Stripe Integration without needing server communication to stripe.com (firewall)

  • Resolved maltfield

    (@maltfield)


    2 years, 5 months ago

    Are there any plugins for WooCommerce to integrate with Stripe that do not require the web server to be able to initiate connections (eg to api.stripe.com)?

    For security reasons, my server’s firewall blocks my web server (apache) from initiating outgoing connections. This is further reinforced by the following line in wp-config.php

    > define( ‘WP_HTTP_BLOCK_EXTERNAL’, true );

    As such, the above makes wordpress deny plugins’ calls to wp_remote_get() fail (via block_request() returning true). For example, wordpress will not allow WooCommerce to call-home to woocommerce.com. And wordpress will not allow “WooCommerce Stripe Payment Gateway” to call-home to api.stripe.com. Even if that failed, the firewall would drop it (and it would timeout). Most importantly, this means that Mallory will not be able to call-home to evil-c2.xyz if there’s a 0day in wordpress or one of my themes/plugins.

    WooCommerce works fine with this setting, as it’s not actually necessary for my web server to initiate connections to woocommerce.com

    I also accept payments in cryptocurrencies on my WooCommerce site, and that also works fine with these settings – as it sends the *user’s* browser to the payment processor’s website — rather than trying to have my server initiate the connection.

    Note that my web server of course allows incoming connections, so web hooks from stripe to my server should work fine. I just block *outgoing* connections, for security reasons.

    After installing and configuring the “WooCommerce Stripe Payment Gateway” plugin, I get this error on checkout

    > There was a problem connecting to the Stripe API endpoint.

    The error occurs after my server’s PHP tries (and fails) to reach the following locations:

    1. https://api.stripe.com/v1/sources/-src_<id-redacted&gt;
    2. https://api.stripe.com/v1/customers

    In both cases, wordpress blocked the call by returning true in block_request()

    So it appears that, maybe, the “WooCommerce Stripe Payment Gateway” is poorly designed such that the web server must communicate to api.stripe.com, rather than just having the user finish their checkout at stripe.com.

    * https://www.ads-software.com/support/topic/is-server-api-stripe-com-really-necessary-firewall/

    I would expect there to be a WooCommrce plugin for Stripe integration where communication with stripe.com be initiated by the client’s web browser, not my web server.

    My question is: are there any plugins for WooCommerce that integrate with Stripe that work when the server’s firewall blocks outgoing requests – where:

    1. The communication happens between the customer and Stripe via the customer’s web browser and

    2. The communication happens between Stripe and my web server via Stripe communication to my server via web hooks?

Viewing 2 replies - 1 through 2 (of 2 total)

  • Hi there!

    As for our Stripe plugin, there are currently no plans to rewrite it so as to route around the web server talking to Stripe’s API. This is just how the plugin is designed to work.

    Preventing your server from making outgoing connections may be beneficial from a security perspective, but it’s also a highly unusual configuration which seems unlikely to work very well with a large number of common plugins.

    Having said that, I know this plugin can use Stripe Checkout (Stripe’s hosted checkout form):

    https://www.ads-software.com/plugins/stripe/

    … so it may be possible to use that without your site actually having to talk to Stripe. That said, we don’t make that plugin ourselves or support it, and I’ve never used it myself, so I very well could be wrong.

    Sorry I can’t be of more help here! ??

    Thread Starter maltfield

    (@maltfield)

    Thanks Adam for your response ??

    I also asked about this in two other plugins related to WooCommerce + Stripe payments, but they also required the server to be able to reach api.stripe.com

    * https://www.ads-software.com/support/topic/is-server-api-stripe-com-really-necessary-firewall/
    * https://www.ads-software.com/support/topic/is-server-api-stripe-com-necessary-firewall/

    > Having said that, I know this plugin can use Stripe Checkout (Stripe’s hosted checkout form):
    >
    > https://www.ads-software.com/plugins/stripe/

    Indeed, it appears that “Stripe Checkout” is what Stripe calls “client-only” payments integration, which is exactly what I’m looking for.

    * https://stripe.com/docs/payments/checkout

    Unfortunately, I’m not sure if/how the above wordpress stripe checkout plugin would integrate with my WooCommerce store. I see no mentions about how to do that.

    But I came across this thread in-which @markmrk asked a similar question about integrating Stripe with woocommerce such that the customers could pay “via Stripe servers through Stripe checkout”

    * https://www.ads-software.com/support/topic/implement-stripe-checkout-with-woocommerce/

    They said they got it working using the “payment-gateway-stripe-and-woocommerce-integration” plugin.

    * https://www.ads-software.com/plugins/payment-gateway-stripe-and-woocommerce-integration/

    I tried it out, but it triggers the following error when you select “Stripe checkout” and click “Place order” during checkout

    > There has been a critical error on this website.

    The corresponding error logs come from CurlClient.php

    > PHP Fatal error: Uncaught Error: Call to undefined function curl_version()

    Of course, I don’t allow my web server’s PHP to run curl, so that’s expected. So I guess either the plugin is poorly written or also doesn’t support client-only mode.

    I’m still in-search of a way to have my customers checkout from my WooCommerce shop and pay via Stripe Checkout (client-only) without having to poke holes in my web server’s firewall.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Stripe Integration without needing server communication to stripe.com (firewall)’ is closed to new replies.

Tags