, if it's not already? Does doing so affect SQL configuration also? How can we force SSL to be required?
I'm looking over this reference material:
https://msdn.microsoft.com/en-us/library/aa833872%28v=vs.120%29.aspx#DisAd
Reading the above, I get the impression that MS is trying to discourage someone from using SSL for TFS over the internet?
Then I stumbled on to this blog post:
http://www.jwsecure.com/2009/01/29/using-tfs-via-the-internet/
Summary = just get an SSL cert and force SSL and port-forward a high port to 443
Thoughts?
Firstly, the MSDN article you posted above shows you the detailed steps on how to set up HTTPS with SSL for TFS. To summarize, the main steps include:
Install a certification authority, obtain and install a server certificate for servers.
Request, install and configure websites with a certificate for Team Foundation Server using Internet Information Services (IIS) Manager.
Configure Team Foundation Server to require HTTPS and SSL.
Install the certificate on client computers.
You can also check this walkthrough: https://msdn.microsoft.com/en-us/library/aa833873.aspx
Secondly, you don't need to configure SQL Server. But if you have SQL Reporting Service, you need to configure it to support HTTPS with SSL.
Thirdly, to enable TFS to be available with external connections, you need to configure it with HTTPS with SSL. Also with it, web connections to TFS are more secure. However, this process needs more administrator configuration and maintenance work. So you need to determine whether to use it based on your requirements.

Rails app call APIs using proxy

I have subscribed to an API service which provides access based on static IP (For both Live and Testing).
Since my development area ISP doesn't provide a static IP, I have enabled API access to my staging machine IP, which is static. I installed squid and enabled/set up a proxy server on my staging server so that I can use it as a proxy and make calls to the API while I do development.
I am using a Mac for my development, and the Networking > Proxy settings won't work system-wide (Terminal). Due to this, I was using trial versions of MacProxy and Proxifier (proxy clients) and all was working fine till the trial expired. Are there any free alternatives to this for Mac?
I tried to set up a proxy by creating an SSH SOCKS proxy and setting http_proxy="xxx" in the terminal. When I check the terminal IP after setting it using curl ipecho.net/plain ; echo, it shows the proper IPs, but when I run the local Rails development server and try to access the API, it's rejecting the call with an invalid IP (it shows the non-proxied IP).
A free alternative that might solve your problem might be a project on GitHub:
sshuttle (read me)
It forwards TCP and DNS requests to a remote ssh server.
The most basic use of sshuttle looks like this:
./sshuttle -r username@sshserver 0.0.0.0/0 -vv
To tunnel all traffic you might do:
./sshuttle --dns -vr ssh_server 0/0
There are also helper functions available here, which can simplify some of the commands.
The system level proxy settings aren't used by ruby applications. Typically this is a code level option passed to the library you are using to make connections.
If you want Savon to use a proxy then you need to pass this to Savon when you create the client:
client = Savon.client(proxy: "http://example.org", ...)
If this call is being made inside a gem, then unless that gem already provides that option, you would need to fork it to add the option.
The gem you mention seems to already implement this - its configuration class has a proxy attribute that seems to be passed through to Savon.

RoR app deployed on Heroku and working with SQL Server database

Is it feasible to have a Ruby on Rails app, which is:
a) deployed on Heroku, and
b) working with a remote SQL Server database?
I take it that I'll need unixODBC installed on Heroku, but I cannot find a way to do so. Is this possible?
Or, is there any other way (without ODBC?) to accomplish this?
Thank you very much for any guidance or tip.
Updated:
Some info on the subject:
1) Heroku pre-installs both unixODBC and FreeTDS by default, so you already have them.
2) Also, it is possible to run shell commands via Heroku Console in backticks, e.g.:
heroku console
`odbcinst`
(runs "odbcinst" command in Heroku shell and shows the result)
3) You do not have access to filesystem outside of your slice where the packages are installed. If you only need a driver path, Heroku support can provide it (/usr/lib/odbc/libtdsodbc.so in my case).
4) You cannot run sudo commands in Heroku shell.
At the moment, to connect to MS SQL Server you at least need to append to the ‘freetds.conf’ file. Even when using tinyTDS (there is an open ticket#2 in the tinyTDS GitHub issue page). DSN-less connection instructions from "wiki.rubyonrails.org SLASH database-support SLASH ms-sql" didn’t work for me; I guess this connection requires some extra configuration too.
‘freetds.conf’ cannot be modified without sudo. Therefore, I conclude that currently there is no way to make MS SQL and Heroku work together.
I’ve managed to set up this connection with EngineYard and activerecord-sqlserver-adapter.
I followed these instructions:
https://github.com/rails-sqlserver/activerecord-sqlserver-adapter/wiki/Platform-Installation---Ubuntu
(there are only some filepath differences, e.g. ‘odbc.ini’ is located in ‘/etc/unicodbc’, not in ‘/etc’ - this is easy to work out).
I installed 'unixODBC' and 'freetds' packages using the EY Unix Packages feature, and made all configurations manually through SSH. Sudo is available in EY (no password required). There is also a Chef Recipes feature to automate those configurations (seems to be pretty easy, I'm going to try it tomorrow).
Hope this is helpful.
It is possible.
Because Heroku copies/symlinks its own config/database.yml over whatever you supply in your repository, you may need to take additional steps (e.g. in config/environments/production.rb or in config/initializers/remote_mssql_from_heroku.rb) to set up your application appropriately.
You will face the challenge, however, that traffic from Heroku to your MSSQL database will traverse the public internet. By default, this traffic will not be encrypted. Potentially everyone in the world will be able to monitor your traffic between your Heroku application and your database, and even alter the traffic in-flight, whether for benign or malicious purpose, without you being able to detect it. MS SQL offers the capability to connect over SSL. This capability requires explicit configuration in the MSSQL server, so you must be able to access and modify that configuration. Additionally, this configuration requires that your client library be up-to-date and capable of talking with MSSQL over SSL. Note that MSSQL server will enforce that your server certificate list a Common Name or Subject Alternative Name exactly matching or wildcard-matching the server's FQDN (at least, the FQDN that the server knows about), and that the client use an FQDN for the server exactly matching or wildcard-matching one of the names on the certificate.
I've successfully used the following article which uses Heroku's newer buildpack feature to use TinyTDS and connect remotely to SQL Server 2008 R2. I'm still investigating how I could encrypt traffic. Hope this helps others!
http://blog.firmhouse.com/connecting-to-sql-server-from-heroku-with-freetds-here-is-how-on-cedar#
We're having a similar problem where we're needing to import old data from a SQL Server database into our new app. The data isn't a straight table import, but needs to undergo some processing and conversions. We've built an import layer for this which lives in a private gem, so as to not pollute the new app with the old data conversion issues. This approach is also designed to permit incremental updates, as we get closer to launch we'll keep syncing records up to the moment of switch-over.
Heroku told us that it's not trivial to connect to SQLServer, in particular as they don't support FreeTDS. Their support staff recommended to run an instance with the import gem from a laptop in our office and configure it to connect to their database (which requires a dedicated DB, not the free shared one). This sounded like the most palatable approach to us.
Secondly, regarding security that was mentioned by @Justice, we discussed configuring SSL for SQLServer with the hosting company and they pointed out the complexities of this. They recommended VPN as an easier solution. As we don't have office-side VPN hardware, the simplest and free solution proved to be an SSH tunnel.
We've set up an SSH tunnel from the laptop to the SQLServer Windows box. That was straightforward. We had CopSSH installed on Windows (which comes with a Linux shell, by the way) and we were able to simply set up a tunnel, having the laptop talk to localhost for its SQLServer connection, i.e.:
ssh -L 1433:localhost:1433 user@windows_server_name
I did not know Heroku has FreeTDS on it? I was told they did not. TinyTDS, if used with FreeTDS 0.91, can have a zero freetds.conf dependency and be driven by runtime connection args. We are looking into building an Ubuntu 10.4 native gem that statically links 0.91 with OpenSSL so you can just drop it into Heroku and use it to connect to Azure and/or your own outside DB.
