How do I configure squid proxy and greasyspoon ICAP server to access the user_id - squid

We are using squid proxy along with the GreasySpoon ICAP server to modify responses for development purposes. We have a need to allow different developers to have different modifications to the responses because they are working on things relevant to different modifications. Initially, when we installed this setup inside our LAN, we were able to accommodate this by using the user_id script parameter inside the GreasySpoon response scripts. This parameter is populated with the local IP of the developer, and so we could base things upon the different IPs.
When we moved the setup to the cloud, everyone had our shared WAN IP for the user_id parameter, and so our scheme broke.
The comments in the default GreasySpoon script indicate that the user_id can be a user login:
// user_id : (String)user id (login or user ip address)
I configured authentication with the squid server, but the user_id is still set to our shared WAN IP. Is it possible to populate this script parameter in GreasySpoon with a proxy user's username using squid?

The GreasySpoon (1.0.10) configuration file service.properties contains a setting: SpoonScript.icapuserheader=x-authenticated-user. This is the header that GreasySpoon inspects to find the user_id. If this value is not found, then GreasySpoon falls back to the IP address. So you must configure squid to send the authenticated user's username in the same header as is configured in the properties file.
// in squid.conf:
icap_client_username_header x-authenticated-user
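As an added example (not from the answer above or from the GreasySpoon project), a minimal squid.conf that ties the pieces together: proxy authentication, the ICAP service, and the username header that must match service.properties. The auth helper and password-file paths and the GreasySpoon ICAP address/service path (127.0.0.1:1344/response) are placeholders.

```conf
# Added example (not the answer's or GreasySpoon's own configuration):
# Squid authenticates the developer, then forwards the authenticated
# username to GreasySpoon in the header named by SpoonScript.icapuserheader,
# so the script's user_id becomes the login instead of the shared WAN IP.
#
# Placeholders: the auth helper and password file paths, and the
# GreasySpoon ICAP address/service path (127.0.0.1:1344/response).

# --- proxy authentication: require a login before anything is forwarded ---
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Dev proxy
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# --- ICAP: send responses through GreasySpoon ---
icap_enable on
icap_service gs_resp respmod_precache bypass=0 icap://127.0.0.1:1344/response
adaptation_access gs_resp allow all

# Header carrying the authenticated username. Must match
# SpoonScript.icapuserheader=x-authenticated-user in service.properties;
# GreasySpoon falls back to the client IP only when this header is absent.
icap_client_username_header x-authenticated-user
# Send the username as-is rather than base64-encoded.
icap_client_username_encode off
# Still pass the client IP so the existing IP-based fallback keeps working.
icap_send_client_ip on
```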

Related

How to host HTTPS API on LAN

I'm planning an API that will be used by a client on their internal office networks in multiple separate locations. Each location will have a separate instance installed.
They want it to be secure and running on HTTPS.
What I can't seem to understand is how an HTTPS certificate can work when there is no externally facing fully qualified name, e.g. MyApiServer.mycompany.com.
Instead they will likely just be running it on a server/computer with just a hostname, i.e. MyApiServer.
The data being transferred is not necessarily sensitive but it places records in a sales system.
If HTTPS is not possible in this scenario, what's an alternative method to secure the communication?
The server name does not have to be "fully-qualified". For securing the call it will be enough to have the domain specified in the URL equal to the domain name specified in the certificate.
So your clients would call https://MyApiServer/endpoint in your LAN which should cause your service to provide server certificate where the subject would be MyApiServer.

Access Multiple Web Sites Hosted on single server on local network from workstations

I am trying to set up a secondary web site hosted on our local domain controller running IIS-8.
I already have one site working successfully throughout our network, the default site.
I have successfully got the second one to work on the localhost (the domain controller Server 2012-R2), but I can't seem to access it from any of the other workstations on our network.
I added the new site.
Set the binding to IP address:192.168.1.1, Port:80, Host Name:dyo.mysite.com
I have modified C:\Windows\system32\drivers\etc\hosts to show 192.168.1.1 dyo.mysite.com, and I have added an alias to the forward lookup zone in the DNS Manager. (Name: byo.mysite.com, FQDN: byo.mysite.com.mydc.com, Target Host: 192.168.1.1)
I can't seem to access the site from any of the network work stations. I have tried many combinations of addresses, http://byo.mysite.com, 192.168.1.1/byo.mysite.com, \mydc\byo.mysite.com, etc.
I would imagine that I am probably missing something simple. I just don't know what it is.
Any insight would be greatly appreciated.
To get your server accessed from other workstations, you have to make sure:
Your IIS site can be accessed via IP address directly.
The client workstation is using your DNS.
Your client workstation is not bypassing your DNS server via a .pac proxy.
So, could you access the website via IP address by disabling the default website and setting the site to an unassigned IP or 192.168.1.1 with a null domain name?
If you want to access the website via byo.mysite.com, then you shouldn't set an FQDN like byo.mysite.com.mydc.com, because the web browser will never consider byo.mysite.com as an alias but as a different server. That's why when you set an FQDN like byo.myDC.com, you can get it to work by accessing http://dyo and you can also access the website via byo.mysite.com.mydc.com, but it fails with byo.mysite.com.
How to set DNS correctly
To get it to work, please create a new primary Forward Lookup Zone named mysite.com. Then create a new HOST (A) record to map your machine name, like dc.mysite.com, to 192.168.1.1. Then create an Alias (CNAME) called www mapping to this A record. Then the FQDN will be www.mysite.com.
Finally, bind your IIS site, and accessing the website should work.
PS: Please make sure your other workstation is not using a proxy.

Host Name is sometimes empty

In one of my applications (ASP.NET/VB.NET), I need to read the Client Machine Name. Based on the Client Machine we trigger a Point of Sale payment device to accept the payment. On each of these systems we have a stand alone software installed which communicates to the bank using HTTP requests. I am using the following .NET code to read the Client Computer Name.
Imports System.Net

Dim name As String = String.Empty
' Reverse-lookup the caller's IP address to a host name
Dim hostEntry = Dns.GetHostEntry(HttpContext.Current.Request.UserHostAddress)
If hostEntry.HostName.Contains(".") Then
    ' Keep only the short (unqualified) machine name
    name = hostEntry.HostName.Substring(0, hostEntry.HostName.IndexOf("."))
Else
    name = hostEntry.HostName.Trim()
End If
In the development environment, all our systems are in a domain ("xyz.com") and we don't have any issues. In the customer location they don't have a domain name setup. My above logic works well in some of the systems in the client environment and is able to make payments but in most of the systems our logic fails and is not able to read the host name. Any help will be appreciated.
Your question doesn't have the specifics required to answer your question. There are many questions that need to be answered about both environments to give a correct answer. Since I can't ask questions, I will make some assumptions which might apply to future readers of this post and be able to help them out.
I would ask a question but my profile was forked for some unknown reason and I don't have the required reputation to ask a question. That being said I will run through the list of issues I can identify off the bat and suggest solutions for the issue and hopefully one will lead you to a solution.
So...
1) You state you need to read the client machine name. However, if your application isn't running on an internal LAN (aka an intranet) you can't read client machine names period. So this could be your first problem.
2) Combining point 1 and given that you are reading the IP Address from UserHostAddress of the client to look up a DNS host name, and when the host lookup succeeds you are taking the first part of the name up until the first ".", it should be safe to assume that this is an intranet application running on a LAN in both your development environment and at the client environment. With that assumption, and given the statement that all machines are given a domain of xyz.com, it can be assumed that DNS in your development environment is being dynamically updated, presumably through Active Directory (AD). In that case, whenever a client machine on the development network requests an IP address, presumably through AD, the DHCP server integrated with AD issues the new IP Address. When it does, and the DHCP offer is acknowledged and accepted by the client, AD updates DNS (which on a Windows network is also AD integrated) by adding a host entry with the computer name of the client machine pointing to the IP Address. Additionally a DNS pointer, depending on configuration, can be added to AD's DNS which allows an IP Address lookup to resolve to the record (which in this case would be the client's machine name). So with your development environment (presumably running on a Windows Active Directory domain) everything works. Additionally, by default the top level domain name (XYZ.COM) gets appended to the client's computer name in initial DNS requests from the client.
3) Your client is not running a domain, which leaves further questions. Are they running Windows? If they are running Windows, is it a non-AD environment, for example a workgroup? The first assumption would be they are not AD integrated, or otherwise you most likely wouldn't be having this problem, although I can think of a few rare case scenarios where they might. However, odds are the relevant questions are: what DNS server are they running and what DHCP server are they running? Your application is trying to use a client IP Address on their network and the host name lookup based on their IP is failing, so it tells me in their environment for one reason or another you can't get a host name from the IP Address of the client. Mind you, they could be on AD and configured entirely correctly and their DNS server is just overwhelmed and not responding within 2 seconds, causing the name lookup failure, but that is the rare case. With more information I could help more.
4) Assuming in 2 that they are not on AD, do you have the ability to manually code host names on the computer your application is running on? For example, let's say yourapp.exe runs on client-server-01 and clients connect to it. Then on client-server-01 you could add static DNS entries in the hosts file for each PC on the client network that you expect to connect. On the other hand, if your application is running locally on the client PCs, you could pass the machine name as a header in the web request and then read it from the Request.Headers variable on the server.
5) Again, making another assumption that the clients are web based and your application in the client environment is being hosted on the server... Is the server on a DMZ outside the client environment? If so, the client environment may likely be configured, per best practices, so that the server hosting your web app is in a DMZ and DNS requests to the box are forwarded to the client's ISP and not back into their network that has the DNS server capable of resolving an internal IP to a client machine name. If this is the case you need to send the client machine name as a variable from your client, or code local IPs to host names in the server's hosts file (assuming the internal network isn't behind NAT and exposes the real client machine's IP), or request that the DMZ'd server can access the internal DNS and configure the access accordingly.
....
The list really goes on and on but I think I highlighted the problems for 99% of the situations and provided answers to their various solutions.
You can try to take it from X-Forwarded-For header
The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
This is what X-Forwarded-For should return:
X-Forwarded-For: client, proxy1, proxy2
Here is some example code:
// Prefer the X-Forwarded-For header (set by a proxy/load balancer); fall back to REMOTE_ADDR
string ip = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
if (!string.IsNullOrEmpty(ip))
{
    // The header is a comma-separated list: client, proxy1, proxy2
    string[] ipRange = ip.Split(',');
    ip = ipRange[0];
}
else
{
    ip = Request.ServerVariables["REMOTE_ADDR"];
}
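The snippet above takes the leftmost X-Forwarded-For entry, which is whatever the client chose to send; only the entries appended by proxies you operate are verifiable. As an added example (not from the answer, written in Python since the logic is language-independent), here is the trusted-proxy walk: start from the TCP peer address, read the header right to left, and stop at the first hop that is not one of your own proxies. The TRUSTED_PROXIES list and all addresses are constructed for the example.

```python
from typing import Optional
import ipaddress

# Constructed sample: the proxies and load balancers this app sits behind.
# Only hops in this list are allowed to "vouch" for the address to their left.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.254/32")]


def _parse(addr: str):
    """Parse one hop; return None for anything that is not an IP literal."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the nearest address that was not written by one of our own proxies.

    remote_addr is the TCP peer (REMOTE_ADDR); xff is the raw X-Forwarded-For
    value, or None when the header is absent.
    """
    peer = _parse(remote_addr)
    if peer is None or not _is_trusted(peer):
        # Direct connection (or unknown peer): the header, if any, came from the
        # client itself and must be ignored.
        return remote_addr
    hops = [h for h in (xff or "").split(",") if h.strip()]
    # Each proxy appends the address it saw, so walk right to left: the first
    # entry that is not one of our proxies is the real client as seen by the
    # nearest trusted hop. Anything to its left is unverified client input.
    for hop in reversed(hops):
        ip = _parse(hop)
        if ip is None:
            # Malformed entry: stop trusting the chain, use the peer address.
            return remote_addr
        if not _is_trusted(ip):
            return str(ip)
    # Every listed hop (or none) was our own proxy: the peer is the nearest real address.
    return remote_addr
```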
There was an issue with the firewall setup on the client machine. Due to that our .NET code was failing. After adding an exception for all the incoming requests from xyz.com, my code is working without any issues.
Thank you guys #Alexander Higgins, #halfer for the help.

TweetSharp setting proxy server

How can I specify detailed proxy settings in TweetSharp? By this I mean, in addition to the server name, details like Port, Username, Password etc.? As of now, the only parameter is
Dim X As New TwitterService(Key, Secret)
X.Proxy = "abcd"
which accepts only a string, which I assume is the server name / IP Address.
My app is behind a corporate firewall and the proxy requires authentication and uses a custom port. Any ideas?
As I was completely unable to specify the authentication details for the proxy server, I was forced to come up with my own workaround. I installed ccproxy on the server, and had it cascade the authentication to the other proxy server.
This is working well as of now.

squid external acl authentication

I set up a proxy machine (CentOS) and I'm using Squid. I have a PHP external ACL program that will handle proxy authentication.
In my external program (php cli) I have included a small logic that will remember a user's log-in. My goal is that the piece of information I collected in the external ACL can be used in my redirector external program so I can redirect the user to a page I set up (a message-of-the-day page), and after redirecting to the page I just simply reset the flag.
My problem is this: the external ACL is not always triggered by Squid during the Ident authentication process when we have the same username/password entered, unless I restart Squid. Always calling the external ACL during the proxy authentication process is important to me because I want the logic inside my external ACL to also be executed during the proxy authentication.
Is there any setting in squid.conf to be configured so that it will behave as I want?
Am I understanding properly that you're expecting every incoming HTTP request to trigger a call to your acl helper, saving the credentials in the helper instead of using squid's internal auth cache? If so, add ttl=0 to the external_acl_type argument.