So I need to connect to a mssql server via Windows Authentication from a Unix server. Here are the obstacles:
The db admin created a service account but made it Windows-Auth only, meaning I can't pass the username and password directly to the server to connect.
The admin also added my host's server to the firewall so that it would only accept requests from my host machine.
My host server has mssql enabled via freetds/sybase-dblib, but has the default 'secure-connections: Off' still set.
I have a similar set up on my personal machine, but with secure-connections on, but I can't connect that way since I'm firewalled.
So I'm wondering if it's possible to set up a proxy of sorts on my host so that I can start the connection on my personal machine using my local freeTDS library, but have the request pass to the host which would (in my dream world) not require secure connections to be on but simply would pass the request along so that it came from my non-firewalled host but using the correct authentication method.
If anyone is not familiar with how Windows-Authentication works, it's a type of Kerberos authentication where the client machine makes the request to the remote server so that credentials are never actually sent (and thus can't be compromised by a man-in-the-middle). So I'm very doubtful that this can be done, since at some level my host machine has to do the actual work. But i thought I'd ask since I'm not totally clear on the deeper mechanics and because I really want to get this to happen.
I guess another way of looking at it is I want to use my host as a kind of VPN.
Also, I am working with my host admins to find a more long-term solution but I need to see the database as soon as possible so I can have something working when the problem gets fixed.
Why don't you try SSH port forwarding? Ie. you connect to your host server, and tell it to forward a local port to the sql server. Then you connect on your local machine using localhost:port and your connection will be tunneled over ssh through your host server.
If your local machine is a Windows machine then just download PuTTY and follow these instructions to set up port forwarding : http://www.cs.uu.nl/technical/services/ssh/putty/puttyfw.html.
The question is of course whether your Windows credentials will be passed, but in theory this should work :p.
Related
I have hosted website and api on apache server on linux machine. I am trying to access the api through node js (using request module)which is on the same network. From outside that network, the api is accessible and working fine. I have many apis on the machine and only few are throwing this error. Recent change which was made to server is changing the cookie domain from foo.bar.com to *.bar.com in php.ini file. The website is working good. There is not much load on the server too. Any help appreciated.
A "connection refused" error means a TCP connection can't be established, so the cookie domain change should not have an effect here.
Are you sure it's a Node.js "connection refused" error, and not, say, the API itself being able to connect somewhere else? Can you give us the exact error message, with any traceback, etc., context?
You say there are many APIs (assuming API servers) on the machine and only some fail (assuming you tested this from the machine that is having problems connecting to the API server machine).
Are the working servers on different ports compared to the non-working ones?
Do those servers work from within the network? You say they're working fine outside of it. (It's possible that your local network has a firewall policy that prohibits this local connection.)
Can you double-check that the non-working servers are actually running? (An easy way to establish this would be running ss -ltpn; it should give you a list of listening TCP ports and their associated processes.)
I want to connect to a remote database from my localhost, but the remote DB only allows connections from whitelisted IPs.
Since I'm on a dynamic IP from my ISP, I can't have my home IP whitelisted, because it will just change again.
I have a VPS with full root access and a fixed IP, which is whitelisted.
What I want is to:
Run a php script from my local machine
Connect to the remote database via my VPS
Get the query results back to my local machine for handling
How do I do this?
Having a PHP proxy to execute arbitrary SQL statements from any IP address is really dangerous. I would suggest you abstract the SQL statements into an API, so rather than allowing any query through, you limit it to a specific set of queries to retrieve or update specific data. Your local machine could then just call that API to retrieve or update information.
The key problem you need to solve is finding a host with a static IP address you can add to the whitelist. You say that you have already solved that problem. However you have not mentioned what OS is running on the vps nor the client. If both are Linux, then you can do this with just iptables. If either or both are mswindows then you could use socat, but if it were me, I'd go with a stunnel link between the client and proxy (although if the whitelist on the server is only applied to the mysql connection, you could terminate the stunnel connection on the server and skip the proxy altogether) using client certificate authentication or an SSH tunnel.
I am working on a project for an app that allows Android to remotely connect to an MySQL Database using a PHP API.
Users have requested that the app should support SSH Tunneling which I have been looking into but I have a few concerns regarding this.
How the app works is the API runs on my web server (the user has the option to install on there own servers but most don't) so Android sends a post to the PHP API, and then PHP directly connect to a MySQL Host that was sent in the post message from android, this is all working fine.
However, if I want to support SSH tunneling, my understanding is that my Android app would still post to my PHP API, but instruct to open an SSH tunnel, for example forwarding local port 3307 to remote host example.com on port 3306. Then PHP would connect to MySQL via 127.0.0.1 on port 3307.
This is fine, except if another user then decides to use port 3307 at the same time another user is doing a tunnel the second user would clash as the first user already has 3307 open so they would need to pick a new port.
I thought that then the best work around for this would be the API has a pool of sockets that it can use and picks one that is free and connects via that local port via the specified remote port that android sent. E.g. the API will for example pick local port 5000 and forward to 3306.
My worry here is that although this would work, there is a potential risk that two users could make a request at the same time, and the API picks the same port number to use as a local port, e.g. 5000, as this port is technically free but then one user would successfully connect, and the second user would end up connecting to the first users servers, and hopefully fail to authenticate but still, potential risk here.
Am I thinking of this the correct way, or is there a better way, or should I only support the SSH tunneling option if the user is running the API from there own web server instead of mine so there would be no risk of clashing with another unrelated user.
I have set up a websockets chat with the purpose of learning. Everything is working but I can't figure this issue out.
When I supply 127.0.0.1 as the address of the connection on the client side then I can access the server from the computer that's hosting it, but when I change the address to the actual LAN address of the hosting computer I can't connect the server even from the host itself. See:
Server = new FancyWebSocket('ws://127.0.0.1:9300'); Appears to work but only the computer that's hosting the server can connect ( for obvious reasons )
Server = new FancyWebSocket('ws://192.168.1.3:9300'); No computers can connect. I confirm 192.168.1.3 is the LAN address of the hosting computer.
What address do I need to put in there so that other computers from my local network can connect?
I solved the problem. Since it was a combination of two answers I thought the only fair thing to do was add another answer with an explanation.
As #Mehran suggested, I have had the server address set up as 127.0.0.1 instead of the network address. After changing that to 192.186.1.3 I was able to connect from the server itself, but other machines were unable to connect. Then I did the steps from the guide provided in #vtortola's answer to add a new inbound rule into the server's firewall in order to allow that port to be used.
So finally it all works now, thank you very much for helping me. +rep to everyone!
I'm pretty sure this is due to the configuration of your WebSocket server. It must be listening to localhost (127.0.0.1) to accept incoming connections in which case it won't answer to those aiming 192.168.1.3.
Since you didn't mention which server you are using I can not be specific but in general there are two ways to instantiate a listening socket, binding it to a specific IP address or * to bind whatever addresses system has. You need to configure the later if you intend to answer server connections coming from any computer within your LAN.
It looks like a Firewall/Policies issue to me.
IIS 7 Windows 2008, Localhost work but not local ip or external ip
Your TCP 80 could be allowed because the IIS installation will open it, that will explain why normal web browsing works. But you are trying to connect to the TCP 9300, that is very unlikely that is allowed by default.
Give a try to this: How to Open a Port in the Windows 7 Firewall , and allow that port.
Here are some things that you can safely assume while troubleshooting this issue:
If the service is able to work on 127.0.0.1 on the same machine, you can assume that the problem is not in the code or the PHP configuration
If you are not receiving an error when the server tries to bind to 192.168.1.3:9003 you can safely presume that the service is working. Try opening the Resource Monitor to see if it is actually listening on this port to confirm. To do so, go to 'Start Menu' in Windows and type 'Resource Monitor' in the 'Search programs and files' box. After opening the Resource Monitor, click the 'Overview' tab and find the name of the server process (typically 'php' if your using a CLI). With your process selected, switch over to the 'Network' tab and you will be able to see if it is listening on any ports within the 'TCP Connections' panel. This will show you what address and port it is listing on, as well as the remote address and port of any clients connected to the service.
If you know the server is running, and you know that it is actively listening on the expected address and port, it is very likely a firewall issue within Windows or your router. Note that even though 192.168.1.3 is the IP assigned to your interface, this is not a local IP and all communication to and from 192.168.1.3 will still go through the Windows firewall, including if being sent on the same machine. If your already at this point, I would strongly suggest checking your windows firewall first. If it is not the Windows firewall, check your router to see if it is blocking the port, and also check port forwarding and other setting to make sure that the router isn't otherwise interfering. We can likely help you with router issues here, but have your router's manual handy.
HTTP is a common service port so it is very possible that the router is not blocking the port, and windows may have automatically opened it if you are using IIS. 9300 is not a common port so it is unlikely to be open by default under any situation, unless your default is "all in", which effectively means your not using a firewall.
Another thing you might try (if possible) is closing your existing HTTP service and bind to port 80 using your Websocket service, or if possible (and while exercising caution) turn off your windows firewall completely to see if it works long enough to connect.
In general, don't try to reach your local network IP address from your own machine. There are very confusing things that happen at the socket layer here that I'll try not to delve too far into. The OS goes out of its way to make this work. Sometimes. I would expect that you cannot reach 192.168.1.3 (the server I'm assuming) from itself. There's a translation between local endpoint addresses when you do that which complicates everything.
A network switch will typically not send a frame back down a port it just received it from, so what you're seeing when you ping your local IP in cmd prompt is a loopback shortcut the OS is taking.
Not being able to reach it from another machine causes me suspect that the socket is not bound correctly on the server. Double check that you are explicitly declaring the socket on the server (address and port), and that your're binding your listener to that socket. Also ensure that the address you're binding to is for the correct network adapter. I see this all the time with laptops or machines that have multiple connected adapters.
Unfortunately I cannot be more targeted with my response as I am unfamiliar with what a FancyWebSocket is or how it is constructed.
I can help you if its a linux system.
If there is no name server on the local network, it is still possible to establish a small table mapping IP addresses and machine hostnames in the /etc/hosts file, usually reserved for local network stations.
This file is available even during network outages or when DNS servers are unreachable, but will only really be useful when duplicated on all the machines on the network. The slightest alteration in correspondence will require the file to be updated everywhere. This is why /etc/hosts generally only contains the most important entries.
This file will be sufficient for a small network not connected to the Internet, but with 5 machines or more, it is recommended to install a proper DNS server.
Try adding all the 'ip:port' along with a hostname and copy the template in file /etc/hosts in all the system.
Hope it resolves the issue!
I have set up my wordpress site on my local machine and I would like it to talk to the live mysql database on the server. I accessed the wp-config.php file on my machine and changed the hostname to use the ip address instead of localhost, but it will not work.
What do I need to do?
It could be that your remote database is configured to accept connections only from localhost for security reasons. Most web providers set it up that way. In that case, you have no chance of making this work.
Anyway, even if you would get it to work, you will encounter two problems: It will be awfully slow, and the HTML served by the remote database will contain references to server URLs (as opposed to local ones).
If you need more detailed information, you will need to post any error messages you get from mySQL.
Alternatively, you can try running the mysql command-line utility to connect.
mysql -u username -h server -p wordpress_database
Make sure that works first before attempting to get Wordpress to connect.
My guess is you won't be able to connect due to firewall issues. MySql uses port 3306 by default, so if the server's firewall doesn't allow connections through that port, you'll either have to change the port mysql is using (probably a bad idea if other apps expect to see MySql on that port) or get that port opened on the server (make sure you only open it for local IPs, so someone else can't get to your MySql instance!)