Pending loading font from use.fontawesome.com on my ISP - font-awesome

Fontawesome does not load on different sites on some provider's IP addresses.
https://use.fontawesome.com/releases/v5.1.0/css/all.css
Fontawesome stays in pending status for ~30-40 seconds, then fails.
But when I turn on the VPN on my laptop - the font loads fine.
I checked curl request:
~$ curl https://use.fontawesome.com/releases/v5.1.0/css/all.css
curl: (28) Failed to connect to use.fontawesome.com port 443 after 214967 ms: Timeout was reached
I checked trace to host:
traceroute to use.fontawesome.com (188.114.97.7), 30 hops max, 60 byte packets
1 _gateway (192.168.1.1) 1.728 ms 2.166 ms 2.370 ms
2 95.XXX.XXX.1 (95.XXX.XXX.1) 7.262 ms 7.851 ms 7.806 ms
3 10.10.10.10 (10.10.10.10) 7.127 ms 7.082 ms 7.036 ms
4 kyiv1-ae0-1025.ett.ua (80.93.125.17) 9.512 ms 9.896 ms 9.852 ms
5 fft0-kv2.ett.ua (80.93.127.210) 34.097 ms 34.408 ms 34.769 ms
6 * de-cix-frankfurt.as13335.net (80.81.194.180) 35.889 ms 36.128 ms
7 172.70.240.3 (172.70.240.3) 34.249 ms * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * 188.114.97.7 (188.114.97.7) 33.385 ms 33.338 ms
I already wrote to the support of the provider, Cloudflare, and Fontawesome. The provider does not understand what the problem is. Cloudflare doesn't respond, and Fontawesome replied that they don't provide free support to users.
I don't understand what the problem is; maybe it is in the CDN for the UA location or in some IP addresses that the provider issues.
Please help fix this problem. Thanks.

Related

How can I get Chrome to delegate credentials without opening asp.net apps in IE first?

I get the following error in the Chrome browser (if I have NOT opened the app in IE first): Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' and, depending on the code used to get the username, I might get this error: System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred
I've narrowed down the issue: Chrome gets to the impersonation level of "Impersonation" whereas IE gets to the impersonation level of "Delegation". I wrote a simple C# .NET 4.5.2 app (VS 2017) called browsercheck that queries SQL Server 2008 on one server (SERVER2) while the web app is installed on another server (SERVER1), to mirror our production setup.
In IIS 7 I have Windows Authentication and Impersonation enabled, AppPool is v4.0 Classic with identity=NetworkService however in troubleshooting I have changed the identity to LocalSystem and ApplicationPoolIdentity with no change. I've set Load User Profile to true. I have also verified with my NA that AD by default has assigned Delegation for SERVER1 and SERVER2 to Trust this computer for delegation to any service (Kerberos only).
I've visited Graham Clark's post here, which closely resembles mine except that his IIS AppPool is in Integrated Pipeline Mode whereas mine is Classic. His solution was to set Windows Authentication provider to "Negotiate:Kerberos, not NTLM" which I am not seeing where to set this in IIS7??? IIS sets this by default, doesn't it?
I understand what the double hop issue is but it seems to me that that cannot be the issue because the apps work fine when viewed with IE 11 browser. Some apps also work in Chrome after I've authenticated them in IE11 first.
The issue is I need Chrome to authenticate them first (or any other browser) without the need to open them in IE first since we will be moving away from IE soon.
IIS Log
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2019-05-14 15:58:17
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-05-14 15:58:17 10.100.10.00 GET /browsercheck - 80 - 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 401 2 5 72
2019-05-14 15:58:17 10.100.10.00 GET /browsercheck - 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 301 0 0 3
2019-05-14 15:58:20 10.100.10.00 GET /browsercheck/ - 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 200 0 0 2349
2019-05-14 15:58:20 10.100.10.0 GET /BrowserCheck/bundles/MsAjaxJs v=VA_FXLaB5PurewZl92JsrSUQcDrqhwBct539oVLEeiY1 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 404 0 2 2
2019-05-14 15:58:20 10.100.10.00 GET /BrowserCheck/bundles/WebFormsJs v=N8tymL9KraMLGAMFuPycfH3pXe6uUlRXdhtYv8A_jUU1 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 404 0 2 2
2019-05-14 15:58:22 10.100.10.00 POST /browsercheck/ - 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 200 0 0 108
2019-05-14 15:58:22 10.100.10.0 GET /BrowserCheck/bundles/MsAjaxJs v=VA_FXLaB5PurewZl92JsrSUQcDrqhwBct539oVLEeiY1 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 404 0 2 2
2019-05-14 15:58:22 10.100.10.00 GET /BrowserCheck/bundles/WebFormsJs v=N8tymL9KraMLGAMFuPycfH3pXe6uUlRXdhtYv8A_jUU1 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 404 0 2 2
2019-05-14 15:58:37 10.100.10.00 GET /browsercheck/ - 80 - 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.131+Safari/537.36 401 2 5 0
2019-05-14 15:58:37 10.100.10.00 GET /browsercheck/ - 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.131+Safari/537.36 500 0 0 76
2019-05-14 15:58:37 10.100.10.00 GET /favicon.ico - 80 - 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.131+Safari/537.36 401 2 5 98
2019-05-14 15:58:37 10.100.10.00 GET /favicon.ico - 80 ABC\user1 00.000.00.00 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.131+Safari/537.36 404 0 2 3
First, do not forget to register Service Principal Names (SPN) for your AppPool account:
setspn -s HTTP/<servername>:<port> <domain>\<apppool_accountname>
setspn -s HTTP/<FQDN.servername>:<port> <domain>\<apppool_accountname>
E.g.
setspn -s HTTP/app-server:5555 org\apppoolserviceaccount
setspn -s HTTP/app-server.orgname.com:5555 org\apppoolserviceaccount
Then set useAppPoolCredentials to True in your web app settings:
And finally, add your <apppool_accountname> to the "Impersonate a client after authentication" policy in Local Policies on the server:
His solution was to set Windows Authentication provider to "Negotiate:Kerberos, not NTLM" which I am not seeing where to set this in IIS7???
To add this provider select Windows Authentication and choose Providers... at the right:
Leave only one provider - "Negotiate:Kerberos".
The most important part - add your web-app server to the allowed list on your client machine with Google Chrome. Reg file for example:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
"AuthNegotiateDelegateAllowlist"="<server-name>,<server-name.FQDN>"
"AuthServerAllowlist"="<server-name>,<server-name.FQDN>"
"AuthSchemes"="basic,digest,negotiate"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"AuthNegotiateDelegateAllowlist"="<server-name>,<server-name.FQDN>"
"AuthServerAllowlist"="<server-name>,<server-name.FQDN>"
"AuthSchemes"="basic,digest,negotiate"
Check them after under chrome://policy.
Read more about these policies:
AuthNegotiateDelegateAllowlist
AuthServerAllowlist
AuthSchemes
I also highly recommend this Kerberos FAQ: IIS (Internet Information Services) and Kerberos FAQ
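
Reading the IIS log from the question before changing any of the settings above, as an added example (not code from the question or the answer): it parses W3C lines using the #Fields directive and lists browsers whose requests carry a cs-username yet end in a 5xx, i.e. Windows authentication at IIS succeeded and the failure happened afterwards. The sample lines, the EXAMPLE\user1 account and all function names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample, modelled on the IIS log in the question (addresses,
# account name and user agents are made up and shortened).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-05-14 15:58:17 10.0.0.1 GET /browsercheck/ - 80 - 10.0.0.9 Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0;+rv:11.0)+like+Gecko 401 2 5 72
2019-05-14 15:58:20 10.0.0.1 GET /browsercheck/ - 80 EXAMPLE\user1 10.0.0.9 Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0;+rv:11.0)+like+Gecko 200 0 0 2349
2019-05-14 15:58:37 10.0.0.1 GET /browsercheck/ - 80 - 10.0.0.9 Mozilla/5.0+(Windows+NT+6.1)+Chrome/74.0.3729.131+Safari/537.36 401 2 5 0
2019-05-14 15:58:37 10.0.0.1 GET /browsercheck/ - 80 EXAMPLE\user1 10.0.0.9 Mozilla/5.0+(Windows+NT+6.1)+Chrome/74.0.3729.131+Safari/537.36 500 0 0 76
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def browser_family(user_agent):
    """Coarse split that is enough to tell IE 11 from Chrome in this log."""
    if "Trident/" in user_agent:
        return "IE"
    if "Chrome/" in user_agent:
        return "Chrome"
    return "other"


def triage(text):
    """Per browser: anonymous 401.2 challenges and status codes of authenticated requests."""
    result = defaultdict(lambda: {"challenges": 0, "authenticated": Counter()})
    for row in parse_w3c(text):
        entry = result[browser_family(row["cs(User-Agent)"])]
        if row["cs-username"] == "-":
            # No username logged: the request was answered before any credentials were accepted.
            if (row["sc-status"], row["sc-substatus"]) == ("401", "2"):
                entry["challenges"] += 1
        else:
            entry["authenticated"][row["sc-status"]] += 1
    return result


def authenticated_but_failing(text):
    """Browsers that passed IIS authentication (username logged) yet received a 5xx."""
    return sorted(
        name for name, entry in triage(text).items()
        if any(code.startswith("5") for code in entry["authenticated"])
    )


if __name__ == "__main__":
    print(authenticated_but_failing(SAMPLE_LOG))
```

A browser that shows up in this list is being challenged and authenticated like the working one, so the difference lies in what the server can do with the resulting identity, which is what the delegation settings above address.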

SUM authentication issue with saphostctrl – Authentication Required

We are trying to start the Software Update Manager (SUM) 1.0 SP20 PL4 on a NetWeaver 7.02 Sandbox with Red Hat Enterprise Linux 7 and DB2 (DB6).
We extracted the SUM package to /usr/sap//SUM and started the tool via command (with root):
./STARTUP confighostagent QHR &
or
./STARTUP &
When calling the URL http://localhost:1128/lmsl/sumabap/QHR/doc/sluigui the authentication box appears where we type in the sidadm credentials. When we confirm the credentials the box appears again after 1 second. No matter if the credentials are correct (sidadm with correct password) or not (any login with any password), the authentication box appears again (see attached screenshot).
This is what we already checked:
Restart of the SUM
Restart of SAP Host Agent
Installation of latest SAP Host Agent version
Restart of complete virtual machine
Tried Internet Explorer, Firefox, Chrome in normal mode and in private browsing mode
Re-download / re-extract of SUM to /usr/sap//SUM
Check of file authorizations of SUM
Notes we checked:
927637 - Web service authentication in sapstartsrv as of Release 7.00
1563660 - sapcontrol, user authorization issues (SUM)
2284028 - SUM SL Common UI : Troubleshooting problems with the new SUM UI
2426160 - DB6: Add. Info - Software Update Manager 1.0 SP20
We changed the saphostctrl tracelevel to 3 and found an error in the /usr/sap/hostctrl/work/sapstartsrv.log after trying to authenticate again:
[Thr 140134583793408] Authenticate check on cache failed
Tue Jul 11 17:21:34 2017
pam_authenticate_user -> service( sapstartsrv ) user ( qhradm )
*** ERROR => pam_authenticate ( qhradm ) failed : Authentication failure [usercheckux. 243]
[Thr 140134583793408] helper exit with return code 251
Tue Jul 11 17:21:34 2017
pam_authenticate_user -> service( login ) user ( qhradm )
Tue Jul 11 17:21:36 2017
*** ERROR => pam_authenticate ( qhradm ) failed : Authentication failure [usercheckux. 243]
[Thr 140134583793408] Tue Jul 11 17:21:36 2017
[Thr 140134583793408] helper exit with return code 251
[Thr 140134583793408] *** ERROR => soap_check_permission authentication: ( qhradm, ExecutOperation ) FAILED [DefaultOpera 163]
[Thr 140134583793408] Authenticate clear cache
[Thr 140134583793408] Unauthorized (user authentication required)
[Thr 140134583793408] *** ERROR => Authentication is required [HTTPProxyHan 258]
[Thr 140134583793408] HTTPResponse::SendError HTTP 401: 'Unauthorized: User authentication required' send as 'Unauthorized'
SAP note 927637 says the following:
[…]
If the user/password check fails, the system generates an "Invalid Credentials" SOAP exception.
[…]
Unfortunately there are no hints what to do with the above error message.
Do you have any idea what we can do to find/solve the problem?
regards,
Umar Abdullah

Google Cloud Identity Aware Proxy (App Engine) - Strange web browser behavior?

I am seeing some strange behavior using App Engine with Identity Aware Proxy in Chrome (Desktop & Mobile) / Firefox (Desktop & Mobile) / Safari (Desktop) / curl (Desktop)
I launched a static-file site on App Engine using these settings
app.yaml:
runtime: python27
api_version: 1
threadsafe: true
handlers:
- url: /(.*)
  static_files: index.html
  upload: index.html
  secure: always
index.html:
<html>
<body>
Hello World!
</body>
</html>
I then used the cloud console to enable the Identity Aware Proxy.
As expected, I was asked to sign in using the Google account needed to access the page. All good.
However, sometimes I can access the site from a browser without credentials, or even from curl, which I feel should definitely not be possible?
It takes a bunch of refreshes / retries, but once it is reproduced I can reliably get the index page without authentication using Chrome, Firefox, Opera, and curl.
Questions:
Am I doing something completely stupid? Is it expected behavior to sometimes be able to access the page even in incognito/private mode, or using curl?
I know there is a default 10 minute caching header on static files served by App Engine, how does that factor in?
How does curl get mixed up in all of this? AFAIK https can not be cached by anyone except the UA making the request (and internally on Google's end)? Is there a cache on my computer that all of these sources talk to that I am not aware of?
Is this a problem on my computer/phone (i.e. once the page is cached somehow all UAs on that device can see the page without authenticating)?
Is this a problem on Google's end?
For completeness, here's the output from curl -v
curl -v https://xxxxxxxxxxxx.appspot.com
* Rebuilt URL to: https://xxxxxxxxxxxx.appspot.com/
* Trying 172.217.22.180...
* TCP_NODELAY set
* Connected to xxxxxxxxxxxx.appspot.com (172.217.22.180) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=*.appspot.com
* start date: Mar 28 14:17:04 2018 GMT
* expire date: Jun 20 13:24:00 2018 GMT
* subjectAltName: host "xxxxxxxxxxxx.appspot.com" matched cert's "*.appspot.com"
* issuer: C=US; O=Google Trust Services; CN=Google Internet Authority G3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7ff81780a400)
> GET / HTTP/2
> Host: xxxxxxxxxxxx.appspot.com
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< date: Fri, 20 Apr 2018 17:43:10 GMT
< expires: Fri, 20 Apr 2018 17:53:10 GMT
< etag: "8wDEQg"
< x-cloud-trace-context: 8e9c1b6803383aac532d48d9f0ac5fc2
< content-type: text/html
< content-encoding: gzip
< server: Google Frontend
< cache-control: public, max-age=600
< content-length: 54
< age: 371
< alt-svc: hq=":443"; ma=2592000; quic=51303433; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="43,42,41,39,35"
<
* Connection #0 to host xxxxxxxxxxxx.appspot.com left intact
The output above SHOULD show a 302 redirect to IAP's login page, but as previously stated - it does not always do that!
TL;DR Why can I access App Engine static pages protected by IAP on my computer from contexts that should not be allowed access?
Thanks!
Ah, you've run into an interesting corner case! There's some documentation of this at https://cloud.google.com/iap/docs/concepts-best-practices -- TL;DR, App Engine does some caching for static_files that interacts poorly with IAP. That page has some instructions you can apply if you want to protect your static_files. --Matthew, Google IAP Engineering
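
The curl capture in the question already carries the signs of the caching interaction mentioned in the answer; the following added example (not code from the question, the answer or Google) reads them out of `curl -v` output. It assumes the request was sent without credentials, so a 200 with a shared-cacheable policy and a non-zero Age is treated as a cached copy served without a login; the sample capture, host name and function names are constructed.

```python
import re

# Constructed capture, modelled on the `curl -v` output in the question.
SAMPLE_CAPTURE = """\
> GET / HTTP/2
> Host: example.appspot.com
> User-Agent: curl/7.54.0
>
< HTTP/2 200
< date: Fri, 20 Apr 2018 17:43:10 GMT
< expires: Fri, 20 Apr 2018 17:53:10 GMT
< server: Google Frontend
< cache-control: public, max-age=600
< age: 371
<
"""


def parse_curl_response(verbose):
    """Return (status, headers) of the last response in `curl -v` output ('<' lines)."""
    status, headers = None, {}
    for line in verbose.splitlines():
        if not line.startswith("<"):
            continue
        body = line[1:].strip()
        match = re.match(r"HTTP/\S+\s+(\d{3})", body)
        if match:
            status, headers = int(match.group(1)), {}  # a new response starts here
        elif ":" in body:
            name, value = body.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def cache_directives(value):
    """Split a Cache-Control value into {directive: argument}."""
    directives = {}
    for part in value.split(","):
        key, _, arg = part.strip().partition("=")
        if key:
            directives[key.lower()] = arg.strip('"')
    return directives


def assess_unauthenticated(status, headers):
    """Assess the response to a request that carried no credentials."""
    cc = cache_directives(headers.get("cache-control", ""))
    age = int(headers["age"]) if headers.get("age", "").isdigit() else None
    max_age = int(cc["max-age"]) if cc.get("max-age", "").isdigit() else None
    shared = "public" in cc and "private" not in cc and "no-store" not in cc
    cached = age is not None and age > 0
    return {
        "content_without_login": status == 200,
        "shared_cacheable": shared,
        "served_from_cache": cached,
        # How much longer the cached copy stays fresh, when both values are known.
        "seconds_until_stale": max_age - age if cached and max_age is not None else None,
        "likely_cached_copy": status == 200 and shared and cached,
    }


if __name__ == "__main__":
    print(assess_unauthenticated(*parse_curl_response(SAMPLE_CAPTURE)))
```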

Unable to update "old" files via Drive API

I'm unable to update files via Drive API since server build:
Server HTTP Upload Server Built on May 15 2014 11:06:48 (1400177208)
Uploading new data to update an existing file always results in a HTTP error:
< HTTP/1.1 100 Continue
< HTTP/1.1 500 Internal Server Error
< Content-Type: application/json; charset=UTF-8
< Content-Length: 180
< Date: Mon, 19 May 2014 12:26:54 GMT
* Server HTTP Upload Server Built on May 15 2014 11:06:48 (1400177208) is not blacklisted
< Server: HTTP Upload Server Built on May 15 2014 11:06:48 (1400177208)
< Alternate-Protocol: 443:quic
* HTTP error before end of send, stop sending
Response: (500) Internal Error
But creating a new file via drive UI and upload (via update) the same data to the new drive file (I only change the file ID in my script) works.
So I don't think it's an error in my script, because:
Downloading works
Listing works
Uploading with new files works
Uploading to my old files worked well until May 15 2014 11:06:48, the new server build
FYI: I noticed that my old files served from docs.google.com/feeds/download/spreadsheets/Export... and new files www.googleapis.com/drive/v2/files/...
Update May 20, 2014: Drive UI shows "Add-ons" in the menu only for newly created spreadsheet files. In my old spreadsheets "Add-ons" are missing.

502 error nginx + ruby on rails application

Application details :
Rails 3.1.0
Ruby 1.9.2
unicorn 4.2.0
resque 1.20.0
nginx/1.0.14
redis 2.4.8
I am using the active_admin gem. All URLs return response 200,
but one URL gives a 502 error in production.
rake routes :
admin_links GET /admin/links(.:format) {:action=>"index", :controller=>"admin/links"}
And it's working locally (development).
localhost log : response code 200
Started GET "/admin/links" for 127.0.0.1 at 2013-02-12 11:05:21 +0530
Processing by Admin::LinksController#index as */*
Parameters: {"link"=>{}}
Geokit is using the domain: localhost
AdminUser Load (0.2ms) SELECT `admin_users`.* FROM `admin_users` WHERE `admin_users`.`id` = 3 LIMIT 1
(0.1ms) SELECT 1 FROM `links` LIMIT 1 OFFSET 0
(0.1ms) SELECT COUNT(*) FROM `links`
(0.2ms) SELECT COUNT(count_column) FROM (SELECT 1 AS count_column FROM `links` LIMIT 10 OFFSET 0) subquery_for_count
CACHE (0.0ms) SELECT COUNT(count_column) FROM (SELECT 1 AS count_column FROM `links` LIMIT 10 OFFSET 0) subquery_for_count
Link Load (0.6ms) SELECT `links`.* FROM `links` ORDER BY `links`.`id` desc LIMIT 10 OFFSET 0
Link Load (6677.2ms) SELECT `links`.* FROM `links`
Rendered /usr/local/rvm/gems/ruby-1.9.2-head/gems/activeadmin-0.4.2/app/views/active_admin/resource/index.html.arb (14919.0ms)
Completed 200 OK in 15663ms (Views: 8835.0ms | ActiveRecord: 6682.8ms | Solr: 0.0ms)
production log : 502 response
Started GET "/admin/links" for 103.9.12.66 at 2013-02-12 05:25:37 +0000
Processing by Admin::LinksController#index as */*
Parameters: {"link"=>{}}
NGinx error log
2013/02/12 07:36:16 [error] 32401#0: *1948 upstream prematurely closed connection while reading response header from upstream
I don't know what's happening; could somebody help me out?
You have a timeout problem.
Tackling it
HTTP/1.1 502 Bad Gateway
Indicates that nginx had a problem talking to its configured upstream.
http://en.wikipedia.org/wiki/List_of_HTTP_status_codes#502
2013/02/12 07:36:16 [error] 32401#0: *1948 upstream prematurely closed connection while reading response header from upstream
Nginx error log tells you Nginx was actually able to connect to the configured upstream but the process closed the connection before the answer was (fully) received.
Your development environment:
Completed 200 OK in 15663ms
Apparently you need around 15 seconds to generate the response on your development machine.
In contrast to proxy_connect_timeout, this timeout will catch a server
that puts you in its connection pool but does not respond to you with
anything beyond that. Be careful though not to set this too low, as
your proxy server might take a longer time to respond to requests on
purpose (e.g. when serving you a report page that takes some time to
compute). You are able though to have a different setting per
location, which enables you to have a higher proxy_read_timeout for
the report page's location.
http://wiki.nginx.org/HttpProxyModule#proxy_read_timeout
On the nginx side the proxy_read_timeout is at a default of 60 seconds, so that's safe.
I have no idea how Ruby (on Rails) works; check the error log - the timeout happens in that part of your stack.