how to set x-client-cert header in tcserver or F5? - tcserver

Each request from the client must have the certificate in the header for it to successfully access the web service. The web service looks for it under the header name x-client-cert. Can someone guide me on how one can set x-client-cert header with x509cert using F5 or tcserver 2.9.9?

This entry on the DevCentral codeshare is the iRule you are looking for. You can exchange the SSLClientCertb64 header (line 42) with your x-client-cert header. If you don't need to pass the cert validity or the serial number, you can clean up the information stored in the memory for those and eliminate the headers being created for them.

Related

Typo3 mailserver issues (Mailing list hitobito CRM)

We from the Swiss umbrella association for youth parliaments (DSJ) use TYPO3 as the backbone of our website. Next to TYPO3, we also use the CRM software hitobito, which allows us to create "Abos" with "mailing lists". However, this service is currently not working since Hitobito has recently changed its mail server. I have already changed the server addresses manually in our 365 Admin Microsoft account and the changes have been verified by the Hitobito support.
This is where TYPO3 comes into play. The support staff from Hitobito suspects that the mail server configurations must also be changed in TYPO3. I, as a layman, have no clue where to make such changes, however. I was hoping you could help me out here. I believe the following information must be updated in the TYPO3 configuration:
For the new mail server:
crm.dsj.ch IN MX 10 app.hitobito.ch.
For the outgoing mail server:
crm.dsj.ch 3600 IN TXT "v=spf1 a:mxout.appuio.ch -all"
The information you gave has nothing to do with TYPO3 but is part of the domain record. You should approach your domain registrar (seems to be https://www.visol.ch/ according to whois) with that.
The 1st one is to designate the mail server app.hitobito.ch for all incoming mail to recipients ...@crm.dsj.ch (so-called MX record).
And the 2nd one is to lower the spam level for outgoing mails from senders ...@crm.dsj.ch from the server mxout.appuio.ch (so-called SPF).
Is your webserver supposed to send mails, too? If so and you have problems with receiving these mails, I suggest using the InstallTool's "test mail" function and sending a mail to https://www.mail-tester.com/ - a great tool to identify spam-related problems.

Odoo/OpenERP - send all mails from same address

We have set up Odoo 8 as a multi-user helpdesk tool, which creates a new project issue for each incoming mail. Incoming and outgoing servers are configured correctly and system parameters are set to
mail.catchall.domain: company.tld
mail.catchall.alias: helpdesk
mail.bounce.alias: bounce
The problem now is that every time a user comments on the mail thread to answer the original issue creator, a new mail is generated with the headers
FROM: [user]@company.tld
TO: [followers]
REPLY-TO: helpdesk@company.tld
Which is totally fine but leads to a sending failure due to our SMTP configuration. To get around this we want to achieve that all outgoing E-Mails are sent from the same specified address, like helpdesk@company.tld, no matter which user responds to the thread.
How do we achieve this?
I had this specific issue when I was working on Odoo 8 and I found a fix, but it's not a recommended action from a developer's view, because changing Odoo source code is not recommended and changes can be lost.
So what I did was to change the email from address to the real email from address. Yes, it's weird, but that's how Odoo works. Odoo is always sending from one specific email address and changes the email from to the user's email address, but if you look at the email carefully you will notice that the real sender is always the same.
The fix is changing this line
smtp_from = message['Return-Path']
to this line
smtp_from = tools.config.get('email_from')
in openerp/addons/base/ir/ir_mail_server.py file.
PS I don't like this solution.

Error: The requested URL “[no URL]”, is invalid

Originally posted as a reply to: Error: The requested URL "[no URL]", is invalid
I get this error but only with one specific website (which is my own). This must be linked to the website as it is happening on 3 different machines on 3 different networks (personal comp on personal wifi, phone on 4/3g and work pc on work network) and no other sites. Also, it happens no matter what you put after the domain name, whether it's a real page or just '/sdjhlgajhsdfg'.
A reply to the other post said that it looks like something to do with Akamai. As this is my site, I went to the CPanel and disabled the Akamai options (over 24 hours ago). I do not need any kind of caching like this as it is a simple html css site with only a handful of mostly text pages. The most complicated thing on the site is a downloadable pdf which I have actually just taken down.
The error ref number changes every time you refresh the page.
Reference #9.d7c33b8.1478565760.55ccef1
Reference #9.d7c33b8.1478566986.560a7c3
Reference #9.d7c33b8.1478567000.560b460
Any advice would be very much appreciated.
I finally found some time to contact my webserver provider.
I can see that the domain has been removed from the Akamai server.
However, the CNAME which was pointing to Akamai server was causing the
issue. I have removed the CNAME record.
After about half an hour it's back up. There are some display issues with the layout, but at least it's displaying the relevant content and not the error.
When you see the Invalid URL error, this indicates that the hostname (domain) is not recognized by Akamai's network (production or staging).
More info at: https://control.akamai.com/search/kb/11327
Hope this helps.
If there is a reverse proxy in front of Akamai you may get this error.
Client > Reverse Proxy > Akamai > Your API, will give this error.
Let your reverse proxy strip the "Host" header sent by the "Client" and try again.
That worked for me in a setup like this:
Browser > Caddy Server > Akamai > My API
In Akamai I had to add a new property manager entry for the new url/cert, then activate it in prod.

Allow-Control-Access-Origin header "*" vs origin

I am trying to create a white list on the server and set the Allow-Control-Access-Origin header if the requested host is within the white list. I have seen all the people saying we should add Allow-Control-Access-Origin: <request host origin> in the response header, and I also believe this is the correct way to do this, but I have a question:
If after I find the request comes from a trusted host and add
Allow-Control-Access-Origin: * in the header, will that work as well?
Would the browser remember the * and allow all future requests coming from anywhere to call this server as well? Or will the browser still check this header for every single request? If the browser checks every request, then what is the difference between returning * and the specific host origin at this point? Thank you.
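
An added example (not part of the original post), in JavaScript: the allow-list decision the question describes, written with the standard header name `Access-Control-Allow-Origin`, next to a simplified model of the check a browser applies to each response. The origins and the function names `corsHeadersFor`, `browserAllowsRead` and `demo` are assumptions for illustration.

```javascript
// Added example. The origins below are constructed sample values.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Server side: build the CORS headers for one request from its Origin header.
// requestHeaders uses lower-cased names, as Node's http module provides them.
function corsHeadersFor(requestHeaders, { allowCredentials = false } = {}) {
  // Vary: Origin on every response keeps a shared cache from serving a
  // response built for one origin to a different one.
  const headers = { Vary: 'Origin' };
  const origin = requestHeaders.origin;
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return headers; // no Access-Control-Allow-Origin: the browser blocks the read
  }
  // Echo the exact allow-listed origin. Answering "*" here would tell the
  // browser that any site may read this response, not only the one checked.
  headers['Access-Control-Allow-Origin'] = origin;
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Browser side, simplified model of the Fetch CORS check. It runs on each
// cross-origin response separately, against the origin of the calling page.
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials; // wildcard never works with credentials
  if (acao !== pageOrigin) return false;
  return !withCredentials ||
    responseHeaders['Access-Control-Allow-Credentials'] === 'true';
}

// Compare the two answers for a page on an origin that is NOT on the list.
function demo() {
  const other = 'https://other.example';
  const listed = corsHeadersFor({ origin: 'https://app.example.com' });
  return {
    echoedReadByOther: browserAllowsRead(other, listed, false),
    wildcardReadByOther: browserAllowsRead(
      other, { 'Access-Control-Allow-Origin': '*' }, false),
  };
}
console.log(demo());
```

These headers only decide whether a browser lets the calling page read the response; the request itself still reaches the server, so the allow-list is not an authentication check.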

Registering on No-quota push notifications

On my WP8 app, I followed instructions from here to register on the push notifications service MPNS:
HttpNotificationChannel pushChannel;
// The name of our push channel = the CN from certificate
string channelName = "CN-from-cert";
However, channel URI returned from the MPNS is always http:// and it seems like it's not using this secured connection. So, my question is:
How can I verify if my channel is using a no-quota (secure) connection?
What is needed on the client side (WP8 app)?
What is needed on the server side (sending push notifications)?
Many thanks.
I think you need to set the ServiceName property (not channelName) to your service's domain name exactly as it appears in the CN property of the server certificate that you will use. E.g., if your certificate's CN=www.mydomain.com, you must set Channel.ServiceName="www.mydomain.com". The channel name may be any that you like. This is at the client side.
At server side you need to upload your cert file to developer.windowsphone.com dashboard and to your server too (with the private key).
You can check if MPNS recognizes your secure channel by checking if the generated channel URI starts with https:// instead of http://. This does not ensure that your server can send trusted notifications, since that depends on whether you have the same certificate in your server and specify it correctly in all requests, but it tells you that the client side is ok.
You have detailed information about how to configure your server here:
http://msdn.microsoft.com/en-US/library/windowsphone/develop/ff941099%28v=vs.105%29.aspx
Best practices to implement a push notification system (including authenticated servers):
http://blogs.windows.com/windows_phone/b/wpdev/archive/2013/10/22/recommended-practices-for-using-microsoft-push-notification-service-mpns.aspx