#ops (2019-11)
Archive: https://archive.sweetops.com/ops/
2019-11-20
Interested in thoughts on the TSB outage report if anyone has read it yet: https://www.tsb.co.uk/news-releases/slaughter-and-may/
2019-11-25
Hi everyone! This seems like the most appropriate channel to ask for help. Does anyone have any experience setting up user-content domains? I.e. githubusercontent.com ?
We have set ours up, but it looks like it’s being somehow magically throttled/blocked by some ISPs/enterprise firewalls and the like. And I’m curious whether someone knows how to go about making sure that a domain like that doesn’t get blocked as suspicious.
Do you mean like hotlinking to raw.githubusercontent.com?
(for this you need a proxy)
…it’s not intended to be used as a CDN
No, no, what I mean is that we have our own CDN (i.e. janis-user-content.com) that serves the content our users upload. Basically a user-upload sandbox domain to make sure it doesn’t share any cookies with our main domain. We then serve all user-content from that CDN/Domain inside of our app. Well some Enterprise firewalls seem to not trust our user-content domain and sporadically block it. I’m wondering if someone else has any tips/tricks on how to make the domain look… less suspicious?
@Janis Peisenieks the domain name itself should not be suspicious to any enterprise firewalls unless it’s explicitly blocked (blacklisted)
it must be something else, e.g. headers, security settings, etc.
for example, take a look at the Content-Security-Policy header, it can block many resources from loading on a site
'Content-Security-Policy': 'frame-src https://aaaaaaa.com; default-src \'none\'; img-src \'self\' data: blob: *; script-src \'self\' blob: https://aaaaaaaa.org; style-src \'unsafe-inline\'; object-src \'none\'; frame-ancestors \'self\'; connect-src \'self\' https://aaaaaa.com/; base-uri \'self\'; form-action \'self\'; manifest-src \'self\''
The main problem here is that it’s nowhere near consistent, and seems to happen sporadically for some users, but usually quite a few
which makes me think that there is something wrong (or at least not right) with our domain
Which makes me think that it shouldn’t be Content-Security-Policy related
so, since Content-Security-Policy could be diff on each site, the behavior could be different
hmm
also, do you use SSL to load assets from your domain?
Yes
And the weird thing is that we always serve the user-content from CDN from our main domain. That part doesn’t change, which (if I understand CSP correctly) means that CSP shouldn’t be changing as well. At least we don’t change it in any way
take a look at headers and compare them on working and not working sites
something should be diff there
https://medium.com/@tom.cook/edge-lambda-cloudfront-custom-headers-3d134a2c18a2
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
https://content-security-policy.com
these are just some of the headers that could affect it
The thing is that I’ve never been able to replicate on my own, and for users it usually starts working if they switch networks from their work to another network (like a hotspot). It seems to be an all-or-nothing for some users. So either all of the things from the CDN load, or none do.
Ok, I’ll take a look at that, thanks!
I just got a report from a user, and what they see is this. This to me would indicate that something is trying to show something else than what is supposed to be there, since the certificate is issued by AWS, and is working for 99% of our other users.
Anyways, thank you for your time and help!
Why does the net::err_cert_authority_invalid error occur?
Basically, there are two main reasons for receiving this kind of error:
- The certificate authority that issued this certificate is not trusted, or the certificate has expired
- *Your system date and time are not correct*
“Your system date and time are not correct” could be the issue
2019-11-26
Question here. I’m trying to run the following on a cron like schedule.
docker run --rm -it -u $(id -u):$(id -g) linkchecker/linkchecker https://somesite.com -t 40 -o html > ourreport.html
Spinning up an AWS Fargate cluster + VPC and running this on a schedule seems like way overkill. Is there a better on-demand approach here? Lambda would time out.
2019-11-27
@Andriy Knysh (Cloud Posse) Looks like blacklisting is the issue here. This is from Cisco/Talos’ site:
@Janis Peisenieks the domain name itself should not be suspicious to any enterprise firewalls unless it’s explicitly blocked (blacklisted)
I guess this means that one of the core problems in my case is that I didn’t know where to look to see if the domain was being blacklisted.