I'm trying to figure out whether a website I use was hacked.
When I access the site via www.site-name.com, I'm taken to the website.
However, when I access the site without the "www," i.e. site-name.com, I'm taken to a different website.
Why is this happening? I did a little research and my only guess is that someone changed the site's .htaccess file, but that seems unlikely, as the different website has no relation to the official site.
Can someone help me understand what's going on here?
One IP address can host multiple websites with different hostnames using Virtual Name Hosting.
The HTTP server will look at the Host header in the request to determine what site to use for a given request.
This lets you have one IP address serving example.com and example.net.
Typically, the first Virtual Name Host will be the default, so if you were to ask for example.org the server would not recognise it and give you example.com instead.
In this case, it appears that the server has a Virtual Name Host configured for www.site-name.com but not for site-name.com so requests for site-name.com get the default site for the server.
I have set up SAB, Sickbeard, CouchPotato & Plex on my home media server. All mapped to respective ports.
The ports have been forwarded correctly and I have DDNS enabled, if I browse to my DDNS address proceeded by the port number - I can access my services absolutely fine.
What I am wanting to do is use sub-domains on a domain that I already own to make the URLs a bit more friendly. However I have tried setting up simple web redirects & these don't work for some reason.
For example;
sab.domain.com = DDNS_address:9090
plex.domain.com = DDNS_address:32400/web/index.html
When trying to access I get 404 Not Found errors.
I don't host my own IIS or Apache server, the domain is hosted by an online provider.
Is this possible or worth too much hassle?
Thanks.
When I test my ASP.Net app locally, I use a DNS tool called DNSSpeeder which takes over the DNS process for my machine. In effect, I can setup www.mysite.com locally and enter an IP address like 192.168.178.200 and in my browser just enter www.mysite.com and it launches from my local IIS web server. When I'm ready for production, I just disable DNSSpeeder so that an Internet's DNS is used to lookup my site.
The problem I am facing is when I use Google OAuth to exchange my code for a token. It returns with an error of redirect_uri_mismatch. It isn't clear to me what is actually going out on the wire to Google's server and what URI Google is seeing. The URI redirect does match what is in the API console, although that doesn't say anything about what is actually sent to Google's server after it leaves DNSSpeeder. I tried Wireshark but it shows nothing. Probably encrypted with https. Instead of using http://localhost:8080, I tried http://localhost:80 as well as http://192.168.178.200 for the Javascript origins but that didn't help.
Is it possible to use an IP address other than localhost when testing locally to get a successful token?
"Is it possible to use an IP address other than localhost when testing locally to get a successful token?"
Yes it is possible. My setup is that I have configured two redirect URLs in the Cloud Console, (http://www.mydomain.com/redirect and http://dev.mydomain.com/redirect).
I then edit /etc/hosts (on linux, the Windose equivalent is under system32\drivers somewhere) to map dev.mydomain.com to 127.0.0.1.
And it works just fine. You may need to tweak your app so the redirect URL is not hardcoded, but is in fact varied based on whether your app senses it's in dev or production.
One thing to be aware of is that the confiured redirect URL must be a character for character match to the actual URL. So be careful that you have both http and https variants, and also watch for a trailing slash. If necessary configure both with and without the trailing slash.
Hi I have a website that I will be developing in the future.
Upon looking at the current website I noticed something weird that I have never seen before and also Google'd and found nothing.
If you go to: http://www.smartrainer.com.au you get the normal site
But, if you go to: https://www.smartrainer.com.au you get redirected to another website and are also given an SSL warning beforehand (in Chrome)
The site is hosted on a UNIX / PHP server and the .htaccess file currently has nothing that would suggest that it's redirecting to this other website.
Any help or insight would be appreciated with this, because I've never heard of this or seen this before.. The client also has no idea why it would be directing to that company that we've never heard of
Thanks!
It sounds like you're using a shared hosting server.
In plain HTTP, the server can know which host the client is requesting using the Host header in the request (this is based on the URL). Apache Httpd supports this with what it calls Name-based virtual hosts.
The HTTPS configuration is separate from the HTTP configuration in Apache Httpd (and presumably a number of other servers). Having virtual hosts (typically on a shared host) for the HTTP configuration doesn't mean that the same configuration is replicated for HTTPS.
HTTPS presents another problem: choosing which certificate to send before being able to see the Host header. Indeed, the server needs to send the client a certificate with the correct name during the SSL/TLS handshake, which happens before any HTTP traffic is sent (so before the Host header can be read). To overcome this problem, some hosts will set up a certificate valid for multiple host names (typically multiple Subject Alternative Names, or sometimes wilcards), others will use Server Name Indication (which isn't supported by all clients).
To get your server to host your site for HTTPS, you'd need:
To make sure the certificate it serves is valid for your host name (otherwise, there will be a warning message).
That the virtual hosts (or equivalent) it serves are configured for your host too.
In your case it seems that (a) your server is serving a single certificate that is not valid for your host and (b) your host isn't configured for HTTPS anyway, since you're falling back to what's probably the default host.
You may solve this issue by redirecting HTTPS URL to HTTP URL from your .htaccess. This error might because of shared hosting. If you cannot solve this issue from your .htaccess than you may also contact your hosting provider on this issue.
I am trying to test OAuth buttons, but they all (Facebook, Twitter, LinkedIn) come back with errors that seem to signal that I can not test or use them from a local URL.
How do people usually work in development with OAuth stuff if they all seem to require a non-dev and non-local connections environments?
Update October 2016: Easiest now: use lvh.me which always points to 127.0.0.1, but make sure to verify that this is still true every time you need to invoke it (because domains can expire or get taken over, and DNS poisoning is always a concern)
Previous Answer:
Since the callback request is issued by the browser, as a HTTP redirect response, you can set up your .hosts file or equivalent to point a domain that is not localhost to 127.0.0.1.
Say for example you register the following callback with Twitter: http://www.publicdomain.com/callback/. Make sure that www.publicdomain.com points to 127.0.0.1 in your hosts file, AND that twitter can do a successful DNS lookup on www.publicdomain.com, i.e the domain needs to exist and the specific callback should probably return a 200 status message if requested.
EDIT:
I just read the following article: http://www.tonyamoyal.com/2009/08/17/how-to-quickly-set-up-a-test-for-twitter-oauth-authentication-from-your-local-machine, which was linked to from this question: Twitter oAuth callbackUrl - localhost development.
To quote the article:
You can use bit.ly, a URL shortening service. Just shorten the [localhost URL such as http//localhost:8080/twitter_callback] and register the shortened URL as the callback in your Twitter app.
This should be easier than fiddling around in the .hosts file.
Note that now (Aug '14) bit.ly is not allowing link forwarding to localhost; however Google link shortener works.
PS edit: (Nov '18): Google link shortener stopped giving support for localhost or 127.0.0.1.
You can also use ngrok: https://ngrok.com/. I use it all the time to have a public server running on my localhost. Hope this helps.
Another options which even provides your own custom domain for free are serveo.net and https://localtunnel.github.io/www/
Or you can use https://tolocalhost.com/ and configure how it should redirect a callback to your local site. You can specify the hostname (if different from localhost, i.e. yourapp.local and the port number). For development purposes only.
For Mac users, edit the /etc/hosts file. You have to use sudo vi /etc/hosts if its read-only. After authorization, the oauth server sends the callback URL, and since that callback URL is rendered on your local browser, the local DNS setting will work:
127.0.0.1 mylocal.com
Set your local domain to mywebsite.example.com (and redirect it to localhost) -- even though the usual is to use mywebsite.dev. This will allow robust automatic testing.
Although authorizing .test and .dev is not allowed, authorizing example.com is allowed in google oauth2.
(You can redirect any domain to localhost in your hosts file (unix/linux: /etc/hosts))
Why mywebsite.example.com?
Because example.com is a reserved domain name. So
there would be no naming conflicts on your machine.
no data-risk if your test system exposes data
to not-redirected-by-mistake.example.com.
You can edit the hosts file on windows or linux
Windows : C:\Windows\System32\Drivers\etc\hosts
Linux : /etc/hosts
localhost name resolution is handled within DNS itself.
127.0.0.1 mywebsite.com
after you finish your tests you just comment the line you add to disable it
127.0.0.1 mywebsite.com
Google doesn't allow test auth api on localhost using http://webporject.dev or .loc and .etc and google short link that shortened your local url(http://webporject.dev) also bit.ly :). Google accepts only url which starts http://localhost/...
if you want to test google auth api you should follow these steps ...
if you use openserver go to settings panel and click on aliases tab and click on dropdown then find localhost and choose it.
now you should choose your local web project root folder by clicking the next dropdown that is next to first dropdown.
and click on a button called add and restart opensever.
now your local project available on this link http://localhost/
also you can paste this local url to google auth api to redirect url field...
This answer applies only to Google OAuth
It is actually very simple and I am surprised it worked for me (I am still sceptical of what my eyes are seeing).
Apparently you can add localhost as a trusted domain on the Google Developer Console, since localhost is an exception for most rules as you can see here.
This can be done on this page under OAuth 2.0 Client IDs. Click edit and then add http://localhost:8000 or similar ports, and hit save.
It is crucial that you include http or https in the input box.
HTTP or HTTPS?
I am once again surprised that Google allows http, although do note that there is a minor security risk if your application has been released to production.
If you want to be extra cautious, you can choose to stick with https. This will require you to set up an SSL certificate on your localhost server.
This is easier than you think, since the SSL certificate needs not be valid. Many http servers should give you this option. You will have to click the "proceed anyway" button anyway in your browser to bypass the big red warning.
This is more secure than http since either a) users will see a big red warning if hackers are trying something phishy, or b) the only time they won't see this warning is if the user intentionally set up a self-hosted SSL certificate, in which case they probably know what they are doing (I suppose a virus could technically do this as well, but at that stage they've already gotten enough control of a user's system to do anything they want).
I ran into some issues with the tools mentioned in other answers such as http://tolocalhost.com not forwarding query parameters (not to mention you have to visit the page and configure it first, same case with https://thomasmcdonald.github.io/Localhost-uri-Redirector/) and http://lvh.me not being useful to me because I run a proxy on my local machine and need the public URL to point to a private URL like http://mywebsite.dev.
So I made my own tool that filled my needs and may fill yours:
https://redirectmeto.com
Examples:
https://redirectmeto.com/https://www.google.com/search?q=puppies
http://redirectmeto.com/http://localhost:4000/oauth/authorize
http://redirectmeto.com/http://client.dev/page
Another valuable option would be https://github.com/ThomasMcDonald/Localhost-uri-Redirector. It's a very simple html page that redirects to whatever host and port you configure in the UI.
The page is hosted on Github https://thomasmcdonald.github.io/Localhost-uri-Redirector, so you can use that as your OAuth2 redirect url and configure you target host and port in the UI and it will just redirect to your app
If you have a domain, you can create a subdomain that redirects to your local entry point, it works for me
I created a public subdomain : oauth-test-local.alexisgatuingt.fr that redirects you to http:127.0.0.1:8000/oauth/callback/google with the returned data
Taking Google OAuth as reference
In your OAuth client Tab
Add your App URI example(http://localhost:3000) to Authorized JavaScript origins URIs
In your OAuth consent screen
Add mywebsite.com to Authorized domains
Edit the hosts file on windows or linux Windows C:\Windows\System32\Drivers\etc\hosts Linux : /etc/hosts to add 127.0.0.1 mywebsite.com (N.B. Comment out any if there is any other 127.0.0.1)