I got banned from Ngrok after 10 requests!

Reverse Proxy

So, in order to test a new payment provider for a site, I was looking around for a quick and easy reverse proxy. I didn’t have to look far, as Ngrok is clearly the market leader, with a free tier to boot. They also have a convenient Python library called pyngrok for integration with Flask.

Secure Payment

So the payment provider has an easy system where you generate a form and fill it with details (customer, order details, etc.) which, once posted, redirects to their payment processing page – so your standard “Pay Now” procedure. My conceptual error was that I ignored the docs and thought this could be handled through the back end (for “security”), so I sent the form from Flask and returned the “Pay Now” page to the front end – also through Flask.

What went wrong?

In hindsight it seems fairly obvious to me that this is exactly how a bad guy would behave – only changing the HTML along the way. The Ngrok service, which my requests and responses were routing through – from my laptop to the payment provider and back – thought the same. They monitor for exactly this type of behaviour, I found out.
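For contrast, here is the “Pay Now” flow done the way the provider’s docs intend, in Flask. This is an added example, not code from the post: the server only prepares the hidden fields, and the browser posts straight to the provider’s hosted page, so neither Flask nor any tunnel in front of it ever relays the provider’s HTML. `PROVIDER_PAY_URL`, the order fields and the `/checkout` route are assumed placeholders.

```python
# Added example (not from the post). The server builds the form; the
# browser submits it directly to the provider, so no third-party page
# passes back through Flask or the tunnel (Ngrok, WireGuard) in front of it.
from html import escape

PROVIDER_PAY_URL = "https://payments.example/pay"  # placeholder sandbox URL


def build_pay_now_form(order: dict) -> str:
    """Render a self-submitting form that POSTs order details to the provider.

    Every name and value is HTML-escaped so customer-supplied strings cannot
    break out of an attribute and alter the form (or its action) on the way out.
    """
    fields = "\n".join(
        f'  <input type="hidden" name="{escape(str(k), quote=True)}" '
        f'value="{escape(str(v), quote=True)}">'
        for k, v in order.items()
    )
    return (
        f'<form id="pay" method="post" action="{PROVIDER_PAY_URL}">\n'
        f"{fields}\n"
        '  <button type="submit">Pay Now</button>\n'
        "</form>\n"
        '<script>document.getElementById("pay").submit();</script>'
    )


def create_app():
    """Flask app factory; Flask is imported here so the form builder above
    can be used and tested without it."""
    from flask import Flask

    app = Flask(__name__)

    @app.route("/checkout/<order_id>")
    def checkout(order_id: str):
        # Constructed sample order; a real app would load it from its database.
        order = {
            "order_id": order_id,
            "amount": "19.99",
            "currency": "EUR",
            "customer": "Ada Lovelace",
        }
        return build_pay_now_form(order)

    return app
```

Run with `flask --app <module>:create_app run` and open `/checkout/42`; the page submits itself to the provider URL, so the provider’s response is rendered by the browser, not proxied by your server.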

What happened?

I was banned! The routing stopped working and an error message appeared instead of my self-hosted site. I did contact support and, after explaining myself, the free account was actually reinstated, but not before two days had passed.

Reverse proxy using WireGuard

So I learned something about what not to do when processing payments. I wanted to keep learning (and hopefully get to the point where I can process payments for the service I’m working on), so I needed a reverse proxy to receive messages directly from the payment provider sandbox on my laptop. I found this list (by ducking the term “alternatives to Ngrok”): https://github.com/anderspitman/awesome-tunneling and from there I got to this free, open-source service built on WireGuard: https://tunnel.pyjam.as/

Now I can host my own reverse proxy (on a DigitalOcean droplet) and get back to learning about payment providers, phew!

Don’t Copy VirtualHost files from https to http

This is really just a note to myself regarding Apache VirtualHost files (it probably applies to Nginx too). I spent a good hour today trying to fix something that wasn’t broken; isn’t that always the way. Turns out I had left in the part that says “always load the https config”, which of course wasn’t there for an http-only site (yes, I’m using letsencrypt, but not for this particular temporary setup...)

Also, what is up with GoDaddy? I can’t get their nameserver change thing to work. Apparently (according to the customer representative I chatted to) the initial DNS setup takes 5 (!) days on their side after registering the domain. Actually, first he told me to try it in an incognito window – which I had already tried after googling for a bit. I’m not entirely sure that the info I got was accurate, but I’m giving the benefit of the doubt for now, since I did forget myself and click on a few settings changes (and quickly changed them back), so it could be me.

End Rant