We load data from a few subdomains/3rd parties. This causes about 100ms of SSL handshaking for each domain. I'm wondering if there is a way to "pre-fetch-handshake" similar to how dns-prefetching works. Does dns-prefetching already do this?
I doubt that there is a pre-fetch-handshake and I doubt that it would make sense. DNS prefetching is done for links in the page so that the browser already knows the IP address of the target host when the user decides to click the link. This might be immediately after loading the page, some minutes later, hours later or never. DNS prefetching also does not tie any resources on the server. It just warms up the local DNS cache by asking the upstream DNS resolver which might either have the record already or will resolve the query and thus have the entry in the cache, available for other clients too.
Contrary to this a pre-fetch-handshake for HTTPS would need to create a TCP connection directly to the target server, do the SSL handshake and then wait for the client to click. This ties up resources at the client and the server so after some time of inactivity the server will close the connection to free these resources. Thus in many cases this would just waste resources on both sides since the link will never be clicked or will only be clicked after the server already closed the idle connection.
The situation is a bit different if the link points to a site with an already existing connection, like a same-site link when loading a page from some site. Today browsers use persistent HTTP connections and will try to leave the connection to a site open for a while in case more requests need to be sent. If the user then clicks the same-site link an existing connection might be used which was still open from previous requests. Of course these connections tie up resources on the server too so the server will close the connection after some idle time too.
this is my first question, hope I do it right!
I'm actually working on a CentOS server with nginx as reverse proxy and a Next.js web application.
Until now I've made a single connection for every query to my db, but I want to switch to pool connection to my DB (with npm module mysql2), but apparently there's something I'm missing...
If I run my application locally, or on the server without nginx, with yarn start, it opens just one pool (I can see them by running the query SHOW PROCESSLIST on the DB in use). But the moment I add nginx as reverse proxy, every request my app receives opens a pool and the latter never gets closed or called again (apart from the one pool opened if someone visits the page for which I use the Next.js function router.push(/url)).
It happens also if I run yarn dev: it opens a connection pool for every new page next has to build in development or if I make some changes to pages and save. But this behaviour I understand.
The nginx configuration is a normal configuration, and everything works fine.
I've surfed the web far and wide, but didn't find anything that could help me understand what could be going on between nginx-next-mysqldb, and no one reported any problem whatsoever. Is this how it's supposed to be or is there something that I should do to make it work?
Oops... my bad...
Transitioning from single db connections to pool, I left a function which made a single connection, which I was not closing.
So there's no problem and nothing to uncover behind nginx-next-mysql.
Don't know if anyone will stumble upon this problem, ever, but, just make sure you don't have any single connection to your db... And make sure to close them :)
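The two habits the answer above ends on, one shared pool and no unclosed single connections, as an added example that is not the poster's code. `getPool`, `query` and `withSingleConnection` are hypothetical helpers; `mysql` is the driver object (for example `require('mysql2/promise')`), passed in as an assumption so the helpers can be exercised with a stub.

```javascript
// Added example; helper names are hypothetical. `mysql` is the driver object,
// e.g. require('mysql2/promise'), supplied by the caller.
const POOL_KEY = Symbol.for('app.mysql.pool');

// One pool per process. Caching it on globalThis also survives Next.js
// dev-mode module reloads, which otherwise re-run createPool() on each rebuild.
function getPool(mysql, config) {
  if (!globalThis[POOL_KEY]) {
    globalThis[POOL_KEY] = mysql.createPool({
      connectionLimit: 10,      // upper bound on sockets to the database
      waitForConnections: true, // queue callers instead of failing at the limit
      ...config,
    });
  }
  return globalThis[POOL_KEY];
}

// Pooled query: the pool borrows a connection and releases it for you.
async function query(mysql, config, sql, params = []) {
  const [rows] = await getPool(mysql, config).query(sql, params);
  return rows;
}

// If a code path still needs its own connection, close it on every exit,
// including errors. A missing end() is what shows up in SHOW PROCESSLIST
// as one more idle thread per request.
async function withSingleConnection(mysql, config, work) {
  const conn = await mysql.createConnection(config);
  try {
    return await work(conn);
  } finally {
    await conn.end();
  }
}
```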
When trying to login to RDP the "old" remote desktop connection gave "an internal error occurred"
And the new modern UI remote desktop from windows store with version 10.2.1810.0 gave: error code 0x4 remote desktop
It seems a colleague has been logged in with weird screen size. How can I resolve this without rebooting the machine?
I found a solution.
In the new GUI untick:
"Uppdatera fjärrsessionens upplösning vid storleksändring" in Swedish
Which translates to: Update the resolution of the remote session when resizing
Update remote sessions resolution when size change
Actually, even moving the port off 3389 doesn't help (for long)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
if there is an open port allowing RDP they will find it eventually and you will need to implement one of the above programs noted by Daniel. That was exactly my issue as well. You can usually tell if the problem is intermittent since it's just luck to get by the constant pounding on the open port...
For me, it was the graphic choice. No idea why but as I swap between the 4 options, only one works
I needed to set it to Highest Quality (32 bit)
However, I then restarted the server, and it no longer worked but True Colour (24 bit) did work! So, hopefully by toggling through each will get you through
In my case the cause was AVG Firewall blocking some RDP connections. I had to configure AVG Remote Access Module to allow RDP connections from some known IP addresses.
Hope this helps someone.
Looks like this error code pops up for many things... from screen resolution resize to colour depth to firewall and more... Which is quite odd. You have to check what is your specific case.
In my case, when I had problems with error code 0x4, it was related to unprotected RDP port.
In my case, it was caused by open, unprotected, RDP port 3389. As many would guess, this is a highly targeted port by bots. If your port is open to anyone on the internet, it's just a matter of time that your server or computer will be targeted.
The best solution would be to only allow connections from trusted IP addresses, the ones you use for connecting to your server.
Of course, that can't always be possible, so another solution would be something like the fail2ban utility used on many Linux servers.
The two solutions I've found are EvlWatcher which is free and open source, and IPBan which has a free and open source version, but also a paid version.
You only need one of them, as they do the same thing. Do not install both. They will scan your logs and will temporarily or permanently block any IP address with repeated failed connections. I suggest you always have your main IP address whitelisted, so you don't lock yourself out.
Best regards to you all.
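The log-scanning behaviour described above, sketched as an added example (not code from EvlWatcher or IPBan). The record shape, thresholds and addresses are constructed assumptions; 4625 and 4624 are the Windows Security event IDs for failed and successful logons.

```javascript
// Added example: the counting logic behind fail2ban-style tools, run over
// constructed records shaped like parsed Windows Security events
// (4625 = failed logon, 4624 = successful logon). Field names are assumptions.
const at = (min, sec = 0) => new Date(Date.UTC(2024, 0, 15, 3, min, sec)).toISOString();
const failed = (time, ip) => ({ time, eventId: 4625, ip });

const SAMPLE_EVENTS = [
  // Six failures in 25 seconds from one address.
  ...[0, 5, 10, 15, 20, 25].map((s) => failed(at(0, s), '203.0.113.50')),
  // The administrator's own address mistyping a password five times.
  ...[0, 10, 20, 30, 40].map((s) => failed(at(1, s), '198.51.100.7')),
  { time: at(2), eventId: 4624, ip: '198.51.100.7' },
  // Occasional failures, five minutes apart: never five inside one window.
  ...[0, 5, 10, 15, 20].map((m) => failed(at(m), '192.0.2.9')),
];

function findOffenders(events, opts = {}) {
  const { maxFailures = 5, windowMs = 10 * 60 * 1000, allowlist = [] } = opts;
  const allowed = new Set(allowlist);
  const recent = new Map(); // ip -> failure timestamps still inside the window
  const banned = new Map(); // ip -> time of the failure that crossed the threshold
  const sorted = [...events].sort((a, b) => Date.parse(a.time) - Date.parse(b.time));

  for (const ev of sorted) {
    if (ev.eventId !== 4625 || !ev.ip) continue;           // only failed logons
    if (allowed.has(ev.ip) || banned.has(ev.ip)) continue; // never ban allowlisted IPs
    const t = Date.parse(ev.time);
    const hits = (recent.get(ev.ip) || []).filter((ts) => t - ts < windowMs);
    hits.push(t);
    recent.set(ev.ip, hits);
    if (hits.length >= maxFailures) banned.set(ev.ip, ev.time);
  }
  return [...banned].map(([ip, since]) => ({ ip, since }));
}
```

With `allowlist: ['198.51.100.7']` only 203.0.113.50 is returned; without the allowlist the same input also bans 198.51.100.7, which is the lockout the answer warns about.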
While working on a project, I've observed that, if I open a single Chrome tab, there are multiple socket connections being made. Ideally I assumed, there should be only one connection, that is from my local machine to the google server.
Here are the netstat results of multiple remote connections made:
Why are there many connections made instead of one? Please clear this doubt for me, thanks.
Because when you open a Chrome tab, it will load not only one resource from the internet (maybe not just from Google). You can use some HTTP/S request capture tools like Fiddler or HTTP Analyzer to see those requests.
Is there any way to disable web socket connections or end a web socket connection through Chrome's developer tools network tab?
I've noticed that turning throttling under the network tab to Offline doesn't affect web socket connections that have already been established. It only prevents traditional HTTP requests from going out.
There's a question here related to this, but it's woefully outdated.
February 2022 update
As of Chrome 99 this is supported: https://developer.chrome.com/blog/new-in-devtools-99/#websocket
Original answer
No, there is no way to disable or close a connection from the Network panel. Source: DevTools Engineer.
If you have a reference to the WS connection, though, you can close it via the Console using its JS API.
You can close idle and flush your inactive socket pools in the Net Internals page in Chrome. However, this unfortunately only closes your active sockets by the looks of it.
chrome://net-internals/#sockets
You would have to use the WebSockets API and call close() on a reference to an existing socket to close it explicitly. Otherwise, killing the process with the active socket is all I can think of.
I assume you want to test unexpected connection failures, it is possible, but not through Network-tab and you need to be able to log from code.
You can close WebSocket connections if you are able to use console.dir(socket) even when you could not store the connection reference, e.g. due to sandboxing. Via console.dir() you are able to gain a reference to the socket by right clicking the console.dir() output of the websocket and choosing "Store object as global variable". Then call close() on the temporary reference and the connection you want to terminate closes.
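The answers above all depend on having a reference to the socket. One way to always have one when testing connection failures, as an added example that is not from the original answers: wrap the `WebSocket` constructor before the application creates its sockets. `installSocketTracker` and `__sockets` are hypothetical names.

```javascript
// Added example: keep every WebSocket the page opens reachable from the
// DevTools Console. Function and property names are hypothetical.
function installSocketTracker(scope = globalThis) {
  const Original = scope.WebSocket;
  if (typeof Original !== 'function') {
    throw new Error('no WebSocket constructor in this scope');
  }
  const open = new Set();

  class TrackedWebSocket extends Original {
    constructor(...args) {
      super(...args);
      open.add(this);
      // Forget the socket once it is closed, whoever closed it.
      this.addEventListener('close', () => open.delete(this));
    }
  }

  scope.WebSocket = TrackedWebSocket;
  const tracker = {
    list: () => [...open].map((ws) => ws.url),
    // Close every tracked socket whose URL contains `match` (all if omitted).
    // 4000-4999 are application-defined close codes.
    closeAll(match = '', code = 4000, reason = 'closed from console') {
      const hit = [...open].filter((ws) => ws.url.includes(match));
      hit.forEach((ws) => ws.close(code, reason));
      return hit.length;
    },
    uninstall() { scope.WebSocket = Original; },
  };
  scope.__sockets = tracker; // reachable as __sockets in the Console
  return tracker;
}
```

It only sees sockets created after it is installed, so call `installSocketTracker()` from the earliest script in a test build; `__sockets.closeAll()` in the Console then triggers the application's own close handlers.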
I've been asked to change all of our current Joomla sites from using PHP Mail to SMTP.
The background: we were recently compromised through a vulnerable component on one of our sites. We have a dedicated server, running CPanel. The hack involved a file being uploaded to one account, which had a file manager (with access to /home, ie. all other accounts). From there, another file was uploaded that began sending emails - not enough to catch with ease, but eventually enough to get our main server IP blacklisted. Because the main IP was blacklisted, many of our other sites (for which we also host email) were also blacklisted.
My argument (your comments/ideas on this are much appreciated!)
Changing to SMTP will not solve this instance
It would solve the issue of any vulnerable components where an email can be sent via a request spoof (ie. option=com_users?task=email&..., or something similar to that)
Because the hacker has access to the files in the account, they also have access to the configuration.php file, which holds the SMTP password in plain text. Access to this means they would also have access to the SMTP server.
The SMTP that we would be using is localhost, which doesn't solve the issue of our IP being blacklisted.
My first idea was to provision/setup SMTP on a separate IP (or server), but that can still be blacklisted if a site gets hacked.
The second idea was to provision each site a unique IP, so no one site can get the rest blacklisted.
So I'm a bit lost. Before we tackle the task of setting the mailing function to SMTP, testing each site (there's roughly 70, with varying components to test) I'd like to have a better idea of what's the best route, if any.
It seems that either setting in Joomla is insecure in the event of a compromised site, no?
Find where your server is blacklisted, and apply to be removed. Note: if any of the sites require payment to be de-listed, ignore them. [eg: SORBS] Nobody cares about extortionists, trust me. I was admin for several busy mail servers for the last few years.
If you're completely switching from PHP-based mail() on all sites, then disable the mail agent on the server. mail() simply submits to the MTA running on the server [usually Sendmail or Postfix] and if your server is compromised again they will still be able to spam out.
Yes, your SMTP credentials will be stored in a config file somewhere, but in most instances the intruder won't even bother to look for them. They simply drop in a basic PHP script that calls mail() and that's it.
If mail service is at all important to you, you should always monitor:
The reputation of your outbound server.
The abuse mail for your domain. It will either be coming to abuse@yourdomain.com, or the abuse@ contact for whoever owns the IP address block.