
The Blog of Darryl E. Clarke

  Random musings from a jaded coder who just needs a hug.

Archive for the ‘Security’ Category

Allowing the Facebook Debugger through nginx’s auth_basic

Friday, March 29th, 2013

In my prior post, Allowing the Facebook Debugger through .htaccess, I showed how you could do just that. But, as time goes on, I spend more and more time with nginx and I need to adapt my rules.

So, today, I decided I should do the exact same thing with nginx. All of the dev sites I work on are generally password protected with a standard auth_basic setup. This is great, keeps the robots out and prying eyes away. But it’s always an issue when you need to test sharing and other external scrapers.  As it turns out, doing so with nginx is just as simple as it was with Apache.

My initial ‘location’ block was a simple configuration:

location  /  {
  auth_basic            "Restricted";
  auth_basic_user_file  htpasswd;

  if (!-e $request_filename) {
    rewrite ^(.+)$ /index.php last;
  }
}

Allowing the Facebook debugger through the simple auth_basic was as easy as adding an if check and a secondary ‘location’ rule.

location  /  {
  # Map a 418 response onto the named location below, so that the
  # `return 418` inside the if block ends up being served by @allowed.
  error_page 418 = @allowed;

  if ($http_user_agent ~* facebookexternalhit) {
    # bypass httpauth.
    return 418;
  }

  auth_basic            "Restricted";
  auth_basic_user_file  htpasswd;

  if (!-e $request_filename) {
    rewrite ^(.+)$ /index.php last;
  }
}

location @allowed {
  # No auth_basic here: requests handed over by the 418 above are
  # served with the same front-controller rewrite, but no password.
  if (!-e $request_filename) {
    rewrite ^(.+)$ /index.php last;
  }
}

The first thing added was a rule telling nginx what I mean when I say ‘return 418’ – this is the HTTP response code for “I’m a teapot”. The if block simply checks whether the request comes from a known Facebook agent, and the third block is a custom location that strips out the authentication requirements.

The concept is fairly simple and can be applied to any other external scrapers you may need to let through.
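As an added illustration (not the post’s own code), here is a small Python model of the decision those two location blocks make for a request, using a constructed htpasswd entry in the {SHA} form nginx accepts and constructed request headers. It makes concrete that the ~* match is case-insensitive and that a matching request never reaches auth_basic at all, because the 418 is caught by error_page and handed to @allowed; the whole bypass therefore rests on a client-supplied User-Agent header, which is fine for a password-protected dev site but is not access control.

```python
import base64
import hashlib
import hmac
import re

# Constructed htpasswd entry for user "dev" with password "s3cret", stored in the
# "{SHA}" form (base64 of the SHA-1 digest) that nginx's auth_basic_user_file accepts.
HTPASSWD = {
    "dev": "{SHA}" + base64.b64encode(hashlib.sha1(b"s3cret").digest()).decode(),
}

# Same test as `if ($http_user_agent ~* facebookexternalhit)`: ~* is case-insensitive.
FB_AGENT = re.compile(r"facebookexternalhit", re.IGNORECASE)


def basic_header(user, password):
    """Build the Authorization header a browser sends after the auth_basic prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_credentials(auth_header):
    """Verify a 'Basic ...' header against the {SHA} entries in HTPASSWD."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    stored = HTPASSWD.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    computed = "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(computed, stored)


def route(headers):
    """Model the two location blocks: return (location that serves it, status)."""
    if FB_AGENT.search(headers.get("User-Agent", "")):
        # `return 418` is intercepted by `error_page 418 = @allowed`, and the
        # @allowed location carries no auth_basic, so the request is served as-is.
        return "@allowed", 200
    # Everyone else is still subject to auth_basic in location /.
    if not check_credentials(headers.get("Authorization")):
        return "/", 401
    return "/", 200
```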

Posted in Security

You Want Us To Be Secure…

Thursday, August 4th, 2011

But you make it so complicated.

From a technical standpoint, I understand how simple it is to create certificates for SSL/TLS and put them into configs and use ’em.

From a user standpoint, I can not understand the who/what/when/where/why as to the whole security industry and being so damn complicated.

So many SSL providers out there offer you packages from FREE to thousands of dollars, and for what? It’s just encryption. It’s just a browser asking “Hey, is this certificate still valid?”

So many providers also make it hard to just register. You’ve gotta jump through hoops and do crazy things like create a CSR and upload it when they could just have a simple, secure (irony) web form to let you generate one on the spot. Sending documents back and forth to “verify” your identity.

Seriously, I just want some encryption.

I also like the “we need to verify you’re the owner” processes… so many loopholes.

There’s a huge opening in this industry for someone who wants to make this whole process simple and easy (and cheaper). Just sayin’.

Posted in Linux, Randomness, Security

Don’t Allow Facebook Apps to Get Your Email

Wednesday, March 10th, 2010

Just say no to these prompts. There’s no reason a Facebook application needs to email you directly, bypassing the “safe” realm of what Facebook already offers.

Applications that need to contact you can already do so via your inbox, application counters, and emailing you via Facebook’s email proxy. (A proxy which protects you from the malicious behaviour I’m about to describe…) There is just absolutely no reason that Mindjolt (no offense guys, you were the first that I saw using this and the rant below is not directed at you) needs to email me anything, ever… (more…)

Posted in Security

Don’t Trust Facebook’s Photo Privacy At All

Sunday, November 22nd, 2009

You constantly hear about things happening to people because of things on Facebook. Mostly pictures, and how certain people who probably shouldn’t be able to see them somehow managed to see them.

And it goes sort of like this. I have a photo album on Facebook called ‘Pets’, and this album has the privacy setting “Friends Only”. As you will see if you click the link to the album, a few things will happen depending on who you are and whether or not you are logged in to Facebook… (more…)

Posted in Security