How do I prevent the "appspot.com" of my App Engine app? - node.js

I have a custom domain added that I added to App Engine. For example, let's say my custom domain is "example.com".
My app is served with Node.js, and I when I deploy my app through App Engine, it gives me this address to access to it:
"example.appspot.com".
How do I prevent this? I want to serve my app only on "example.com".
SOLVED: I'm using this middleware to prevent those hostnames and it works, at least for what I kind of wanted:
var redirect = function(req, res, next) {
if (req.hostname.search('appspot') !== -1) {
res.redirect(301, 'https://www.example.com');
next();
}
next();
};
app.use(redirect);

Related

node-sspi keep on asking for authentication after deploying on Azure

I'm working on an application, building front end using angular and back end using node JS. For authentication, since we have to go with windows authentication, i chose Node-sspi as it is simple to implement and found it effective. Below i'm posting a simple code similar to the code i'm working with.
var http = require('http');
var port = process.env.PORT || 8080;
var express = require('express');
var app = express();
app.use(function (req, res, next) {
var nodeSSPI = require('node-sspi')
var nodeSSPIObj = new nodeSSPI({
retrieveGroups: true
})
nodeSSPIObj.authenticate(req, res, function(err){
res.finished || next()
})
})
app.use(function(req, res, next) {
var out =
'Hello ' +
req.connection.user +
'! Your sid is ' +
req.connection.userSid +
' and you belong to following groups:<br/><ul>'
if (req.connection.userGroups) {
for (var i in req.connection.userGroups) {
out += '<li>' + req.connection.userGroups[i] + '</li><br/>\n'
}
}
out += '</ul>'
res.send(out)
})
app.listen(port, function(){
console.log('server is listening on port '+port);
})
console.log('Your application is listening on port '+port);
When i browse this on local, i'm able to do the authentication part and can see the landing page.
the problem is when i deploy it on azure or on IIS it is keep on asking me for the authentication.
Please let me know how to achieve windows authentication using node-sspi on IIS and Azure.
As far as I know, it's not possible to use windows authentication in Azure web apps. App Service PaaS VM instance(s) can't be domain joined. This is the reason why you always ask you login in.
Azure Active Directory is the best option. Sync from AD to Azure Active Directory is also quite easy to setup.
If you still want to absolutely use Windows auth and host your website on Azure, you can create Windows VM and host your website there. You then need to join the VM to your AD. To do this, both VMs must be in the same network.
Please add the site to Trusted sites:

How to Restrict the anonymous domain accessing my webisite

! I have implemented a WebApp and SQL-DB.
added custom domain and SSL certificates (which bought at CA).
for SSL offloading purpose we configured an azure application gateway.
with all setup.
next, we configured azure traffic manager so that traffic manager decide active web app routing.
our concern is when I adding the CNAME record for traffic manager in GoDaddy it is routing to WebApp, everything is great.
but when I search "xxxx.com" Digwebinterface it shows all connections to WebApp
in this, I took the traffic manager CNAME record and added to another domain then the duplicate domain also accessing all my content of the website and even create a record in SQL also.
in this scenario I losing my website restriction unauthorized domain can map site
any suggestion and insights it would be grateful to
thank you
The simple way is to create a filter in your code for inspecting the host of headers of request to allow or deny the accessing from different domain.
Here is my sample code in Node.js with express.
const express = require('express')
const app = express()
const port = 3000
const allowedHosts = [`localhost:${port}`]
var domainFilter = function(req, res, next) {
if(allowedHosts.includes(req.headers.host)) {
next()
} else {
res.status(403).end()
}
}
app.use(domainFilter)
app.get('/', (req, res) => res.send('Hello World!'))
app.listen(port, () => console.log(`Example app listening on port ${port}!`))
It will allow the request from localhost:3000 and deny the request from 127.0.0.1:3000 or others, as the figures below.
Fig 1. Allow the request from localhost:3000
Fig 2. Deny from 127.0.0.1:3000 or others
Hope it helps.

Forbit CORS request in node.js

I have a nodejs Express app which serves a static front-end app. I have an endpoint that I'd like to prevent the access from all the others domains.
One solution could be using CRSF but I'd prefer avoiding this. Is there a simple way?
My app is very simple:
app.use(express.static(path.join(__dirname, '/dist')));
app.use(bodyParser.json());
app.post('/endpoint', (req, res) => {
res.send();
});
app.listen(process.env.PORT || 8080);
Does the domain have a static IP? You could add your domains IP to a whitelist blocking access to your endpoint from all IP's bar your own:
express-ipfilter
If you don't have a static IP so that you can block requests you could start by configuring CORS with the Access-Control-Allow-Origin header set to your domain. This will block cross origin access from the browser but isn't a complete fix for what you want.
Configuring CORS

SSL certificate propagation issue with custom domain on Bluemix app

I uploaded my SSL certificate in the section of my custom domain in the space of my organization. I linked the domain with my application and I have created the CNAME record in my DNS to my broken app xxxxx-gb.bluemix.net .eu.
When I try to reach my application through my domain custom, I served me the Bluemix certificate and not mine.
I tried to add a proxy on my server (NodeJS) but the situation does not change.
app.enable('trust proxy');
app.use(function (req, res, next) {
if (req.secure) {
// request was via https, so do no special handling
next();
} else {
// request was via http, so redirect to https
res.redirect('https://' + req.headers.host + req.url);
}
});
How can I fix the problem ? I need my certificate, to call my API, from my mobile application, it is the certificate must necessarily be mine and then TRUSTED
You need to map the CNAME to the secure endpoint for the Bluemix region you are using, in your case it should be secure.eu-gb.bluemix.net.
When receiving the request from your custom domain Bluemix will map it internally to your app.
More details in the documentation link below:
https://new-console.ng.bluemix.net/docs/manageapps/updapps.html#domain

Passport authentication not working in sails.js application

I have a Sails JS application. I am trying to setup authentication using Passport.js authentication layer sails-generate-auth. I have configured my app by following the steps given in their documentation.
But when I lift my sails app, authentication is not working. I am able to access the controllers, even when I am not logged in (It's not redirecting to my login page).
I added a console.log statement in api/policies/passport.js as follows:
module.exports = function (req, res, next) {
passport.initialize()(req, res, function () {
passport.session()(req, res, function () {
res.locals.user = req.user;
console.log(req.user); // added by me
next();
});
});
};
Now, when I access controllers before login or after logout, its printing undefined. But when I am logged in, its printing my user data. Any idea why it is not checking for authentication?
I am using local authentication strategy and I have commented out all others (twitter, facebook...)
The above answer provides useful information. I want to elaborare on that.
sails-generate-auth, by default doesn't deny access to controllers if the user is not logged in. For that, you can create another policy in api/policies/. For example: create sessionAuth policy as follows:
module.exports = function(req, res, next) {
if (req.user) {
return next();
}
return res.forbidden('You are not permitted to perform this action.');
};
Instead of showing forbidden page, you can also render login page. For that you need access to AuthController.login. So, add the policies in config/policies as follows:
'*': ['passport', 'sessionAuth'],
'auth': {
'*': ['passport']
}
This helps to restrict access all the controllers except auth controllers such as login, logout and register, if the user is not logged in.
Passport doesn't have a policy to deny access to a controller. For this, you have to create another policy.
See this link for more details.

Resources