I want to limit REST API access only to authenticated users and specific IP addresses.
To make the authentication, I can do it in wp-config.php with:
remove_action('rest_api_init', 'create_initial_rest_routes', 99);
And IP restriction with:
<Directory "/opt/htdocs/www.xxx.yy/wp-json">
Require all denied
Require ip a.a.a.a
Require ip b.b.b.b
</Directory>
Will this limitation of the REST API make an issue with my WooCommerce shop with the Stripe payment plugin?
I am trying to send mail from a compute instance using Gmail's SMTP relay and I have enabled smtp-relay through my GSuite account and have also configured Postfix in my compute instance, and as per the mail.log file the mail has been delivered, but it is not appearing in my Gmail box. Could you please let me know what is being missed?
Here is the log for the same.
First, have a look at the Firewall rules overview, where in the section Always blocked traffic you can find that:
Google Cloud always blocks the traffic that is described in the following table. Your firewall rules cannot be used to allow any of this traffic:
So you should follow the documentation Choosing an email service to use:
To use a G Suite domain: Follow the instructions for SMTP relay service settings in the G Suite documentation. SMTP relaying through G Suite is only allowed through ports 465 or 587. Port 25 is not supported through G Suite.
and use ports 465 or 587 to connect to G Suite.
Also have a look at this guide SMTP relay: Route outgoing non-Gmail messages through Google:
In the Allowed senders section, select the users who are allowed to send messages through the SMTP relay service:
Only registered Apps users in my domain—The sender must be a registered user in one of your domains.
Only addresses in my domains—The sender doesn't have to be a recognized G Suite user, but must be in one of your registered domains. This can be useful when you have third-party or custom applications that need to send messages.
Any addresses (not recommended)—The sender address can be anything, even an address outside of your domain.
Important: The Any addresses option makes you more vulnerable to abuse, either through malware on your users' machines or by misconfiguration of your SMTP infrastructure. Therefore, we don't recommend this option.
and check who is allowed to send emails, then follow the next step:
In the Authentication section, check one or both boxes to set an authentication method:
Only accept mail from the specified IP addresses—The system only accepts mail sent from these IP addresses as coming from your domains.
Require SMTP Authentication—Enforces the use of SMTP authentication to identify the sending domain. Using this option requires your clients to connect via TLS.
and check whether you have whitelisted your instances.
In addition, this example could be useful to check your steps.
In case you still have an issue, check the possible alternatives, such as SendGrid:
This tutorial shows how to use SendGrid to send email from an app running on a Compute Engine instance. SendGrid is a third-party email service that offers Compute Engine users a free trial with 12,000 transactional emails free each month.
or Mailgun, or Mailjet. If they work for you, but you still need G Suite, you can contact G Suite Support. If they don't work for you either, you should check your Postfix configuration first.
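As an added illustration that is not part of the answer above, here is a Postfix main.cf fragment that matches the steps it describes (port 587 instead of the blocked port 25, TLS enforced, SMTP authentication for the relay). The relay hostname smtp-relay.gmail.com, the CA bundle path and the credential map path are assumptions for this example, not values from the page.

```ini
# Added example, not from the original answer. Hostname and paths are assumed.

# Blocked setting: Google Cloud always blocks egress on port 25, so mail
# queued for this relayhost sits in the Postfix queue and never leaves.
# relayhost = [smtp-relay.gmail.com]:25

# Corrected: relay through G Suite on port 587 (465 also works).
# Brackets suppress MX lookup so Postfix connects to this host directly.
relayhost = [smtp-relay.gmail.com]:587

# Mandatory TLS with certificate verification against the CA bundle.
# "encrypt" would only force TLS without checking who the relay is.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# SMTP AUTH, for the "Require SMTP Authentication" relay option.
# If you instead rely only on "Only accept mail from the specified IP
# addresses" (with the instance's external IP whitelisted in G Suite),
# the three smtp_sasl_* lines can be left out.
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
```

Write the credential file as one line `[smtp-relay.gmail.com]:587 user@yourdomain.example:password`, then run `postmap /etc/postfix/sasl_passwd` and `postfix reload`; the sender address must still be one the Allowed senders setting permits, or the relay accepts the message but does not deliver it.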
I have a Python application which has been deployed to OpenShift.
I am using an external REST service in my application. In order to use this service, the developers of the REST service have to whitelist my IP because a Firewall blocks unauthorized IP addresses.
How can I find the external IP of my application? How can I find it in OpenShift? I tried a few oc commands, but I am not sure if I have to get the IP of the pod or the service.
Out of the box, the traffic from internal cluster components will appear to external infrastructure as if it is coming from whichever OpenShift compute host their pods are currently scheduled on.
Information on internal cluster networking and how traffic traverses from a process running inside a pod to the external network can be found at SDN: Packet Flow.
In your case you could have the external application whitelist all of the IP addresses of the compute hosts that are expected to run your application pods.
Alternately, you could set up an EgressIP. This will cause all traffic originating from a specific OpenShift project to appear as if it is originating from a single IP address. You could then have your external application whitelist the EgressIP address.
Documentation for configuring EgressIP can be found in the official documentation under Enabling Static IPs for External Project Traffic.
What you are searching for is the external IP of the Service. A Service acts as a load balancer for your pods but by default it only has a cluster-wide IP address. If you need a URL to access it from the outside, you can create a Route. For your purpose where you need an actual external IP address, you can assign the Service an external IP manually. Information on how to do this can be found in the official OpenShift Docs.
We have multiple devices which access a microservice via Azure APIM. Each device has a wrapper, for example a Mobile wrapper which accesses the microservice. Now I want to do mutual certificate authentication in order to restrict the mobile wrapper from accessing the microservice directly via APIM. Hence we decided to install a client certificate at the mobile wrapper, which is hosted on Azure App Service, and a server certificate at Azure APIM to do authentication before connecting to the microservices. Similarly, we have multiple client certificates for the individual device wrappers like the WhatsApp bot, FB, etc., which will be interacting with APIM. My question is if this approach is feasible from an architecture perspective.
Sure, that would work; just make sure that you actually test for a client certificate in APIM policy (context.Request.ClientCertificates) and validate them somehow. You could compare the thumbprint to a predefined hardcoded value, or call .Validate on a certificate if all of them are issued by a limited number of CAs and the CA cert is uploaded into APIM.
I am facing the following problem.
I have to log in users in OpenShift using Keycloak, and then these users should be able to use the OpenShift API using a custom external Web GUI which I made.
When I log in, Keycloak returns a Keycloak JWT token. But my problem is that with this Keycloak JWT token I can't use the OpenShift API; for that I need an OpenShift token, which is a different token. I could get the OpenShift token using an HTTP request to -openshiftmaster-/oauth/authorize, but I don't want to do this because this second authentication would mean a second login screen for the user.
Is there a way, once logged in using Keycloak and in possession of a Keycloak JWT token, to get the OpenShift token without having to authenticate again against OpenShift with username and password?
You can set up Keycloak as an OpenID provider. Link 2. Link 3.
I'm using the API Gateway service to manage my Spring Boot resources. I want to point the gateway to my sub-domain. I tried adding it to an alias in Route 53 but it does not work. There's an option in the API Gateway console which asks for my domain and some credentials. I don't know if a sub-domain can work and what I should add to the certificate input. Probably it is asking for an SSL certificate and I am ready to purchase one, but before I do that, I want to be sure that it accepts sub-domains.
Yes, API Gateway supports subdomains. You can try with a self-signed certificate and see the options.
See the official documentation on using Custom Domain Names in API Gateway.