We have built an online platform which allows businesses to sign up and show off their services, along with having a shop on that platform.
Currently, the url for a business profile would be something like:
example.com/businesses/132/some-company
...and the shop:
example.com/businesses/132/some-company/shop
Now, to make the business profiles more appealing to companies, I was wondering whether it would be possible to connect a domain to that page on our platform, so that the url could instead simply be:
some-company.com
...ideally with subpaths:
some-company.com/shop
...which points to the above URL.
I would NOT like to redirect, because that would remove the custom domain from the url bar in the browser.
As a frontend developer, I imagine this like having a full-screen iframe pointing to the business profile url on the custom domain. But this approach would require development per business on our platform, which might not be necessary, if there was a better solution.
Is there any way to do this?
You can use a reverse proxy engine like NGINX to accomplish this cleanly.
Here's a rough sample of what the some-company.conf may end up looking like:
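server {
    listen 80;
    server_name www.some-company.com some-company.com;

    location /shop/ {
        # Map the custom domain's /shop/ onto the business's shop page on the platform
        proxy_pass http://www.example.com/businesses/132/some-company/shop/;
        # Pass the client's address and the original scheme and host to the upstream
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        # $scheme rather than a fixed "https": this server block listens on plain HTTP (port 80)
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
    }
}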
There are additional settings needed for SSL and other re-write options but this should get you rolling in that direction.
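The config above hard-codes one business per server block. As an added example (not code from the question or the answer), the same mapping can be driven by a lookup keyed on the Host header, so connecting a new domain needs no per-business development; unknown hosts and paths that try to climb out of the business's prefix are refused. The TENANTS table and all function names are hypothetical.

```javascript
// Hypothetical tenant table (added example): custom domain -> profile path.
// On a real platform this would be a database lookup, not a constant.
const TENANTS = new Map([
  ['some-company.com', '/businesses/132/some-company'],
]);

// Normalise a Host header: lowercase, drop the port, a trailing dot and "www.".
function normalizeHost(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  let host = hostHeader.trim().toLowerCase().replace(/:\d+$/, '').replace(/\.$/, '');
  if (host.startsWith('www.')) host = host.slice(4);
  // Accept plain DNS names only; everything else counts as unknown.
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(host) ? host : null;
}

// Clean a request path. Any ".." segment, raw or percent-encoded, and any
// encoded slash is refused, so a request cannot leave the tenant's prefix.
function normalizePath(rawPath) {
  const out = [];
  for (const seg of rawPath.split('/')) {
    let dec;
    try { dec = decodeURIComponent(seg); } catch (e) { return null; }
    if (dec === '..' || /[\/\\]/.test(dec)) return null;
    if (dec === '' || dec === '.') continue;
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Map (Host header, request target) to the platform path to proxy to.
// Returns null for unknown hosts and refused paths; the caller answers 404.
function resolveUpstreamPath(hostHeader, requestTarget) {
  const host = normalizeHost(hostHeader);
  const prefix = host ? TENANTS.get(host) : undefined;
  if (!prefix) return null;
  const q = requestTarget.indexOf('?');
  const rawPath = q === -1 ? requestTarget : requestTarget.slice(0, q);
  const query = q === -1 ? '' : requestTarget.slice(q);
  const path = normalizePath(rawPath);
  if (path === null) return null;
  return (path === '/' ? prefix : prefix + path) + query;
}
```

A trailing slash on the request path is dropped by this normalisation; the query string is passed through unchanged.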
Related
I have a registration end-point.
If someone discovered it, they could send garbage registrations into my database using cURL.
Is it possible to prevent all cURL requests that do not originate from www.mydomain.com so I don't need to worry about malicious accounts being created?
Note I'm using nginx on Ubuntu and under /etc/nginx/sites-available/default I set
location / {
    # save origin IP address
    proxy_set_header X-Forwarded-For $remote_addr;
    #...
}
and in my end-point I have
app.get('/api/register', function (req, res) {
    // Prefer the proxy-supplied header, fall back to the socket address
    var ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
    console.log(ip);
    // ...
});
but the console always logs my host IP address, whether I send the request from my hosted website (using HTML and a form) or if I send a cURL request from my PC at home.
I also tried tinkering with
app.enable('trust proxy')
from Express.js: how to get remote client address
The registration API can be trivially discovered by looking at the source of your web client application or at the network traffic, so it should not be considered a secret.
The X-Forwarded-For header will provide the name / IP of any proxies that the query traversed on the way from the browser to your API; it will not provide an indication of where the form was loaded from (during your tests you get the IP of your server because that is where you have your nginx reverse proxy set up). The header that shows where your client code loaded from would be the Referer header, something which is easily spoofed and not much of a security control. You could use a session to check that the API comes from a user that has previously loaded your code, but again this is easily reproducible outside your app.
So, to answer your question: no, there is no way to ensure that HTTP requests to your API only come from your client code. In a way it is the beauty of the API, so that clients can be implemented by anyone.
One approach to avoid the abuse of an unauthenticated API call such as the "registration" you are trying to protect would be to implement a CAPTCHA challenge whose solution is a parameter to your API call. With a complex enough CAPTCHA algorithm you ensure that the requests cannot be automated to create a large number of users, which is the threat you are trying to protect against.
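As an added example (not code from the question or the answer), this is how an application behind nginx can derive a client address from X-Forwarded-For without believing values the client wrote itself. The result identifies the network peer only and says nothing about which page issued the request, which is why it cannot serve as the origin check the question asks for. TRUSTED_PROXIES, the function names and the sample requests are assumptions made for the illustration.

```javascript
// Assumption (added example): addresses of your own reverse proxies, here
// nginx on the same host. Never fill this from request data.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']);

// Node reports IPv4 peers on dual-stack sockets as "::ffff:a.b.c.d".
const norm = a => String(a || '').trim().replace(/^::ffff:/i, '');

// Split an X-Forwarded-For value into its hops, left to right.
function parseForwardedFor(header) {
  if (!header) return [];
  return String(header).split(',').map(norm).filter(Boolean);
}

// socketAddr is the TCP peer (req.socket.remoteAddress in Node).
function clientAddress(socketAddr, forwardedFor, trusted = TRUSTED_PROXIES) {
  const peer = norm(socketAddr);
  // A peer that is not one of our proxies can write anything into the
  // header, so the header is ignored and the socket address is the answer.
  if (!trusted.has(peer)) return peer;
  // Walk right to left: each trusted proxy appended the address it saw.
  // The first hop that is not ours is the real peer; everything further
  // left was supplied by that peer and is unverified.
  const hops = parseForwardedFor(forwardedFor);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  return peer; // header empty, or it listed only our own proxies
}

// Constructed sample requests using documentation-range addresses.
const SAMPLES = [
  { socket: '127.0.0.1', xff: '203.0.113.7' },           // normal request via nginx
  { socket: '127.0.0.1', xff: '10.9.9.9, 203.0.113.7' }, // client forged the first hop
  { socket: '198.51.100.4', xff: '127.0.0.1' },          // direct hit with a forged header
  { socket: '::ffff:127.0.0.1', xff: undefined },        // nginx itself, no header
];
function demo() { return SAMPLES.map(r => clientAddress(r.socket, r.xff)); }
```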
I think I screwed up something in my DNS configuration and now it's bugging me for hours. Any help would be greatly appreciated.
I own a domain, let's call it abc.com
Before all the issues happened DNS was configured in the following way at my registrar:
abc.com 'A' record Points to a wordpress server
www.abc.com 'A' record Points to a wordpress server
app.abc.com 'A' record points to amazon server.
We had a requirement where I had to achieve the following:
abc.com point to amazon server. //not the wordpress but amazon.
www.abc.com point to a wordpress server
app.abc.com point to amazon server.
*.abc.com point to amazon server
What I did to achieve this I believe is causing me all the issues. I went ahead and modified the DNS records in the following order
abc.com 'A' record points to amazon server. //earlier pointed to wordpress
www.abc.com 'A' record points to an amazon server
app.abc.com 'A' record points to amazon server.
I changed my nginx configuration in such a way that http://*.abc.com would always redirect to https://abc.com and I made the redirect permanent
server {
    listen 80; # default;
    server_name abc.com *.abc.com;
    location / {
        include proxy_params;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_headers_hash_max_size 8192;
        proxy_headers_hash_bucket_size 256;
        return 301 https://$server_name$request_uri;
    }
}
After a while I realized I made a mistake as I wanted the www.abc.com to point to wordpress. So I went ahead and modified the DNS records again.
abc.com 'A' record points to amazon server.
www.abc.com 'A' record points to a wordpress //earlier pointed to amazon/nginx
app.abc.com 'A' record points to amazon server.
And whatever I do, the change to www.abc.com isn't reflected on the web. It just redirects to the amazon server. I tried it using different machines, installed browsers afresh still no luck.
I tried pinging abc.com and www.abc.com and they do point to amazon and wordpress (as configured in DNS), I even tried checking DNS propagation at whatsmydns.com and it shows the IPs based on my DNS conf. But I don't understand why they don't work in the browser.
I tried checking the redirect flow of the site at http://redirectcheck.com/index.php and it still shows 301 permanent redirect despite me going ahead and modifying the DNS records.
Any help would be greatly appreciated.
You've made what's called a "DNS propagation", which can take up to 24 hours to take effect (see: Domain Names - How long do DNS changes take?).
If 24 hours have passed, try Clearing the DNS Cache on Computers and Web Browsers
I'm running my site on a shared server and want to be able to capture the "real" ip address of users who are using the Puffin browser. Puffin renders web site content on its own cloud servers and then passes the result to the user's browser. The downside is that the user's ip address appears as that of the Puffin cloud server and not their own. Puffin does however pass the "real" ip address using the X-FORWARDED-FOR header. Unfortunately my host provider strips this out.
I asked them if there was any way round this and they have responded saying (regarding the X-FORWARDED-FOR header):
"You may be able to capture this with an environment variable within a .htaccess file."
At this point I'm way out of my depth so I was wondering if anyone could explain in simple terms how to go about this?
If they strip out the header, you may not even be able to capture it in your htaccess file. But you'd need something that looks like this:
RewriteEngine On
RewriteCond %{HTTP:X-FORWARDED-FOR} ^(.+)$
RewriteRule ^ - [L,E=X-FORWARDED:%1]
And you'd be able to get the environment variable via (using php) $_SERVER['X-FORWARDED']
After posting this question:
https://stackoverflow.com/questions/20891667/how-to-ignore-a-rule-if-the-rewrite-page-is-not-200-ok-status
I stumbled across this:
nginx as load balancer server out 404 page based on HTTP response from app server
Which, correct me if I'm wrong but, basically says Nginx can do what I need using
proxy_intercept_errors (From nginx.org)
Determines whether proxied responses with codes greater than or equal to 300 should be passed to a client or be redirected to nginx for processing with the error_page directive.
Yes!
This is exactly what I'm looking for.
Does IIS7.5 URL Rewrite 2.0 + ARR have this functionality? Or is this something that is exclusive for Nginx servers only?
I'm trying to create a website that will basically be my own custom "profile."
On this server, I have a project called "gradebook" that's a node app running on port 3030...
I want the site to be set up so that when you go to www.website.com, you see my picture and list of my accomplishments/projects/etc.
If you navigate to www.gradebook.website.com, you'll see my gradebook app.
Can this functionality be accomplished using nginx?
If so, could someone point me in the right direction with this...? I'm not very good with setting this kind of stuff up so any guidance is appreciated :) thanks!
You can proxy your request to the node app
e.g.
location /gradebook {
    proxy_pass http://localhost:3030;
    proxy_set_header X-Real-IP $remote_addr;
}