Craft CMS 3 Remote DB SSL connection - craftcms

I have added this to the db.php file, and am now trying to get Craft set up over /admin/install. However, the database screen still reports that unsecured transport connections are not allowed. What's the gripe?
'attributes' => [
    PDO::MYSQL_ATTR_SSL_KEY  => '/config/ssl/key.pem',
    PDO::MYSQL_ATTR_SSL_CERT => '/config/ssl/cert.pem',
    PDO::MYSQL_ATTR_SSL_CA   => '/config/ssl/ca.pem',
],

An array of key => value pairs of PDO attributes to pass into the PDO constructor.
For example, when using the MySQL PDO driver (https://secure.php.net/manual/en/ref.pdo-mysql.php),
if you wanted to enable an SSL database connection (assuming SSL is enabled in MySQL,
see https://dev.mysql.com/doc/refman/5.5/en/using-secure-connections.html, and 'user'
can connect via SSL), you'd set these:
[
    PDO::MYSQL_ATTR_SSL_KEY  => '/path/to/my/client-key.pem',
    PDO::MYSQL_ATTR_SSL_CERT => '/path/to/my/client-cert.pem',
    PDO::MYSQL_ATTR_SSL_CA   => '/path/to/my/ca-cert.pem',
],
See the list of available settings in vendor/craftcms/cms/src/config/DbConfig.php.

Related

StreamedResponse not working in Lumen on other server

I am using Lumen for a set of APIs.
I am using the StreamedResponse built-in library of Symfony.
use Symfony\Component\HttpFoundation\StreamedResponse;

// Headers for a CSV download; the charset belongs inside the Content-Type value.
protected function getFileResponseHeaders($filename)
{
    return [
        'Cache-Control'       => 'must-revalidate, post-check=0, pre-check=0',
        'Content-Type'        => 'text/csv; charset=utf-8',
        'Content-Disposition' => 'attachment; filename=' . $filename,
        'Expires'             => '0',
        'Pragma'              => 'public',
    ];
}

// $callback writes the body in chunks; StreamedResponse flushes as it goes.
protected function streamFile($callback, $headers)
{
    $response = new StreamedResponse($callback, 200, $headers);
    $response->send();
}
I am using this approach in a scenario where I want to stream data on the command line in chunks of 2000. I have a bulk of data, up to 7 million rows, to stream.
This whole thing is working completely fine on a server with the following specs.
php 7.3.27
centos fedora 7
apache 2.4.41
mysql8
But I have other servers where this stream only lists the first batch. The specs of the other servers are identical, as follows:
php 7.4
centos 8
apache 2.4.47
mysql8
I want guidance on running this stream on all the servers. I have compared php.ini and every other thing that I can think of.
Thanks in advance.
PHP ZTS was missing from all the servers except the one where the streamed response was working.
Adding php zts on the server fixed the problem for me finally.

Problem with using Rails / ADFS integration gem omniauth-wsfed

I have been trying to set up my Ruby on Rails app to be remotely accessed by a partner of mine who uses ADFS 2.0 for providing SSO. I have been using the omniauth-wsfed gem but failed.
I have set up omniauth.rb as below:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :wsfed,
    :issuer_name          => "http://fs.sib.com.br/adfs/services/trust",
    :issuer               => "https://fs.sib.com.br/adfs/ls/",
    :realm                => "https://qa.wit.com",
    :reply                => "https://qa.wit.com/students/auth/wsfed/callback",
    :saml_version         => "2.0",
    :id_claim             => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    :idp_cert_fingerprint => "--94061be1aba531da005d5f22bf6796b7cd69b3---"
end
Error log is:
ERROR -- omniauth: (wsfed) Authentication failure! invalid_authn_token: OmniAuth::Strategies::WSFed::ValidationError, AuthN token (wresult) missing in callback.
Does anybody suspect what is wrong?
I am assuming you have configured your omniauth.rb properly where:
Issuer Name: This should be in the format of the ADFS server domain followed by /adfs/services/trust
Issuer: This is where your login requests will be sent, normally it will be the path /adfs/ls on the ADFS server.
Realm: This should match the domain that you provide in your federation metadata document
Reply: This is where you want the response from ADFS to be returned to in your application. This is normally the path /auth/wsfed/callback when using Omniauth.
SAML Version: The version of SAML tokens. Defaults to 2
ID Claim: This is the name of the claim field that ADFS will return that should be used as the unique identifier.
IDP Cert Fingerprint: Your Windows Administrator should be able to tell you this, but if not a way to find it is to put in any string, do a test login to ADFS — this will fail when doing the callback as the certificate doesn’t match, however if you inspect the response in the Chrome Web Inspector you will be able to see the X509 Certificate in the response. You can then use OpenSSL tools, or this online tool to get the fingerprint of the certificate.
Also, set up callback routes like below:
match '/auth/:provider/callback' => 'sessions#create', via: [:get, :post]
match '/auth/failure' => 'sessions#failure', via: [:get]
The **controller#action** can differ depending on how your application is structured.
You can handle the callback in the same way you would any Omniauth provider.
def create
  auth = request.env["omniauth.auth"]
  auth.uid # Gets the UID value of the user that has just signed in
  # Create a session, redirect etc.
end
You can refer to the links below for further reference.
https://blog.craig.io/using-microsoft-adfs-with-ruby-on-rails-and-omniauth-a26237c64f8d
https://github.com/kbeckman/omniauth-wsfed
Hope it helps.
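To complement the fingerprint step in the answer above, here is an added example (not part of the original post or of the omniauth-wsfed gem) that computes the SHA-1 fingerprint of an X.509 certificate in the colon-separated form used for `idp_cert_fingerprint` and compares it against a configured value. The helper names and the self-signed certificate are constructed for this example; a SHA-1 fingerprint is always 20 bytes, i.e. 40 hex digits.

```ruby
require 'openssl'

# SHA-1 over the DER encoding, written as colon-separated upper-case hex,
# which is the form usually pasted into omniauth.rb. (Hypothetical helper.)
def fingerprint_of(cert)
  OpenSSL::Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Compare a configured fingerprint with the certificate actually presented.
# Colons, dashes and case are ignored, but the value must still be exactly
# 40 hex digits so a truncated or padded fingerprint never "matches".
def fingerprint_matches?(cert, configured)
  expected = configured.to_s.gsub(/[^0-9a-fA-F]/, '').downcase
  actual   = fingerprint_of(cert).delete(':').downcase
  expected.length == 40 && expected == actual
end

# Throw-away self-signed certificate standing in for the ADFS token-signing
# certificate (constructed sample data, not a real IdP certificate).
def build_sample_cert(subject)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

if __FILE__ == $PROGRAM_NAME
  adfs_cert = build_sample_cert('/CN=ADFS Signing - fs.example.test')
  other     = build_sample_cert('/CN=Some other certificate')
  configured = fingerprint_of(adfs_cert)
  puts "fingerprint:   #{configured}"
  puts "matches own:   #{fingerprint_matches?(adfs_cert, configured)}"
  puts "matches other: #{fingerprint_matches?(other, configured)}"
end
```

The same helper works on a certificate loaded with `OpenSSL::X509::Certificate.new(File.read(path))`, so you can check a value copied from the federation metadata before putting it into omniauth.rb.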

Metasploit: send_request_cgi returns nil for HTTPS connections

I am currently trying to write an auxiliary module for Metasploit. The module basically tries multiple default credentials to get access to the router's management page. The authentication is done via web, i.e. HTTP POST.
Currently, the module works as expected for plain HTTP connections, i.e. unsecured connections, however every connection attempt via HTTPS (port 443), returns nil. Below is the function used within the Metasploit class to retrieve the login page:
def get_login_page(ip)
  begin
    response = send_request_cgi(
      'uri'    => '/',
      'method' => 'GET'
    )
    # Some models of ZyXEL ZyWALL return a 200 OK response
    # and use javascript to redirect to the rpAuth.html page.
    if response && response.body =~ /changeURL\('rpAuth.html'\)/
      vprint_status "#{ip} - Redirecting to rpAuth.html page..."
      response = send_request_cgi(
        'uri'    => '/rpAuth.html',
        'method' => 'GET'
      )
    end
  rescue ::Rex::ConnectionError
    vprint_error "#{ip} - Failed to connect to Web management console."
  end
  return response
end
When trying to connect via HTTPS, the first send_request_cgi call returns nil. No exceptions are caught or thrown. I have tried with 3 different hosts to make sure the issue was not with a specific endpoint. All 3 attempts failed to return a response. At every attempt, I set the RPORT option to 443:
RHOSTS 0.0.0.0 yes The target address range or CIDR identifier
RPORT 443 yes The target port
Note that I have replaced the real IP with 0.0.0.0. Using a web browser, I can actually connect to the router via HTTPS with no issue (other than having to add an exception since the certificate is untrusted) and am presented the login page. With Wireshark, I tried to look at the generated traffic. I can clearly see that nothing is sent by the router. I notice the 3-way handshake being completed and the HTTP GET request being made:
GET / HTTP/1.1
Host: 0.0.0.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
There are 3-4 ACK after and then a FIN/PUSH sent by the server.
Based on this page on Metasploit's GitHub, I was under the impression that connections to HTTPS websites were handled by the underlying framework. I have not seen any articles, tutorials or sources that lead me to believe otherwise. The doc about send_request_cgi does not specify any specific requirement to establish an HTTPS connection. Other posts did not have the exact same issue I'm having. At this point I suspect either the OS, the framework, or me forgetting to enable something. Other modules I have looked at either only target HTTP websites, which I doubt, or do not have any special handling for HTTPS connections.
Any help determining the cause would be greatly appreciated.
Version of Metasploit:
Framework: 4.9.3-2014060501
Console : 4.9.3-2014060501.15168
Version of OS:
SMP Debian 3.14.5-1kali1 (2014-06-07)
As per this post on SecurityStreet, the solution was to set SSL to true in the DefaultOptions in the initialize function:
def initialize
  super(
    ...
    'DefaultOptions' =>
      {
        ...
        'SSL' => true
      }
  )
  ...
end
Connections to routers using HTTPS worked afterwards.

geocoder not working (possibly due to network proxy? )

I am a beginner in Rails. I got to know the exciting geocoder feature from Railscasts
[ http://railscasts.com/episodes/273-geocoder ]
But the same source code, also downloaded from there, is not working behind a proxy, as it doesn't populate any longitudes or latitudes.
How do I deal with the proxy server of my workspace network?
From another machine with a direct internet connection, things work fine.
geocoder has HTTP proxy support, but it's not obvious from the documentation where to configure it.
You can find it when looking at the initializer that should get created by your rails generate call: https://github.com/alexreisner/geocoder/blob/master/lib/generators/geocoder/config/templates/initializer.rb
Geocoder.configure(
  [...]
  # :http_proxy  => nil, # HTTP proxy server (user:pass@host:port)
  # :https_proxy => nil, # HTTPS proxy server (user:pass@host:port)
)

How to configure route for oauth callback

I'm using the gem OAuth2 to communicate with Google services. I don't understand how to implement a callback, which receives the response with the OAuth code to get an access token. When I set a breakpoint in the callback method, it never seems to get called.
Here is my code:
Routes:
match '/oauth2/callback' => 'reports#callback'
Actual redirected url:
http://localhost/oauth2/callback?code=111111
ReportsController:
def new
  client = OAuth2::Client.new(ENV['GA_CLIENT_ID'], ENV['GA_SECRET_KEY'], {
    :authorize_url => 'https://accounts.google.com/o/oauth2/auth',
    :token_url     => 'https://accounts.google.com/o/oauth2/token'
  })
  redirect_to client.auth_code.authorize_url({
    :scope        => 'https://www.googleapis.com/auth/analytics.readonly',
    :redirect_uri => 'http://localhost/oauth2/callback',
    :access_type  => 'offline'
  })
end

def callback
  oauth_code = params[:code]
  # Create access token with oauth_code
end
The Google server is trying to access this URL, http://localhost/oauth2/callback?code=111111, which is not valid.
You need a domain name to use a service like OAuth, because the Google server must be able to find your computer over the internet.
To be able to do this from your development machine you should:
Set a name on a known DNS server: The easiest way to do this is through a Dynamic DNS server like dyndns or no-ip
If you are behind a router using NAT, you might need to redirect the requests to your modem on port 80 to your computer: If you don't do this, your modem will receive a package on port 80 from google and will say "not for me", discarding it. You can do this in your modem menu - look for port forwarding or NAT section on it.
The redirect_url passed to Google must match exactly the callback URL as seen from the client's browser. There is no problem using localhost in the URL (fotanus's sentence about DNS and NAT is wrong). If you are running your container on a different port (e.g. 8080) you have to:
Specify the url in google cloud: http://localhost:8080/oauth2/callback
Specify that same return url in the client request.
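The exact-match rule from the answer above, as an added example (not part of the original post or of the oauth2 gem): it compares a registered callback with the URL a request actually arrived on, component by component, ignoring only the query string that Google appends (`?code=...`), and reports which components differ, which is the quickest way to spot the port mismatch described. Helper names and sample URLs are constructed for this example.

```ruby
require 'uri'

# An empty path and "/" are the same resource; everything else must be identical.
def normalize_path(path)
  path.to_s.empty? ? '/' : path
end

# Return the components (scheme, host, port, path) on which the registered
# redirect_uri and the requested URL disagree. URI.parse fills in the default
# port (80 for http, 443 for https), so "http://localhost/x" vs
# "http://localhost:8080/x" shows up as a :port mismatch. (Hypothetical helper.)
def redirect_uri_mismatches(registered, requested)
  reg = URI.parse(registered)
  req = URI.parse(requested)
  checks = {
    scheme: [reg.scheme.to_s.downcase, req.scheme.to_s.downcase],
    host:   [reg.host.to_s.downcase,   req.host.to_s.downcase],
    port:   [reg.port, req.port],
    path:   [normalize_path(reg.path), normalize_path(req.path)]
  }
  checks.reject { |_name, (expected, actual)| expected == actual }.keys
end

# True only when every component matches; a path such as
# "/oauth2/callback/../admin" is a different path and is rejected as well.
def redirect_uri_matches?(registered, requested)
  redirect_uri_mismatches(registered, requested).empty?
end

if __FILE__ == $PROGRAM_NAME
  registered = 'http://localhost/oauth2/callback'
  [
    'http://localhost/oauth2/callback?code=111111',
    'http://localhost:8080/oauth2/callback?code=111111',
    'https://localhost/oauth2/callback?code=111111',
    'http://localhost/oauth2/callback/../admin'
  ].each do |requested|
    diff = redirect_uri_mismatches(registered, requested)
    puts "#{requested} -> #{diff.empty? ? 'match' : "mismatch on #{diff.join(', ')}"}"
  end
end
```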
