Wednesday, December 19, 2018

How to configure a Proxy in a curl command HTTP Request?

Imagine you need to invoke an endpoint and the request must always go through a proxy. For example, your company network might be configured to route traffic through a network proxy. In that case, to invoke the endpoint via curl, you only need to do one simple thing.

Just add --proxy <Proxy_Host>:<Proxy_Port> at the end of your command.

E.g.,

curl -i -X GET https://<HOST>:<PORT>/test/login.jsp --proxy <Proxy_Host>:<Proxy_Port>

Testing for Supported HTTP methods - Testing for Vulnerable methods

HTTP provides a number of methods that can be used to perform actions on the web server. Many of these methods are designed to help developers in deploying and testing HTTP applications. These HTTP methods can be misused if the web server is misconfigured. Additionally, Cross Site Tracing (XST), a form of cross site scripting using the server's HTTP TRACE method, is examined.
While GET and POST are by far the most common methods that are used to access information provided by a web server, the Hypertext Transfer Protocol (HTTP) allows several other (and somewhat less known) methods. RFC 2616 (which describes HTTP version 1.1 which is the standard today) defines the following eight methods:
  • HEAD
  • GET
  • POST
  • PUT
  • DELETE
  • TRACE
  • OPTIONS
  • CONNECT

You can test for vulnerable methods using a simple curl command.
Make a curl OPTIONS call, as below, to the login page or the landing page.
curl -i -X OPTIONS <URL> --proxy <host>:<port>
E.g.,
curl -i -X OPTIONS https://<Host>:<PORT>/test/login.jsp

If the server is vulnerable, it will accept the OPTIONS method and display all the supported methods, as below.

HTTP/1.1 200 OK 
Allow: GET, HEAD,POST, OPTIONS

Otherwise it will return a response like 405 Method Not Allowed.
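
One way to read that response consistently, as an added example that is not part of the original post: the function below takes the headers printed by `curl -i -X OPTIONS` and lists any advertised methods beyond GET, HEAD, POST and OPTIONS. The function name, the review list and the sample response are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise the headers printed by `curl -i -X OPTIONS <URL>`.
# Assumption of this example: every method in the RFC 2616 list other than
# GET, HEAD, POST and OPTIONS is reported for review.
REVIEW_METHODS="PUT DELETE TRACE CONNECT"

# Reads a raw HTTP response on stdin and prints "<status> review=<methods|none>".
# Exit status: 0 nothing to review, 1 methods to review, 2 no status line found.
check_options_response() {
    awk -v review="$REVIEW_METHODS" '
        { sub(/\r$/, "") }                      # curl -i output has CRLF line ends
        # A new status line starts a new response; this discards the proxy
        # "200 Connection established" block that precedes the real reply.
        /^HTTP\// { status = $2; allow = ""; in_hdr = 1; next }
        /^$/      { in_hdr = 0; next }          # blank line ends the header block
        in_hdr && tolower($0) ~ /^allow[ \t]*:/ {
            value = $0
            sub(/^[^:]*:/, "", value)
            allow = allow "," toupper(value)    # tolerate repeated Allow headers
        }
        END {
            if (status == "") { print "no-response"; exit 2 }
            n = split(review, r, " ")
            for (i = 1; i <= n; i++) want[r[i]] = 1
            m = split(allow, a, /[ \t,]+/)      # handles "HEAD,POST" and "GET, HEAD"
            for (i = 1; i <= m; i++)
                if ((a[i] in want) && !seen[a[i]]++)
                    flagged = (flagged == "" ? "" : flagged ",") a[i]
            print status " review=" (flagged == "" ? "none" : flagged)
            exit (flagged == "" ? 0 : 1)
        }'
}

# Constructed sample: a reply fetched through a proxy, with TRACE and PUT enabled.
SAMPLE_RESPONSE='HTTP/1.1 200 Connection established

HTTP/1.1 200 OK
Allow: GET, HEAD,POST, OPTIONS
allow: trace, PUT
'
printf '%s' "$SAMPLE_RESPONSE" | check_options_response || echo "exit status $?"
```

Against a server you administer, pipe the curl call straight into it: curl -s -i -X OPTIONS <URL> --proxy <host>:<port> | check_options_response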


Thursday, September 14, 2017

How to enable tracing logs on PCF DEV

Most of the time PCF does not show many error logs. After going through their documentation I found a catch. Since our calls are mainly API based, we can enable tracing logs for these calls and get an idea of the errors we get.

E.g., I had a situation where, no matter how correctly the app was developed, it kept crashing when I pushed it to the dev environment.

The only error log I could see was the one below:

2017-09-14T15:23:56.84+0530 [API/0] OUT Updated app with guid 0163061c-0120-4662-a0b1-930d7ce6505b ({"state"=>"STOPPED"})

The command below actually helped me get more details of the error.

What you have to do is append -v to your cf command.

E.g.,


sudo cf push --docker-image test:test test -u process -v
  
This gives more error logs, as below:

REQUEST: [2017-09-14T18:02:32+05:30]
GET /v2/apps/abc44f1f-3072-4c85-a72a-d0d6738dfb97/instances HTTP/1.1
Host: api.local.pcfdev.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Connection: close
Content-Type: application/json
User-Agent: go-cli 6.29.2+c66d0f3.2017-08-25 / linux



RESPONSE: [2017-09-14T18:02:32+05:30]
HTTP/1.1 200 OK
Connection: close
Content-Length: 96
Content-Type: application/json;charset=utf-8
Date: Thu, 14 Sep 2017 12:32:33 GMT
Server: nginx
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 09c44df1-7f8b-4147-6cd8-fa033dd68477
X-Vcap-Request-Id: 09c44df1-7f8b-4147-6cd8-fa033dd68477::ba3471cb-55be-46ac-a119-db14696c8f62

{"0":{"state":"DOWN","uptime":32,"since":1505392320,"details":"insufficient resources: memory"}}

REQUEST: [2017-09-14T18:02:32+05:30]
GET /v2/apps/abc44f1f-3072-4c85-a72a-d0d6738dfb97/stats HTTP/1.1
Host: api.local.pcfdev.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Connection: close
Content-Type: application/json
User-Agent: go-cli 6.29.2+c66d0f3.2017-08-25 / linux



RESPONSE: [2017-09-14T18:02:32+05:30]
HTTP/1.1 200 OK
Connection: close
Content-Length: 253
Content-Type: application/json;charset=utf-8
Date: Thu, 14 Sep 2017 12:32:33 GMT
Server: nginx
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 95f66d78-59b3-4e69-4b18-508de8d2c102
X-Vcap-Request-Id: 95f66d78-59b3-4e69-4b18-508de8d2c102::801fb2ec-4bc1-45a7-8726-10b57b7b6c73

{"0":{"state":"DOWN","stats":{"name":"working","uris":["working.local.pcfdev.io"],"host":null,"port":null,"uptime":32,"mem_quota":2147483648,"disk_quota":1073741824,"fds_quota":16384,"usage":{"time":"2017-09-14 12:32:33 UTC","cpu":0,"mem":0,"disk":0}}}}
0 of 1 instances running, 1 down

How can I reconfigure PCF DEV VM with different size of memory?

Sometimes you might get an "insufficient memory" error message when you try to deploy apps to the PCF environment. Then you need to reconfigure your VM with more memory as below.

1. First, stop or destroy your running CF DEV environment if one is already running.

cf dev stop
cf dev destroy

PCF Dev VM has been destroyed.


2. Then uninstall the current env

sudo cf uninstall-plugin pcfdev

Uninstalling plugin pcfdev...
OK
Plugin pcfdev 0.27.0 successfully uninstalled.




3. Then reinstall the plugin by running the command below in your extracted zip folder. E.g., pcfdev-v0.26.0+PCF1.10.0-linux.zip -> pcfdev-v0.26.0+PCF1.10.0-linux

./pcfdev-v0.27.0+PCF1.11.0-linux

Plugin successfully installed. Current version: 0.27.0. For more info run: cf dev help




4. Now restart, allocating the memory in megabytes

To change the allocated memory, run the following command, replacing NEW-ALLOCATED-MEMORY with the amount of memory you want to allocate in megabytes:
 
$ cf dev start -m NEW-ALLOCATED-MEMORY

By default, PCF Dev tries to allocate half of the memory available on your host machine, with a minimum of 3GB and a maximum of 4GB.


cf dev start -m 4000



Reference : https://docs.pivotal.io/pcf-dev/faq.html

Tuesday, September 5, 2017

Do you get a "Got permission denied while trying to connect to the Docker daemon socket" even after successful docker login?

Do you get a warning during the login to docker hub via terminal even after providing correct credentials?

Does the warning look like the one below?

docker login
Warning: failed to get default registry endpoint from daemon (Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.30/info: dial unix /var/run/docker.sock: connect: permission denied). Using system default: https://index.docker.io/v1/
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.

Username: ushanib
Password:

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.30/auth: dial unix /var/run/docker.sock: connect: permission denied

This is because your user does not have permission to connect to the Docker daemon socket. You have to run the command as the super user, as below:

sudo docker login

Thursday, August 3, 2017

WHY WSO2 ESB?

I have been writing a lot of posts about WSO2 ESB. But have you ever thought about why we should use WSO2 ESB over its competitors? Have a look at Samisa's article.
The points below are taken from his article.

WSO2 advantages over competitors

  • Ability to easily integrate any component framework. Support of Java based extensions and multiple scripting options. There is no need to have WSO2 specific code to integrate anything with WSO2 ESB
  • Numerous built-in message mediators, solution templates and connectors to third-party cloud systems to help cut down redundant engineering efforts and enable significant component reuse
  • Freedom for architects and developers to pick and choose message formats, transports, and style of services they want to expose using the ESB
  • Component oriented architecture and cloud and container support enables you to deploy the ESB using a topology of your choice based on your needs in a secure, scalable and adaptive manner
  • The ready-made scripts and tools help with rapid deployments, ensuring the ability to go to market quickly with your solution using the ESB
  • Continuous innovation that helps build future proof solutions on top of the ESB
  • Rigorous and frequent product update cycles and state-of-the-art tooling support for managing ESB deployments with DevOps practices. Using Docker descriptors and Puppet scripts
  • Proactive testing and tuning of performance and innovation around performance enhancements