How do i protect configutation caddy server endpoints?
https://caddyserver.com/docs/api it seems anyone can curl into the server and run the config api there.
Is there any standard? Can it be done through some delegated auth?
You can restrict the access via different options which are documented in JSON Config Structure › admin documentation.
Related
We've enabled authentication on our Azure api app and it's working well. Clients are required to retrieve a oauth2 token for authentication and authorization to the service. Our service is a Express Node.js application and we are leveraging apidoc for the service documentation.
I can't figure out from the authentication configuration how to allow access to a url path without requiring authentication. For example:
https://app-myservice-staging-001.azurewebsites.net/constituents should require authentication
but the documentation url
https://app-myservice-staging-001.azurewebsites.net/apidoc should not
Current with authentication enabled everything under https://app-myservice-staging-001.azurewebsites.net is protected.
Is this possible and if so where do I need to look?
Answer based on link provided by amit_g. We opted to add our excludepath directly to our authsettingsV2 config using the Azure Resource Explorer since the /apidoc/* path applies to all our services.
i have read a lot about DocuSign api and how they works, i figured out that they don't support cors.
For this reason i'm using an angular proxy configuration for my test environment, so i could do all my tests with my localhost.
The problem is that when i upload my project on a server i can no more use that proxy config, if i try to use it by replacing "localhost" with my domain name it returns me an html which is not an error from docusign but a sort of error related to my proxy conf.
I think i need create a cors gateway in my server in order to use the api, i've read a guide about that and it's very complicated since i'm only a frontend developer.
So my answer is:
is there any easier method to use these api in my online application?
can i obtain some sort of permissions from docusign which grants to my domaint to access their api calls without going into some sort of cors errors.
Thank you for attention
I work in DocuSign developer support. We do not support CORS. It is on our roadmap. Looks like you have your options, move the calls to DocuSign to the back-end or build a CORS gateway.
For the Azure CLI, is there a way to use proxy authentication? Our proxy servers needs all requests to be authenticated and I do not see any document relating. Using HTTP_PROXY environment variable, I can instruct the az cli to use a particular proxy server but I cannot define it to use proxy authentication, OR if there is a way to do this, I do not know. Our Proxy authentication has to be done either through NTLM or Kerberos.
Can the relevant team, please check If we can configure az cli to use Kerberos proxy authentication?
The root of the answer lies in the fact that Azure CLI is built on top of Python. Now as regards Authentication, Azure CLI uses AAD based protocol, which is handled by the ADAL library for Python whose source code is published here.
So if this is of interest and someone wanted to see the wire level details, please dig in here.
As mentioned Azure CLI is built on TOP of python, one of the reasons being to give it a broad cross-platform reach, as it available across Windows, Mac, Linux (and may be other ports are available).
And ADAL Python is based on a popular Python HTTP library. While the proxy can be configured (and that is not the question here), what was asked and what enterprises want is a way to use Kerberos/NTLM to authenticate the requests while funneling it through a proxy. So if you dig into the documents for the Python HTTP library, you can see named requests, whose proxy support can be configured inline or by environment vars (again that is not the ASK).
Now when you dig into authentication when requests are being proxied, the document mentions HTTP basic auth only, and there is no mention of Kerberos/NTLM type of authentication. Now if one has worked with any security conscious enterprise, this would be difficult to get an exception. This has been requested by some enterprises, where they want to authenticate (security requirement) all Azure CLI requests at their external facing proxies before it leaves the perimeter.
The current answer is there is not a supported way to do this, unless an auth handler is implemented that does this, for the scenario where a proxy is in place. This is a request that would squarely belong to the Python HTTP library owners, if I am not mistaken.
For anyone still looking for the answer to this question the answer can be found here
# Non-authenticated HTTP server:
HTTP_PROXY=http://10.10.1.10:1180
# Authenticated HTTP server:
HTTP_PROXY=http://username:password#10.10.1.10:1180
# Non-authenticated HTTPS server:
HTTPS_PROXY=http://10.10.1.10:1180
# Authenticated HTTPS server:
HTTPS_PROXY=http://username:password#10.10.1.10:1180
Obviously not the most secure approach and be careful to url encode any special characters.
In my case I had to remove protocol "http|https" from variable string
# Non-authenticated HTTP server:
HTTP_PROXY=server.fqdn.int:8080
# Non-authenticated HTTPS server:
HTTPS_PROXY=server.fqdn.int:8080
I'm trying to create a self-hosted app. This app would provide a custom express server with some routes and also provides a CouchDB access using pouchdb-server. I would like the node server to be able to configure the database and create the admin username/password, and then create the roles functions. How can I configure CouchDB from my nodejs app?
I would like to:
Stop admin party and create an admin with a password. I found that the web client makes a PUT request to http://localhost:5984/_node/couchdb#localhost/_config/admins/<username> with password in payload, but I would like to do it using express-pouchdb, so HTTP is not possible
Create users roles I would like to set up several roles
Set up permissions which roles can update which databases, what databases are readable by who etc...
Please note that I can't do direct http requests to CouchDB, since I'm using pouch-db-express in my node app to serve the db to the client, and I would like my express app to configure the couchDB instance managed by pouchdb-express
Stop admin party and create an admin with a password
I'm pretty sure the only way to interact with the _config endpoint is with HTTP, as I see no config plugin on the plugins page. Even if there was a plugin, it would use HTTP. Is there some reason HTTP is actually not possible? Or you just don't want to use it?
Create users roles
The PouchDB authentication plugin can do this for you.
Set up permissions
The authentication plugin also gives you access to the _security endpoint for this. Then you'll also need to create the appropriate design documents, using the standard put() API.
What's the best security practice to follow while using PouchDB on the client-side to access a remote server?
The example on https://pouchdb.com/getting-started.html syncs with the remote server with the code:
var remoteCouch = 'http://user:pass#mname.example.com/todos';
The problem is I probably don't want the user to see the plaintext password with a file they can download -- even if that file is shown to the authenticated users only.
Please advise. Thanks in advance,
Here's a really good article regarding all things auth for CouchDB.
I've got a production server with CouchDB configured to use HTTP over localhost but external requests require HTTPS redirected via stunnel to CouchDB.
On the client I use PouchDB to maintain a local, replicated db. As part of the handshake to establish communication with CouchDB over HTTPS, the software acquires CouchDB credentials from another server - the credentials are never stored client side.
pouchdb-authentication is a good plugin, but I've found it better to handle auth personally.
Every site user should have his own CouchDB user. As #onno suggests, use HTTPS and the user's login credentials to access CouchDB. Passwords should never be available in client-side JavaScript.
This depends on your remote server. If you use a CouchDB server, you could configure it to communicate only via SSL (HTTPS), see the docs for details.
If you don't want to expose your CouchDB server directly to the internet, you could also hide it behind a reverse-proxy, e.g. an Apache server with the mod_proxy extension and SSL enabled.