Stripe payment urls / IPs for whitelist
-
Hi All,
I have a captive portal set up with one PHP page on my pfSense box that directs to a separate (but on the same LAN) web server.
The web server allows the user to enter a token or purchase access via a Stripe merchant account. Tokens are read from a MySQL database, marked as used, and the user is logged on.
Everything seems to work fine when I run it manually, with the captive portal off / open. However, when I turn the portal on I start to have a few issues with remote resources being blocked. The main issue here is that js.stripe.com, which is responsible for building the card details form, is one of the resources that's having problems. I've confirmed this by checking the F12 console in Chrome.
Obviously I jumped over to the "allowed hostnames" box and added js.stripe.com (as well as several other Stripe domains), but I still, more often than not, am unable to load the card payment form. Sometimes it does work, but most of the time it does not.
I think my problem is that Stripe uses a CDN, so sometimes js.stripe.com actually returns server1.yourcdnhere.com, another time it's server_Y.bestcdn.net, etc.
Could anyone either advise how to whitelist domain names when they are actually cnames / CDN or if I’m off the mark here point me in the right direction?
As ever, the assistance is seriously appreciated.
-
Consider this: Docs » pfSense software » Firewall > Aliases
Take note of the first Note, the Warning and the second Note.
A solution might be: copy the files you need from "js.stripe.com" to the local web server and use them from there.
Plan B would be: try to resolve all possible IPs used, and list them.
-
@qctech said in Stripe payment urls / IPs for whitelist:
Could anyone either advise how to whitelist domain names when they are actually cnames / CDN .....
It would be possible, but the Alias functionality would need a DNSWL (DNS White list) overhaul.
And still, there would be issues, as CDNs could resolve to a whole list of IP addresses right now, and propose other IP addresses a couple of moments later (round robin, random, load based, etc.).
-
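The "Plan B" from the reply above (resolve the hostnames many times and list every address that comes back) can be scripted rather than done by hand. The block below is an added example, not code posted by anyone in this thread or shipped by pfSense or Stripe. It keeps the union of addresses seen across repeated lookups, reports how many new addresses each round still adds (if that number does not fall to zero, the CDN is rotating answers and a static alias will keep missing hosts, which is exactly the caveat raised above), and prints one address per line for pasting into an alias. The hostnames other than js.stripe.com and the sample lookup results are constructed for illustration, and the one-address-per-line alias format is an assumption about the import dialog.

```python
"""Collect the address set behind CDN-fronted hostnames over repeated lookups.

Added example for the thread above (not anyone's posted code). Resolve the
hostnames repeatedly, keep every distinct address seen, and emit a list
suitable for a pfSense host alias. Hostnames besides js.stripe.com and the
SAMPLE_ROUNDS data are constructed; live resolution is behind a flag.
"""
import ipaddress
import socket
import sys
import time
from collections import defaultdict

# js.stripe.com comes from the thread; the others are assumed stand-ins for
# the "several other Stripe domains" the poster mentioned.
HOSTS = ["js.stripe.com", "api.stripe.com", "checkout.stripe.com"]

# Constructed lookup results (RFC 5737 / RFC 3849 documentation ranges),
# standing in for three real DNS rounds against a rotating CDN.
SAMPLE_ROUNDS = [
    {"js.stripe.com": {"203.0.113.10", "203.0.113.11"},
     "api.stripe.com": {"198.51.100.5"}},
    {"js.stripe.com": {"203.0.113.11", "203.0.113.12"},
     "api.stripe.com": {"198.51.100.5"}},
    {"js.stripe.com": {"203.0.113.10"},
     "api.stripe.com": {"198.51.100.6"},
     "checkout.stripe.com": {"2001:db8::1"}},
]


def _sort_key(addr):
    # IPv4Address and IPv6Address do not compare with each other; sort v4 first.
    return (addr.version, int(addr))


def resolve_once(hosts):
    """One live DNS round: {host: {ip, ...}}. Needs network access."""
    result = {}
    for host in hosts:
        try:
            infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            infos = []
        result[host] = {info[4][0] for info in infos}
    return result


def merge_rounds(rounds):
    """Union of all addresses per host across rounds, as sorted ip_address objects.

    A CDN hands out different answers per query, so what must be allowed is the
    union over many queries, not any single lookup.
    """
    seen = defaultdict(set)
    for rnd in rounds:
        for host, ips in rnd.items():
            seen[host].update(ipaddress.ip_address(ip) for ip in ips)
    return {host: sorted(ips, key=_sort_key) for host, ips in seen.items()}


def churn_report(rounds):
    """Per round, how many addresses were new relative to all earlier rounds.

    A tail of zeros means the set has converged; a tail that keeps adding
    addresses means a static alias built from it will go stale.
    """
    seen, added = set(), []
    for rnd in rounds:
        fresh = {ip for ips in rnd.values() for ip in ips} - seen
        added.append(len(fresh))
        seen |= fresh
    return added


def alias_lines(merged):
    """Every distinct address, one per line (assumed pfSense alias import format)."""
    everything = {addr for addrs in merged.values() for addr in addrs}
    return [str(addr) for addr in sorted(everything, key=_sort_key)]


if __name__ == "__main__":
    if "--live" in sys.argv:
        # e.g. 20 rounds, 30 s apart, to sample the CDN's rotation.
        rounds = []
        for _ in range(20):
            rounds.append(resolve_once(HOSTS))
            time.sleep(30)
    else:
        rounds = SAMPLE_ROUNDS
    merged = merge_rounds(rounds)
    print("new addresses per round:", churn_report(rounds))
    print("\n".join(alias_lines(merged)))
```

Run it with `--live` from a machine on the site network, not from the office, since the reply below notes the office never seems to receive a CDN address; resolver answers depend on where the query comes from.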
@gertjan thanks for the pointer. I have looked at that page a few times and agree that it does not seem like a solution.
I am now wondering if adding a DNS entry for js.stripe.com pointing to one IP that I know works, and then whitelisting that one IP, might work. That way I would miss out on the CDN / load balancing, but I might get a more consistent result.
-
@qctech said in Stripe payment urls / IPs for whitelist:
I am now wondering if adding a DNS entry for js.stripe.com to one IP that I know works and then whitelist that one IP might work.
Why wonder?
It will take less time to implement this (add the IP to the whitelist) than to write your "I wonder" ;)
Did it work?
-
@gertjan Ah, because when I test in my office it works fine (it never seems to get a CDN address), so I need to test it on site, and that is a little bit more complicated and requires permission before I do it.
I will of course report back as soon as I have tried.