How to correctly set up AspNet Core 2 authentication behind a load balancer?

I’ve set up AspNet Core 2 authentication successfully, but now would like to get it working behind a load balancer.

Because the load balancer address is different from my app address I’m changing the redirect Uri in my startup.cs ConfigureServices like this…

    options.Events.OnRedirectToIdentityProvider = async n =>
    {
        n.ProtocolMessage.RedirectUri = "https://frontfacingaddress.com";
        await Task.FromResult(0);
    };

This works fine and I successfully authenticate, and the callback from the identity server calls https://frontfacingaddress.com/signin-oidc. That is correctly handled, and handling OnTokenResponseReceived shows that I successfully receive the token.

The problem is: it is then making another call to the identity server but this time to the app’s actual (not load balancing) address. When that comes back it gives an error of: AspNetCore.Correlation.OpenIdConnect cookie not found.

So the Fiddler trace looks like this:

    302 HTTPS  frontfacingaddress.com      /account/signin
    200 HTTPS  identity.serveraddress.com  /connect/authorize/callback etc...
    302 HTTPS  frontfacingaddress.com      /signin-oidc   -- this is where I successfully receive the code, but then:
    302 HTTPS  actualwebaddress.com        /account/signin
    200 HTTPS  identity.serveraddress.com  /connect/authorize/callback etc...
    400 HTTPS  frontfacingaddress.com      /signin-oidc   -- this is the 400 cookie not found error

Why, after successfully authenticating, is it then firing again from the actual address and failing?

I think someone built a network behind mine

So my stepson gets on the PS4 with WPS. I disabled it and changed the password, and while he’s still connected via WPS he asks the PS4 what the Wi-Fi password is and it gives it to him. He keeps changing his MAC address so I can’t block it, and now every time I log into my router it says it isn’t secure. I was trying to disable my 5 megahertz channel and it wouldn’t let me; it kept going back on. I tried to change the password and it goes back to default, and now there’s a hidden SSID on my router that I cannot get off! I have disabled everything: DHCP, port forwarding, UPnP, remote login.

Which computational framework lies behind the Chinese “Social Credit System”?

BACKGROUND

The Social Credit System is a data-driven reputation system which draws on several sources to label various entities, namely businesses and individual citizens, with a trustworthiness score. One can only guess that Facebook implements similar systems, albeit for different goals. What these systems have in common is that they’re based on an ontology, i.e., a finite set of entity-relations, which fix the constraints on the correlations between the various entities to be scored. One could think of similar ontologies in, say, cybersecurity, whereby various entities (domains, IP addresses, e-mails, etc.) can be seeded with beliefs or initial scores of maliciousness which will then propagate to their neighbors according to particular rules. The same could be done with fault prevention or forensics in mechanical systems of interacting entities.

QUESTION

Conceptually speaking, is there a common framework that best represents these systems? I initially thought of Bayesian propagation, but it seems that it doesn’t easily account for

  • uncertainties in the scores,
  • loops in the ontology graphs (how does one avoid runaway “feedback”?),
  • non-linearities at the nodes (since scores can be generated at a node itself based on its attributes, regardless of its neighbors). For example: Bob is a successful surgeon, Bill is a drug addict. Therefore, Bob is less likely than Bill to commit a crime—and that’s independently of any inference from their respective environments.

The logic behind the switchers placement in the iOS Control Center

The iOS Control Center contains two rows of buttons at the top and bottom of the area. The previous implementation of it made more sense to me, as the top buttons were switchers, and the bottom buttons were mostly launchers (except for the flashlight, which feels out of place).

The most recent update introducing the Night Shift feature brought a new button to the Control Center. It’s now located in the middle of the bottom row and is responsible for toggling that feature on/off.

I can see how the Flashlight could have been a one-time trade-off because on the other hand, the interaction span with that particular feature is supposed to be short: you launch it, quickly use it, and get back to whatever you were doing (just like with the Camera, Calculator or Timer).

But now I don’t understand the logic behind those placement decisions completely. The Night Shift button is definitely a switcher, it can stay on for a long period of time, and it does feel like it belongs to the area where most of the switchers are. I do realise that the area will become too crowded, but then again, it is possible to have two rows of icons in there, with the secondary ones grouped in a collapsible/expandable area – just like the one that lets you act on a banner notification (e.g. reply to a text message). That would also make it possible to include the switches for the Low Power Mode, Cellular Data and Auto Brightness in that quick access area, this way making it even more feature-rich.

Before you tell me this actually belongs to Apple’s feedback website, let me finally ask my question: is there any logic behind this placement? It just doesn’t feel right, consistent or predictable. Yet I’m sure they know what they’re doing, which makes me wonder if I’m missing something.

I did a search before asking to see if this is not going to be a duplicate.

Why do I get “Type does not correspond to an entity on this site” when POSTing to REST api behind an Apache Reverse proxy?

I have the REST api configured to allow POSTing new users to /entity/user. On my local machine, it works just fine. Once I push up to my remote host, it stops working.

The key difference is that on my local machine, my site is running in a docker container bound to port 6050, so all rest calls go to localhost:6050.

On my remote host, I have docker configured behind an Apache 2.4 reverse proxy. So the docker container is still bound to 127.0.0.1:6050, but all requests should go to https://sub.example.tld/.

To summarize, posting a new user to http://localhost:6050/entity/user?_format=hal_json, with the appropriate X-CSRF-Token and Content-Type headers set, works. It returns 200.

Posting to https://sub.example.tld/entity/user?_format=hal_json, with the appropriate X-CSRF-Token and Content-Type headers set, does not. It returns 422 Unprocessable Entity.

{"message":"Type https:\/\/sub.example.tld\/rest\/type\/user\/user does not correspond to an entity on this site."} 

I do manually set the user’s “_links” array:

    "_links": {
      "type": {
        "href": "https://sub.example.tld/rest/type/user/user"
      }
    },

I know that authentication isn’t the issue. My code is successfully accessing views that require authentication.

Since I think it might be something to do with these settings, I do have the following set:

  • $settings['trusted_host_patterns'] = ["$sub\.example\.tld$"]
  • $settings['reverse_proxy'] = TRUE;
  • $settings['reverse_proxy_addresses'] = ["internal network ip","172.18.0.1","127.0.0.1"];

I’m running Drupal 8.7.3.

My docker image is based on php:7.1-apache.

Any ideas what I’m doing wrong?

Site to Site VPN behind a NAT

I have a firewall “Stormshield” behind a NAT device, and I would like to establish an Azure site-to-site VPN. Is that possible?

I have already configured it. The VPN connection is established but the traffic is not forwarded, and it is not possible to configure routing in the NAT device.