api gateway – How can API documentation be helpful to exploit any application?

If you have an internal administration portal that only the Human Resources department has access to, and that portal is a web application that talks to its API, then the people working in HR would be able to figure the API out anyway by observing the requests in the browser or viewing the JavaScript code.

Hiding API documentation from users that use the application is therefore of little use.

However, someone outside of HR (assuming they can’t get their hands on the static JavaScript files without logging in) will not be able to do the same thing. API documentation would allow them to learn how to talk to the API. Who knows, perhaps one of the endpoints mistakenly has no authentication check! (Quite recently we had a client who had authentication on all endpoints except one, because they forgot the @authenticated annotation in the source code. An attacker could request GET /accountinfo/<account-ID>/. This sort of thing is not uncommon.)

In this case, where the attacker can’t observe the API requests or read the client (JavaScript) code, hiding API documentation helps, but it is still security through obscurity: it takes more time for an attacker to figure things out, but it doesn’t completely disallow them from doing attacks. People know that passwords need to be kept secret (hence Kerckhoffs’s principle), but nobody considers URIs (API endpoints) to be real secrets. It’ll leak or be guessed sooner or later.

You can withhold the documentation on a need-to-know basis, but don’t get a false sense of security: endpoints are not secrets; authentication tokens are.
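The forgotten `@authenticated` annotation described above is the kind of mistake a build-time check can catch. The following is an added example, not code from the original answer: it walks Python source with `ast` and reports every routed handler that carries neither an authentication decorator nor an explicit opt-out. The `@route` and `@public` decorator names and the sample source are constructed assumptions.

```python
import ast

# Constructed sample source: three handlers, one missing @authenticated.
SAMPLE_SOURCE = '''
@route("GET", "/employees/")
@authenticated
def list_employees(request): ...

@route("GET", "/accountinfo/<account-ID>/")
def account_info(request, account_id): ...

@route("GET", "/health/")
@public
def health(request): ...
'''

def _decorator_name(node):
    """Bare name of a decorator: @x, @x(...) and @pkg.x all give 'x'."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None

def _route_of(decorator):
    """Return (method, path) for a @route("M", "/p") call, else None."""
    if not isinstance(decorator, ast.Call) or _decorator_name(decorator) != "route":
        return None
    args = [a.value for a in decorator.args if isinstance(a, ast.Constant)]
    return tuple(args[:2]) if len(args) >= 2 else ("?", "?")

def unauthenticated_routes(source, auth_names=("authenticated",), allow=("public",)):
    """List (method, path, function) for routed handlers with no auth decorator.

    Handlers that are meant to be open must say so with a decorator in `allow`
    (hypothetical @public), so a forgotten annotation fails the check.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        routes = [r for r in map(_route_of, node.decorator_list) if r]
        names = {_decorator_name(d) for d in node.decorator_list}
        if routes and not names & set(auth_names) and not names & set(allow):
            findings += [(method, path, node.name) for method, path in routes]
    return sorted(findings)

if __name__ == "__main__":
    for method, path, func in unauthenticated_routes(SAMPLE_SOURCE):
        print(f"NO AUTH CHECK: {method} {path} -> {func}()")
```

Run as a CI step, a non-empty result fails the build, so the gap is found before the endpoint ships, whether or not the API documentation is published.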

django – Get 502 Bad gateway – Nginx & Gunicorn

I am trying to configure Nginx with Gunicorn and Django but I am getting an incorrect gateway error 502. Here are my files.

gunicorn.service

[Unit]
Description=gunicorn daemon
Requires=gunicorn.socket
After=network.target

[Service]
User=root
Group=www-data
WorkingDirectory=/root/apio/apio/
ExecStart=/root/sweetapi_env/bin/gunicorn \
         --access-logfile - \
         --workers 3 \
         --bind unix:/run/gunicorn.sock \
        apio.wsgi:application

[Install]
WantedBy=multi-user.target

My nginx.conf file

server {
        listen 80;
        server_name MY_IP_ADDRESS;
        location / {
                include proxy_params;
                proxy_pass http://unix:/run/gunicorn.sock;
        }

}

Structure of my file

apio
    apio
        db.sqlite3
        manage.py
        static
        apio
            settings.py
            wsgi.py
            urls.py
            __init__.py

By hitting my IP address, I get below in /var/log/nginx/error.log

2020/05/15 12:08:15 [error] 31068#31068: *1 connect() to unix:/run/gunicorn.sock failed (111: Connection refused) while 
connecting to upstream, client: 117.203.***.***, server: ***.**.**.**, 
request: "GET / HTTP/1.1", upstream: "http://unix:/run/gunicorn.sock:/"

My gunicorn.socket test also fails

gunicorn.socket - gunicorn socket
   Loaded: loaded (/etc/systemd/system/gunicorn.socket; enabled; vendor preset: enabled)
   Active: failed (Result: service-start-limit-hit) since Fri 2020-05-15 11:58:41 UTC; 12min ago
   Listen: /run/gunicorn.sock (Stream)

Please provide some advice. How can I debug this?

payment gateway for crypto, merchant accounts

MERCHANT SERVICES for C

Accept cryptocurrency payments from around the world

Accept Bitcoin and other cryptocurrencies, gain new customers and avoid the cost of high fees and chargebacks.

ExoCrow makes accepting blockchain payments fast and reliable. To get started, open an ExoCrow account.

With blockchain payments, there is no sensitive customer information to collect and store, and there are no cards to charge. Customers simply send cryptocurrencies (like Bitcoin, Ether or Ripple) from their computer or mobile device directly to a payment address.

Once received, the funds are deposited into your ExoCrow cryptocurrency wallet.

Do not hesitate to contact us for further assistance!
E-mail:
Or visit our website: www.exocrow.com

The VPN connection with WIN 7 cannot RDP to the server if I uncheck using the default gateway on the remote network

I'm on Windows 7 and created a VPN connection using the Windows client. I was able to connect very well and RDP to the server in question. I don't want all my traffic to be routed through this VPN, so I unchecked the Use default gateway on remote network option under advanced IPV4. When I uncheck it, I can no longer ping or connect to the server located on 192.168.182.235. Not sure what to do, can anyone help?

Here is my routing table that works with the use remote option checked:

C:\Users\L702X>route print
===========================================================================
Interface List
 34...00 ff b2 9a ea 4d ......TAP Adapter OAS NDIS 6.0
 66...........................Consolidated
 32...00 ff 3d 54 b4 04 ......Sophos SSL VPN Adapter
 25...84 8f 69 c8 c6 f7 ......Realtek PCIe GBE Family Controller #3
  1...........................Software Loopback Interface 1
 37...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 17...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 35...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 38...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 36...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.2   4245
          0.0.0.0          0.0.0.0         On-link   192.168.180.231     21
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
      192.168.0.0    255.255.255.0         On-link       192.168.0.2   4501
      192.168.0.2  255.255.255.255         On-link       192.168.0.2   4501
    192.168.0.255  255.255.255.255         On-link       192.168.0.2   4501
  192.168.180.231  255.255.255.255         On-link   192.168.180.231    276
   206.116.22.170  255.255.255.255      192.168.0.1      192.168.0.2   4246
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link       192.168.0.2   4502
        224.0.0.0        240.0.0.0         On-link   192.168.180.231     21
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link       192.168.0.2   4501
  255.255.255.255  255.255.255.255         On-link   192.168.180.231    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 38    281 fe80::5efe:192.168.180.231/128
                                    On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

After unchecking use remote and does not work:
C:\Users\L702X>route print
===========================================================================
Interface List
 34...00 ff b2 9a ea 4d ......TAP Adapter OAS NDIS 6.0
 66...........................Consolidated
 32...00 ff 3d 54 b4 04 ......Sophos SSL VPN Adapter
 25...84 8f 69 c8 c6 f7 ......Realtek PCIe GBE Family Controller #3
  1...........................Software Loopback Interface 1
 37...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 17...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 35...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 38...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 36...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.2     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link       192.168.0.2    276
      192.168.0.2  255.255.255.255         On-link       192.168.0.2    276
    192.168.0.255  255.255.255.255         On-link       192.168.0.2    276
    192.168.180.0    255.255.255.0        192.0.2.1  192.168.180.231     21
  192.168.180.231  255.255.255.255         On-link   192.168.180.231    276
   206.116.22.170  255.255.255.255      192.168.0.1      192.168.0.2     21
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.0.2    276
        224.0.0.0        240.0.0.0         On-link   192.168.180.231    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.0.2    276
  255.255.255.255  255.255.255.255         On-link   192.168.180.231    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 35    281 fe80::5efe:192.168.0.2/128
                                    On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Should I use Electrum Wallet OR Bitcoin Core as the payment gateway for my website?

I'm a developer who builds a website that needs to process Bitcoin payment requests. So I need a payment gateway.

In my last project, I used the Electrum wallet as a payment gateway, but my last project did not have too many Bitcoin payment requests, and Electrum works very well.
But I'm afraid of the limits of Electrum and I am not sure it is a good idea to use Electrum when processing many payment requests.

Bitcoin Core is running the bitcoin node but it is taking too much disk space (full node) or processor usage (pruned mode) and I’m afraid it’s not a good idea too.

So tell me which one is best for you as a website payment gateway and why. Thank you all for responding.

amazon elb – Remote Desktop Services gateway behind AWS ALB connectivity issues

I have configured a Remote Desktop Services gateway behind an AWS ALB.

AWS ALB performs SSL offloading and talks to the RDS gateway server via HTTP (port 80).

The configuration works and I can RDP to the instances behind the RDGS gateway, but very often (every 15-20 minutes I would say on average) the RDP session spends a few seconds (5-10) reconnecting.

Does ALB have problems with very long connections spanning several minutes? What are the possible root causes of these frequent reconnections?

SSL certificate – Azure Application Gateway for hosting an e-commerce website on Azure

In fact, I have two questions about Azure Application Gateway:
1. If I want to host a website on Azure, do I need to get an SSL certificate? or does Azure provide it?
2. If not necessary, can I use Application Gateway only as a web application firewall?

Amazon Web Services – EC2 instance gateway changes automatically

Part of my instances are deployed with code in its /etc/rc.local

#!/bin/sh
# Managed by puppet - do not modify

/sbin/route del default
/sbin/route add default gw 11.0.0.254

Everything works fine at first, but after a few minutes, the gateway takes the default value (11.0.0.1)

I think this only happened recently.

Why is that?
How can I change it?

More information:

Immediately after start-up. The instance routing table looks like this …

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         11.0.0.254      0.0.0.0         UG    0      0        0 ens5
11.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ens5
11.0.0.1        0.0.0.0         255.255.255.255 UH    100    0        0 ens5

After a while, it looks like this .. (and of course, lost internet access)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         11.0.0.1     0.0.0.0         UG    0      0        0 ens5
11.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ens5
11.0.0.1        0.0.0.0         255.255.255.255 UH    100    0        0 ens5

If I modify the routing table manually. After a while, it looks like this …

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         11.0.0.254      0.0.0.0         UG    0      0        0 ens5
0.0.0.0         11.0.0.1        0.0.0.0         UG    100    0        0 ens5
11.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ens5
11.0.0.1        0.0.0.0         255.255.255.255 UH    100    0        0 ens5

Internet access is working but I don't like this unsolicited change and I don't like this manual repair as these instances are in an auto-scaling group.

ssl – nginx load balancing and reverse proxy multiport: 502 Bad Gateway

I have used two Icecast servers which host many webradio streams.
Each stream uses a port between 8000 and 9000.

I use nginx for:

  • easily allow HTTPS for all streams
  • automatically change the server in case of failure (e.g. server stopped). (high availability / load balance)

In fact, this is what I want:

When the user listens to a stream on https://hosting.mydomain.com:8xxx,
I want to send the request transparently (proxy) to one of the two Icecast servers.

Example:

If HTTPS and Icecast_1 are active, send the request to Icecast_1.

If HTTPS and Icecast_1 are down, send the request to Icecast_2.

To do this, I have defined the following:

#Icecast's cluster :
upstream backend {
    ip_hash;
    keepalive 64;
    #Icecast 1 :
    server 10.1.0.101 ;
    #Icecast 2 :
    server 10.1.0.102 ;

}


#SSL for all
server {

        listen 8000-9000 ssl ;
        server_name nginx.mydomain.com;

        access_log /var/log/nginx/reverse-ssl-access.log;
        error_log /var/log/nginx/reverse-ssl-error.log;

        # ssl on;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1 ;
        ssl_certificate /etc/letsencrypt/live/nginx.mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/nginx.mydomain.com/privkey.pem;

        location / {
               resolver 8.8.8.8;
               proxy_pass http://backend:$server_port;
        }

}

I have a problem when I try to do something like this: "http://backend:$server_port".

In the web browser, I got the error: 502 Bad gateway

In the server error logs: *1 no resolver defined to resolve the backend.

Can you help me?

networking – Windows 10 as a router to accept connections via wifi and send to the VPN gateway

I am trying to send all traffic from a device from my local network to a remote network via VPN. Since the device itself cannot be a VPN client (the VPN client is not available), the idea is to send all traffic from the device to a router that can establish a VPN connection to a remote network. As a router, I configured the Windows 10 box, enabled Routing and Remote Access Service (RRAS) and configured the device to use this win10 box as the default gateway. It works, but by the time Win Box has an established VPN connection, the device cannot reach the remote network. What am I missing?

More details: the device (D1) has the IP address: 192.168.1.12 (255.255.255.0) and the default gateway set to 192.168.1.10

Windows 10 box (win10box): 192.168.1.10 with the default gateway 192.168.1.1 which is connected to the ISP (Internet).

With this configuration device, D1 can successfully access the Internet using win10box because it is the default gateway and traceroute displays the correct path (win10box is included as the first hop).

When win10box establishes a connection to the remote network via VPN (using IPSec), it receives the correct settings (IP: 178.168.1.100, gateway: 178.168.1.1) and is able to access and exit resources on the remote network (to the Internet). But at the time the VPN connection is established in win10box, the D1 device is not able to access the Internet or remote network resources. Tracert displays the first jump followed by timeouts. The routing table on win10box after establishing the VPN looks normal – has two default gateways (my local network and def.

What am I missing? How can RRAS be configured to support routing in the VPN tunnel on win10 (not on the server)?

Why, when Windows 10 (with RRAS – Routing and Remote Access Service enabled) works properly as a router but shuts down when the VPN connection is established?

Thank you