I am facing an issue with the Cloudflare Origin Certificate. I create the certificate (.pfx) using Cloudflare private key and pem. I have successfully configured this on IIS but when I am trying to configure this on SSRS (report Server) then it doesn't allow me to configure.
as per my observation, it is that Cloudflare is issuing a general Origin Certificate. It is not generated for a specific domain, but I am not sure.
Did anyone face the same issue earlier?
To solve this problem I've used CertifyWeb to create a free SSL using Let's encrypt.
Related
I purchased a domain from namecheap, and I'm gonna to use cloudflare to DNS my domain, but it says Error 521.
I created an free instance on Oracle.
Cloudflare suggest me to add their ips to oracle, but I have no idea where to add these ips.
We're from the Solutions Architecture team over at Oracle Cloud Infrastructure and wanted to give you a few pointers to help you out.
What this error indicates, is Cloudflare is having problems accessing your website. Most likely this is because you have not yet configured your website to be accessible from the internet. While we didn't write this, it appears the community has a set of instructions here on how to expose your site to the internet:
https://dev.to/yoursunny/how-to-host-a-website-in-oracle-cloud-free-tier-5hca
Here's another online class for doing the same with wordpress: https://www.udemy.com/course/wordpress-website-built-on-oracle-cloud-always-free-tier/
Once done, you'll want to test your website by IP address in a web browser to make sure you can at least load your web page.
What Cloudflare is suggesting is you should actually only open access to your website from the specific IP addresses of the Cloudflare network. This increases the security of your website by preventing people from bypassing Cloudflare if they know your site's IP address. To do so, instead of adding 0.0.0.0/0 as the allowed CIDR you add an individual entry for each CIDR listed here: https://www.cloudflare.com/ips/
For testing though, just use 0.0.0.0/0 until you have it working. Then you can change it.
Finally, don't forget to check host firewall rules (see iptables --list). Not having a entry for port 80/443 is a common error.
Let us know if it works for you.
I have a similar setup where cloudflare is fronting my app. However, in my case I am just using a public load balancer in OCI. Bought a domainname pointing to the public IP of load balancer. This way first I tested my site without the domain name and just hitting load balancer IP. If that works fine, then in the Cloudflare you just need to proxy the domain to the public IP of LoadBalancer.
I've found that if you connect to a Cloud SQL instance over SSL the CommonName provided in the server's certificate is my-project-123456:myinstance which renders the certificate un-validatable, as the client expects that the CN to be either the hostname or IP.
Every solution to this problem seems to amount to "just disable validation", which is not acceptable to me because:
Why has GCP decided to do everything else correctly, providing a CA cert and client certificates, only to drop the ball on identity validation? By disabling validation you're basically saying "I'm OK with being MITMed at some point".
What about projects where we can't play fast and loose with validation because of PIPA/HIPAA?
What about mySQL clients that don't support turning validation off? eg: All PHP 5.6 mysql libs using mysqlnd prior to the upcoming 5.6.16 release.
Is there any way to make SSL work correctly on Cloud SQL?
One of the reasons for not having the IP address of the instance in the common name of the server certificate is because these IPs can change. What is the IP address of instance A today can be the IP address of instance B tomorrow, because A was deleted, or A decided that it doesn't want the IP address anymore. So, the instance name was decided as being a more unique identification of the instance.
Also, the mysql client libraries by default have hostname verification disabled. http://dev.mysql.com/doc/refman/5.7/en/ssl-options.html
With regards to MITM attacks, it is not possible to MITM attack a Cloud SQL instance because the server certificate and the each of the client certificates are signed by unique self-signed CAs which are never used to sign more than one cert. The server only ever trusts certificates signed by one of these CAs. The reason for using unique CAs per client cert was because MySQL 5.5 did not support certificate revocation lists, and we also did not want to deal CRLs, but wanted to support deletion of client certs.
We will look into ways of supporting SSL for clients which cannot turn off hostname validation. But I cannot promise an ETA on this.
Cloud SQL Team.
I am attempting to use purely https with my compute engine. I have a network load balancer created that forwards to a pool with my instance in it. However, the pool has constantly failing health checks because it won't let me configure a health check that uses https.
I'm using apache to redirect 80 to 443. Does anyone know how to either create an https health check or have the http health check follow the redirect?
Thanks for any help.
--edit--
I finally came across some documentation at http://googlecloudplatform.blogspot.com/2015/07/Debugging-Health-Checks-in-Load-Balancing-on-Google-Compute-Engine.html.
Failure 5: Not answering directly with a 200 response code The web server may be configured to redirect to a page that returns an HTTP 200 response code. The health check will not follow the redirect; it expects the health check page to return a 200 directly.
This basic capability has been supported at every other hosting provider we've been on. Why can't this be done? What am I missing?
I spent the whole day trying to configure a purely https based load balancer in GCloud for a Kubernetes cluster with an ingress controller.
I finally got it working, so maybe I share my experience with people that struggle with the same configuration. If the health-check fails for the instances you will usually see the following accessing your websites URL.
Error: Server Error
The server encountered a temporary error and could not complete your request.
Please try again in 30 seconds.
1) Protocol: GCloud introduced new health checks which can be configured for HTTPS, SSLTCP, SSL, HTTP, HTTPS, or HTTP/2 probing. This can help the original problem to prevent a redirect from port 80 to port 443.
2) Path: The most common issue is a that the "/" path of your application will not return a 200 OK and thus let the health issue fail. This can be prevented by adding a path argument to your health check e.g. "/index".
3) Ingress HTTPS: This is relatively simple. Adding a secret or a pre-shared-cert to your ingress.yaml will automatically result in an HTTPS Load Balancer instead of HTTP. Further information to follow are here
Lastly, the guide from the docs for Setting up HTTP Load Balancing with Ingress .
However, even though the new HTTPS Health checks seem to work, they are still in the beta phase and bugs are reported in the issue tracker. The documentation for the gcloud-ingress-controller can be found here.
I have few ssrs 2008 reports.I have created group of users and gave all required permissions to that group.
Now when I am running those reports I am getting strange error.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
I don't know from where it came.
I got suggestion that its a issue related to Kerberos authentication. Please some one knows how to solve this let me know.
Or some one knows to solve this kerberos issue also tell me in steps if possible.
Thanks
Vik
Are your reports using pass-through integrated authentication, defined user integrated authentication, or sql user authentication? I suspect the first, in which case you're dealing with the difference between impersonation and delegation.
When connecting to a web server using integrated authentication, behind the scenes you are actually using NTLM or Kerberos. Both allow the process running your web server to act as you. NTLM's impersonation via security token prevents the server from connecting to yet another server as you (that is, to the DB server) and there acting as you again—this is the "double-hop" problem. Kerberos instead uses delegation, passing a ticket around that each server can check for validity and allow.
To get Kerberos working there are several requirements.
If you're connecting to the web server using a name other than its main DNS name (using as an alias) you have to register the alias as valid for the machine with SetSPN. You can have problems with the SPN (Service Principal Name) even without this. Check the SPN on your servers carefully to see if it matches what you expect.
The server you initially connect to must be "trusted for delegation" in your domain policy.
The user that your web server is running under must be "trusted for delegation" as well.
You can work around all this stuff by just making your reports have stored credentials of some sort rather than using pass-through authentication.
The difference between dev and test could be the IIS user, or the data source.
Now, I am assuming here that you're not using SharePoint and are just doing a normal SSRS web install. So if that is not correct please say so.
http://weblogs.java.net/blog/kalali/archive/2010/02/27/how-install-godaddy-certificate-your-glassfish-v3
i have followed this article .
successfully downloaded certificates from verisign .downloaded trial certificates.
now when i try to get using https:// it shows connection not found..
temporarily i have created 192.1.200.104 alias of certificate.
and my machine's ip is the same.
now what domain i should configure i have given www.xxx.com while retrieving certificate.
if i need to create www.xx.com in my local glassfish server then how to configure domain ?
Thankx.
now when i try to get using https:// it shows connection not found..
What URL did you use exactly? Did you try https://<server>:8181/ where <server> is the hostname of your server (if resolved properly)? If you followed the exact steps of the posted link, this should work.
now what domain i should configure i have given www.xxx.com while retrieving certificate.
The resolution of www.xxx.com into your machine IP should be done at the DNS level (you can add the name into your hosts file for testing though). To be honest, I'm not sure I understood the question, I'm just assuming you don't need "virtual hosting".