I have been experimenting with how to bypass captive portals (e.g. Wi-Fi networks without a password that redirect users to an HTTPS payment gateway page). I know that if they haven't configured the captive portal properly (e.g. they only limit browser requests, in such a way that I can SSH to a server or ping any website without issues), there is an "IP over ICMP tunnel" method where one can set up a tunnel to access the internet.
However, I'm just wondering: what if pinging any website results in a timeout or "not reachable"?
Does it mean the configuration allows only HTTPS requests to the redirect website (the payment gateway), and that there is no way to bypass the captive portal (e.g. via tunneling)?
with thanks,
I
In our application, we have enabled the Razorpay webhook for seamless payment.
During development testing I used ngrok. It worked fine.
My production server is protected by Cloudflare with Bot Fight Mode enabled.
When the payment succeeds, a POST request is sent by the Razorpay webhook, but it is blocked by Cloudflare Bot Fight Mode.
So I created a firewall rule to allow it.
The webhook is still blocked by Cloudflare?
What do I need to do to allow the Razorpay webhook to bypass Cloudflare while still blocking other bots?
Thanks in advance.
I came here looking for an answer too but I don't think it is possible unless you have an enterprise account:
https://community.cloudflare.com/t/questions-about-cloudflare-super-bot-fight-mode/256213/40
Whilst this thread refers to Super Bot Fight Mode, I believe the principle is the same: it is only with an Enterprise account that you can choose which URIs to target and which bots to allow through.
Update: I've ended up disabling Bot Fight Mode and will use Fail2Ban on my server and the Cloudflare API to block the IP addresses at their end.
I am trying to block all traffic from the Facebook app, on iOS and Android, on a particular network. I can block web access, meaning that if a user tries to log in to www.facebook.com from a computer, the router will detect and block it. The user won't be able to get access.
However, the mobile apps go through just fine on the same network. I need to prevent users from using the Facebook app on their phones. How do I do this?
I was thinking of using Wireshark to see what URL the phone app is connecting to and blocking that URL. I'm sure this is fine, but is there a base URL I can block which prevents mobile users from accessing Facebook? Is there a list of Facebook URLs I can block which prevents app access?
Whatever tool you are using on the router, I am sure it must support pattern matching while filtering packets.
So I suggest you block all traffic for
*.facebook.com and *.messenger.com.
Having said that, it is probably not enough to just filter HTTP packets based on URL. There are ways of circumventing this using VPNs or proxy websites.
You should consider blocking all outgoing traffic on ports other than 80 and 443.
Similarly, block other protocols like ICMP or UDP too, because they can be used to tunnel VPN connections.
I am saying this because we have applied all these methods to get unrestricted access at uni. :)
You can probably use a proxy server like Squid to control the traffic better.
I know DocuSign can send signed PDFs and other data to a public URL using the DocuSign Connect module.
I want to know whether they will send to our own server's listener page. Will DocuSign send signed information to a non-public URL?
DocuSign Connect and eventNotifications (same notification mechanism, different subscription process) will send the notifications to any URL that is reachable via the public internet.
There are different meanings for "non-public URL." Your server/listener's URL does not have to be linked to by any other page, it does not have to be in Google's index, it can use long, obscure strings in the URL, etc. But it has to be reachable via the public internet.
So if your listener is accessible via the public internet, you're golden.
Other options:
Put your listener in your company's DMZ, where it will be accessible from the internet and also have some access to your internal systems.
Put your listener behind your firewall and open a "pinhole" in your firewall to enable the incoming connection requests. DocuSign publishes the IP ranges it uses, so you can limit the size of the opening in your firewall.
Create a server/listener "gateway" on the public internet that your internal servers can connect to. E.g., start up a listener using Heroku, Azure, etc. I suggest their PaaS services.
Investigate ngrok, localtunnel, and this related blog post
Also:
Remember that your listener must accept requests via HTTPS. Only HTTPS is used for notifications by the DocuSign production platforms.
See the DocuSign webhook recipe for more info.
I am using the REST API
GET /restapi/v2/login_information
to get the login information.
This API returns a baseUrl. For example:
{
  "loginAccounts": [
    {
      "name": "SomeCo",
      "accountId": "555555",
      "baseUrl": "https://demo.docusign.net/restapi/v2/accounts/555555",
      "isDefault": "true",
      "userName": "Marco Altieri",
      "userId": "6b011111-1111-1111-1111-bc65f9bec41e",
      "email": "maltieri#someco.com",
      "siteDescription": ""
    }
  ]
}
I am using the baseUrl https://demo.docusign.net/restapi/v2/accounts/555555 for the next calls to DocuSign.
Unfortunately, the application servers for a client do not have direct access to the DocuSign servers.
I could have used an HTTP proxy, because the client API that I am using has this option, but there is no proxy available to forward the requests from the internal network to DocuSign.
We have been able to solve this problem by redirecting the traffic, for example using iptables.
The application server is configured to call DocuSign using the URL (for the dev server):
https://demo.docusign.net/
On the application server, the hostname demo.docusign.net is mapped in /etc/hosts to the IP address of the redirector box (the internal server).
This means that the application server sends requests to the redirector, which redirects the requests to the actual DocuSign server.
Everything works fine, but I am wondering:
1) Is there a better way to do it?
2) The redirector needs to be configured to forward the requests, and to do so we need to know the IP address of the DocuSign server. This IP address is documented in an article published by DocuSign, so it seems OK to use it. Is this correct?
For your second question: Yes, DocuSign publishes the IP addresses of our servers for both the Demo and Production environments, and it is fine to reference those IP addresses in your configuration. We also recommend adding these IP addresses to your whitelist to avoid any issues.
I'm not a networking expert, but I'm confused why you can make the initial API call to login_information but then have issues to work around with subsequent calls. It's the same root
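Two of the answers above come down to the same control: the Connect answer suggests limiting the firewall "pinhole" to the IP ranges DocuSign publishes, and the reply to the redirector question says to whitelist those same published addresses on the way out. Both are a CIDR allowlist match on a peer address. The following is an added example, not code from either thread or from DocuSign; the CIDR ranges in it are constructed placeholders and must be replaced with the ranges DocuSign currently publishes (they change over time, so treat the list as configuration to be refreshed, not a constant). It handles IPv4 only, which is an assumption, and it also encodes the answer's other requirement that a Connect listener accept notifications only over HTTPS.

```javascript
// CIDR allowlist usable as an inbound gate for a DocuSign Connect listener or
// as an egress check towards DocuSign. The ranges below are CONSTRUCTED
// placeholders from documentation-reserved space, NOT DocuSign's real ranges.
const PLACEHOLDER_DOCUSIGN_RANGES = ['203.0.113.0/24', '198.51.100.0/25'];

// Dotted-quad IPv4 -> unsigned 32-bit integer; throws on anything else.
function ipv4ToInt(ip) {
  const parts = String(ip).trim().split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`not an IPv4 address: ${ip}`);
    return acc * 256 + Number(p);
  }, 0);
}

// Parse "a.b.c.d/n" (or a bare address, treated as /32) into network + mask.
function parseCidr(cidr) {
  const [addr, prefixStr] = cidr.split('/');
  const prefix = prefixStr === undefined ? 32 : Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const network = (ipv4ToInt(addr) & mask) >>> 0;
  return { network, mask };
}

function buildAllowlist(cidrs) {
  return cidrs.map(parseCidr);
}

// True if ip falls inside any allowlisted range; IPv6 or garbage is denied.
function isAllowed(ip, allowlist) {
  let n;
  try { n = ipv4ToInt(ip); } catch (e) { return false; }
  return allowlist.some(({ network, mask }) => ((n & mask) >>> 0) === network);
}

// Inbound gate for a Connect listener: DocuSign delivers only over HTTPS, so a
// plaintext request is rejected outright, then the TCP peer address is checked.
// Use req.socket.remoteAddress here; X-Forwarded-For is client-controlled and
// is deliberately NOT consulted unless a trusted reverse proxy in front of the
// listener is known to overwrite it.
function gateConnectRequest(remoteAddress, isTls, allowlist) {
  if (!isTls) return { allow: false, reason: 'plaintext HTTP not accepted' };
  // Node reports IPv4 peers on dual-stack sockets as "::ffff:a.b.c.d".
  const addr = remoteAddress.startsWith('::ffff:') ? remoteAddress.slice(7) : remoteAddress;
  if (!isAllowed(addr, allowlist)) return { allow: false, reason: `source ${addr} not in allowlist` };
  return { allow: true, reason: 'ok' };
}
```

For the redirector case the same isAllowed() check applies to the destination address the redirector is about to forward to, so a stale or mistyped forwarding target that is outside the published ranges fails closed instead of silently sending API traffic (with its credentials) somewhere else.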
I want to build a Node.js internet gateway/captive portal, so I can have a user 'authorize' his MAC address (or IP address, if the MAC address is not possible), like the ones used for Wi-Fi hotspots.
So what I have in mind is that Node can run a DHCP server and hand out its own IP address as the gateway. Then, if the user loads a page in the web browser, it shows them an authentication screen; they can log in, and the gateway can then route their packets correctly.
How can I do the authorization step with Node.js, so that if they're not logged in it presents a login page, and if they are, it routes their packets correctly?
You need a couple of pieces to put this together.
#1: HTTP proxy - If you can run a DHCP server and assign IP addresses, then you can run an HTTP proxy to capture all internet traffic.
#2: You'll then need to add authentication logic to this proxy which checks for a cookie, magic packet, token or something else that verifies access, and either lets them through or redirects to a login page.
node-http-proxy is a very popular and flexible Node HTTP proxy server that you can easily add your own logic to.
node-http-auth-proxy is another such project, with an example of how to handle authentication built in.
Having a proxy also allows you to whitelist/blacklist sites/IPs, something you may want to do based on your target audience.