How do I protect a directory within github-pages? - jekyll

I am building my personal website using Jekyll and hosting it at github-pages. I would like to have a password protected area (just password protected directory, not the whole website). I have tried a few options and tricks to get htaccess to work but failed.
I would like to know if someone managed to use htaccess, or any other method, to protect a directory on github-pages.
Listing solutions which did not work for me (or I failed to get them to work):
* Flohei.
* Jeremy Ricketts.

GitHub Pages (like Bitbucket Pages and GitLab Pages) only serves static pages, so the only solution is something client side (JavaScript).
A solution could be, instead of using real authentication, just to share a secret (password) with all the authorized persons and implement one of the following schemes:
1. Put all the private files in an (unlisted) subdirectory and name it with the hash of the chosen password. The index page asks you (with JavaScript) for the password and builds the correct start link by calculating the hash.
   See for example: https://github.com/matteobrusa/Password-protection-for-static-pages
   PRO:
   - Very simple approach protecting a whole subdirectory tree
   CONS:
   - possible attack: sniffing the following requests to obtain the name of the subdirectory
   - the admins on the hosting site have access to the full contents
2. Encrypt the page with the password and decrypt it on the fly with JavaScript.
   See for example: https://github.com/robinmoisson/staticrypt
   PRO:
   - no plaintext page code around (decrypting happens on the client side)
   CONS:
   - just a single page, and you need to reinsert the password on every refresh
   - an admin could change your JavaScript code to obtain the password when you insert it

One option is to use Cloudflare Access to control access at the DNS level.
After setting up a custom domain for your GitHub Pages site using Cloudflare for DNS, you can use their Access rules policy to require authentication at the specified URL path.
This could still be bypassed if someone is familiar with bypassing DNS blocks.
https://www.cloudflare.com/products/cloudflare-access/

You can give Jekyll Auth a try, and if you run into trouble, this issue can be useful.

You can use Render to deploy your static web app. It has an npm package that encrypts your HTML files so the user cannot see them in the browser. So you can use frontend password validation.

Related

HTML: Link to non-http resource on the same server

I am creating a small internet site for my personal stuff. I want to put there a few links to e.g. FTP resources or SVN server.
The important thing is that the FTP server has the same IP address as the page. I don't want to hard-code the address of my site in the link, because I consider this an anti-pattern. Instead, I would like to tell browser that the resource is on the current server, whichever server it is.
Let's say that the current page is https://example.com/stuff/index.html. If I create a tag things, it will lead to https://example.com/things.index.html.
However, if I add a protocol identifier to a URL, it won't work. For example, download will lead to ftp:///files/thingies.tar.gz, not to ftp://example.com/files/thingies.tar.gz.
What magic code should I put in the place of question marks:
download thingies
UPDATE:
I would prefer a client-side solution. My server machine has very low processing power and very little RAM.
In PHP (server-side code), if you'd like to forward
ftp:///files/thingies.tar.gz
to
ftp://example.com/files/thingies.tar.gz
considering example.com is the domain where your server is hosted, just do
echo 'ftp://'.$_SERVER['HTTP_HOST'].'/files/thingies.tar.gz';
or, in your specific case
download thingies
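The client-side alternative the questioner asked for, as an added example that is not code from the question or the answer above: links written as scheme:///path (empty authority) are rewritten at load time to point at the host the page was served from. The anchor selector and the DOMContentLoaded wiring are assumptions.

```javascript
// Added example, not from the original question or answer: rewrite
// "scheme:///path" links so they target the page's own host, client-side.
// The hostname comes from window.location, never from a query parameter,
// so a visitor cannot steer the links elsewhere.

// Returns the rewritten URL for an empty-host link such as
// "ftp:///files/thingies.tar.gz", or null when the href needs no change.
function resolveSameHost(href, hostname) {
  // <scheme>:///<path> with nothing between the second and third slash.
  const m = /^([a-z][a-z0-9+.\-]*):\/\/\/(.*)$/i.exec(href);
  if (!m || !hostname) return null;
  return `${m[1].toLowerCase()}://${hostname}/${m[2]}`;
}

// Patch every qualifying <a> in place; returns how many were rewritten.
// Reading the raw attribute matters: a.href would already be normalised
// by the browser's URL parser.
function rewriteSameHostLinks(doc, hostname) {
  let count = 0;
  for (const a of doc.querySelectorAll('a[href*=":///"]')) { // assumed selector
    const fixed = resolveSameHost(a.getAttribute('href'), hostname);
    if (fixed !== null) {
      a.setAttribute('href', fixed);
      count += 1;
    }
  }
  return count;
}

if (typeof document !== 'undefined') {
  // location.hostname carries no port, which is what ftp:// or svn:// need.
  document.addEventListener('DOMContentLoaded', () =>
    rewriteSameHostLinks(document, window.location.hostname));
}
```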

Multitenancy and Subdomains in Orchard

Crosspost: https://orchard.codeplex.com/discussions/455071
I'm using Orchard 1.6.1.
Say my first site is called domain.com. I tried to create a new tenant and put the beta.domain.com as the Host with no URL prefix (seeing that it is Optional).
The url http://beta.domain.com is shown and when I try to Set Up, it doesn't show anything. I tried to remove the subdomain and enter a prefix which resulted in http://domain.com/beta. It worked, however, I would very much prefer a subdomain as shown/detailed here: http://docs.orchardproject.net/Documentation/Setting-up-a-multi-tenant-orchard-site
Do I have to set it up in my DNS server?
Any piece of advice or information would be highly appreciated. Thanks!
If you have an IIS server, you will need to have beta.domain.com point at it and then add a binding for beta.domain.com to your website in IIS for it to pick it up.
If you're using shared hosting and you don't have access to IIS, then you should use Domain Aliases (in Plesk) rather than setting the DNS. It would make your Orchard CMS on your primary domain serve the tenant site.
Example: you want to add a tenant site on tenant.mysite.com, so you should add a domain alias tenant.mysite.com to the mysite.com domain. Don't forget to check the Web option if using Plesk.
In case you have access to IIS, you need to add a binding to your primary domain.

Obvious security flaws in redirect?

I have a web app that stores videos. I am using a Java servlet (over HTTPS) which verifies a username and password. Once the details are verified, I redirect the user to a video stored in AWS S3. For those who don't know how S3 works, it's just a web service that stores objects (basically think of it as storing files). It also uses HTTPS. Now obviously to make this work, the S3 object (file) is public. I've given it a random name full of numbers and letters.
So the servlet basically looks like this:
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
    if (authenticateUser(request.getParameter("Username"), request.getParameter("Password"))) {
        // Redirect to the public object; the browser then fetches it from S3 directly.
        response.sendRedirect("https://s3.amazonaws.com/myBucket/xyz1234567.mp4");
    }
}
This is obviously simplified but it gets the point across. Are there any very obvious security flaws here? The video tag will obviously have a source of something like https://www.mysite.com/getVideo?Username="Me"&Password="randomletters". At first blush it seems like it should be as secure as anything else, assuming I give the files sitting at AWS S3 sufficiently random names?
The obvious security flaw is that anybody could detect which URL the authentication servlet redirects to, and share this URL with all his friends, thus allowing anyone to access the resource directly, without going through the authentication servlet.
Unfortunately, I don't know S3 at all, so I can't recommend any fix to the security problem.
All this mechanism does is provide a very limited obfuscation - using developer tools in most modern browsers (or a proxy such as Fiddler) a user will be able to watch the URL of the video that's being loaded and, if it's in a Public S3 bucket, then simply share the link.
With S3 your only real solution would be to secure the bucket and then either require that the user is logging in or use the temporary tokens for access [http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html] ... though this does complicate your solution
I would also mention that including the password and username in plaintext on the link to the video asset (from the question above) is very insecure.

secure images (gmail)

I was wondering how to keep images secure on my website. We have a site that requires login, then the user can view thousands of different images, all named after their ID in the database.
Even though you need to log in to view the images the proper way...nothing is stopping a user from browsing through the images by typing <website-director>/image-folder/11232.jpg or something.
This is not the end of the world but definitely not ideal. I see that to stop this Facebook just names the images something much more complicated + stores them in hashed folders.
Gmail does a very interesting thing, their image tags looks like this:
<img src=/mail/?attid=0.1&disp=emb&view=att&th=12d7d49120a940e5>
I thought the src attribute has to contain a reference to an image??...how does gmail get around this?
This is more for educational purposes at this point, as I think this gmail scheme might be overkill for our implementation.
Thanks for your feedback in advance,
Andrew
I thought the src attribute has to contain a reference to an image?
GMail is referencing an image. It's just being pulled dynamically, probably based off of that th=12d7d49120a940e5 string.
Try browsing to http://mail.google.com/mail/?attid=0.1&disp=emb&view=att&th=12d7d49120a940e5
Instead of it being a direct path to its location on the server's filesystem, it uses a dynamic script (the images may even be in a database, who knows).
Besides serving up an image dynamically from your webapp, it's also possible to use a webapp to dynamically authorize access to static resources that the webserver will serve -- commonly by putting the files somewhere that the webserver has access to, but not mapped to any public URI, and then using something like X-Sendfile (lighttpd, Apache with mod_sendfile, others), X-Accel-Redirect (nginx), X-Reproxy-File (Perlbal), etc. Or with FastCGI you can configure an application in a FastCGI "authorizer" role rather than as a content provider.
Any of these will let you check the image being authorized, and the user's session, and make whatever decision you need to, without tying up a process of your backend application for the entire time that the image is being sent to the client. It's not universally true, but usually a connection to the backend app represents a lot more resources being reserved than a connection to the webserver, so freeing them up ASAP is smart.
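The "authorize in the application, let the web server send the bytes" pattern from the answer above, as an added example that is not code from the answer: a Node handler that answers with an nginx X-Accel-Redirect header. It assumes nginx maps /protected/ to the image folder with `internal;`, and that the session lookup and the ownership check are supplied by the caller.

```javascript
// Added example, not from the original answer. Assumed nginx configuration:
//   location /protected/ { internal; alias /srv/images/; }
// The app decides, nginx streams the file, so the backend is freed at once.

// Pure decision function: returns {status, headers} and never touches I/O,
// so the policy can be unit-tested without a server.
function authorizeImage(url, session, ownerOf) {
  // Accept only the id pattern we serve; anything else is a 404, which also
  // rules out path tricks such as /image/../../secret.jpg.
  const m = /^\/image\/([0-9]{1,12})\.jpg$/.exec(url);
  if (!m) return { status: 404, headers: {} };
  if (!session || !session.userId) return { status: 401, headers: {} };
  const id = m[1];
  // Object-level authorization: being logged in is not enough; the requester
  // must be allowed to see this particular image (the gap in the question).
  if (ownerOf(id) !== session.userId) return { status: 403, headers: {} };
  // Empty body: nginx swallows this response and serves the file itself,
  // keeping Content-Type and Cache-Control from the backend.
  return {
    status: 200,
    headers: {
      'X-Accel-Redirect': `/protected/${id}.jpg`,
      'Content-Type': 'image/jpeg',
      'Cache-Control': 'private, no-store',
    },
  };
}

// Thin adapter for http.createServer((req, res) => handle(req, res, ...)).
// getSession(req) resolves the login cookie; ownerOf(id) is the DB lookup.
function handle(req, res, getSession, ownerOf) {
  const decision = authorizeImage(req.url, getSession(req), ownerOf);
  res.writeHead(decision.status, decision.headers);
  res.end();
  return decision.status;
}
```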
The code that runs after this GET request is issued:
/mail/?attid=0.1&disp=emb&view=att&th=12d7d49120a940e5
outputs an image to the browser. Something doesn't have to be named with a .jpg or .png or whatever ending to be considered an image by a browser. This is how captcha algorithms are able to serve up different images depending on a value in the id. For example, this link:
http://www.google.com/recaptcha/api/image?c=03AHJ_VusfT0XgPXYUae-4RQX2qJ98iyf_N-LjX3sAwm2tv1cxWGe8pkNqGghQKBbRjM9wQpI1lFM-gJnK0Q8G3Nirwkec-nY8Jqtl9rwEvVZ2EoPlwZrmjkHT7SM32cCE8PLYXWMpEOZr5Uo6cIXz1mWFsz5Qad1iwA
Serves up this image:
So the answer really is to just obfuscate your image names/links a bit like Facebook does so that people can't easily guess them.

Redirected Domain Problem

We have 2 different websites. One is xy.com another is xyz.com. The domain xyz.com is redirected to a folder on xy.com\one
This works fine. Now we want a particular link to be opened (for example, www.xyz.com\abc.html). I am placing this file in xy.com\one\abc.html. But when I enter this url, it takes me to home page, instead of abc.html. Though I can open abc.html, by entering www.xy.com\one\abc.html.
I need to open this file from the link www.xyz.com\abc.html. How can I accomplish this?
Regards,
Rahul Jain
I think the problem is your slashes are reversed. Did you keep your url's near a strong magnet?
If you are using apache you might want to have a look at mod_rewrite. There are similar methods available for other servers.
Would be good to know which environment you are using (web server and server side language) and if you are applying the re-direct rules in a programmatic way or via server configuration.
To give a serious reply, there could be several things wrong in the redirect.
You have to set up a redirect from the old domain to the new, by using a .htaccess on the old domain, changing the DNS records for the domain, or probably some other alternatives. Which of these have you used?
In case of the second option the receiving server (xy.com) has to accept the incoming domain (xyz.com). When I set my DNS records for a domain to go to a certain server, I have to actually setup the server to accept that domain, usually by "parking" it in Cpanel. Some hosts charge per parked domain, which is why they don't accept the incoming traffic automatically.
Depending on the method used, the receiving server has to be told what to do with the request.
So most importantly: HOW did you set up the redirect? Was it a DNS record? Was it a htaccess on the side of xy.com? Any other methods? (sorry, this isn't really an answer either but it was too long for the comments)