I'm trying out PHPloy for git deployments and I've run into a bit of a snag.
I've got the PHPloy.phar installed on my local machine, and have access to the phploy executable. I also have a phploy.ini file in the root of my project (below).
When I run phploy from the terminal, I'm getting the following error message:
Warning: ftp_systype(): Non-anonymous sessions must use encryption. in phar:///usr/local/bin/phploy/vendor/league/flysystem/src/Adapter/Ftp.php on line 453
phploy.ini (values for user, pass and host removed for this question)
[staging]
scheme = ftps
passive = true
user = username
; When connecting via SFTP, you can opt for password-based authentication:
pass = password
; Or private key-based authentication:
; privkey = 'path/to/or/contents/of/privatekey'
host = hostname
path = /public_html
port = 21
; You can specify a branch to deploy from
branch = staging
FTP on this server is configured for TLS Explicit, but I'm not sure how / if I can specify that in the phploy.ini file.
Try adding this to .ini file.
ssl = true
Try modifying these:
scheme: sftp
port:22
Related
So sorry to bother everyone, I'm new to PostgreSQL, but my project requires me to build an automation system that connects to a server running PostgreSQL server. Long story short, let's just say I am required to perform a data insertion/manipulation from a Web Form into the server via PHP pg_connect(). The Web Form is located locally in /var/www/html/web_form.html and calls to a PHP script that performs the data insertion,
<form name="some_name" action="script.php" method="POST">
so the data insertion is done to a local server.
I'm using a Raspberry Pi 3 to simulate the "server" (as so not to "disturb" the true running server during such an early development). The Raspberry Pi is running a Raspbian Stretch distro. Well, it was originally Jessie, but then I decided to involve the Stretch repo from
deb http://mirrordirector.raspbian.org/raspbian/ stretch main contrib non-free rpi
with a priority of 100. It also has postgresql-9.6.3 (from Stretch), php7.0.19-1 (also from Stretch), and apache2.4.25 (from official Raspbian). Please do note that the Stretch repo do replaces A LOT of Jessie's official stable packages, and also known to be "not quite stable" itself, so it might also be the source of the problem.
I can access the database in the server from remote computers, whether using direct psql, Python (psycopg2), or even the exact same Web Form via PHP (tried from remote computer), so it will mostly won't be because of PDO problems (I've checked phpinfo() , but feel free to give advice on this, since I don't really understand PDO myself). On local, I can access the database via psql, but not local access via PHP (pg_connect).
I've meddled with this problem for hours now in vain. Please help me.
Here's my Raspberry Pi's configurations:
1.
A snippet of the PHP code:
$conn_str="host=localhost port=5432 dbname=my_db_name user=my_user_name password=my_password";
$db = pg_connect($conn_str);
if(!$db){
$errormessage=pg_last_error();
echo "Error 0: " . $errormessage;
exit();
}
Please mind that this same code has perfectly worked on another computer. I've succeeded to perform data insertion when the Web Form is located in a remote computer accessing the said server, or when the Web Form is accessing the remote computer's own local PostgreSQL server, but not when it is done in this particular problem server. When running in browser, it only shows:
Error 0:
the result when running in console:
PHP Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL: password authentication failed for user "raspiserver"
FATAL: password authentication failed for user "raspiserver" in php shell code on line 1
I also have tried to change host=localhost to host=127.0.0.1 or host=0.0.0.0. I'm sure that the error came from that block of code, since that block is already on the first lines in my PHP code, while the other error reporting codes I put, each has distinct Error X: number.
2.
The PostgreSQL configurations:
For the pg_hba.conf content :
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local my_db_name my_user_name 127.0.0.1/32 md5
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
# local replication postgres peer
#host replication postgres 127.0.0.1/32 md5
#host replication postgres ::1/128 md5
#host all all 0.0.0.0/0 md5
host another_db_name my_user_name 192.168.52.0/24 trust
host my_db_name my_user_name 192.168.52.0/24 trust
I already tried to comment/uncomment LINE 7, or change both LINE 7 and 8 to either md5 , trust , or password . I also have tried to remove 127.0.0.1/32 from LINE 7, or change it to 127.0.0.0/24 or 0.0.0.0/0 . And, yes, I did performed
sudo /etc/init.d/postgresql reload
sudo /etc/init.d/postgresql restart
(even sudo reboot) for every change I've made.
For the postgresql.conf content :
I already set listen_addresses = '*' and password_encryption = on , with the rest remained unchanged.
3.
Firewall :
sudo iptables -L -n doesn't show any entries :
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
What is wrong with my configurations?
Are Stretch the cause?
Or is it because the implementation of PostgreSQL-9.6?
I've already googled here and there, but most of the solutions only advice to change the pg_hba.conf to trust , or assume that the user name is not exist.
I'm desperate, please help.
(Please do mind that I don't know anything regarding PHP, PostgreSQL, Apache, or server, so please don't expect that I really know what I've done so far. Please do analyze everything.... Also, English is not my native, so I might mixed around some "jargons" here and there (if any).... Sorry for that... )
This particular declaration in pg_hba.conf is incorrect:
# TYPE DATABASE USER ADDRESS METHOD
local my_db_name my_user_name 127.0.0.1/32 md5
because when the TYPE field is local, the line must have 4 fields, not 5: there is no ADDRESS field because it doesn't apply to Unix domain sockets (which is what local really means), only to TCP connections (which are declared with TYPE being host or hostssl)
When you reload PostgreSQL with a pg_hba.conf with this line, it will fail with
LOG: invalid authentication method "127.0.0.1/32"
but you will see that only if looking in the server log. As a result of the failure, it will ignore your new version of pg_hba.conf.
Anyway this other line already in your file
host all all 127.0.0.1/32 md5
probably does what you want. In this case just remove the offending line, reload again, and check the server log for a message indicating the success of the reload.
I built a php websocket server javascript clients to connect to it. It's working fine without SSL. My next Step is to improve security with using wss instead of ws (an so enabling https on the website).
My intention is to decrypt incoming traffic and redirect it to the websocketserver using stunnel on CentOS 6.
The first step is to simply redirect the requests from the clients to the server:
client-request: ws://soundjack.eu:9030/wsServer2.php
server: socket created listening on 144.76.81.210:9090 running php -q wsServer2.php
coresponding stunnel config:
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel/
;setuid = nobody
;setgid = nobody
; PID is created inside the chroot jail
pid = /stunnel.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel/stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[wsServer]
accept = 127.0.0.1:9030
connect = 127.0.0.1:9090
stunnel starts correct and is listening to port 9030.
Every request that is sendet by a client gehts abortet (checked firebug console). On Chrome it says status: finished, without any further information.
I quite don't know what the error is, so any help would be great. Thanks!
It finaly works!!! Even with SSL it works great.
The clue was to chance the config of stunnel to work correct (Update using SSL now):
/etc/stunnel/stunnel.conf:
; Certificate/key is needed in server mode and optional in client mode
cert = /path/to/<myCert>.pem
key = /path/to/<myKey>.key
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel/
; PID is created inside the chroot jail
pid = /stunnel.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel/stunnel.log
;foreground = yes
; Use it for client mode
;client = yes !! turn to server mode
; Service-level configuration
[wsServer]
accept = 0.0.0.0:9030 !! listen to all addresses
connect = 127.0.0.1:9090
Note: marks with !! are no valid comments! I inserted them only to show the changes.
I just ran into this same problem and I wanted to add to this answer for someone else googling around because it was killing me. In my php I wrote a websocket using ratchet that I was invoking with a laravel artisan command. If you're developing locally, I believe you can add the stunnel.pem and CAFile to your keychain (if on a mac... on second thought I don't even think you necessarily need the CAFile if working locally) and you should be able to access your websocket with stunnel over wss. However, if you are working on your live webserver you need to get your keys certified. In my case I generated my stunnel keys for the stunnel.pem using openSSL and got them certified using positive SSL. I then added the CAFile option and linked the crt file they sent me back. If you are getting "stunnel vision", use the option foreground =yes in your stunnel.conf and remember as DrakeBlack pointed out DO NOT USE client = yes. You are not the client in this case you are the server.
In our web based application we support LDAP authentication. It works fine with the code below. Now we want to support LDAP over TLS. We host our product for our customers on SUSE Linux Enterprise Server 11 and each customer can have different TLS certificate.
My questions are:
how to set up out SUSE server (that is LDAP client) - where to place certificates for each customer, do I need to edit any conf file?
how to make LDAP authentication over TLS with different certificates from php. What would be exact php syntax?
does it matter what type of the server is? Exchange, OpenLDAP etc?
right now we have .cer certificate from Exchange. Is that ok for OpenLDAP or it must be converted (how) to .pem?
SUSE server = LDAP client configuration
SUSE Linux Enterprise Server 11 (x86_64)
ldapsearch: #(#) $OpenLDAP: ldapsearch 2.4.26 (Sep 26 2012 13:14:42)
PHP Version 5.4.9
Zend Engine v2.4.0
From reading http://php.net/ldap_connect I understood that I can use different certificates but I didn't get how.
function authenticateZendAuth($username, $password){
require_once 'Zend/Auth.php';
$auth = Zend_Auth::getInstance();
$ldapOptions = getConfigVariableValue('->ldap');
$options = $ldapOptions->toArray();
unset($options['log_path']);
require_once 'Zend/Auth/Adapter/Ldap.php';
$adapter = new Zend_Auth_Adapter_Ldap($options, $username, $password);
$authenticated = $auth->authenticate($adapter);
$log_path = $ldapOptions->log_path;
if ($log_path) {
$messages = $authenticated->getMessages();
require_once("Zend/Log.php");
require_once("Zend/Log/Writer/Stream.php");
require_once("Zend/Log/Filter/Priority.php");
$logger = new Zend_Log();
$logger->addWriter(new Zend_Log_Writer_Stream($log_path));
$filter = new Zend_Log_Filter_Priority(Zend_Log::DEBUG);
$logger->addFilter($filter);
foreach ($messages as $i => $message) {
if ($i-- > 1) { // $messages[2] and up are log messages
$message = str_replace("\n", "\n ", $message);
$logger->log("Ldap: $i: $message", Zend_Log::DEBUG);
}
}
}
return $authenticated;
}
How to set up our SUSE server (that is LDAP client) - where to place certificates for each customer, do I need to edit any conf file?
If you are using openssl (slapd) it doesn't really matter where you put the certificate, as long as you can set the configuration file to point to. It will look something like this perhaps:
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
You will need to request (or create your own) Certificates, these are the same as the certificates you use for HTTPS. This is where the domain name is imported, when you create/request the cert, it needs to match the domain name that you are going to be using it on. See: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html for more details.
How to make LDAP authentication over TLS with different certificates from php. What would be exact php syntax?
You really don't need to do anything special here. Make sure you set your LDAP server up with the appropriate domain named certificate. And make sure that the signing authority for that cert is recognized by your local openladap client (running your php) via it's config file. Then notice that many of the Zend Examples (http://files.zend.com/help/Zend-Framework/zend.auth.adapter.ldap.html) use a config file to set up the Zend LDPA client and turn on TLS. You can also use Zend_Ldap::setOptions() - see the notes on http://framework.zend.com/manual/1.12/en/zend.auth.adapter.ldap.html
Does it matter what type of the server is? Exchange, OpenLDAP etc?
No, not really. I mean, configuring the LDAP server will matter, but the php client won't really care at all.
Right now we have .cer certificate from Exchange. Is that ok for OpenLDAP or it must be converted (how) to .pem?
See: http://www.sslshopper.com/article-most-common-openssl-commands.html
openssl x509 -inform der -in certificate.cer -out certificate.pem
In the project I am working on right now, I am trying to add the functionality where I can change the status of a ticket from 'closed' to 'reopened' when the user sends an email to the support desk. I would also like to save their email reply to the database.
The problem I am running into is that I cannot get PHP's IMAP functions to work on my current Apache configuration. From looking at quite a few posts here at stackoverflow and other places, it seems that the problem is OpenSSL is not enabled in the standard configuration. So for example, when I run this code:
<h1>IMAP testing!</h1>
<?php
$connect = "{imap.gmail.com:993/imap/ssl/novalidate-cert}INBOX";
$user = "my email address #gmail.com";
$pass = "my password";
$mailbox = imap_open($connect, $user, $pass);
?>
I get the error:
Can't open mailbox {imap.gmail.com:993/imap/ssl/novalidate-cert}INBOX: invalid remote specification.
Is there anything I can do, short of recompiling PHP, to mimic IMAP functionality on my local machine to be able to continue developing the functionality of working with email (email piping)?
Some notes on my current configuration, just in case it helps:
OS X 10.7.4
PHP v.5.3.1
UPDATE -
I am almost there (thanks to dAm2K)!
I installed Stunnel (using Mac Ports), got everything configured finally and ran the command:
sudo stunnel /opt/local/etc/stunnel/stunnel.conf -c -d 127.0.0.1:443 -r imap.gmail.com:993
(For whatever reason I had to add the path to the .conf file)
Now my code looks like this:
<?php
$connect = "{localhost:443}INBOX";
$user = "my email address #gmail.com";
$pass = "my password";
$mailbox = imap_open($connect, $user, $pass);
?>
Now when I load the page, it just hangs for 30 seconds or so and gives the warning:
Notice: Unknown: Connection failed to localhost,443: Operation timed out (errflg=2) in Unknown on line 0
What is interesting is that if I change $connect to:
$connect = "{localhost:443/ssl}INBOX";
or
$connect = "{localhost:443/novalidate-cert}INBOX";
I get the original error, which was:
Notice: Unknown: Can't open mailbox {localhost:443/novalidate-cert}INBOX: invalid remote specification (errflg=2) in Unknown on line 0
Any ideas? Just a guess but could it maybe be something to do with the setup of stunnel, like having a self-signed cert or something with the stunnel.conf file I am missing?
Thanks a lot.
Tim
You probably have a firewall that blocks outgoing TCP packets going to imap.gmail.com on port 993.
Ask your sysadmin to check for outgoing TCP on dport 993 (imaps).
Also check if your DNS is resolving imap.gmail.com:
The command:
telnet imap.gmail.com 993
should give you a valid connection. If it doesn't succeed you found the problem.
You may want to install a IMAP server on your development machine so to continue the development offline... you can install "courier imap" package but it's not a very simple task...
If the connection succeded and the command:
openssl s_client -connect imap.gmail.com:993
give you a valid connection, the problem could be that your libc-client doesn't have SSL support compiled in. In this case you cannot use imaps with PHP, and you could use the "stunnel" command to forward clear traffic originating on your local machine going encrypted to gmail IMAP servers.
The command:
stunnel -c -d 127.0.0.1:443 -r imap.gmail.com:993
should do the trick. This way you can connect your PHP script to 127.0.0.1:443:
<?
$connect = "{localhost:443}INBOX";
?>
I'm having issues using Windows to connect to a secure LDAP server, and I see the same thing everywhere online with no solution thats worked so far.
I have tried using both IIS and WAMPSERVER. I have put libeay32.dll and ssleay32.dll in my SYSTEM32 directory and enabled the LDAP extension.
Here is my code:
putenv('LDAPTLS_REQCERT=never');
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
$resource = ldap_connect("ldaps://{redacted}/", 636) or die ("Could not connect.");
ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3)
$bound = ldap_bind($resource, "{redacted}\ldap", "****");
echo ldap_error($resource);
I get Can't contact LDAP server from ldap_error and the PHP warning Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP server in C:\wamp\www\ldapTest.php
The server I am attempting to connect to is running Active Directory and I have confirmed that I can connect by using other LDAP tools. I know this server has an issue with it's certificate - the LDAP tool I am using says The server you are trying to connect to is using a certificate which could not be verified! - Issuer certificate not found
My suspicion is that the bad certificate is causing the bind issue which is why I've tried the LDAPTLS_REQCERT=never.
I can't recall where I found this one article; however I found out that by default even if you specify the TLS_REQCERT never it is ignored.
What I found out / then forgot about and found out again is you need to do the following (for windows machines)
Create the following directory structure on your drive c in the root
c:\OpenLDAP\sysconf (create the two folders)
Inside the sysconf folder create a text file called "ldap.conf"
In the text file you created put the following on the first line and then save
"TLS_REQCERT never" (Without the quotes)
Restart Apache and it should work now.
Give it a try. and good luck!
You can try changing the following line:
$resource = ldap_connect("ldaps://{redacted}/", 636)
To use your port number directly in the URI instead
$resource = ldap_connect("ldaps://{redacted}:636")
This has been known to work when the other will not.