#ops (2019-11)
Archive: https://archive.sweetops.com/ops/
2019-11-20
![ols avatar](https://secure.gravatar.com/avatar/23705b60ae52ed6c4f125e9f11d5583c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0000-72.png)
Interested in thoughts on the TSB outage report if anyone has read it yet: https://www.tsb.co.uk/news-releases/slaughter-and-may/
2019-11-25
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
Hi everyone! This seems like the most appropriate channel to ask for help. Does anyone have any experience setting up user-content domains? I.e. githubusercontent.com?
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
We have set ours up, but it looks like it’s being somehow magically throttled/blocked by some ISPs/Enterprise firewalls and the like. And I’m curious whether someone knows how to go about making sure that a domain like that doesn’t get blocked as suspicious.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Do you mean like hotlinking to [raw.githubusercontent.com](http://raw.githubusercontent.com)?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(for this you need a proxy)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
…it’s not intended to be used as a CDN
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
No, no, what I mean is that we have our own CDN (i.e. janis-user-content.com) that serves the content our users upload. Basically a user-upload sandbox domain to make sure it doesn’t share any cookies with our main domain. We then serve all user-content from that CDN/Domain inside of our app. Well some Enterprise firewalls seem to not trust our user-content domain and sporadically block it. I’m wondering if someone else has any tips/tricks on how to make the domain look… less suspicious?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@Janis Peisenieks the domain name itself should not be suspicious to any enterprise firewalls unless it’s explicitly blocked (blacklisted)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it must be something else, e.g. headers, security settings, etc.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
for example, take a look at Content-Security-Policy header, it can block many resources from loading on a site
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
'Content-Security-Policy': 'frame-src https://aaaaaaa.com; default-src \'none\'; img-src \'self\' data: blob: *; script-src \'self\' blob: https://aaaaaaaa.org; style-src \'unsafe-inline\'; object-src \'none\'; frame-ancestors \'self\'; connect-src \'self\' https://aaaaaa.com/; base-uri \'self\'; form-action \'self\'; manifest-src \'self\''
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
The main problem here is that it’s nowhere near consistent, and seems to happen sporadically for some users, but usually quite a few
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
which makes me think that there is something wrong (or at least not right) with our domain
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
Which makes me think that it shouldn’t be Content-Security-Policy related
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so, since Content-Security-Policy could be diff on each site, the behavior could be different
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
hmm
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
also, do you use SSL to load assets from your domain?
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
Yes
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
And the weird thing is that we always serve the user-content from CDN from our main domain. That part doesn’t change, which (if I understand CSP correctly) means that CSP shouldn’t be changing as well. At least we don’t change it in any way
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
take a look at headers and compare them on working and not working sites
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
something should be diff there
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
<https://medium.com/@tom.cook/edge-lambda-cloudfront-custom-headers-3d134a2c18a2>
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src>
<https://content-security-policy.com>
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
these are just some of the headers that could affect it
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
The thing is that I’ve never been able to replicate on my own, and for users it usually starts working if they switch networks from their work to another network (like a hotspot). It seems to be an all-or-nothing for some users. So either all of the things from the CDN load, or none do.
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
Ok, I’ll take a look at that, thanks!
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
I just got a report from a user, and what they see is this. This to me would indicate that something is trying to show something else than what is supposed to be there, since the certificate is issued by AWS, and is working for 99% of our other users.
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
Anyways, thank you for your time and help!
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Why net::err_cert_authority_invalid error occur?
Basically, there are two main reasons for receiving this kind of error:
The Certificate authority that had issued this certificate is not trusted or the certificate has expired and *Your system date and time are not correct*.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Your system date and time are not correct could be the issue
2019-11-26
![Rich Allen avatar](https://secure.gravatar.com/avatar/09f045a9ab3a689d313ca5f03d4a05b4.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
Question here. I’m trying to run the following on a cron like schedule.
docker run --rm -it -u $(id -u):$(id -g) linkchecker/linkchecker https://somesite.com -t 40 -o html > ourreport.html
![Rich Allen avatar](https://secure.gravatar.com/avatar/09f045a9ab3a689d313ca5f03d4a05b4.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
Spinning up an aws fargate cluster + vpc and running this on a schedule, seems like way overkill. Is there a better on-demand approach here? Lambda would timeout.
2019-11-27
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
@Andriy Knysh (Cloud Posse) Looks like blacklisting is the issue here. This is from Cisco/Talos’ site:
![Janis Peisenieks avatar](https://secure.gravatar.com/avatar/9d4572111f1b24154a6fd8f16d7bcf1d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
I guess this means that one of the core problems in my case is that I didn’t know where to look to see if the domain was being blacklisted.