i got a little odd situation to develop.
The MVC web system my team has to develop (or project is made with rails), will rely on login/password from another site.
The idea is, the user will have a log-in on the third part site, and somewhere relevant, will exist a link to our site. When the user click on that link, we need receive from the site, some data of the user.
We have no control of the third part server, or direct access to their database. Plus, making then make any change to their application/infrastructure is a BIGDEAL so i am searching for a solution with less impact for then. (Of course they will have do change something but will be a political issue, so the less, the better)
From our viem, we need to be sure that the user really come from the third part site (and only from there), and we not have received a fake message from an attacker.
Their site have an valid SSL certificate working. (no idea if my system will have one (it should))
Not sure if its relevant, but we think that their server is an oracle aplication server, who connect to a oracle server in their internal network.
I first thought in using just SSL, but i not sure how to do it (what i have to check, what i have to change?) and if is safe enought.
My second thought is to use PGP keys, and make then sing and cryptography the data before sending to us, and, the link yo our site, would make a post to a control on our server which would verify and de-crypt the data.
Anyone have any tips/pointers/thoughts that could help me?
If both servers are using SSL, and supposing the server give you at least a json or xml interface, should be ok to simply make a secure request (using, for example, rest-client) and evaluating the response in your server.
Most likely you will want to cache user data on login in your server, and if user/password aren't found, look in the other server - this will reduce the load.
I have had an issue with setting up my gerrit server. The machine has Ubuntu 12.04 LTS Server 64-bit installed on it. I am setting up git and gerrit as a way to manage source code and code review.
I require internal and external access to it. I setup a DNS that would work externally. However, during the initial setup, i left the canonicalWebUrl to its default value. It usually take's the machine's hostname (in this case it was vmserver).
The issue I was running into is exactly as explained here https://stackoverflow.com/questions/14702198/the-requested-url-openid-was-not-found-on-this-server, where after trying to sign in/register account with OPEN ID, it was saying url not found.
For some reason, it was changing the url in the address bar from the the DNS i setup to the CanonicalWebURL.
I tried to change the canonical web url in the gerrit.conf file found in etc of the gerrit site. After restarting the server, however, we were able to see the git project files present as they should be, but the account that was administrator seemed to no longer be registered and none of the projects were visible through gerrit.
I was wondering if there was a special procedure to changing the canonical web url in gerrit without disrupting access to a server?
any help or information on canonical urls would be much appreciated as i cannot find too much information on them.
edit:
looking deeper, i found some information that is way over my head regarding "submodules"
i do not understand if this is what i am looking for or not.
https://gerrit-review.googlesource.com/#/c/36190/
The canonical web url must be set, and it sounds like you have done that correctly.
I suspect the issue you are seeing is caused by changing the canonical web url - some OpenID providers (Google being the big one) will return a different user ID based on the URL of the request. This is a privacy thing and cannot be changed. So previous users will now show up as new users and won't be in their old groups (Administrators group in this case).
If you don't have many users, it might be easiest to migrate them by hand. You can modify the database to map the new user ID to the old user account.
I am creating a blogging-like application where we allow our customers to use their own custom domain names such as domainexample.com, so each different domain serves the same application but with different content.
However I am struggling to figure out how to set this up on a production server. If my production server has a static IP then I can surely just set an a-record on each domain to the ip of the production server.
But what if the production server does not have a static IP. For example if we want to host it on heroku or engineyard? I have seen a few solutions online that require using rewrite rules but they require server restarts and cant really dynamically add and remove new domains as new users sign up. Does anyone know any good solutions to let multiple domains hit one rails app?
Heroku isn't your only option. If you can anticipate your customer's domains, have a look at this. If you can't, Rails routes constraints and a combination of the accepted answer to the question linked above should get you where you need to be going. Sounds like you wouldn't want to restart your server--so no editing of the routes. You might also make domains part of your models, or distinguish at the controller level or use URL rewriting in your web-server layer.
The problem, as I see it, is that Rails breaks its mantra of opinion over configuration here. There are many ways of serving up from multiple domains. That might be an intrinsic complexity, but the Rails Guides could at least document one possible solution.
If your customers just CNAME to your domain or create the A record to your IP and you don't handle TLS termination for these custom domains, your app will not support HTTPS, and without it, your app won't work in modern browsers on these custom domains.
You need to set up a TLS termination reverse proxy in front of your webserver. This proxy can be run on a separate machine but you can run it on the same machine as the webserver.
CNAME vs A record
If your customers want to have your app on their subdomain, e.g. app.customer.com they can create a CNAME app.customer.com pointing to your proxy.
If they want to have your app on their root domain, e.g. customer.com then they'll have to create an A record on customer.com pointing to your proxy's IP. Make sure this IP doesn't change, ever!
How to handle TLS termination?
To make TLS termination work, you'll have to issue TLS certificates for these custom domains. You can use Let's Encrypt for that. Your proxy will see the Host header of the incoming request, e.g. app.customer1.com or customer2.com etc., and then it will decide which TLS certificate to use by checking the SNI.
The proxy can be set up to automatically issue and renew certificates for these custom domains. On the first request from a new custom domain, the proxy will see it doesn't have the appropriate certificate. It will ask Let's Encrypt for a new certificate. Let's Encrypt will first issue a challenge to see if you manage the domain, and since the customer already created a CNAME or A record pointing to your proxy, that tells Let's Encrypt you indeed manage the domain, and it will let you issue a certificate for it.
To issue and renew certificates automatically, I'd recommend using Caddyserver, greenlock.js, OpenResty (Nginx).
tl;dr on what happens here;
Caddyserver listens on 443 and 80, it receives requests, issues, and renews certificates automatically, proxies traffic to your backend.
How to handle it on my backend
Your proxy is terminating TLS and proxying requests to your backend. However, your backend doesn't know who is the original customer behind the request. This is why you need to tell your proxy to include additional headers in proxied requests to identify the customer. Just add X-Serve-For: app.customer.com or X-Serve-For: customer2.com or whatever the Host header is of the original request.
Now when you receive the proxied request on the backend, you can read this custom header and you know who is the customer behind the request. You can implement your logic based on that, show data belonging to this customer, etc.
More
Put a load balancer in front of your fleet of proxies for higher availability. You'll also have to use distributed storage for certificates and Let's Encrypt challenges. Use AWS ECS or EBS for automated recovery if something fails, otherwise, you may be waking up in the middle of the night restarting machines, or your proxy manually.
Alternatively, there have been a few services like this recently that allow you to add custom domains to your app without running the infrastructure yourself.
If you need more detail you can DM me on Twitter #dragocrnjac
We design and host websites for our clients/sales force. We have our own domain: http://www.firstheartland.com
Our agents fill out a series of forms on our website that are loaded into a database. The database then renders the website as a database driven website.
/repwebsites/repSite.cfm?link=&rep=rick.higgins
/repwebsites/repSite.cfm?link=&rep=troy.thompson
/repwebsites/repSite.cfm?link=&rep=david.kover
The database application reads which "rep" the site is for and the appropriate page to display from the query string. The page then outputs the content and the appropriate CSS to style the page and give it its own individual branding.
We have told the user to use Domain Name Forwarding to get the users to their spot on our server. However, everyone seems to be getting indexed under our domain instead of their own. We could in theory assign an new IP to them, the cost is not the issue.
The issue is how we would possibly accomplish this.
With all of that said, them being indexed under our domain would still be OK as long as they would actually show up high in the ranking for their search term.
For instance, an agent owns TroyLThompson.com. If I search Troy L Thompson, It does not show up in my search. Only, "troy thompson first heartland" works (they show up third)
Apart from scrapping the whole system, I don't know what to do. I'm very open to ideas.
I'm sure you can get this to work as most hosting companies will host hundreds of websites on a single server (i.e. multiple domains on one IP).
I think you need your clients to update the nameservers for their domains (i.e. DNS) to return the IP address of your hosting server. Then you need to configure your server to return the right website based on the domain that was originally requested.
That requires your "database driven website" to look in the HTTP request and check which domain was originally requested, then it can handle the request accordingly.
- If you are using Apache, see how to configure Apache to host multiple domains on one IP address.
- If you are using Microsoft IIS, maybe Host-Header Routing is what you need.
You will likely need code changes on your "database driven website" to cope with these changes.
I'm not sure that having a dedicated IP address per domain will help much, as then you have to find a way to host all those IP addresses from a single web server. However, if your web server architecture already supports a shared database and multiple servers, then that approach might work well for you, especially if you expect the load from some domains to be so heavy that you need a dedicated web server for them.
Google does not include URL in its index which return a 301 status code. The reason is pretty obvious on second thought, because the redirect tells Google "Whatever was here before has moved there, please update your references". One solution I can see is setting up Apache virtual hosts on your server for each external domain, and have each rep configure their domain's DNS A record to point to the IP address of your server.
I have an ASP.NET MVC application that I'm working on. I've been developing it on Windows Server 2003 with IIS6 and SQL 2008 Express, and everything was working great. I recently decided to try out the Windows 7 beta, so now I'm using IIS7, and have run into a problem with connectivity to my database that I can't seem to figure out.
I can run/debug the app just fine, but whenever I try to access a page that needs to access the database, I get the following error:
"Cannot open database "MyDatabaseName" requested by the login. The login failed.
Login failed for user 'IIS APPPOOL\MyApplicationName'."
I've obviously got some security configuration setup incorrectly, but I can't seem to find any good documentation on how to set it up correctly. I've tried giving NETWORK SERVICE permissions on the database, but that didn't seem to work. Anyone know what I need to do to give "IIS APPPOOL\MyApplicationName" permissions to this database? Am I missing something obvious?
Thanks...
If you are NOT using Active Directory, then ignore all of the other solutions mentioned here. The confusion stems from the new ApplicationPoolIdentity setting default in IIS 7.5+ (MS keeps changing the identity mechianisms)
Open SQL Management Studio, connect to your local machine as an admin.
Expand the Security branch.
Right click on Logins and select New Login
Into the Login Name field, type "IIS APPPOOL\MyApplicationName". Do NOT click the search button. The user profile dosn't actually exist on the local machine, it's dynamically created on demand.
While you're looking at it, don't forget to add the user to a database or a server role.
The error means the web application doesn't have access to your database. On Windows 7 / IIS 7, by default each application pool has its own user. It seems the idea is to improve security by restricting what that web application can do (in case it gets compromised and controlled from the outside). You can change what user the application pool is running under but that will defeat its own purpose. A better way seems to give the pool's user the needed permissions (and not a bit more).
On the SQL Management Studio connect to the server you want your web app to connect (tested with SQL server 2008). Go to
Security -> Log ins
right click, New Log in. In the form that comes up leave everything as default except username, where you have to type whatever username the web app is trying to use, in this case 'IIS APPPOOL\MyApplicationName'. Note that the search function of that dialog fails to find or check as valid that user, but nevertheless it works.
Still on the SQL Management Studio connected to the server go to
Databases -> *YOUR-DATABASE* -> Security -> Users
right click and New User. I'm not sure if the user name field there has any effect, I just set it the last part of the username, like MyApplicationName. Then I've set the login name to IIS APPPOOL\MyApplicationName. You can click on the ... button and use the check and search, this time it works. If you don't do the previous step, the user will not be present here. Then give it whatever permissions you want to this user, like db_datareader.
And that's it, you've given permission. If lack of permissions was your problem, then it should be solved (or at least, I've just solved it that way).
I have a total amount of 2hs of experience with IIS and about three weeks with SQL Server and less than two months with Microsoft technologies so take my advice with a grain of salt, I can be totally wrong. (If another person can confirm these are the right steps, feel free to remove the last warning).
Here is an article that explains why AppPoolIdentities are in use; basically, it's about enhanced security: http://learn.iis.net/page.aspx/624/application-pool-identities/
(That article claims I can use these virtual accounts just like any regular account but on my Windows Server 2008 that does not seem to be possible; adding e.g. IIS AppPool\DefaultAppPool just produces an error: "The following object is not from a domain listed in the Select Location dialog box, and is therefore not valid.")
Erick Falsken is right, however he is missing the User Mappings. So right click on the new
IIS APPPOOL/DefaultAppPool, click on Properties and then check boxes for:
1) databases master and yourdatabase
2) db_owner and public
This error usually means that the user that your site is running as (or more to the point the application pool), does not have permissions to use the DB. You can either check in IIS what user the pool is running under and give them permissions, or instead change your SQL connection string to not use trusted authentication and supply the credentials of a user that does have permission in the connection string.
Edit:
If you right click on the pool Identity section and go to properties, it should come up with a box that lets you either choose from 3 builtin system accounts, or specify your own account. Either give one of the builtin accounts permission for the DB, or use an account that has permission. Or leave it as is and change your connection string.
Well...changing the ApplicationPoolIdentity property and setting it to NETWORK SERVICE seems to have fixed my problems. Not sure if that's the "right" way to do things or not (as in, I'm not sure if that's the recommended way to do things in IIS7 or not), but it seems to at least be working and has gotten me past this hang-up for now. Thanks.
I'm familiar with the idea of giving permissions to the user that the application is running under...my problem is that in IIS7, the "user" seems to be virtual or something strange like that. Prior to me changing the "Identity" property of the Application Pool properties to NETWORK SERVICE, it was set to "ApplicationPoolIdentity", and the error I was getting was that "IIS APPPOOL\MyApplicationName" didn't have access to the database. When I attempted to add the "IIS APPPOOL\MyApplicationName" user to the database, it didn't appear to exist...not that I could find anyway.
So my ultimate problem is not understanding or being able to find any good documentation on how the IIS7 security model works. When I created the application, it seemed to create an AppPool with the same name just for this application. I don't know exactly what changes I need to make to give the application and/or the user it runs under privileges to the database, considering the fact that the user that the AppPool runs as doesn't appear to actually exist.
As I mentioned, changing the Identity of the AppPool to NETWORK SERVICE seems to have worked for now, but I'm trying to find out what the best practice is for this kind of thing under IIS7. Thanks.
leave the hard problems for someone else -
create a sql user and use SQL Auth. :D
If you follow Mr. Fernández' advice, you will get everything working. This is the new way of giving least privilege to a site.
So don't do the easy, less secure thing (NETWORK SERVICE). Do the right thing. Scroll up. ;)
Using Trusted Connection in Windows Authenticated Mode:
OS: windows 7 32 bit
IIS 7, Sql Server 2008 R2 Express
Connection String:
cn.open "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=test;Data Source=mycomputername\sqlexpress;" (if instance name is sqlexpress or whatever instance name you have used)
If you are not able to connect sql server using windows mode authenticated connection to sql server 2008.
NT AUTHORITY\IUSR Account might not have permission in sql server to authorize connection with database.
Connect Sql server using windows authentication mode.
Expand Security node.
Select NT AUTHORITY\IUSR (IF NOT THERE THEN ADD NEW LOG IN FOR THAT)
Click on "User Mapping" under Select a page at Log-in properties window.
Select the database that you are trying to connect.
Select following permissions from "Database role membership for:......"
1. db_datareader 'this allows to open connection
2. db_datawriter 'this allows to fetch data records from datatable
The first step is to verify which account your website is running under. Create a simple aspx page with:
<%# Page Language="C#" %>
<% Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name); %>
If you're using windows authentication the WindowsIdentity account will need to have a login in your SQL Server. Under Security -> Logins -> Login New you'll want to add whatever name that was displayed by WindowsIdentity and make sure Windows authentication is selected.
If you ever happen to move your database to a separate machine you'll have to create a domain account and use impersonation in your web.config. Google <identity impersonate="true"> for more info.
If you look in the description of the field it states that running under "Network Services" account is the recommended account to use. Not sure why in Win7 it defaults to the ApplicationPoolIdentity setting.
I have the exact same issue. I'm running Windows 7 RC. When I'm trying to usa a .mdf file (located in App_Data), there is now way to make that thing work. I did try to change the AppPool's identity for LocalSystem, but it simply won't work.
If I use a "standard" database, then it will work if I'm using LocalSystem, but it won't work with the famous 'IIS APPPOOL\DefaultAppPool'.
I find it a bit disturbing not to find any information on that matter, it seems that the 'IIS APPPOOL\DefaultAppPool' user is totally useless if you are using a database of any kind...
I have it running, but I'm also bit frustrated not to understand the security model, as stated by ryexley.
yes, the app pool identity method doesn't work like they say (not in IIS7 anyway) it's supposed to. I think there are hackers at MS who make this security convoluted on purpose so you take the path of least resistance and leave your system less secure (so they can hack into it later). - just kidding, but really, their security model is pure insanity, no straightforward (step by step) instructions anywhere on MSDN - nada, zip!
I faced same problem between (SQL2008 that is installed on standalone Win-server2003 server) and (IIS6 with ASP.NET3.5 that are installed on standalone Win-server2003 server).
Where, IIS tries to access SQL2008 using some user in the domain "domain\username".
I removed following option out of connectionstring, and every thing works fine now.
Integrated Security=True;
Open SQL Management Studio, connect to your local machine as an admin.
Expand the Security branch.
Right click on Logins and select New Login
Into the Login Name field, type "IIS APPPOOL\MyApplicationName". Do
NOT click the search button. The user profile dosn't actually exist
on the local machine, it's dynamically created on demand.
Select Database in User Mapping
Select sysadmin in Server Roles