I have a web application where users can specify a custom website that they host to be displayed in an iFrame on the page.
The problem is, my web app runs in HTTPS where as user's webpages in the iFrames do not have SSL enabled and are in http. This causes their webpage to be blocked from showing for a mixed content security warning.
My idea, was to setup a reverse proxy on my Apache webserver. This reverse proxy would take something like https://example.com/reverse?theirsite=http://example.com
This reverse proxy would need to work for websocket connections as well:
wss:// -> ws://
and
https:// -> http://
Is this the best way to go about displaying a user's insecure webpage in an iFrame on my web app?
<VirtualHost *:443>
# Reverse proxy for iFrames
# https -> http and wss -> ws
# get the SITE querystring for the IP/Port
ProxyPass /proxy {site}
ProxyPassReverse /proxy {site}
</VirtualHost>
Apache would need to take a custom query string and forward it to the insecure site.
Is this the best way?
If you want to provide a way for everyone on the internet to surf for porn anonymously, attack other websites and generally do bad things, then you're spot on. Unfortunately it won't do what you intend.
First, you're going to need some application logic to implement this is - e.g. PHP, Python, Perl, Java....
Then you'll need a way to store mappings between URLs on your site and those of your users.
Then you write some code which listens at the iframe URL to translate a request using the map. When it receives a response from the origin site, it will hen need to re-write any URLs therein to something which will be routed back to your server.
Once you've done all this, you will have something which looks like it works, however anyone with a user account now has the ability to attack your sites security via XSS. So really you need a dedicated vhost within your domain such that each user's content runs within its own origin.
This is not trivial.
Related
I am injecting some script tags in a website, with source such as http:localhost:3000/css/my-page-css.css . While its working on almost all sites, there's this particular website that is somehow sending all my http requests as https. How do I handle such a case?
I have configured an https server also on my nodejs app which listens to port 8443 and http listens to 3000. But, when I inject my script tags, they have src URLS which point to port 3000. So even if I have an https configured on my nodejs app, it won't work since it would be listening to a different port.
You are using HTTP Strict Transport Security (HSTS)
Using the securityheader.com website on your URL, or Chrome Developer tools we see the following HTTP Header is sent back by your site:
Strict-Transport-Security max-age=7889238
This HTTP Header will be configured in your webserver and is a way of your webserver telling the browser "For the next 7889238 seconds only use HTTPS on this domain. If someone tries to use HTTP (either by typing or by clicking on a link) then automatically switch HTTP to HTTPS before you send it on to the server."
This is a security feature as currently the default (if a scheme is not explicitly given) is HTTP. This allows website owners to switch the default and, even strong that that, prevents it being able to be switched back.
HSTS is set at a domain level and it is not possible to have it on for one port (e.g. 443) but not for another (e.g. 3000) - it's either on for that domain or off.
If you really want to use HTTP then you need to remove this header and remove the remembered value of this header from your browser. While chrome allows you to do this by typing chrome://net-internals/#hsts in the URL and using the delete option, the easiest way to do this is to change the max age from 7889238 to 0, and then load the website again. And then remove the header completely.
This can be especially annoying for sites like localhost where you proxy requests and inadvertently set it for that dummy host name. You should see if your node proxy server allows you to strip off that HTTP header. Some might say it would be better if browser makers ignored HSTS for localhost, however I think it would be better if developers just stopped fighting HTTPS and used that even for development environments using a self-signed certificate that is added to your local trust store. This was you can avoid problems like mixed content, and also use features that are HTTPS only (including Brotli, HTTP/2, Geo Location...etc.) while developing (though some browsers like Chrome still allow these on http://localhost).
Alternatively set up a local DNS alias for each of your dev sites and use that with or without HTTPS as appropriate for the site in question.
I have this one page which has an iframe inside of which a survey page is embedded, unfortunately i'm getting "Your connection is not secure" error inside the iframe. Does anyone know how to fix this issue? By the way, the website is SSL certified, not the page i'm trying include inside the iframe. Also this is a php site not wordpress.
Thanks
You are always going to have this problem when an HTTPS page references non secured content. You options are:
move the page hosting the iframe (and its associated content) outwith HTTPS. Although, in theory a HTTP page should be able to reference HTTPS hosted javascript, CSS and images without emitting warnings, this will probably vary by browser
move the survey page into HTTPS. I am guessing that you don't host this yourself - have you contacted the provider to ask if they can provide the service via HTTPS? Have you considered using a different provider?
proxy the HTTP survey page via your server - this would require some clever configuration on the webserver or terminating the SSL connection in front of a proxy operating in reverse mode for your service and rewriting/forwarding mode for the survey. Basically, if you don't control the infrastructure this is probably a non-starter.
re-implement the survey capability within your own site.
Bear in mind that as soon as your site is exposed outside of HTTPS it becomes vulnerable to more attacks.
.htaccess is not going to help - it overrides the behaviour within a vhost - the HTTP and HTTPS sites will operate in seperate vhosts.
I have a node.js app.
I have it configured to redirect everything to https from http.
but i was thinking if the extra work to make the normal pages visible on http and the logged in pages only visible via https, would be worth the effort.
does having both in my app expose any security holes?
Yes multiple, including:
Cookies are shared between the two sites unless you remember to include the "secure" attribute each time you set a cookie.
You are vulnerable to MITM attacks (e.g. replacing a "login" link on http to either keep you on http or redirect you to another site instead).
Resources need to be loaded over https on the secure site or you will get mixed security warnings. It's easy to miss this when running mixed sites.
Users will not know whether pages should be secure or not.
Can forget to renew cert and/or see cert errors but this should be more obvious if whole site is https.
Cannot use advanced security features like HSTS.
And that's just off the top of my head.
Go https everywhere and redirect all http traffic to https. Unless you've a good reason not to.
There are other benefits too (user confidence, looks more professional, small SEO boast, Google sees this as two sites, easier management of sites, Chrome will soon block access to some features like location tracking on http, cannot upgrade to HTTP/2 until you implement https... etc.).
Our company has two sites
www.mysite.com -- Wordpress site
www.mysite.com/portal -- asp.net mvc site
We want to move the wordpress site (www.mysite.com) to Azure and the other site stays local. We need to url stay the same. How can we achieve this?
Since you state that you need the URL to stay the same, this can be achieved through a reverse proxy. You would set up a web server (typically nginx or IIS) answering on www.mysite.com.
This web server would have reverse proxy rules to forward requests for /portal to your on-premises server (in a given, non-public IP and port) and all other requests to another web server running WordPress (on the same server/cluster that runs the reverse proxy, or a separate one), also with a given IP and port.
All user requests, then, would reach the reverse proxy, that would serve them from cache if possible, or forward them to the internal web servers, and send the response back to the user, transparently. Notice that this is an internal operation, not a redirect response.
Although this setup is more complex than the simpler solution of using different subdomains (www.mysite.com for website and portal.mysite.com for application), it comes with certain advantages that are described in the referenced Wikipedia article, such as security and acceleration.
Alternatively you could create separate subdomains as described above, and use a redirect rule to redirect requests for www.mysite.com/portal/x to portal.mysite.com/x. In this case, the user would see the updated URL in their browser, but the old ones would still work.
The site needs to be accessible both from HTTP and HTTPS (in case the client wants the form submissions to be secure or not)
The site is hosted in IIS6 and ideally I'd like to be able to just have one website in there and it can handle both http and https..is this possible?
alternatively i was thinking maybe creating a "secure" subdirectory in the site and duplicating everything in there as well..is that feasible?
this is further complicated that it is using asp.net 3.5's routing ability to do url rewrites
so even if I create a secure subdirectory, i dunno if it will actually pick up that it's supposed to be SSL approved
It is possible. There is a checkbox on the security settings that allows you to "Require ssl" for connections. It is then up to you to manage transitions between https and http with redirects or links.
More information on this here. Just skip step 6.
You can have IIS 6 & IIS7 operate the same site with https as well as http. In IIS 6 there is a restriction that you can't use host headers. So you'll need a dedicated IP address for it. Simply bind it to the ip address and then setup the cert. Don't use the "require https" and just enforce it in the sections of your application that you want.
I m not sure about iis 6 but in iis 7 you select the site and go to bindings and click add select https it will automaticaly chose port 443 and then chose your ssl cerificate
This is all very possible but,
The site needs to be accessible both
from HTTP and HTTPS (in case the
client wants the form submissions to
be secure or not)
If you have the capability for them to use SSL I wouldn't give them a choice. Just make them use it. Most users don't know the difference between secure and unsecure connections or even why they should care. Just force everyone to use a secure connection for form submissions.
alternatively i was thinking maybe
creating a "secure" subdirectory in
the site and duplicating everything in
there as well..is that feasible?
Yes but what is far more common is to have a secure sub domain. Check out most shopping sites and while you're browsing products and such you'll be looking at www.someshoppingsite.com. The moment you begin checking out you'll be forwarded to secure.someshoppingsite.com. If you create an SSL subfolder I guarantee you at some point it will be disabled accidentally and no one will notice for weeks.