I am a beginner on mosquitto (Alpine Linux machine)
After several searches I did not find the answer
I would like to authorize MQTT messages only from one device in the network
I tried changing "aclfile.example" to "acl.acl"
user "equipment IP"
topic test
But this did not restrict the connection to only this equipment (The server can still receive messages from others)
Ideas?
There are several things that probably need covering here:
Mosquitto ACLs deal in users and topics, not IP addresses.
By default (at least until v2.0.0 shipped this week) mosquitto allows clients to connect without specifying a username/password. You can disable this by adding allow_annonymous false to the config file
Just renaming the example ACL file will not cause it to be loaded, you need to explicitly point to it in the config file with the acl_file directive.
You will also need to specify a password file with the password_file if you want to ensure that a specific username can only be used by authorised clients.
If you really want to limit access to a single local machine then you may do better looking to user the firewall to only accept external connections from that IP address using the firewall. e.g. iptables on Linux.
There are a couple of ways to do this. The easiest would be to define one user, and disable anonymous access. Your mosquitto.conf file would look like this:
port 1883
allow_anonymous false
password_file /etc/mosquitto/pwfile
You might have other options in your config file for things like logging and persistence, but these lines would only let clients that had the user/password connect. You then set your one username/password up in the pwfile file. Here's a great blog post about how to do that: http://steves-internet-guide.com/mqtt-username-password-example/
Keep in mind that your client node now has to also provide the username/password on the CONNECT packet, or be denied access.
Another way would be to issue an SSL cert to your client, and only allow that cert in. Again, Steve has a great blog post about how to set that up: http://www.steves-internet-guide.com/creating-and-using-client-certificates-with-mqtt-and-mosquitto/
Related
I am working with a Synology NAS type aDS716+II, DSM 6.1.4-15217 Update 2 on wich runs Docker with a Jira container.
So now what I want to do I'm assinged to get to work is to access Jira's webinterface with let's say jira.synology.local with synology being the servername.
I read a lot about nginx and how it's built in since DSM 6.X but I don't seem to get it to work properly at all.
I can access Jira's webinterface from another machine within the LAN via IP_OF_SYNOLGY:PORT so when setting up a reverse proxy on the server it should be pointing to LOCALHOST:PORT right? I have also tried using the actual IP instead of LOCALHOST but without success.
I can access the interface of Synology itself not only via IP_OF_SYNOLGY:PORT but also via DOMAINNAME.LOCAL if I set the domain name.
I really don't know what I'm missing and I tried everything I could think of. Does someone has experience with this?
If some information is missing, I'll gladly provide it. I'm fairly new to synology I have to admit. Thanks in advance!
So this has gotten zero response but I figured probably someone will have a similar "problem" in the future, so I will answer anyway.
I solved everything, when I setup Active Directory. When installing AD, the DNS-Server will automatically be installed too.
So we have JIRA running in a Docker container (on port, let's say, 12345) and I want to access it via the LAN on jira.domainname.
To do so we need to have installed DSM6.X or higher (for nginx) and the DNS-Server. That's it.
In the DNS-Server you will have to create a new master zone
and apply the following settings, whereas you can freely choose the domain name and Master DNS server must be the IP of your synology station, since it functions as a DNS
Then you want to edit the Resource Record
There you want to add an A Record Resource
and an CNAME Record Resource
So your Resource Records will look like this
Now the last step for setting up the DNS server is to tell it what to do if there is no specific record for a query. So for example if you want to open jira.domainname in your browser, there is a specific record for that and the DNS server knows how to direct it. But if you want to open up for example google.com the DNS server has no information on that and does now know what to do. So what we do now is to to tell the DNS server to forward the request, if it has no records for a request. To do so, enable the forwarders and put in the IP of your gateway/ managed switch as primary and some public DNS server (8.8.8.8 for one of google's DNS server) as secondary.
Please remember that jira.domainname shall always be the domainname you choose and 192.168.0.200 shall always be the IP of your synology station.
So now the DNS server is completely setup. Now we want to take advantage of the built-in reverse proxy (which runs on nginx in the background). To do so we navigate as seen here
and create a new reverse proxy rule
So now that the URL's can point to the same destination (your synology, 192.168.0.200) but on different Port. That comes in very handy for some applications running in docker.
So now if you are running this in an home setup or small office, you probably are working with standard issue commercial router such as for example a FritzBox by AVM. Those are pretty good but beware that some prohibit the so called DNS Rebinding which means that DNS requests pointing to a local IP will be not allowed. Since in this setup the DNS server (your synology) and the destination JIRA (also your synology) are in the same LAN, we have to create an exception. Probably other routers don't suppress those requests, but if so exceptions are necessary.
So the next step, it to tell your Gateway or managed switch that it has to use the newly setup DNS server as the primary DNS server. For FritzBox' you can do so here
put in the IP of your DNS server and an secondary DNS server. This is important as a fallback solution if your DNS server probably stops working at some point.
Now that everything is setup I would recommend to restart the router/ managed switch, synology and the workstation you are working on, to flush all caches. After that you can simply open your browser and type in jira.domainname and JIRA should open up. You can also open a terminal/ cmd and type in nslookup jira.domainname to see if it is being resolved correctly.
I really hope this will help someone at some point and if there are any additional questions, please feel free to comment this or write me directly!
If we have something like this url:
https://www.example.com/Some/Page/index.html?id=15
I know that example.com will be sent as plain text, but /Some/Page/index.html?id=15 is sending securely.
Now, my question is, if we have something like this:
https://somesubdomain.example.com/Some/Page/index.html?id=15
May attackers know that I'm visiting somesubdomain.example.com? or they just can know I'm visiting example.com?
In other words, is subdomain part of url sending securely?
If the client is using Server Name Indication (most modern web browsers/platforms do), the host name (not the rest of the URL) will be visible in clear in the handshake in the server name indication extension, so both www.example.com and somesubdomain.example.com will be visible.
If the client isn't using SNI, an eavesdropper would still see the server certificates and the target IP address(es). Some certificates can be valid for multiple host names, so there may be some ambiguity, but this should give a fairly strong clue to the eavesdropper.
In addition, the same eavesdropper might be in a position to see the DNS requests (unless you've configured the hosts explicitly in your hosts file perhaps).
In general, you shouldn't assume that the host name you're trying to contact is going to be hidden. Whether it's a subdomain isn't relevant, it's the full host name as it's requested by the client that matters.
When using https all traffic between http client and server is encrypted. That does not mean it is safe, but it is encrypted according to what you refer here. Something a network sniffer can see is the ip address you communicate with. That is regardless of what network name had been resolved to that address.
Simply try yourself and use a network sniffer. I recommend wireshark.
I have installed Plastic SCM server in one of my PCs at home (Windows 7 - Home Prem). The server is accessible from the clients residing inside my home network. It is resolved using the home network PC name as the server address / visible name.
However, I would like to be able to have access to the server from outside the home network. Ideally, I would like to use the IP that has been assigned to the PC, by the ISP, where the server resides. I can deal with the intermittent IP address changes. The PC is just a regular, personal use PC (i.e. not configured as a server).
A couple of questions: Is this possible to access Plastic SCM server from outside the home network using the IP address that the ISP assigns to the PC where PSCM-Server resides?
Second, the server config tool automatically displays as the visible name of the PC, the name assigned in the home network. It does not allow me to enter an IP address. If the answer to the first question is yes, how can I enter the desired IP address?
Are there any configurations that must be in place on Windows 7 (Home Premium), perhaps?
Any suggestions would be appreciated.
Plastic SCM servers listens in two ports: a SSL one and an plain TCP one. I'd strongly recommend you to set up an SSL connection if you're going to open up the port on the internet.
http://codicesoftware.blogspot.com/2010/08/ssl-enabled-plastic-connections-reborn.html
In order to configure your PC:
As you pointed you'll need to redirect the traffic from your router to your PC
The "redirection" must go from a public port to the Plastic SCM port (the TCP or the SSL ones)
Your PC should have the firewall configured to allow incoming traffic to the Plastic SCM port
Regarding your question about "the server configuration": no, it just shows you the name, you can't set the IP since it simply takes the IP/name from your server. It wouldn't work otherwise, unless you mean you've a multi-IP machine. Is that the case? Do you have more than one network card in your PC? If that's the case, there's a way to specify where to listen, but let's confirm first your scenario.
I'm making the assumption that you are using Plastic 4.x (I don't know how similar the 3.x version is to this)
The answer to your first question is YES. I frequently connect to my home plastic server from my work machine to view or grab projects/tools that I need.
Your second question is not technically accurate - what you need is the CLIENT tool to access your server IP address - and that IS possible.
To answer your final question - how to do it: start the Client Configuration tool on this "external" PC.
On the third page of the CLIENT configuration tool, it asks for the Plasti SCM server selection - it gives you an entry for the server address, and an entry for the port.
You most likely have set up the username/password access type on the server, but you could also have used Local users - be sure to select the appropriate log-in type you configured your server for on the final page.
Your only other consideration is the Firewall on Win7 (and as pointed out by Pablo, your router config to 'point' to your server machine on the desired ports (8087/8088) need to be forwarded) must allow those ports to be accessed. (I believe 3.x used different ports)
Since it is possible to link different domain names to the same webserver, is it possible to detect which address [can be the ip address] a client entered to access a website, so it is possible to implement conditions depending on this value?
I'm maybe totally wrong about the multiple domain names. I don't know a lot about dns and domains.
You can see it in the HTTP Host: header. For example, if you're running a PHP script, you can see it in $_SERVER['HTTP_HOST'].
I have built several applications in delphi using the indy components suite(version 10.5.2 i think) and they all are working. I have just finished setting up the POP3server and it works locally. I can see mail sent locally on there. I have been using "localhost" as my hostname. However, i want to graduate to a higher level of function. I want to be able to receive email from the internet such from msn, gmail, yahoo ... The problem is I don't know how to do this. What address should I be using inorder to do this? So far "myhouse#localhost" has been working but only internally; can't seem to get external mail in there. Is it possible to receive mail like this? Thanks.
You need to register a domain, and then setup its DNS records (in particular, its MX records) to point to your server machine. That way, when an email is destined for any "#yourdomain" address by any sending service, it will be routed to your server machine (which needs to run an SMTP server to receive emails - POP3 is for downloading emails from your mailbox, not for putting emails into it). If your server does not have a static IP, then you need to use a service like DynDNS to mange the DNS records for you so they can account for your dynamic IP whenever it changes.
"The Internet" doesn't use POP3 to send and receive email, it uses SMTP. Here's how email "flows" from the sending computer to the receiving computer:
Server needs to send email to address: myhome#localhost. The first thing it does is isolate the server name, that's the part after "#". Next it uses DNS to lookup the SERVER IP for the computer that's supposed to receive email for the given domain. DNS contains a special record for this purpose, it's called the "MX" record. You can use command line tools like dig on Linux or nslookup on Windows to find this address, or you can use an online tool like the one found at http://www.mxtoolbox.com/ (google found this site, I assume there are many others!).
If you try to locate the MX record for your "localhost" domain you'll obviously discover it's not possible, because it's not a fully-qualified name. You first need to get yourself an domain name, so you can register a MX record!
Things you need in order to RECEIVE email
Need an "real" IP address. Servers outside your local network need to contact your server, and they obviously need a way to do it. Make sure no routers along the way block SMTP ports.
You need to register an domain name, add a MX record and point it to your "real" IP address.
Need to run SMTP server software on your box. You can use Indy components to write one.
Things you need in order to SEND email
Theoretically sending email with SMTP is the easy part. You just contact the responsible server using SMTP and send email, that's the way the protocol works: any computer in the world may send email to any SMTP server.
Practically sending email is the most difficult thing you'd have to do, mostly because foreign SMTP servers don't trust you (ever heard of SPAM?). Here are some of the things you might need to do so foreign SMTP servers accept email from you. There's no definitive list because the protocol itself doesn't include a clear authentication mechanism, so every big SMTP server out there uses it's own heuristics to decide rather to accept email from you or not. You'll find yahoo especially fun!
You need to have REVERSE DNS for the IP you're using to send email.
You need to send from one of the SMTP servers listed in DNS as your MX servers.
Your DNS records need to have long TTL (this rules out Dynamic DNS services)
Many other things...
What people usually do?
eMail is hard, there's a surprisingly small number of full SMTP servers available for your own server: Exchange, Notes, Postfix, QMail, Sendmail. They're all notoriously difficult to configure. Most people would use hosted mail services, some people would use the SMTP services provided by the ISP, and very few would install one of the mentioned services.
If you really want to write your own SMTP server go ahead, but you might want to install one of the ready-made ones before, to get a bit of eMail and DNS experience. The Linux ones are cheap to install and may also help with development (you don't want to send too much bad email to your free yahoo address, you might get blacklisted!)
POP3 is a protocol to read email from a mailbox. The TidPOP3Server component implements a POP3 server (and AFAIK it has no host property to set...), while TidPOP3 implements a POP3 client. To read mail from GMail or any POP3 server you need a TidPOP3 component. The hostname to set is the DNS name the service instructs you to use (i.e. pop3.mydomain.com).