We are using Apigee Cloud Edgeand want to log some additional information about our requests. The Syslog policy seems ideal, but I want to ensure that the log messages are encrypted over the wire. Is this possible using the policy.
Alternatively, I can expose a logging service in our back end and log over https: but I don't want to slow things down with a synchronous call.
Any thoughts on the best way to achieve this?
No. The syslog policy does not encrypt.
To use your own service to receive data asynchronously, you can try a service callout policy in the PostFlow - Response section of a proxy and make it asynchronous by setting async="true" attribute in the policy XML.
Some variables however (e.g. request-scoped default variables) are not available in the PostFlow. So you may need to create your own variables at appropriate point in the flow to log correctly.
Related
We have a gRPC based client and server. And we use gRPC call authentication. That is, we use the (username, password) with each gRPC call from the client to the server. We have an RPC that gets called every minute.
The problem is this:
On the server:
/etc/pam.d$ grep unlock *
login:auth required pam_tally2.so file=/var/log/tallylog deny=3 unlock_time=300
sshd:auth required pam_tally2.so file=/var/log/tallylog deny=3 unlock_time=300
If someone logs into the server manually using (username, <wrong_password>) 3 times, the user gets locked. At this point the gRPC call starts failing as UNAUTHENTICATED. After this, the gRPC calls which use the right (username, password) also gets counted by pam_tally2.so, resulting in the user never getting unlocked.
The only way out is to do:
pam_tally2 -r
This is a very simple way to create a DOS attack for the gRPC service.
Is there anyway to make pam_tally not account for valid login attempts when the user is locked.
Is there a way to still protect the gRPC service while still using call level credentials?
Thanks for your time.
I think gRPC doesn't have a built-in authentication module using pam so it's more likely a custom-made plugin. My guess is that you may need to take a look at the pam configuration about its lock; https://man7.org/linux/man-pages/man8/pam_tally2.8.html
I am writing an application using SignalR which acts as a push service of resources for clients. The service sends notifications to its clients regarding state change of resources at regular intervals. Sometimes, the resource state remains the same. In such cases I need a way to convey the same to clients without sending the same resource again. In a way, I want to implement something like ETags with SignalR. To do that I need to modify SignalR response headers (or I could use query string).
Is there a way to do this?
you are saying to pass the same state to clients (But with NOT MODIFIED kind of header) as well not to pass if it is same.
In such case you should actually not pass any message to the clients if the server hasn't anything new to give to the clients. This is how realtime applications are supposed to work.
Also instead of adding an overhead of extra HEADERS why don't you just send a simple actual signalR ping to the clients saying "Hey, nothing modified. Just chill!"
Using Rebus, is it possible to have more than one transport configured within an application?
Our business domain is image processing, due to the potentially large size of the images being processed, I would like to use an InMemory transport for communication within one service (WebApi 2) to tokenize (Guid) and persist the images to be processed into a database.
In addition, after the images are tokenized we would like to used the RabbitMQ transport to send the images for processing to the ImageProcessingService (Console App - using TopShelf), and reply back to the calling application (WebApi) once processing is complete.
I cant seem to figure out the correct way to handle the scenario where I would like to use messaging within an application (WebApi) using an InMemory transport, and also have the WebApi able to send to the ImageProcessingService via the RabbitMQ Transport.
Obviously I don't know the details of your problem, but did you consider saving the image data somewhere else (a network share, MongoDB GridFS, a SQL Server LOB, etc)?
In my experience everything turns out to be easier to handle if you use messages for coordination only, and not so much for transporting the actual bulk of the data.
PS: I did experiment with a multi-modal transport at some point, which would allow you to do something like this:
Configure.With(...)
.Transport(c => c.Multi()
.Add("amqp", t => t.UseRabbitMq(connStr, "rabbitqueue")
.Add("inmem", t => t.UseInMemoryTransport(network, "inmemqueue"))
.Start();
and then specify addresses on the form amqp://rabbitqueue and inmem://inmemqueue to address the configured endpoint via RabbitMQ and in-mem transports respectively.
It would simple wrap any number of transports which you would then need to qualify with a protocol, which could be anything you would feel would be appropriate.
This way of addressing turned out to raise a bunch of questions though, so it wasn't that simple to introduce.
I have a SoapUI Mock Service. I would like it to use WS-Security.
I configured the project WS-Security Configurations, both Outgoing and Incoming.
I use a Test Suite to send a request and it is properly processed with Timestamp, Signature and Encrypt WSS Entries. But the response from the Mock Service is a plain text fault:
Missing operation for soapAction [] and body element
[{http://www.w3.org/2001/04/xmlenc#}EncryptedData] with SOAP Version [SOAP 1.1]
From this message I guess that the mock service did not recognize encryption HTML elements. Am I right?
Is there a way to encrypt SoapUI mock service responses using WS-Security?
It is possible. The options can be found after clicking on the mock service in the bottom left part of the screen (unlike all other configuration options that are available in popups). There you can choose outgoing and incoming security configuration set from a dropdown.
It is hidden so well that I ran into the problem twice within three months, performed a research and found my own unanswered question in StackOverflow before a friend showed me the solution.
So I post the answer should anyone need that.
I am using JBoss JMX Console to monitor my Web Application.
How can i find what http requests are being processed at any point in time?
For eg: I see 25 busy theads - i want to know what http requests are these threads processing.
I am not really sure if there is an ability to map a specific request to a thread but you can certainly see what HTTP requests are made to Tomcat using AccessLogValve. You can probably use the timestamps to map those requests if need be.
Jasper;
The arduous way to do this is to examine every instance of the MBeans that have this pattern:
jboss.web:name=HttpRequest1,type=RequestProcessor,worker=http-0.0.0.0-18080
They are MBeans that represent the web request serving threads and they have an attribute called currentQueryString which is the query string of the request currently being processed. There are also attributes for currentUri and method. You could script the collection of this data as well.
An easier way, which is enabled in JBoss servers by default, is to use the available at:
http://localhost:8080/web-console/status
It handily aggregates those same MBean's and reports them in one page.
There is also options for a fuller report
http://localhost:8080/web-console/status?full=true
and an XML formatted output
http://localhost:8080/web-console/status?XML=true