Cloud foundry / XSA how to make http only service - http

We are working on SAP XS Advanced, which is based on Cloud Foundry, and we got into a funny situation: we need an app to be HTTP only (I know it's not secure... but our situation requires it to be HTTP).
Does anyone know how to disable default deployment to HTTPS?

You can have your application check if the connection came in over HTTP or HTTPS and if it's the latter, you can redirect the user to HTTP. Normally, you'd do the opposite, but it should work this way too.
On Cloud Foundry, you can check if the connection is HTTP or HTTPS by examining the X-Forwarded-Proto header. That will tell you either http or https. Alternatively, you could look at X-Forwarded-Port which would tell you 80 or 443.
How you do this and how you issue the redirect depends entirely on the application, language and frameworks you're using. Some may handle this automatically, some may require manual configuration or code changes.
Hope that helps!

Related

Forced to use wss:// when behind proxy from https to http

I have set up an nginx proxy to pass an https URL to an internal http neo4j web interface. I can reach the neo4j login page without any issue, but I am forced to use the neo4j+s/bolt+s interface.
Just wondering how I can configure nginx to remove any SSL-related info via the proxy_pass module, in order to log in to neo4j with ws, not wss?
Thanks,
Chance
I managed to get rid of wss by adding another nginx proxy that sets the https URL as the upstream server in location.proxy_pass. It won't show wss/neo4j+s/bolt+s any more once you visit the web interface by the http URL. Hopefully it will help anyone who has a similar issue to mine.

Trying to setup nginx as a reverse proxy for facebook, but getting facebook error

My father's job requires him to use a VPN to access anything work related (emails, websites, etc.) outside his office, and the VPN blocks Facebook. Currently, whenever he wants to use Facebook, he has to log off the VPN first. He asked me if I could set up something to try and get around that, so I am attempting to set up NGINX on Debian 9 to act as a reverse proxy; however, I have very little experience with NGINX. I have found that if I include proxy_set_header Host $host; then I can get to Facebook but see
"Sorry, something went wrong.
We're working on getting this fixed as soon as we can."
But if I don't include it, the VPN still blocks Facebook.
Any advice?
nginx config
You're not going to be able to reverse proxy Facebook, for a few reasons:
facebook.com isn't going to load from an alternative hostname, such as kyles-facebook-proxy-clone.com. The browser sends a request header, Host. Facebook's servers won't serve for a hostname that they aren't expecting.
Undoubtedly there's some client-side JavaScript that will be hardcoded to other hostnames you're not proxying (for API access, CDNs for images/video, etc.) that will break, unless you rewrote the page in your code as well (which isn't reasonably possible due to obfuscation).
You can't serve traffic for facebook.com without having a properly signed certificate for HTTPS. HTTPS is required for facebook.com due to HSTS.
Even if you managed to get a certificate, it isn't going to work due to key pinning.
What can you do?
Use a proper proxy server.
Use Tor.
Ask for Facebook to be let through on the VPN.

bettercap http https proxy no CA

I am currently working on a proxy. The software I use is 'Bettercap'. Personally, I like squid more, because it's able to handle caching, and that makes things way faster.
The goal is to let https traffic pass through the proxy with no change, but inject a little js snippet in http content.
It should not be that complicated, so SSL strip and HSTS bypass are not must-haves. Am I able to let the cache never expire, so that even when the proxy is turned off the script works?
How do I split the traffic up, so that no CA must be installed?
Alternatively, I could build a landing page to require the user to install the CA...
Thanks for your help!

Atlassian Crucible through AWS ELB with HTTPS

I've recently set up a Crucible instance in AWS connected via an HTTPS ELB. I have an nginx reverse proxy set up on the instance as well to redirect HTTP requests to HTTPS.
This partially works. However, Crucible itself doesn't know it's running over HTTPS, so it serves up mixed content, and AJAX queries often break due to HTTP -> HTTPS conflicts.
I've found documentation for installing a certificate in Crucible directly...
https://confluence.atlassian.com/fisheye/fisheye-ssl-configuration-298976938.html
However I'd really rather not have to do it this way. I want to have the HTTPS terminated at the ELB, to make it easier to manage centrally through AWS.
I've also found documentation for using Crucible through a reverse proxy...
https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html
However this doesn't specifically deal with HTTPS.
All I really need is a way to ensure that Crucible doesn't serve up content with hard coded internal HTTP references. It needs to either leave off the protocol, or set HTTPS for the links.
Setting up the reverse proxy configuration should help accomplish this. Under Administration >> Global Settings >> Server >> Web Server set the following:
Proxy scheme: https
Proxy host: elb.hostname.com
Proxy port: 443
And restart Crucible.
Making the configuration in the UI is one way. You can also change config.xml in $FISHEYE_HOME:
<web-server site-url="https://your-public-crucible-url">
<http bind=":8060" proxy-host="your-public-crucible-url" proxy-port="443" proxy-scheme="https"/>
</web-server>
Make sure to shut down FishEye/Crucible before making this change.
AFAIK, this configuration is the only way to tell the internal Jetty of FishEye/Crucible to be aware of the reverse proxy in front of it.

Nginx - Allow requests from IP range with no header set

I'm trying to use nginx behind a Compute Engine http load balancer. I would like to allow Health Check requests to come through a port unauthorized and all other requests to be authorized with basic auth.
The Health Check requests come from IP block 130.211.0.0/22. If I see requests coming from this IP block with no X-Forwarded-For header, then it is a health check from the load balancer.
I'm confused on how to set this up with nginx.
Have you tried using Nginx header modules? Googling around I found these:
HttpHeadersMoreModule
Headers
There's also a similar question here.
Alternatively: in the past I worked with some software (RT) which had anticipated this possibility in the software itself, providing a subdirectory for unauthorized access (/noauth/). Maybe your software has the same, and you could configure the GCE health check to point to something like /noauth/mycheck.html.
Please remember that headers can be easily forged, so an attacker who knows your vulnerability could access your server without auth.