Facebook secure canvas url bypass - security

I want to make my app public, but I don't have a valid SSL cert or hosting with a unique IP for it. I read that the changes omitting https:// will come in October. How can I change my app to work over http until October's changes?
Generally, the problem for now is: when I enter Facebook via https and go to the app, there is an error about an untrusted cert and the app isn't loaded.
If there is no way to avoid the "migration" changes, can anyone tell me if there is any chance to run a MySQL database on Heroku?

Can't connect to my AWS node server through secure (https) connection

I am working on a 2-player card game. The two client facing pages are hosted on Github pages and the node server is running on AWS.
Everything works fine when I view my client side pages locally, but when I try to open them on Github pages I get this error:
Mixed Content: The page at '' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint ''. This request has been blocked; the content must be served over HTTPS.
So then I change the connection url to include https like this:
var socket = io.connect("https://ec2-18-191-142-129.us-east-2.compute.amazonaws.com:3000");
And I get this error:
index.js:83 GET https://ec2-18-191-142-129.us-east-2.compute.amazonaws.com:3000/socket.io/?EIO=3&transport=polling&t=N71Cs6c net::ERR_SSL_PROTOCOL_ERROR
Here are my security groups:
Do I need to do something with an SSL certificate? Is it even possible with my current setup as I don't have access to the domain I am hosting on (Github Pages). If it's not possible are there any online services I can host my client code on and get an SSL certificate, or do I have to buy a domain and hosting? Any help welcome, but please try to explain it because I am very new to all this. Thank you.
EC2 doesn't support https like this ("out of the box").
There are several ways of doing it, but I suggest you create an application load balancer (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html) and then configure https on it (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html).
Another solution can be using CloudFront, or configuring https directly on the instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html).
Hope that makes sense.
As mentioned by alcyon, changing from HTTP to HTTPS does not enable your application to run over HTTPS. There are many ways to achieve this. Check out the detailed guide by AWS for your use case at https://aws.amazon.com/premiumsupport/knowledge-center/configure-acm-certificates-ec2/ .

How do we show a page from our app but using a custom domain owned by a user

We host an Angular app (e.g. render.our-app.com) on now/zeit. This app allows a user to show a presentation. The presentationId needs to be included in the path e.g. https://render.our-app.com/. We are looking to be able to use a custom domain owned by the user, to show a presentation with no redirects.
So for example, the user has a domain (website.mycompany.com) and we want to show the presentation under that custom domain but using our app.
website.mycompany.com => render.our-app.com/12345 (12345 = presentationId)
We are not sure how to do this properly. We tried to use a cname but we get an error saying:
404: NOT_FOUND
Code: DEPLOYMENT_NOT_FOUND
(The error is very now/zeit specific)
We thought that http://website.mycompany.com/12345 might work.
We are not sure how to do this :(
Thanks
The steps involved probably would be:
Set up a virtual host on your server for website.mycompany.com (or maybe use a ServerAlias directive if you are on Apache). This is where your app will be hosted.
Edit the hosts file of the computer that will be used for the presentation; in that hosts file you add an entry for website.mycompany.com that points to the IP address of your server. By doing so, you bypass the normal DNS resolution process. Rather than connect to the 'true' address, the PC will connect to your demo server.
There is a gotcha: SSL. You can create a self-signed certificate on the server, and then you add it to the list of trusted certificates on the client (demo PC). This can be done the first time you launch your browser and get an alert about the self-signed certificate.

ERR_SSL_PROTOCOL_ERROR with Heroku, Node, Express, SSL

I recently enabled SSL for my Heroku-hosted website, wildcodemonkey.com, but when I visit it in Chrome I see the error "ERR_SSL_PROTOCOL_ERROR".
My research indicated that the SSL connection terminates at Heroku's router, which then passes the request along via HTTP to my express/node site. Consequently, I did not set up 'https' in my server and have been expecting standard HTTP connections.
My SSL configuration is such that my CSR, key and cert were passed along to Heroku. I'm using the SSL option baked into Heroku, not a third-party resource/addon. After enabling SSL in my app's settings I changed my DNS to reflect the new endpoint (wildcodemonkey.com.herokudns.com instead of wildcodemonkey.com.herokuapp.com), this is the endpoint I was told to use when I configured SSL on Heroku, directly copied and pasted from the settings page after setting up ssl.
I do see morgan logging GET requests when I hit the domain, so it does look like everything is making it end to end, so I'm not sure where the issue is occurring.
Any assistance would be greatly appreciated. Thanks ahead of time.
According to the SSLLabs report, the certificate chain of this site is incomplete. While desktop browsers often, but not always, will work around this problem, mobile browsers and other applications usually will not. Check the documentation provided by your CA for which chain certificates need to be configured.

Editing force_ssl option in shop.json of a Shopify store

Towards the end of February, Shopify set the force_SSL option true (even for dev stores), which is a problem for me because I'm working on a Shopify app locally (using localhost) and my computer doesn't have an SSL cert.
Is there any way to change this option in the admin of a Shopify store? If so how?
If not (I have the feeling that this isn't possible...) is there a way I can get a localhost SSL cert? I'm using Node.JS and Express.JS and two ports to run my app (port 2000) and my website (port 3000).
You're unable to turn off force_ssl yourself - however there shouldn't really be a need to do so.
Are you running into a particular error when developing? There may be some ways around it.
Outside of that, you can always check out OpenSSL.
So I'm the absolute biggest idiot ever... My new dev store was password protected, therefore it had the http header of X-Frame-Options set to DENY. When I removed the password everything worked perfectly.

FBML apps fail under HTTPS

When setting in the developer console a secure url (https), and trying to load the canvas under facebook:
https://apps.facebook.com/fanta-seriea/
I get the error saying that Facebook received an empty response.
Am I doing something wrong? The certificate is all right:
https://fanta-seriea.com
So why is this happening?
L.
If you enable SSL for your FBML app, please make sure that your SSL certificate includes all intermediate certificates in the chain of trust as our SSL validation is strict. You can use third-party SSL analysis tools (e.g., https://www.ssllabs.com/index.html) to check your certificate status and fix any errors (and warnings). If your SSL certificate has problems, you may see "Empty response received" error when you load your FBML canvas app.
From https://developers.facebook.com/blog/post/567/
Sorry for offtopic.
New Developer Roadmap says that FBML will die on 1st June 2012. Better go on iframe mode.
Have you definitely added a secure canvas URL in your app configuration? On the developer app, go to edit your app and under basic settings you should have URLs in both 'Canvas URL' and 'Secure Canvas URL'
I'm showing the HTTPS version as resolving correctly (although it doesn't fail gracefully if you access that url directly, it pukes errors all over the place) - https://www.fanta-seriea.com/fbfsapro/ - but when I try to access the HTTPS version of the canvas app, it redirects me back to the HTTP version. Is the SSL url set correctly in the SSL url section of your application settings?
You are referencing non-secure assets on that page. Facebook may be providing you with an invalid error message.
You should relativize all URLs that are simple assets.
If you need assets from other domains that are not yours, you can use protocol-relative URLs: http://paulirish.com/2010/the-protocol-relative-url/
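
An added example (not part of the original answers) of the check the last answer suggests: it scans a page's markup for assets referenced over plain http:// and proposes the relative form for same-host assets or the protocol-relative form for other hosts. The function names, host names and sample HTML are constructed for illustration.

```javascript
// Added example: hypothetical helper names, constructed sample markup.
// Tags whose URL attribute triggers a subresource fetch (mixed content if http://).
const ASSET_ATTRS = { script: "src", img: "src", iframe: "src", link: "href",
                      audio: "src", video: "src", source: "src", embed: "src" };

// Return every asset reference that would be fetched over plain HTTP.
// Regex scan for audit purposes; it does not handle ">" inside attribute values.
function findInsecureAssets(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attr = ASSET_ATTRS[tag];
    if (!attr) continue; // e.g. <a href> is navigation, not a subresource
    const attrRe = new RegExp(
      "(?:^|\\s)" + attr + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
    const a = attrRe.exec(m[2]);
    if (!a) continue;
    const url = (a[1] ?? a[2] ?? a[3]).trim();
    if (/^http:\/\//i.test(url)) findings.push({ tag, url });
  }
  return findings;
}

// Same-host assets become relative paths; third-party assets become protocol-relative.
function relativize(url, pageHost) {
  if (!/^http:\/\//i.test(url)) return url; // already https, relative or //host
  const u = new URL(url);
  const rest = u.pathname + u.search + u.hash;
  return u.host === pageHost.toLowerCase() ? rest : "//" + u.host + rest;
}

function auditPage(html, pageHost) {
  return findInsecureAssets(html).map(f => ({ ...f, fix: relativize(f.url, pageHost) }));
}

// Constructed sample page served from https://app.example.com/
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://app.example.com/css/site.css">
<script src="https://app.example.com/js/app.js"></script>
<script src='http://cdn.example.net/lib.js?v=2'></script>
<img src="/img/logo.png">
<img src=//static.example.org/banner.png>
<a href="http://app.example.com/help">help</a>
`;

console.log(auditPage(SAMPLE_HTML, "app.example.com"));
```

A protocol-relative URL only helps when the third-party host actually serves the asset over HTTPS with a valid certificate chain.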
