HoboMan
Nov 4, 2010

tps: i be all like "GET /" and the client app says "cant GET /" and i just have to sit here and imagine why i can't GET / because my browser's certainly not gonna tell me, and there's no precious logging to help me out either.


Qtotonibudinibudet
Nov 7, 2011



Omsk halfwit, tell me, are you a junkie? I also live somewhere around there, we could do drugs together

HoboMan posted:

tps: i be all like "GET /" and the client app says "cant GET /" and i just have to sit here and imagine why i can't GET / because my browser's certainly not gonna tell me, and there's no precious logging to help me out either.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

the

quote:

Who should read this article?

Everyone, really.

really should be followed by

quote:

Who actually reads this article?

nobody lol

it may well be some other reason but i am astounded by how many people who work with web apps have just somehow never heard of cors and have never looked at dev tools to see the big angry 'hey you should check out cors' warning that pops up when its constraints arent satisfied.

Shaggar
Apr 26, 2006
u can just put * everywhere and then the errors go away

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

HoboMan posted:

tps: i be all like "GET /" and the client app says "cant GET /" and i just have to sit here and imagine why i can't GET / because my browser's certainly not gonna tell me, and there's no precious logging to help me out either.

GET /out

ThePeavstenator
Dec 18, 2012

:burger::burger::burger::burger::burger:

Establish the Buns

:burger::burger::burger::burger::burger:
I just had a pull request accepted to tinkerpop gremlin, it's my first open sores contribution. :woop:

It was literally 1 character but fixed a bug where the graph database client would run out of connections after a few hours.

ThePeavstenator fucked around with this message at 23:42 on Apr 30, 2019

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat

ThePeavstenator posted:

I just had a pull request accepted to tinkerpop gremlin, it's my first open sores contribution. :woop:

It was literally 1 character but fixed a bug where the graph database client would run out of connections after a few hours.

i once signed some contributor agreement, logged into their system to setup a PR that moved one line of code into an existing try block, which then was looked over by multiple people, was assigned various emojis, and finally accepted.

CRIP EATIN BREAD fucked around with this message at 00:09 on May 1, 2019

HoboMan
Nov 4, 2010

in retrospect i wish i had done GET /flask rather than just GET /

MrMoo
Sep 14, 2000

I'm trying to run a C++ app with ASIO/Beast in AWS against ELB with HTTPS health checks. It looks like the checks consistently timeout. On one side you can have an SSL session cache but it rapidly grows up to cache 20,000 sessions by default which is more than the container has memory for, and on the other I find that the majority of OpenSSL ciphers are actually disabled because ASIO is fantastic and cannot set the necessary ECC parameters. The SSL elliptical ciphers would run faster and thus no longer hit the timeouts, allegedly. There is an app written in Go that is managing to survive by supporting the elliptical cipher set without TLS tickets or session caching, via Google's BoringSSL.

Going to try OpenSSL's TLS ticket support which apparently moves the session cache to the client (AWS load balancer). I have no idea if any of this works and clearly Amazon documents anything useful like a raging rear end monkey.

pseudorandom
Jun 16, 2010



Yam Slacker

florida lan posted:

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

the

quote:

Who should read this article?

Everyone, really.

really should be followed by

quote:

Who actually reads this article?

nobody lol

it may well be some other reason but i am astounded by how many people who work with web apps have just somehow never heard of cors and have never looked at dev tools to see the big angry 'hey you should check out cors' warning that pops up when its constraints arent satisfied.


Maybe I'm dumb and stupid, but I loving hate CORS so much. As far as I can tell, it is only good for awful legacy apps that accepted requests like `GET /delete-everything`. But, GOD FORBID anyone like me wants to implement a `DELETE` route or use a non-standard header, because now I need to manually whitelist poo poo and endure a preflight `OPTIONS` request before anything can happen. :argh:

Browsers should have just let the lovely enterprise web apps implode.
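The rules behind the complaint above, as an added example (not code from the thread or from MDN): the browser-side test that decides whether a cross-origin request goes out as-is or needs an OPTIONS preflight, the server-side policy that answers that preflight, and the browser's check on the answer. Origins, header names and the `policy` object are constructed for illustration; the "just put * everywhere" shortcut mentioned a few posts up is where `browserAcceptsPreflight` shows the catch.

```javascript
// Added example, not from the thread. Origins, headers and the policy are constructed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
// CORS-safelisted request headers: a browser may send these without a preflight
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// ...but only with one of these three Content-Type values
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Browser side: true when the request must be preceded by an OPTIONS preflight.
function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;        // DELETE, PUT, PATCH ...
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return true;               // X-Requested-With, Authorization ...
    if (lname === 'content-type') {
      const mediaType = value.split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) return true;   // application/json preflights
    }
  }
  return false;
}

// Server side: answer a preflight against an explicit allow-list.
// policy = { origins: Set, methods: Set, headers: Set (lowercase), credentials: bool }
function handlePreflight(req, policy) {
  const origin = req.headers['origin'];
  const method = (req.headers['access-control-request-method'] || '').toUpperCase();
  const askedHeaders = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);

  // No ACAO header at all on a refusal: the browser then blocks the real request.
  if (!origin || !policy.origins.has(origin)) return { status: 403, headers: {} };
  if (!policy.methods.has(method)) return { status: 403, headers: {} };
  if (askedHeaders.some((h) => !policy.headers.has(h))) return { status: 403, headers: {} };

  const headers = {
    // Echo the specific origin instead of '*': a credentialed request (cookies,
    // Authorization) is rejected by the browser when ACAO is the literal '*'.
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': [...policy.methods].join(', '),
    'Access-Control-Allow-Headers': [...policy.headers].join(', '),
    'Access-Control-Max-Age': '600',
  };
  if (policy.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return { status: 204, headers };
}

// Browser side again: a reduced mirror of the check on the preflight response.
function browserAcceptsPreflight(response, origin, withCredentials) {
  if (response.status < 200 || response.status >= 300) return false;
  if (withCredentials && response.headers['Access-Control-Allow-Credentials'] !== 'true') return false;
  const acao = response.headers['Access-Control-Allow-Origin'];
  if (acao === '*') return !withCredentials;   // '*' never satisfies a credentialed request
  return acao === origin;
}
```

A `DELETE` route or an `X-CSRF-Token` header will always cost the preflight round trip; `Access-Control-Max-Age` is what keeps the browser from repeating it on every call.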

Sapozhnik
Jan 2, 2005

Nap Ghost
Certain attacks were always possible through malicious IMG tags or post forms or combining the above with URLs that cause http to happen on non http ports.

New stuff that adds additional potential attack vectors beyond what already existed has to prove remote consent first. This happens through same origin policy or cors for, well, cross origin requests, or the websocket handshake to prevent arbitrary JavaScript from generating arbitrary TCP traffic to arbitrary hosts.

Why does a websocket handshake begin with something that looks like an http get? Because a malicious IMG tag could already generate those against arbitrary ports on arbitrary hosts long before even JavaScript was a thing.

pseudorandom
Jun 16, 2010



Yam Slacker

Sapozhnik posted:

Certain attacks were always possible through malicious IMG tags or post forms or combining the above with URLs that cause http to happen on non http ports.

New stuff that adds additional potential attack vectors beyond what already existed has to prove remote consent first. This happens through same origin policy or cors for, well, cross origin requests, or the websocket handshake to prevent arbitrary JavaScript from generating arbitrary TCP traffic to arbitrary hosts.

Why does a websocket handshake begin with something that looks like an http get? Because a malicious IMG tag could already generate those against arbitrary ports on arbitrary hosts long before even JavaScript was a thing.


Even though I like to stay up-to-date with it, maybe I'm behind the times on web exploits. Like, I don't know any way to use an IMG embed to exploit something that's not a `GET` request. And for off-site form/img things, I assume you'd need to have already compromised the target host if you want to access the auth/session tokens for performing requests that result in changes being made.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

pseudorandom posted:

And for off-site form/img things, I assume you'd need to have already compromised the target host if you want to access the auth/session tokens for performing requests that result in changes being made.

You do realise that the person who wrote a website might not be the same as the person accessing it through a web browser, right?

pseudorandom
Jun 16, 2010



Yam Slacker

Jabor posted:

You do realise that the person who wrote a website might not be the same as the person accessing it through a web browser, right?


Yes? By "compromised" I was mostly referring to XSS and a malicious party gaining access to cookies/localStorage.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

pseudorandom posted:

Yes? By "compromised" I was mostly referring to XSS and a malicious party gaining access to cookies/localStorage.

If you're on the website forums.somethingawful.com, and your browser sees an <img> tag that points to sitewhereyouareanadmin.com/delete_everything, what cookies are going to be used for the request?
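The question above, worked through as an added example (not code from the thread): which cookies a browser attaches when one site's page makes the browser fetch `sitewhereyouareanadmin.com/delete_everything`, and the check the admin site should have had. The cookie jar, host names and request shapes are constructed; the SameSite rules are the browser's, the site comparison is simplified (no public-suffix list).

```javascript
// Added example, not from the thread. Hosts, cookies and requests are constructed.

// Simplified "site" of a host: last two labels. No public-suffix list here, which is
// fine for example.com-style hosts but wrong for things like co.uk.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Mirror of the browser's SameSite rules for one cookie.
//   cookie = { name, sameSite?: 'Strict'|'Lax'|'None', secure?: bool }
//   req    = { url, initiatorSite: host|null, topLevelNavigation: bool, method }
function cookieIsSent(cookie, req) {
  const reqSite = siteOf(new URL(req.url).host);
  const sameSite = req.initiatorSite === null || siteOf(req.initiatorSite) === reqSite;
  if (sameSite) return true;
  switch (cookie.sameSite) {
    case 'Strict': return false;
    case 'Lax':    // cross-site only on a top-level navigation with a safe method
      return req.topLevelNavigation && ['GET', 'HEAD'].includes(req.method.toUpperCase());
    case 'None':   return cookie.secure === true;   // SameSite=None is only honoured with Secure
    default:
      // No attribute at all: browsers of 2019 sent it on every request, which is exactly
      // what makes the <img> trick work. Chromium later changed this default to Lax.
      return true;
  }
}

function cookiesFor(jar, req) {
  return jar.filter((c) => cookieIsSent(c, req)).map((c) => c.name);
}

// Server side: what the admin site should do before changing state. A GET must never
// change anything, and a cross-site POST is refused via Sec-Fetch-Site / Origin
// (a per-session CSRF token is the other standard answer).
function allowStateChange(req) {
  const method = req.method.toUpperCase();
  if (method === 'GET' || method === 'HEAD') return { allowed: false, reason: 'state change via safe method' };
  const fetchSite = (req.headers['sec-fetch-site'] || '').toLowerCase();
  if (fetchSite === 'cross-site') return { allowed: false, reason: 'Sec-Fetch-Site: cross-site' };
  const origin = req.headers['origin'];
  if (origin && siteOf(new URL(origin).host) !== siteOf(req.host)) {
    return { allowed: false, reason: 'Origin is another site' };
  }
  return { allowed: true, reason: 'same-site non-safe request' };
}
```

The answer to the question is therefore: every cookie the browser holds for that site that is not marked `SameSite=Strict` or `SameSite=Lax`, and in 2019 that was usually all of them. CORS never enters into it, because an `<img>` fetch is not a script-readable response.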

Carthag Tuek
Oct 15, 2005

always pamo when you go
roads you ought to know
survived your childhood years
right up to life's end

augh latex expansion bullshit :negative:

Chalks
Sep 30, 2009

cors is a garbage implementation of a good idea

Sagacity
May 2, 2003
Hopefully my epitaph will be funnier than my custom title.

Chalks posted:

[something in webdev] is a garbage implementation of a good idea

Carthag Tuek
Oct 15, 2005

always pamo when you go
roads you ought to know
survived your childhood years
right up to life's end

Sagacity posted:

Chalks posted:

[something in webdev] is a garbage implementation of a [bad] idea

eschaton
Mar 7, 2007

Don't you just hate when you wind up in a store with people who are in a socioeconomic class that is pretty obviously about two levels lower than your own?
would your web pages work in NCSA Mosaic on a VAXstation running VMS, if it supported modern SSL and PNG images?

if not then you’re doing the web wrong

Wheany
Mar 17, 2006

Spinyahahahahahahahahahahahaha!

Doctor Rope

pokeyman posted:

I set up a simple pipelines thing a few months back and it took me about as long as it usually takes me to go from nothing to sorta working. I think there was some essential information in various forum posts and such, I don’t remember the documentation itself being super useful

yeah, i guess i need to set up a local docker environment to explore the container and test the thing. which i didn't really even think about before rubberducking the thread

Wheany
Mar 17, 2006

Spinyahahahahahahahahahahahaha!

Doctor Rope

Wheany posted:

yeah, i guess i need to set up a local docker environment to explore the container and test the thing. which i didn't really even think about before rubberducking the thread

here is what i think i want to do:
i want to build a java 8 spring boot project using maven
i want to copy the resulting jar over scp onto our [dev, staging, production] server into the correct directory.

how do i docker this?

Shaggar
Apr 26, 2006
just use maven for everything

gonadic io
Feb 16, 2011

>>=

Wheany posted:

here is what i think i want to do:
i want to build a java 8 spring boot project using maven
i want to copy the resulting jar over scp onto our [dev, staging, production] server into the correct directory.

how do i docker this?

Docker image contains the instructions to build from maven etc. Push image to a container registry, we use gcp
then most basic option is to SSH into server and docker run. More advanced options are docker swarm and kubernetes
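The "image contains the instructions to build from maven" part, as an added example (not from the thread): a two-stage Dockerfile for a Java 8 Spring Boot project. The base image tags, the `target/*.jar` artifact name, the user id and port 8080 are assumptions about the project.

```dockerfile
# Added example, not from the thread. Image tags, artifact name and port are assumed.

# Stage 1: build with Maven. Nothing from this stage ships except the jar.
FROM maven:3-jdk-8 AS build
WORKDIR /src
# Copy the pom first so dependency downloads are cached between builds
COPY pom.xml .
RUN mvn -q -B dependency:go-offline
COPY src ./src
RUN mvn -q -B package -DskipTests

# Stage 2: runtime only. No Maven, no sources, no build cache in the final image.
FROM openjdk:8-jre-slim
# Run as an unprivileged user rather than root
RUN useradd --system --uid 10001 app
USER app
WORKDIR /app
COPY --from=build /src/target/*.jar app.jar
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "/app/app.jar"]
```

`docker build -t app:dev .` then `docker run -p 8080:8080 app:dev` replaces the scp-the-jar step; the image, tagged per environment, is what gets pushed to the registry and pulled on the dev/staging/production host.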

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat

Shaggar posted:

just use maven for everything

Corla Plankun
May 8, 2007

improve the lives of everyone
how can i add auth to a thing that already exists and is written by someone not-at-this-company?

i basically want to MITM an internal website that we're serving to add auth on top of it and i have no idea how to do this at all

i guess i could just fork the original and add auth to the actual site but i really dont want to do webdev if i can help it

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat
Is there zero auth on the site, as in, anyone who views the page is the same as every other person? Because if you just want to authenticate users against some directory, you can use nginx as a proxy with the auth request module, https://nginx.org/en/docs/http/ngx_http_auth_request_module.html which allows you to set up a small REST endpoint that nginx will pass requests to and let you do it that way.

basically you will just set up some small server that is essentially:

code:
// mapped to GET / on the small auth service; nginx's auth_request subrequest lands here
fun testAuth(params: Map<String, String>): Int {
  val user = params["user"]
  val passwd = params["passwd"]

  // auth_request treats a 2xx as "let the request through" and 401/403 as "deny"
  if (user == "yospos" && passwd == "bithc") {
    return 200
  }

  return 401
}
then tell nginx to hit that endpoint using the auth_request directive

CRIP EATIN BREAD fucked around with this message at 15:37 on May 1, 2019
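The nginx half of the setup described above, as an added example (not from the post or the nginx docs): the upstream names, `internal.example`, the `/auth` location and the ports are assumptions.

```nginx
# Added example, not from the thread. Upstream names, host and ports are assumed.
upstream app_upstream  { server 127.0.0.1:8080; }   # the site with no auth of its own
upstream auth_upstream { server 127.0.0.1:9000; }   # the tiny service that answers 200 / 401

server {
    listen 443 ssl;
    server_name internal.example;
    # ssl_certificate / ssl_certificate_key omitted here

    location / {
        # Every request is first mirrored as a subrequest to /auth.
        # 2xx from it -> proxied to the app; 401 or 403 -> returned to the client.
        auth_request /auth;

        # On 401, answer with a challenge so the browser prompts for credentials
        error_page 401 = @need_login;

        proxy_pass http://app_upstream;
    }

    location = /auth {
        internal;                          # never reachable directly from a client
        proxy_pass http://auth_upstream/;  # becomes GET / on the auth service
        proxy_pass_request_body off;       # the subrequest carries headers only
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        # The original request's Authorization and Cookie headers are forwarded as-is,
        # which is what the auth service should actually look at.
    }

    location @need_login {
        add_header WWW-Authenticate 'Basic realm="internal"' always;
        return 401;
    }
}
```

Two things to notice: the subrequest has no body, so the posted pseudocode's `params["user"]` / `params["passwd"]` would in practice come from the `Authorization: Basic` header (or a session cookie), not from a form; and the auth service on port 9000 must itself be bound to localhost or otherwise unreachable from clients, since `internal;` only protects the nginx location, not the service behind it.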

HoboMan
Nov 4, 2010

Corla Plankun posted:

how can i add auth to a thing that already exists and is written by someone not-at-this-company?

i basically want to MITM an internal website that we're serving to add auth on top of it and i have no idea how to do this at all

i guess i could just fork the original and add auth to the actual site but i really dont want to do webdev if i can help it

in barbossa voice: "you better start believing in webdev projects then corla plankun, you're in one!"

HoboMan
Nov 4, 2010

also in case anyone cares (i know you don't) the very helpful "cannot GET /" error i was getting was from angular silently failing to compile

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat

found your problem

Aramoro
Jun 1, 2012




CRIP EATIN BREAD posted:

found your problem

If you've managed to make your Angular compile fail silently your problem starts before you get to the Angular part.

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat

found your problem

Shaggar
Apr 26, 2006

Corla Plankun posted:

how can i add auth to a thing that already exists and is written by someone not-at-this-company?

i basically want to MITM an internal website that we're serving to add auth on top of it and i have no idea how to do this at all

i guess i could just fork the original and add auth to the actual site but i really dont want to do webdev if i can help it

set the authentication mode from anonymous to windows Auth.

HoboMan
Nov 4, 2010

Aramoro posted:

If you've managed to make your Angular compile fail silently your problem starts before you get to the Angular part.

i don't know man, just got whatever set up vs 2017 gives you by default when you select "new angular project"

Corla Plankun
May 8, 2007

improve the lives of everyone

CRIP EATIN BREAD posted:

Is there zero auth on the site, as in, anyone who views the page is the same as every other person? Because if you just want to authenticate users against some directory, you can use nginx as a proxy with the auth request module, https://nginx.org/en/docs/http/ngx_http_auth_request_module.html which allows you to set up a small REST endpoint that nginx will pass requests to and let you do it that way.

basically you will just set up some small server that is essentially:

code:
// mapped to GET / on the small auth service; nginx's auth_request subrequest lands here
fun testAuth(params: Map<String, String>): Int {
  val user = params["user"]
  val passwd = params["passwd"]

  // auth_request treats a 2xx as "let the request through" and 401/403 as "deny"
  if (user == "yospos" && passwd == "bithc") {
    return 200
  }

  return 401
}
then tell nginx to hit that endpoint using the auth_request directive

yeah its the same for everyone, this seems like the right thing to do except its in k8s so i dont know how to tell nginx to do the thing. maybe i should know or maybe this is a devop thing to do

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat
is your nginx config created by an ingress controller? if so then you can just add some annotations to the ingress resource for your unsecured web application.
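What those annotations look like, as an added example (not from the post): an Ingress for ingress-nginx that makes the controller do the same `auth_request` subrequest. The resource names, namespace, host and the auth service's port are assumptions.

```yaml
# Added example, not from the thread. Names, namespace, host and port are assumed.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: unsecured-app
  annotations:
    # ingress-nginx turns this into an auth_request subrequest to the given URL:
    # 2xx lets the request through, 401/403 denies it. Using the in-cluster
    # service name keeps the check from ever leaving the cluster.
    nginx.ingress.kubernetes.io/auth-url: "http://auth-service.default.svc.cluster.local:9000/"
    # Optional: where to send a browser that got a 401, for a login page instead of Basic auth
    # nginx.ingress.kubernetes.io/auth-signin: "https://login.internal.example/"
spec:
  ingressClassName: nginx
  rules:
    - host: internal.example
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: unsecured-app
                port:
                  number: 80
```

If the requirement really is just one shared username and password for everyone, ingress-nginx can do that without any auth service at all: `nginx.ingress.kubernetes.io/auth-type: basic` plus `nginx.ingress.kubernetes.io/auth-secret` naming a Secret that holds an htpasswd file. Either way the auth service or Secret lives in the cluster, so this stays a config change on the Ingress rather than a fork of the app.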

Shaggar
Apr 26, 2006

Aramoro posted:

If you've managed to make your Angular compile fail silently your problem starts before you get to the Angular part.

yeah you decided to use a javascript framework

DELETE CASCADE
Oct 25, 2017

i haven't washed my penis since i jerked it to a phtotograph of george w. bush in 2003

Shaggar posted:

yeah you decided to use a javascript

DONT THREAD ON ME
Oct 1, 2002

by Nyc_Tattoo
Floss Finder
i'm going to make the worlds first anti-capitalist terminal emulator and call it griTTY

Soricidus
Oct 20, 2010
freedom-hating statist shill

DONT THREAD ON ME posted:

i'm going to make the worlds first anti-capitalist terminal emulator and call it griTTY

"anti-capitalist", and yet fully 50% of the name is capitals :thunk:


HoboMan
Nov 4, 2010

nginx:
i imagine it's supposed to be said like n-gin-x (engine x) but i can't help but read it as n-ginx (en jinx)
