I am trying to deploy my node app to my Cpanel however the page times out with an error
503 Service unavailable
The website works on Heroku, ngrok and localhost however on my hosting service, it doesn't.
I found out that the issue was due to port 27017 not being open.
On discussing with my hosting providers, they said
"We can open the ports for you but our policy is to open non-standard ports to specific IP's for better security of the server. Is it possible to get the exact IP addresses of the database server you are trying to connect to."
So I'm not familiar with a MongoDB database having a specific IP address. What could they mean?
To connect to your db, your node app needs a URL something like this.
const url = 'mongodb://hostnameOfMongo.example.com:27017'
Your database's hostname is the stuff after mongodb:// and before :27017.
Open up a shell (a command window) and type
ping -n 1 hostnameOfMongo.example.com
or maybe
ping -c 1 hostnameOfMongo.example.com
It should show you the IP address associated with your mongo server.
(Obvs, put your actual db hostname into the command, not my example.)
It's a little strange that your hosting provider didn't ask for the hostname when you didn't know the IP address. If they were my hosting provider, my confidence in the competence of their support would go down a notch because of that.
And please be aware that running a db in one data center and a node app (or indeed any app that uses the db) in another data center is a formula for poor performance and unreliability. The app and the db work best with a short and private network connecting them. With respect, it doesn't seem likely you have the network engineering chops to make that sort of thing stable and reliable.
Not to mention the security problems with exposing mongodb to the public network. Your hosting service is reluctant to open a port for a very good reason. Read this. Because cybercreeps
I have an express server that uses nginx and monitors the X-Forwarded-For header.
The node server has the following lines of code:
app.set('trust proxy', '127.0.0.1');
app.use(morgan(':remote-addr')); // and other info too
Normally, when users make requests, independent of the client (mobile app, scripts, etc.) the IP displayed is the remote one.
Recently, I have observed that someone tried to hack into my server using python-requests/2.22.0 and the remote IP was not his IP address, it was 192.X.X.X. I tried to reproduce this myself by accessing the server from itself, but the remote address (global server IP address) was displayed.
Can you better explain to me how this works and if this is something I should be worried about?
They never accessed your server through Nginx; check the logs. They sent a local connection header directly to the IP:port hosting your server. This could be damaging if your security policies are not set correctly; it could leak site IPs and potentially allow an attacker a free path into your server without a response back and with no limits.
As we get scarier, the user could initiate a BGP hijack and take over the relay points sending users to your server end-points; this is one to YouTube or google more about.
As we finish off, know that most hosting companies allow for private networking and do give somewhat of a firewall to use, but most users assume this is secure when it actually is not! These private networks connect you to the hundreds to thousands of servers in a rack or zone. So if the attacker bought a server next to yours (which would likely be a bot) they could scan the private networks for some fun-time, which is against TOS, but the hosts don't check this well enough or secure it.
In your case, it sounds like the server is responding to the entire internet and bots are having a go at it. Try setting your Node.js server up as localhost only, at port 443 or whatever, and host that through nginx. That way, any time someone enters your IP or domain name it is forwarded by nginx to the local resource. Someone couldn't just use the IP + Node.js port and play games. If you do this, a user may still send the header with a fake IP, but it won't result in an IP leak or anything bad unless that IP had superpowers on your site; no filter on your site should say 192.168.x.x gets ADMIN mode. You can feel confident.
This has taken me about a year to understand and get to, but I am the limit of my capability so reaching out to a StackOverflow guru please...
I would like to, if possible, secure my network model. The model is as shown in the diagram. To explain:-
All the aspects I have control of, is within the green shaded area. I cannot change anything outside this.
I run a simple application web server which is the VPN IPsec/L2tpd client. Static IP.
My router is ISP provided. It receives a DHCP Dynamic IP from the ISP.
My Digital Ocean Virtual Private Server has a static IP. It runs an NGINX reverse proxy that channels traffic through the VPN tunnel. It also runs the IPsec/L2tpd server.
An IPsec/L2TPD VPN tunnel is established and working.
A working VPN tunnel.
A cellphone that runs an app that communicates with my application server app. My cellphone receives a dynamic IP from my Network Operator.
I have three IP camera feeds served by my application server. Not a great speed but watchable in real-time.
I cannot change my ISP, or bandwidth/download/upload speed.
I cannot install VPN clients on the cellphone, and I may want to access my app server through another cellphone provided by work, so I cannot install apps on it, but it does have unfettered web access through a browser.
Everything is now working, can't believe I've done it !
Anyway, my question is:-
Is there any way to secure the network so that only traffic from my mobile reaches - or rather is accepted - by my application server.
I accept IPsec/L2tpd is not great, but it is fast, and I use this because I have tried OpenVPN, SoftEther and key-based OpenSwan. These are waaaay too slow. The camera feeds are unwatchable and update one frame about every 5 seconds.
So with the limitations above, what can I do, what is possible? Please may I respectfully ask that you refrain from suggestions and concerns requiring a change to that which I cannot control; I accept all critique but that is not what I need here. I am asking for advice on how to secure that which I can influence. Thank you
I cannot install VPN clients on the cellphone and I may want to access my app server through another cellphone provided by work so cannot install apps on it but does have unfettered web access through a browser.
Given the limitation that, in the end, you must be able to use even a phone where you are not allowed to change anything but use the web, I suggest configuring proxy authentication on the nginx reverse proxy. I don't have experience with setting this up with nginx in particular, but that's what should do the trick according to the network architecture and description you provided.
An example configuration on how to configure nginx for basic / client certificate auth can be found at: https://www.cloudsavvyit.com/1355/how-to-setup-basic-http-authentication-on-nginx/
In a local network (over which I supposedly have no control) I need to connect my local instance of a meteor app to a MongoDB that is running on another PC. Using something like MONGO_URL="mongodb://192.168.1.xx:27017" meteor I am able to connect to it; However is there some way to connect when I don't know the IP, given that it may change daily?
What I'm attempting here would be something like:
Meteor.startup(() => {
//Script to find the correct IP
//Connect my app to that MongoDB instance
});
In short: is there some way to set the MONGO_URL dynamically?
Thank you
Use the hostname of the MongoDB server. As long as you have a local DNS server and both computers are using the same DNS server (which is most likely the case unless you have customised the network settings on either PC), the name will be resolved to the IP address.
To get the hostname of the server, type hostname into Command Prompt (or Terminal if on a Mac).
Alternatively, even without control over the network you may be able to configure a static IP address on the MongoDB server as long as you have local administrator permissions. Just make sure it is within the same network range as the rest of the network, but try to steer clear of your DHCP range otherwise you may get IP conflicts.
I am trying to run a server on a different host from my website. How can I set it up so that if people connect to certain ports on my domain they connect to my server, and my website still works?
Ports exist on the level of TCP and UDP. There is nothing DNS can do to magically change what happens, at the client or your server, on that level.
For your web site, DNS provides translation of its name to a set of IP addresses. The client's browser will then try to talk to port 80 or 443 on one of those addresses. If you want the other server to use the same name as the web site, it must answer requests on other ports on the same set of IP addresses.
If your server is for a protocol that's new and smart enough to use SRV records, you can use that to actually run the server wherever is convenient but still tell the users to connect to the web server name. Check the documentation for details.
If you can't do that, another possibility is to run a small process on the web server machine that listens to the other server's port(s) and forwards all traffic to wherever the server is actually running. The feasibility and details of doing so depends a whole lot of what server it actually is, so I can't really say any more about that.
Or you could just tell the users to use www.tellusthesoddingname.com for the web site and server.tellusthesoddingname.com for the server and point those names at different IP addresses. Which is by far the simplest and most robust solution.
I am trying to connect to a university server using a VPN client. I can connect to the client. Also, if I ping the server by name and by IP address, they both work:
ping servername
ping serveripaddress
However, I cannot access the server from the browser if I type:
\\servername
\\serveripaddress
and also I do not see anything in Network apart from my own computer. I changed my Workgroup to the correct Workgroup, and it still doesn't work.
Also, as my DNS suffix I use the domain name as well as the FQDN, but it doesn't work either.
I restarted after each of these changes, but it didn't help.
I read that when I have a VPN connection working and I am also able to ping the server to which I want to connect, it is most probably DNS resolution problem. But I do not know anymore what to do (I checked and tried the correct DNS suffixes).
Do you know what more I should do? I am using Windows 7.
Thank you.
It sounds like you're trying to use UNC pathing. Assuming that you're getting your network settings from DHCP, are you getting a WINS server?