I have a problem I can't get my head around. On some pages of our website we use SignalR. Recently some clients, notably our clients that use our website from behind a corporate proxy/firewall, have issues with the SignalR pages. They cannot load the /signalr/hubs script, a HTTP status code 406 is returned.
For example, when one of our clients requests the page from a cloud environment, this is the result:
If I request the same page, it loads fine:
I can't explain why it would give a 406 status code, accept: */* and accept-language should do the trick. The only notable difference I see is the disabled caching in the 2nd image.
The necessary scripts are in the proper order:
<script src='//ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js' type='text/javascript'></script>
<script type="text/javascript" src="/Collectief/Scripts/jquery.signalR-2.2.0.min.js"></script>
<script type="text/javascript" src="/Collectief/signalr/hub"></script>
Has anybody encountered this issue? Would it help to disable the auto-generated hub script and generate a physical file as described here?
It appeared that the call to /Collectief/signalr/hub never reached our server, and was blocked by the corporate firewall of our client. They had a barracuda firewall. It seems that some firewall manufacturers (maybe more than just barracuda) have updated their filters and are now blocking SignalR functionality.
We replaced the autogenerated /signalr/hub with a physical file to circumvent the issue, but then the negotiate call would fail with another 406 status code.
We now tell our clients to change the firewall settings: whitelist our site or allow all SignalR calls.
Related
I am building a reverse proxy with NGINX that controls the access to a three docker containers which contain a little App I've developed. This proxy can only be accessed by an apy-key authorized by Kong with the key-auth plugin. The scheme is something like this:
If the clients don't have the api-key the request is denied. It seems to be working, but I have a problem with the static css files. From the browser I can access the application, but the CSS and JS does not load because they don't send the api-key in the request. For this reason I get a 401 HTTP unauthorized response when the browser tries to load the styles:
GET http://localhost:8000/myapp/r2/docs/stylesheets/library.css[HTTP/1.1 401 Unauthorized 1ms]
message "No API key found in request"
So my app is loading in the browser without styles. These are my style headers in the app:
<link href="myapp/r2/docs/stylesheets/library.css" rel="stylesheet" type="text/css">
How can I send my api-key to load the styles and js too?
I am working on an API in .NET core 2.
Everything works great when testing on https://localhost:44333, but when trying on http://localhost:44333 it does not work anymore. It just loads, and loads, and loads.... Nothing to see in the logs or anything like that.
The thing is, I need to get it working on HTTP because I want to try it on my phone in the app. So I use iisexpress-proxy to proxy it. This works when I can access the API on HTTP, but it doesn't work with HTTPS.
So therefor I need it to work with HTTP, but I have no idea why it does not work on HTTP. All my previous projects worked fine on HTTP and for some reason this one does not. I have looked in my startup if it might be forced or something like that, but I cannot find any...
You probably need more information than this, but I don't know what you need, so If you ask in the comments I will provide some more information/logs/code you name it.
The http version will be served on a different port. You'll need to look at your project properties to see which port it's being served on.
Just as some background:
There's effectively a client-side and server-side component to SSL. The http or https is the client-side component. That means the browser or other web client will either try to negotiate a secure socket or not, respectively. The server-side component is the port binding, which will either be a secure socket or not.
The forever-loading is because your client is trying to make a non-secure request, but the server's socket is attempting to negotiate SSL. It's like one person speaking Chinese and the other speaking Spanish. They're both communicating, but nothing gets accomplished.
I am working on Angular 1 / ASP.net tech stack based web application.
For some reason, I can not deploy api server on my local env, using Production server. And I launched UI side with nginx in local env.
Login page is:
http://localhost:8080/login.html
And when click login button, it calls API from production server.
http://devprod2.com/api/oauth/login
But I am getting error:
Response for preflight has invalid HTTP status code 400
I opened Cross domain option in browser, with chrome CORS extension.
But it seems this error is related with some CORS problem.
Would you like to help me to fix this problem?
A preflight request occurs when you use certain methods, e.g. POST
It is a request that automatically happens before the cross domain POST happens.
It is checking to see that the correct CORS headers are in place on the server before making the POST request.
It seems like your preflight OPTIONS request is giving an invalid response. On your server, make sure you return 200 for all OPTIONS requests and make sure the CORS headers are in place on the server for all requests.
I believe Angular 1 also has options for a POST request that will prevent preflight requests from being made but you would have to investigate this further yourself.
Alternatively, depending on your setup, it maybe possible to rewrite the request to avoid CORS which is only enforced by browsers.
I have a cookie which is sent from the client which is used as part of my MVC web service, however now that I have integrated a hub into this application the hub doesnt get sent the cookie, whereas the mvc app does.
Now after reading other similar questions (not that there are many) the cookies domain seems to be to blame, or the path is not set.
Currently my system has 2 web apps, the ui and service. In my dev environment it is like so:
Service
http://localhost:23456/<some route>
UI
http://localhost:34567/<some route>
So in the above example, the ui will send a query to the service, getting an authorisation cookie on the response, which is used elsewhere.
In this example the cookie domain from the service is localhost, as from what I have read and seen on other questions there is no need for a port, it will automatically just allow all ports.
Are HTTP cookies port specific?
SignalR connection request does not send cookies
So it would appear to me that the cookie above has correct domain, and the path is set to /, so it should work. However it doesn't send them in the request from javascript.
My request is a CORS request so I am not sure if there are any quirks around that but all normal jquery ajax calls make it to the server fine with the cookies, any ideas?
OH also my cookies are httponly as well, not sure if this makes a difference...
== Edit ==
Have tried to rule out some stuff, have turned off httponly and it still refuses to send the cookies to the server, I have also noticed a few outstanding cookie issues which mention adding the following code in somewhere to make ajax behave a certain way:
$.ajax({
xhrFields: {withCredentials: true}
})
Tried using that and still no luck, so I am out of ideas.
I raised an issue as there is an underlying issue with < version 2 beta of SignalR relating to CORS and cookies.
https://github.com/SignalR/SignalR/issues/2318
However you can manually fix this issue by appending:
xhrFields: {withCredentials: true}
to all ajax requests within the jquery.signalr-*.js, this will then send cookies over CORS, although I do not know if this has any adverse effects on older browsers or IE.
Is there a good example somewhere of an ASP script which accepts a GET request for a URL, and returns the contents of that URL, passing along any headers sent in the request?
I'm working on a Silverlight app and am trying to work around some cross-domain web service issues, so I'd like to just proxy the requests through my own domain. Searching for "asp proxy" gets me lots of irrelevant results.
The code in this Reverse Proxy on CodeProject should do the trick: http://www.codeproject.com/KB/web-security/HTTPReverseProxy.aspx.