I will host a static site (just a few pages actually) on Netlify, a cloud hosting provider. It would be my notes and may have sensitive code and API keys. I want it set up so that only I can access this site from internet and no one else. How can I block access to the static site for others?
Alternately, if I do the same with with Github Pages, is it possible to restrict access there?
You need an access control mechanism to protect your notes.
If you are running the web server doing the hosting, most web server programs (Apache and nginx are the two most popular) have built-in access control mechanisms, see link given by Carsten H or see Access Control with Apache or How to Set Up Password Authentication with Nginx (Digital Ocean guide).
If you are using Github Pages, it is possible to do access control, but a bit more tricky. You can create a Github OAuth application and ask people to authenticate using your Github OAuth app. The app will ask for their username, and check if that username matches a list of allowed Github users (probably just your Github username). If the usernames match, static content is served up, otherwise the user is redirected to a 403 forbidden page.
Also see the github-heroku-attack-rabbits project page for details of how to create the Flask app mentioned above (using flask-dance to authenticate users via your Github OAuth app). The Flask app can be hosted for free on Heroku.
Two more things to note regarding public/private repos:
If you are using Github Pages, the repository containing your notes will need to be private, otherwise the contents of your notes will be in a public repository (even if the Github Pages static page has an access control layer).
Just because a repo is private does NOT mean its Github Pages page is private. By default, a private repo's Github Pages page is accessible/readable by the public. It is up to you to put an access control mechanism in place to protect the page.
You can try the encryption route. Here, the name staticrypt really says everything (I have a demo here). It allows you to create a password for each page for your website. It used AES-256 encryption, so as far as I am concerned, a long password should suffice.
If you don't share the password, you will be the only one to view the webpage.
These are actually two questions and is good practice to ask them individually.
This is a frequently asked question and depends on your server, e.g. for Apache you can edit your .htaccess following this instructions
you need to create a private repository by checking the private repository option during the repository creation
Related
The Azure APIM developer portal (new one) has been edited and now some of the menues dont work.
Is it possible reset the content ?
I have tried the capture.bat (from another APIM instance) and generate.bat into the broken instance but it didnt appear to work - i even made changes to one of the jpg files in the scripts.v3/media directory but it didnt get changed in the portal when i ran generate.
I find the "run your own hosted developer portal" scenario confusing. I am unclear on:
where is the content held for the unpublished managed portal ?
where is the content held for the published managed portal ?
where is the content held for the unpublished "own hosted" portal ?
ie when running locally (npm start on the Github repo code)
where is the content held for the published "own hosted" portal ?
When developing on a self hosted scenario, ideally i think it would be benefitial to hold the content locally so that it could be placed in source control. Failing that, is it possible to customise such that the "run your own hosted developer portal" content is in an accessible location such as a blob in a container on the same storage account that the code is being published to? That way I could copy content from an unbroken APIM into a storage account and develop with that.
Is it possible reset the content ?
Yes. Have you actually tried the simplest solution?
Open developer portal in edit mode:
Click reset content
where is the content held for the unpublished managed portal ?
where is the content held for the published managed portal ?
Same place - in the APIM resources. When you edit developer portal and you save it,
other users won't see those changes until you click publish.
You can also use developer portal revisions, from REST API or directly from Azure Portal. This will give you an opportunity to go back to previous revisions. So if you are publishing manually, after you edit and save developer portal I recommend to go to the revisions tab in azure portal and publish it from there - this way you will have simple version control.
For managed version, important thing to understand is, "content" consists of:
content types and content items which are just json template files describing your pages on developer portal. Those can be accessed by REST API here and here (this is a parent child relation).
and your uploaded custom media (images, fonts etc.) that can be retrieved from APIM Blob Storage. To get SAS URL for APIM Blob Storage and connect to it, just call your APIM Management API with address POST /portalSettings/mediaContent/listSecrets/ - this URL is not documented but you can call it like any other endpoint.
And that's it. That's all you need - json file and media files. The rest is managed for you. And in fact that's what those scripts from github repository are doing. capture.bat for example is downloading all the media and json from developer portal and saves it to your local folder. So you can for example save it to source control or/and upload to another APIM developer portal instance.
When managed developer portal and online editor is not enough for you and you need more customization, like custom widgets etc., you can go with self hosted version. It gives you more freedom but the downside of course is you are responsible for its upgrades.
where is the content held for the unpublished "own hosted" portal ? ie
when running locally (npm start on the Github repo code)
When you run npm start it just runs locally like when you develop any other webpage. In this case it uses webpack-dev-server to host the page.
where is the content held for the published "own hosted" portal ?
Wherever you feel like it. That's the idea behind the self-hosted version. After you are happy with the changes you've made, just run npm run publish and files will appear in dist folder. Then you can upload them to the resource of your choice. This tutorial shows you how to enable hosting of static websites for your blob storage and host your developer portal there. Everything is explained, just follow the article carefully step by step (don't skip any step, every single one is important in order to successfully configure and deploy your self-hosted developer portal). Good luck.
I know this is the most basic of questions. I made my own website in HTML documents. I bought a domain name from google. How can I publish this, how can I host it? I don't want to use any website creator, I want to publish my own files that I worked on.
You can use Github to host your website on your own domain.
You have to add the whole files needed for the website. Then in the settings of your repo use the Github pages feature and enable it. Change the source of Github pages to host in your own domain. Then you have to add some A and CNAME records of your domain to point to github servers.
Here are the full steps for the process - https://www.geeksforgeeks.org/publish-websites-on-github-pages-with-a-custom-domain/
I am writing a command line application that produces an index.html with links to other generated HTML files, but also some links to filesystem subdirectories. Here is an example of such a link:
Invoices
The intention for sharing this content is for the user to zip up the directory tree and send it to other parties for review. However, some users might think to use ngrok, or use screen sharing, to share their web browser to allow other people to access their local system. With ngrok they would be running a web server and might be able to configure the web server to protect against this, but with screen sharing that would not be possible. (Consider the case where a user might leave their web browser open to the remote user and step away, not realizing that the remote user can now examine their entire filesystem.)
The problem is the "Parent Directory" links. Using those links, the others could navigate above the intended directory root and navigate their entire filesystem. Here is an image to illustrate:
The directories linked to can have arbitrary numbers and levels of subdirectories, so hard-coding links on custom pages would probably be prohibitively complicated.
There is no web server involved here; the files are displayed by just opening index.html in a web browser, so .htaccess is not a solution. Also, I don't want to disable navigation, I only want to limit its upper bound.
Is there a way to prevent this access?
If there is no web server involved at all, there is no way to prevent that behaviour.
Edit:
You could of course write a browser plugin that limits the access to the parent directory using JavaScript. But every client would have to install that plugin.
I host my website on 000Webhost.
I have to fill all my scripts for my website in the folder "public_html" (Example: /public_html/index.html).
I would like to have a "private" folder on the same level (Example: /private_html/variables.php) like public_html, but where only I can access and place things in it.
Is there any possibility for it or some other host which will support this function?
Private "stuff" is not meant to be on a web server. Create a small app server where you can a have a database and keep its IP private or get some security from the hosting service (better) and connect to it maybe from SSH (PuTTY) and then exchange files over it.
Anyway, a very basic workaround way to implement what you need is something like a PHP script that asks for admin credentials when a page under that folder with a URL(even if someone gets access to it when you would try to keep it private in the first place) is hit. From there, after you get authenticated, you can load the rest of the page using the same script which will basically present you a management tool or UI for yourself...Say if you'd want to upload some files or delete them.
Basically, Heroku gives you a domain named by default: XXX.herokuapp.com.
On my own, I have a set of REST apis that I would like to set on a domain named: api.myDomain.com.
On the same time, I have my HTML files (web view) distributed by the same server as the REST API.
It's similar to this; embedding static files on server in a dist folder.
I expect the domain serving those HTML/JS files to be www.myDomain.com.
I thought about putting them clearly on a distinct server dedicated to static files, but the fact is that Single Page Application should be controlled by a server, in order to make the refresh works (F5 redirecting to index.html), that's why I chose to use the same server as REST apis.
An alternative would be to dedicate ANOTHER server to treat only static files, independent of the REST Apis' server.
How to deal with both domains (api and www) while sources being on the same servers?
Or should I completely rethink the strategy?
You can just set both domains to direct to your page by setting it up in your app settings, but then I'm pretty sure that would mean api.myDomain.com/dist would show your static things, and www.myDomain.com could show your api things.
https://devcenter.heroku.com/articles/custom-domains
Another way you could do this might be by doing some things with your actual code, but we don't really know what your code is like right now.