Is there a way to open a TCP Socket back to a non-standard Silverlight port such as port 80?
I don't quite understand the restrictions on Silverlight ports.
I would like to open a connection back to the server of origin using any port. I can serve a policy file from port 943 if needed.
Microsoft restricted the ports to a range well outside the "well known ports." This prevents Silverlight from communicating directly to most web-based resources like HTTP, POP, SMTP, etc.
The most common way to get around this is to set up a "proxy" service on your domain. The proxy accepts requests, forwards them through the port on the service you're using, and returns the result.
The allowed port range (after the policy server check) is 4502 through 4532 to my knowledge. Using port 80 would be an HttpWebRequest or the like.
Related
I am implementing a Web proxy (in C), with the end goal of implementing some simple caching and adblocking. Currently, the proxy supports normal HTTP sites, and also supports HTTPS sites by implementing tunneling with HTTP CONNECT. The proxy works great running from localhost and configured with my browser.
Despite all of this, I'll never be able to implement my desired features as long as the proxy can not decrypt HTTPS traffic. The essence of my question is: what general steps do I need to take to be able to decrypt this traffic and implement what I would like? I've been researching this, and there seems to be a good amount of information on existing proxies that are capable of this, such as Squid.
Currently, my server uses select() and keeps all client ids in an fd_set. When a CONNECT request is made, it makes a TCP connection to the specified host, and places the file descriptor of both the client and the host into the fd_set. It also places the tuple of fd's into a list, and the list is scanned whenever more data is ready from select() to see if data is coming from an existing tunnel. The data is then read and forwarded blindly. I am struggling to see how to intercept this data at all, due to the nature of the CONNECT verb requiring opening a simple TCP socket to the desired host, and then "staying out of it" while the client and host set up their own SSL sockets. I am simply asking for the right direction for how I can go about using the proxy as a MITM attacker in order to read and manipulate the data coming in.
As a brief aside, this project is solely for my own use, so no security or advanced functionality is needed. I just need it to work for one browser, and I am happy to get any warnings from the browser if certificate-spoofing is the best approach.
proxy can not decrypt HTTPS traffic
You are trying to mount a man-in-the-middle attack. SSL is designed to prevent that. But - there is a weak point - a list of trusted certificate authorities.
I am simply asking for the right direction for how I can go about using the proxy as a MITM attacker in order to read and manipulate the data coming in.
You can get inspiration from Fiddler. The Fiddler has its own CA certificate (certification authority) and once you add this CA certificate as trusted, then Fiddler generates server certificates for each connection you use on the fly.
It comes with serious security consideration, your browser will trust any site. I've even seen using the Fiddler core inside a malware, so be careful
What are the different ports used by consul? What is the purpose of each port? Is there any way to configure consul to run using different ports?
When reading the consul documentation you will find following information.
Ports Used
Consul requires up to 4 different ports to work properly, some on TCP, UDP, or both protocols. Below we document the requirements for each port.
Server RPC (Default 8300). This is used by servers to handle incoming
requests from other agents. TCP only.
Serf LAN (Default 8301). This is used to handle gossip in the LAN.
Required by all agents. TCP and UDP.
Serf WAN (Default 8302). This is used by servers to gossip over the
WAN to other servers. TCP and UDP.
HTTP API (Default 8500). This is used by clients to talk to the HTTP
API. TCP only.
DNS Interface (Default 8600). Used to resolve DNS queries. TCP and
UDP.
You can configure consul services to run on different ports by editing the config file. For example setting the dns interface on port 53 and the HTTP API on port 80. More details on port configuration is here.
{
"ports": {
"dns": 53,
"http": 80
}
}
Minor update to the response from #Brrrr:
https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#080-april-5-2017
All CLI commands that used RPC and the -rpc-addr flag to communicate with Consul have been converted to use the HTTP API and the appropriate flags for it, and the rpc field has been removed from the port and address binding configs.
So now the CLI uses TCP on 8500 like other clients.
I have installed my web application on 2 Windows based VMs of GCE.My application runs on 8080 port.
Steps followed for Netwrok Load Balancer :
1) I created health checks for 8080 port.
2) Added both my VMs and helathchecks to target pool.
3) In forwarding rule I created a rule for 8080 port for that particular Target Pool.
After this go to Target Pools and check the health of the VMs
Here a red symbol is shown against both the instances and message shown as "instance is unhealthy for ".
I have added port 8080 in Firewall rules.
If any one can help, if I am doing anything wrong or there is some other way to setup the Load Balancer.
I believe this issue is not related to the fact that you are listening in port 8080. Health check will pass as long as your instances are able to communicate with the Metaserver (169.254.169.254 [1]) and response with a valid HTTP page.
You must be sure you have allowed communication on port 8080 on the Google Firewall and on your Windows firewall instance [2]. As a debugging you can try to ping the Metaserver and capturing IP packages to confirm if there is a 3 way handshake between the Metaserver and your GCE instance. Additionally you might want to try to do the setup with the same instances on port 80 to confirm if it is actually related to the port.
[1] https://cloud.google.com/compute/docs/metadata
[2] https://cloud.google.com/compute/docs/networking
My question is, how to connect to socket on romote mechine?
I can only connect sockets on same network..
I wrote a simple code (in c), that simulate a server (open socket and listen for client). in Mac.
I'm trying to connect this socket as a client from iPhone (with simple objectiv-c code).
If my internet on both, server and client, is on the same network (WiFi) and in client I trying to connect to 192.168.1.x, it's working.
But when, in client, I'm trying to connect via external IP (with the same port) connection is failed.
I never did this bofore. Maybe I miss somthing.. I've tried to turn my FireWall off. It did not help.
Thanks.
Edit: If it's not clear.. my Mac is connected by router.
In a setting like this, the "external IP" would typically be the IP of the router. In all likelihood you'll need to configure the router to forward the relevant port to the internal IP address.
It could also be the case that for the port forwarding to work, the request has to come in on the external (WAN) interface. This depends on how the router is configured. If that's the case, you'll need to make sure that you're accessing the external IP via the cellular network and not the Wi-Fi connection on your iPhone.
If you're connecting to your server via a local IP address (i.e., you're connecting to another machine on the same local router via a delegated DHCP address), then your issue is on the network, not the IP-stack of the local machine.
You'll need to look into your router settings ... many routers will block a number of services, especially those on custom ports, in order to prevent malicious attacks from sources external to the local network.
I need one server to receive ip requests from clients(there are not in the same intranet), and I can
route all the response packets to a special gateway server, and then I send the response packages to
clients after some processing. it is like VPN, but I want to do some development based one
opensource project, so i can control it myself.
any suggestion? thanks!
There is OpenVPN which is as the name already suggests open source.
You could set up the server on the local one as a kind of proxy (or reverse-proxy depending on your viewpoint) and have the clients connect to it.
It depends what protocol you're using, maybe it has explicit proxy capability or you can get an existing proxy program, or just proxy it using a simple socket forwarder program.