I have an issue with prerender.io Service and the node js middleware. My Server uses the https protocol. When I https://myserverurl/test?_escaped_fragment_=
than I get HTTP 504
Related
I'm testing TMS WEB Core 2 and DMVC 3.2.2 (latest) on Delphi 11.2 by me test machine locally.
I've created a simple DMVC server with all default's setup through the wizard nothing fancy except added the CORS option.
I've created a TMS Web core project with all default's setup as well with a WebHttpRequest and WebMemo components.
I ran the DMVC server and can get the result beautify on the browser.
I ran the TMS Web core project to send a request to the server using
WebHttpRequest which is like this:
WebHttpRequest1.URL := 'http://localhost:8080/api/test';
WebHttpRequest1.Execute(
procedure(AResponse: string; AReq: TJSXMLHttpRequest)
begin
WebMemo1.Lines.Add(AResponse);
end
);
However I got this error:
ERROR
HTTP request error #http://localhost:8080/api/test | fMessage::HTTP request error #http://localhost:8080/api/test fHelpContext::0
at http://localhost:8000/Project1/Project1.js [263:50]
and the browser developer console shows:
Access to XMLHttpRequest at 'localhost:8080/api/test' from origin 'localhost:8000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'localhost:8080' that is not equal to the supplied origin.
I want to send a request from the client to the server and get the respond in the WebMemo..
I've checked online to find that it's a backend-end problem, and some say its related to CORS, So How can I enable the CORS on server side using DMVC?
Your configuration prevents the client from connecting.
Both the server name and the port must match the CORS rule. To fix this, change the CORS header to a matching value.
This could be
Access-Control-Allow-Origin: http://localhost
or
Access-Control-Allow-Origin: http://localhost:8000
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
I have a scenario when server needs to do authorization request before an actual request. so, one request are served by 2 different services.
Nginx's location has to be handled by Auth-Service, and if the response status is 200 OK, then the request should be forwarded to the Feature-Service. Otherwise, if the response status 401 then this status should be replied to front-end.
upstream auth_service {
server localhost:8180;
}
upstream feature_service {
server localhost:8080;
}
location /authAndDo {
# suggest here
}
Code snippet in nginscript will be also OK.
Specifically for this purpose, http://nginx.org/r/auth_request exists through http://nginx.org/docs/http/ngx_http_auth_request_module.html (not built by default).
It lets you put authentication, through a subrequest, into any location you want, effectively separating the authentication from the actual resource.
In general, such not possible from web server. 401 is a response at front end plus gives HTTP WWW-Authenticate response header. Develop web application according to need or edit 401 file. HTTP 401 has RFC specification. Users, browsers should understand the message. Nginx doc described how 401 will be handled.
Nginx community edition's auth_request will only process if the subrequest returns HTTP 200, else for 401 will not redirect more than to 401 by default, other headers will not be process the response to protect the application & the users. Nginx community edition not even support all features of HTTP/2. It can go worser.
Apache2 web server has full HTTP/2 support and custom 401 location in auth module and works only on few browsers. Few browsers allow Apache2 to do that perfectly. Others show fail to load page. On Stack Exchange networks's various subdomains peoples asked before for Apache2 to make it working for all the browsers.
Hardly you can redirect on Nginx :
error_page 401 /401.html;
location ~ (401.html)$ {
alias /usr/share/nginx/html/$1;
}
Another way may be using reverse proxy with another server like peoples talking here on Github. I can not give warranty of failure of loading page.
I adapted the following OAauth2 Spring Cloud samples:
Authserver / SSO
The only change I made, was using JPA on the Authserver side to check the credentials from a database. Everything works well, except deploying it behind an nginx proxy. As used in the sample apps above, Spring Boot and embedded Tomcat is used. I also properly configured proxy headers:
server.tomcat.protocol-header=X-Forwarded-Proto
server.tomcat.remote-ip-header=X-Real-IP
Proxying HTTP is working:
accessTokenUri: http://uaa.sample.com/oauth/token
userAuthorizationUri: http://uaa.sample.com/oauth/authorize
So far so good, but I need to use SSL (obviously):
accessTokenUri: https://uaa.sample.com/oauth/token
userAuthorizationUri: https://uaa.sample.com/oauth/authorize
If I switch to SSL, I get a 401 from my client application after the auth server is redirecting back from authorize. I captured the HTTP traffic and everything seems to work:
GET request to client application
Client app redirects to /login
/login redirects to https://uaa.sample.com/oauth/authorize?client_id=reprisk&redirect_uri=http://test.sample.com/login&response_type=code&state=9prwi2
Auth server redirects to https://uaa.sample.com/login
After login, authorize is called again and the server finally redirects to http://test.sample.com/login?code=212eRK&state=9prwi2
The HTTP traffic for HTTP and HTTPS is exactly the same, except that for HTTP a proper referer is set for the last request (AFAIK, the referer isn't checked during OAuth authentication, right?):
HTTP:
GET /login?code=212eRK&state=9prwi2 HTTP/1.1
Host: test.sample.com
...
Referer: http://uaa.sample.com/login
Cookie: JSESSIONID=401EB8D1D1F4297160D518EC253A0CB5; XSRF-TOKEN=95a00a0d-3362-4e9b-b7eb-45addf2d10b4
...
---
HTTP/1.1 302 Found
HTTPS:
GET /login?code=212eRK&state=9prwi2 HTTP/1.1
Host: test.sample.com
...
Cookie: JSESSIONID=401EB8D1D1F4297160D518EC253A0CB5; XSRF-TOKEN=95a00a0d-3362-4e9b-b7eb-45addf2d10b4
...
---
HTTP/1.1 401 Unauthorized
Corresponding log message from client application:
Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Could not obtain access token.
Any ideas why using a proxy and SSL isn't working? I'm happy to share more code and/or log output!
Thanks!!!
It looks to be failing where the SSO app tries to swap the auth code for a token.
All the steps prior to this were browser redirects, this is code on the SSO server trying to call the auth server.
What are you using for SSL certificates on the auth server? Are they signed by a trusted party with a CA in the Java trust store?
If not, that is probably why it's failing as the BadCredentialsException is the end result of the underlying HTTP request failing.
The other option is that there is no route directly from the SSO server to the Auth server address.
I believe it's ultimately the Apache Commons HttpClient code that will be handling the request, so you should try upping the debug for those classes (org.apache.http) and see what it reported.
It may be a little late but I ran into the exact same thing.
My Setup is a NGINX doing SSL proxying through to a running Spring Boot Application using Spring oAuth2.
To solve this in nginx config
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
And this in your spring application.yml
server.tomcat.remote_ip_header: X-Forwarded-For
server.tomcat.protocol_header: X-Forwarded-Proto
security.require_ssl: true
Source:
http://docs.spring.io/spring-boot/docs/current/reference/html/howto-security.html#howto-enable-https
And now Spring detects the right URL and also request.getRequestURL returns the right URL now including https://
#Controller
public class HomeController {
#RequestMapping("/")
#ResponseBody
public String rootLandingPage(HttpServletRequest request) throws Exception {
return "url: " + request.getRequestURL();
}
}
It may be worth taking a closer look at why the BadCredentialsException is bubbling up, and by this I mean stepping through the Spring Security OAuth2 code with your debugger.
The reason why I say this is because in my experience the BadCredentialsException may be due to an underlying InvalidRequestException with the following being the offending line:
throw new InvalidRequestException(
"Possible CSRF detected - state parameter was required but no state could be found");
I have raised a separate question related to the above here:
Why is AccessTokenRequest's PreservedState perpetually null with a resultant CSRF related InvalidRequestException?
So, in terms of your situation, with the newly introduced nginx proxy, I'm just wondering whether you might not be seeing a misleading exception. That is, misleading to the untrained in terms of oauth2 and spring security oauth 2 with CSRF as an additional complexity to deal with.
I want to route SOAP messages to different servers depending on the message content.
I tried the Application Request Routing (ARR), but it seems, that you can only route by server variables and the HTTP header.
I found this tutorial:
Developing a Custom Rewrite Provider for URL Rewrite Module
My Question is, can I route depending on the HTTP body with a custom ReplaceProvider (IRewriteProvider, IProviderDescriptor)?
This is not possible!
Application Request Routing (ARR) can only access information from the http header.
I'm setting up an app with some REST webservices, that respond with 200 or 201 according to the result of the request.
On the other hand, i'm developing a javascript web application that has to use this webservices, so i'm dealing with CORS in the server-side with nginx adding the proper headers to the response.
The problem as i can tell, is that when the service responds with 201, cors headers don't reach the client. The first thought was that it was a problem/restriction on browsers, but then i realized that nginx was not adding the cors headers in any response with 201 status code.
The nginx config i'm using is available at https://github.com/UPCnet/maxserver/blob/master/production/nginx.conf
Any clue? Please ask if you need any other information/details
Thanks!
nginx directive add_headers only work for a short list of status code, in which 201 it's not in..
Adding the headers_module and using it instead, allows to add custom headers to responses with 201 status