We are running Spring Boot Admin console inside Istio and trying to connect to pods with actuator endpoints. When SBAC tries to connect to a pod, it gives a 502. We checked the logs and it seems that SBAC is duplicating the IP address in the request URL:
boot-admin-console 2023-01-12 19:26:54.480 DEBUG 1 --- [or-http-epoll-3] r.n.http.client.HttpClientOperations : [db6578e5-10, L:/172.30.208.27:34026 - R:172.30.198.29/172.30.198.29:8080] Received response (auto-read:false) : RESPONSE(decodeResult: success, version: HTTP/1.1)
spring-boot-admin-console HTTP/1.1 200 OK
spring-boot-admin-console x-content-type-options:
spring-boot-admin-console x-xss-protection:
spring-boot-admin-console cache-control:
spring-boot-admin-console pragma:
spring-boot-admin-console expires:
spring-boot-admin-console x-frame-options:
spring-boot-admin-console content-type:
spring-boot-admin-console date:
spring-boot-admin-console x-envoy-upstream-service-time:
spring-boot-admin-console server:
spring-boot-admin-console transfer-encoding:
spring-boot-admin-console 2023-01-12 19:26:54.480 DEBUG 1 --- [or-http-epoll-3] r.n.r.DefaultPooledConnectionProvider : [db6578e5-10, L:/172.30.208.27:34026 - R:172.30.198.29/172.30.198.29:8080] onStateChange(GET{uri=/actuator/health, connection=PooledConnection{channel=[id: 0xdb6578e5, L:/172.30.208.27:34026 - R:172.30.198.29/172.30.198.29:8080]}}, [response_received])
Any ideas?
We have the headless service for the target service to allow connectivity between SBAC and the application pod. I curled the target pod's actuator endpoint from the SBAC pod and it is accessible, but from the UI it gives a 502.
We are using Jenkins for Maven builds and JFrog Artifactory to store our artifacts.
JFrog Artifactory version - 5.0.0
Jenkins version - 2.7
The issue we are facing is that our Jenkins build often fails with the error below:
Content-Length: 70410552
2017-12-18 18:46:02,286 [ajp-nio-8019-exec-3] [WARN ] (o.a.w.s.RepoFilter :222) - Sending HTTP error code 404: Failed to read stream: null
2017-12-18 18:46:04,388 [ajp-nio-8019-exec-8] [INFO ] (o.a.e.UploadServiceImpl:516) - Deploy to 'libs-snapshot-local:com/aaaaaa/inventory-service/1.0.8-SNAPSHOT/inventory-service-1.0.8-20171218.114602-2.pom' Content-Length: 10080
2017-12-18 18:46:04,455 [ajp-nio-8019-exec-12] [INFO ] (o.a.e.UploadServiceImpl:319) - Deploy to 'libs-snapshot-local:com/aaaaaa/inventory-service/1.0.8-SNAPSHOT/inventory-service-1.0.8-20171218.114602-2.pom.sha1' Content-Length: 40
2017-12-18 18:46:04,462 [ajp-nio-8019-exec-15] [INFO ] (o.a.e.UploadServiceImpl:319) - Deploy to 'libs-snapshot-local:com/aaaaaa/inventory-service/1.0.8-SNAPSHOT/inventory-service-1.0.8-20171218.114602-2.pom.md5' Content-Length: 32
2017-12-18 18:47:39,021 [ajp-nio-8019-exec-10] [INFO ] (o.a.e.UploadServiceImpl:516) - Deploy to 'libs-snapshot-local:com/aaaaaa/inventory-service/1.0.8-SNAPSHOT/inventory-service-1.0.8-20171218.114738-3.jar' Content-Length: 70410552
2017-12-18 18:47:39,022 [ajp-nio-8019-exec-10] [WARN ] (o.a.w.s.RepoFilter :222) - Sending HTTP error code 404: Failed to read stream: null
2017-12-18 18:47:41,374 [ajp-nio-8019-exec-5] [INFO ] (o.a.e.UploadServiceImpl:516) - Deploy to 'libs-snapshot-local:com/aaaaaa/inventory-service/1.0.8-SNAPSHOT/inventory-service-1.0.8-20171218.114738-3.pom' Content-Length: 10080
2017-12-18 18:47:41,392 [ajp-nio-8019-exec-2] [INFO ] (o.a.e.UploadServiceImpl:319) - Deploy to 'libs-snapshot-local:com/aaaaaa/inventory-service/1.0.8-SNAPSHOT/inventory-service-1.0.8-20171218.114738-3.pom.sha1' Content-Length: 40
2017-12-18 18:47:41,397 [ajp-nio-8019-exec-3] [INFO ] (o.a.e.UploadServiceImpl:319) - Deploy to 'libs-snapshot-local:com/aaaaaa/inventory-service/1.0.8-SNAPSHOT/inventory-service-1.0.8-20171218.114738-3.pom.md5' Content-Length: 32
2017-12-18 18:49:07,275 [ajp-nio-8019-exec-14] [INFO ] (o.a.e.UploadServiceImpl:516) - Deploy to 'libs-snapshot-local:com/aaaaaa/bbbb/1.0.30-SNAPSHOT/bbbb-1.0.30-20171218.114907-6.jar' Content-Length: 76484245
2017-12-18 18:49:07,276 [ajp-nio-8019-exec-14] [WARN ] (o.a.w.s.RepoFilter :222) - Sending HTTP error code 404: Failed to read stream: null
2017-12-18 18:49:09,431 [ajp-nio-8019-exec-9] [INFO ] (o.a.e.UploadServiceImpl:516) - Deploy to 'libs-snapshot-local:com/aaaaaa/bbbb/1.0.30-SNAPSHOT/bbbb-1.0.30-20171218.114907-6.pom' Content-Length: 10870
2017-12-18 18:49:09,451 [ajp-nio-8019-exec-7] [INFO ] (o.a.e.UploadServiceImpl:319) - Deploy to 'libs-snapshot-local:com/aaaaaa/bbbb/1.0.30-SNAPSHOT/bbbb-1.0.30-20171218.114907-6.pom.sha1' Content-Length: 40
Any help would be much appreciated.
EDIT:
This was the first line found in artifactory.log:
2017-12-18 18:46:02,285 [ajp-nio-8019-exec-3] [INFO ] (o.a.e.UploadServiceImpl:516) - Deploy to 'libs-snapshot-local:com/halodoc/inventory-service/1.0.8-SNAPSHOT/inventory-service-1.0.8-20171218.114602-2.jar' Content-Length: 70410552
Request Log
20171218184602|1|REQUEST|X.X.X.X|non_authenticated_user|GET|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/maven-metadata.xml|HTTP/1.1|401|0
20171218184602|4|REQUEST|X.X.X.X|jenkins|GET|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/maven-metadata.xml|HTTP/1.1|200|778
20171218184602|1|REQUEST|X.X.X.X|jenkins|GET|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/maven-metadata.xml.sha1|HTTP/1.1|200|40
20171218184602|3|REQUEST|X.X.X.X|jenkins|PUT|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/service-1.0.8-20171218.114602-2.jar|HTTP/1.1|404|70410552
20171218184604|64|REQUEST|X.X.X.X|jenkins|PUT|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/service-1.0.8-20171218.114602-2.pom|HTTP/1.1|201|10080
20171218184604|4|REQUEST|X.X.X.X|jenkins|PUT|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/service-1.0.8-20171218.114602-2.pom.sha1|HTTP/1.1|201|40
20171218184604|2|REQUEST|X.X.X.X|jenkins|PUT|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/service-1.0.8-20171218.114602-2.pom.md5|HTTP/1.1|201|32
20171218184738|0|REQUEST|X.X.X.X|non_authenticated_user|GET|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/maven-metadata.xml|HTTP/1.1|401|0
20171218184738|3|REQUEST|X.X.X.X|jenkins|GET|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/maven-metadata.xml|HTTP/1.1|200|778
20171218184739|2|REQUEST|X.X.X.X|jenkins|GET|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/maven-metadata.xml.sha1|HTTP/1.1|200|40
20171218184739|3|REQUEST|X.X.X.X|jenkins|PUT|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/service-1.0.8-20171218.114738-3.jar|HTTP/1.1|404|70410552
20171218184741|15|REQUEST|X.X.X.X|jenkins|PUT|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/service-1.0.8-20171218.114738-3.pom|HTTP/1.1|201|10080
20171218184741|2|REQUEST|X.X.X.X|jenkins|PUT|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/service-1.0.8-20171218.114738-3.pom.sha1|HTTP/1.1|201|40
20171218184741|2|REQUEST|X.X.X.X|jenkins|PUT|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/service-1.0.8-20171218.114738-3.pom.md5|HTTP/1.1|201|32
20171218184907|0|REQUEST|X.X.X.X|non_authenticated_user|GET|/libs-snapshot-local/com/aaaa/bbbbb/1.0.30-SNAPSHOT/maven-metadata.xml|HTTP/1.1|401|0
20171218184907|2|REQUEST|X.X.X.X|jenkins|GET|/libs-snapshot-local/com/aaaa/bbbbb/1.0.30-SNAPSHOT/maven-metadata.xml|HTTP/1.1|200|770
20171218184907|1|REQUEST|X.X.X.X|jenkins|GET|/libs-snapshot-local/com/aaaa/bbbbb/1.0.30-SNAPSHOT/maven-metadata.xml.sha1|HTTP/1.1|200|40
20171218184907|2|REQUEST|X.X.X.X|jenkins|PUT|/libs-snapshot-local/com/aaaa/bbbbb/1.0.30-SNAPSHOT/bbbbb-1.0.30-20171218.114907-6.jar|HTTP/1.1|404|76484245
20171218184909|17|REQUEST|X.X.X.X|jenkins|PUT|/libs-snapshot-local/com/aaaa/bbbbb/1.0.30-SNAPSHOT/bbbbb-1.0.30-20171218.114907-6.pom|HTTP/1.1|201|10870
20171218184909|3|REQUEST|X.X.X.X|jenkins|PUT|/libs-snapshot-local/com/aaaa/bbbbb/1.0.30-SNAPSHOT/bbbbb-1.0.30-20171218.114907-6.pom.sha1|HTTP/1.1|201|40
20171218184909|3|REQUEST|X.X.X.X|jenkins|PUT|/libs-snapshot-local/com/aaaa/bbbbb/1.0.30-SNAPSHOT/bbbbb-1.0.30-20171218.114907-6.pom.md5|HTTP/1.1|201|32
20171218184922|0|REQUEST|X.X.X.X|non_authenticated_user|GET|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/maven-metadata.xml|HTTP/1.1|401|0
20171218184922|6|REQUEST|X.X.X.X|user-name|GET|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/maven-metadata.xml|HTTP/1.1|200|778
20171218184923|1|REQUEST|X.X.X.X|user-name|GET|/libs-snapshot-local/com/aaaa/service/1.0.8-SNAPSHOT/maven-metadata.xml.sha1|HTTP/1.1|200|40
I am able to get a test running for a Spring Boot project, but I'm always getting a 404 on the @State test.
@TargetRequestFilter
public void exampleRequestFilter(HttpRequest request) {
    System.out.println(request.toString());
    request.addHeader("Authorization", JIMMY_CARTER_TOKEN);
}

@BeforeClass
public static void setupApplication() {
    SpringApplication application = new SpringApplication(App.class);
    application.setAdditionalProfiles("integration");
    application.run("--server.port=9000");
}

@TestTarget
public final HttpTarget target = new HttpTarget("http", "127.0.0.1", 9000);

@State("user id") // Method will be run before testing interactions that require "default" or "no-data" state
public void toUserId() {
    System.out.println("Test User Id");
}
What's strange is I can tell it's hitting the right endpoint by printing out the request information and the Authorization header. I put a debug statement in and verified that I can call with the same credentials and endpoint as the test. However the test is always failing with a 404. Is there something I'm missing in my setup?
"request": {
"method": "GET",
"path": "/api/user/XXXXXX"
},
"response": {
"status": 200,
"headers": {
"content-type": "application/vnd.api+json;charset=UTF-8"
},
"body": ...
},
"providerStates": [
{
"name": "user id"
}
]
}
You can see what requests are being made by enabling debug logging with the Apache HTTP Client and the pact-jvm libraries. For Apache HTTP Client, please refer to https://hc.apache.org/httpcomponents-client-ga/logging.html.
For an example of the debug logs you are looking for, this is from the example ContractTest in pact-jvm (https://github.com/DiUS/pact-jvm/blob/master/pact-jvm-provider-junit/src/test/java/au/com/dius/pact/provider/junit/ContractTest.java):
13:09:20.012 [Test worker] DEBUG au.com.dius.pact.provider.ProviderClient - Making request for provider au.com.dius.pact.provider.ProviderInfo(http, localhost, 8332, /, myAwesomeService, null, null, au.com.dius.pact.provider.junit.target.HttpTarget$$Lambda$14/771479970@1dec1536, null, null, false, null, changeit, null, true, false, true, null, [], []):
13:09:20.018 [Test worker] DEBUG au.com.dius.pact.provider.ProviderClient - method: GET
path: /data
query: [:]
headers: [:]
matchers: MatchingRules(rules=[:])
generators: Generators(categories={})
body: OptionalBody(state=MISSING, value=null)
13:09:20.475 [Test worker] INFO au.com.dius.pact.provider.junit.ContractTest - exampleRequestFilter called: GET http://localhost:8332/data HTTP/1.1
13:09:20.537 [Test worker] DEBUG org.apache.http.headers - http-outgoing-0 >> GET /data HTTP/1.1
13:09:20.538 [Test worker] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: localhost:8332
13:09:20.538 [Test worker] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection: Keep-Alive
13:09:20.551 [Test worker] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_131)
13:09:20.553 [Test worker] DEBUG org.apache.http.headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate
13:09:20.553 [Test worker] DEBUG org.apache.http.wire - http-outgoing-0 >> "GET /data HTTP/1.1[\r][\n]"
13:09:20.554 [Test worker] DEBUG org.apache.http.wire - http-outgoing-0 >> "Host: localhost:8332[\r][\n]"
13:09:20.555 [Test worker] DEBUG org.apache.http.wire - http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
13:09:20.558 [Test worker] DEBUG org.apache.http.wire - http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_131)[\r][\n]"
13:09:20.559 [Test worker] DEBUG org.apache.http.wire - http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
13:09:20.560 [Test worker] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]"
13:09:20.774 [Test worker] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 204 No Content[\r][\n]"
13:09:20.775 [Test worker] DEBUG org.apache.http.wire - http-outgoing-0 << "Date: Sat, 23 Sep 2017 03:09:20 GMT[\r][\n]"
13:09:20.775 [Test worker] DEBUG org.apache.http.wire - http-outgoing-0 << "Server: rest-client-driver(1.1.45)[\r][\n]"
13:09:20.779 [Test worker] DEBUG org.apache.http.wire - http-outgoing-0 << "[\r][\n]"
13:09:20.784 [Test worker] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 204 No Content
13:09:20.785 [Test worker] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Sat, 23 Sep 2017 03:09:20 GMT
13:09:20.785 [Test worker] DEBUG org.apache.http.headers - http-outgoing-0 << Server: rest-client-driver(1.1.45)
13:09:20.842 [Test worker] DEBUG au.com.dius.pact.provider.ProviderClient - Received response: HTTP/1.1 204 No Content
13:09:20.867 [Test worker] DEBUG au.com.dius.pact.provider.ProviderClient - Response: [statusCode:204, headers:[Date:Sat, 23 Sep 2017 03:09:20 GMT, Server:rest-client-driver(1.1.45)]]
13:09:21.724 [Test worker] DEBUG au.com.dius.pact.model.Matching$ - Found a matcher for text/plain -> Some((text/plain,au.com.dius.pact.matchers.PlainTextBodyMatcher@29c3e77b))
returns a response which
has status code 204 (OK)
has a matching body (OK)
Angular v. v4.0.2
Spring Boot v. 1.5.2.RELEASE
Keycloak v.2.4.0.Final (will upgrade later)
I read this mail conversation about the same problem: http://keycloak-user.88327.x6.nabble.com/keycloak-user-NOT-ATTEMPTED-bearer-only-error-while-trying-to-access-server-from-client-td927.html and this: http://slackspace.de/articles/authentication-with-spring-boot-angularjs-and-keycloak/
I use the following http service for making authorized requests:
@Injectable()
export class AuthHttpService extends Http {
  constructor(backend: ConnectionBackend, defaultOptions: RequestOptions, private authService: AuthService) {
    super(backend, defaultOptions);
  }

  private setToken(options: RequestOptionsArgs) {
    if (options == null || AuthService.auth == null || AuthService.auth.authz == null || AuthService.auth.authz.token == null) {
      console.log("Need a token, but no token is available, not setting bearer token.");
      return;
    }
    console.log(AuthService.auth.authz.token);
    options.headers.set('Authorization', 'Bearer ' + AuthService.auth.authz.token);
  }

  private configureRequest(f: Function, url: string | Request, options: RequestOptionsArgs, body?: any): Observable<Response> {
    let tokenPromise: Promise<string> = this.authService.getToken();
    let tokenObservable: Observable<string> = Observable.fromPromise(tokenPromise);
    let tokenUpdateObservable: Observable<any> = Observable.create((observer) => {
      if (options == null) {
        let headers = new Headers();
        options = new RequestOptions({ headers: headers });
      }
      this.setToken(options);
      observer.next();
      observer.complete();
    });
    let requestObservable: Observable<Response> = Observable.create((observer) => {
      let result;
      if (body) {
        result = f.apply(this, [url, body, options]);
      } else {
        result = f.apply(this, [url, options]);
      }
      result.subscribe((response) => {
        observer.next(response);
        observer.complete();
      }, (err) => observer.error(err));
    });
    return <Observable<Response>>Observable
      .merge(tokenObservable, tokenUpdateObservable, requestObservable, 1)
      .filter((response) => response instanceof Response);
  }
...
The token is correctly logged.
Application.properties
server.port = 8081
keycloak.realm = apprealm
keycloak.auth-server-url = http://localhost:8080/auth
keycloak.ssl-required = external
keycloak.resource = appbackend
keycloak.bearer-only = true
keycloak.credentials.secret = ...
keycloak.securityConstraints[0].securityCollections[0].name = secure
keycloak.securityConstraints[0].securityCollections[0].authRoles[0]=frontenduser
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /r/s/*
logging.level.org.keycloak=DEBUG
The user which I use in the frontend has that role.
Error in backend
2017-04-22 15:40:00.517 DEBUG 14088 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:8081/r/s/e/p/m
2017-04-22 15:40:00.540 DEBUG 14088 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Using provider 'secret' for authentication of client 'appbackend'
2017-04-22 15:40:00.543 DEBUG 14088 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret
2017-04-22 15:40:00.545 DEBUG 14088 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider jwt
2017-04-22 15:40:00.552 DEBUG 14088 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret
2017-04-22 15:40:00.553 DEBUG 14088 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider jwt
2017-04-22 15:40:00.625 DEBUG 14088 --- [nio-8081-exec-1] o.keycloak.adapters.KeycloakDeployment : resolveUrls
2017-04-22 15:40:00.631 DEBUG 14088 --- [nio-8081-exec-1] o.k.adapters.KeycloakDeploymentBuilder : Use authServerUrl: http://localhost:8080/auth, tokenUrl: http://localhost:8080/auth/realms/apprealm/protocol/openid-connect/token, relativeUrls: NEVER
2017-04-22 15:40:00.662 DEBUG 14088 --- [nio-8081-exec-1] o.k.adapters.RequestAuthenticator : NOT_ATTEMPTED: bearer only
2017-04-22 15:40:00.681 INFO 14088 --- [nio-8081-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring FrameworkServlet 'dispatcherServlet'
2017-04-22 15:40:00.681 INFO 14088 --- [nio-8081-exec-1] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization started
2017-04-22 15:40:00.723 INFO 14088 --- [nio-8081-exec-1] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization completed in 42 ms
2017-04-22 15:40:08.560 DEBUG 14088 --- [nio-8081-exec-2] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:8081/r/s/e/p/m
2017-04-22 15:40:08.560 DEBUG 14088 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator : NOT_ATTEMPTED: bearer only
Edit http
HTTP/1.1 401
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 CET
WWW-Authenticate: Bearer realm="apprealm"
Access-Control-Allow-Origin: http://localhost:4200
Vary: Origin
Access-Control-Allow-Methods: GET,POST,PUT,DELETE
Access-Control-Allow-Headers: authorization, content-type
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 1800
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Content-Length: 0
Date: Sun, 23 Apr 2017 17:04:07 GMT
Edit 2: http raw request
OPTIONS http://localhost:8081/r/p/main HTTP/1.1
Host: localhost:8081
Connection: keep-alive
Access-Control-Request-Method: PUT
Origin: http://localhost:4200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Access-Control-Request-Headers: authorization,content-type
Accept: */*
Referer: http://localhost:4200/b
Accept-Encoding: gzip, deflate, sdch
Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4
What could be the problem?
I've just had this error and it was because the Authorization header is missing the text "bearer " before the actual token.
I'm using WSO2 API Manager 2.0 and have configured it to use a proxy by adding the following configuration to the axis2.xml and synapse.xml. However, when I try to access the test API I've made, I get the errors "Proxy Authorization required" or "Server Hangup". When I tried to see the requests made over the wire, I saw that there were two requests going - A GET request (which receives the Server Hangup error) that has the Proxy Authentication header, and a CONNECT request (which receives the Proxy Authorization required error) that doesn't. Why is this happening and how can I make the header appear in every request?
axis2.xml:
<transportSender name="http" class="org.apache.synapse.transport.passthru.PassThroughHttpSender">
    <parameter name="non-blocking" locked="false">true</parameter>
    <parameter name="http.proxyHost" locked="false">10.1.0.236</parameter>
    <parameter name="http.proxyPort" locked="false">80</parameter>
</transportSender>
<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
    <parameter name="non-blocking" locked="false">true</parameter>
    <parameter name="http.proxyHost" locked="false">10.1.0.236</parameter>
    <parameter name="http.proxyPort" locked="false">80</parameter>
    <parameter name="keystore" locked="false">
        <KeyStore>
            <Location>repository/resources/security/wso2carbon.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
            <KeyPassword>wso2carbon</KeyPassword>
        </KeyStore>
    </parameter>
    <parameter name="truststore" locked="false">
        <TrustStore>
            <Location>repository/resources/security/client-truststore.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
        </TrustStore>
    </parameter>
    <parameter name="HostnameVerifier">AllowAll</parameter>
    <!--supports Strict|AllowAll|DefaultAndLocalhost or the default if none specified -->
</transportSender>
synapse.xml:
<definitions xmlns="http://ws.apache.org/ns/synapse">
    <sequence xmlns="http://ws.apache.org/ns/synapse" name="WSO2AM--Ext--In">
        <property name="Proxy-Authorization" expression="fn:concat('Basic ', base64Encode('smsapp:let$c0nnect'))" scope="transport"/>
        <property name="POST_TO_URI" value="true" scope="axis2"/>
        <property name="DISABLE_CHUNKING" value="true" scope="axis2"/>
        <log level="custom">
            <property name="TRACE" value="Global Mediation Extension2"/>
        </log>
    </sequence>
    <!-- You can add any flat sequences, endpoints, etc.. to this synapse.xml file if you do
    *not* want to keep the artifacts in several files -->
</definitions>
Requests and their responses:
GET
GET https://apiurl.com/api/apiname HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET https://apiurl.com/api/apiname HTTP/1.1\r\n]
[GET https://apiurl.com/api/apiname HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: GET
Request URI: https://apiurl.com/api/apiname
Request Version: HTTP/1.1
Proxy-Authorization: Basic XXXXXXXXXXXXXXXX\r\n
Credentials: username:pwd
Hypertext Transfer Protocol
HTTP/1.1 502 Server Hangup\r\n
[Expert Info (Chat/Sequence): HTTP/1.1 502 Server Hangup\r\n]
[HTTP/1.1 502 Server Hangup\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Version: HTTP/1.1
Status Code: 502
Response Phrase: Server Hangup
Date: Thu, 08 Dec 2016 12:12:20 GMT\r\n
Connection: close\r\n
Via: HTTPS/1.1 localhost.localdomain\r\n
Cache-Control: no-store\r\n
Content-Type: text/html\r\n
Content-Language: en\r\n
Content-Length: 666\r\n
\r\n
[HTTP response 1/1]
[Time since request: 0.235017000 seconds]
[Request in frame: 456]
File Data: 666 bytes
CONNECT
Hypertext Transfer Protocol
CONNECT apiurl.com:443 HTTP/1.1\r\n
[Expert Info (Chat/Sequence): CONNECT apiurl.com:443 HTTP/1.1\r\n]
[CONNECT apiurl.com:443 HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: CONNECT
Request URI: apiurl.com:443
Request Version: HTTP/1.1
Host: apiurl.com:443\r\n
Proxy-Connection: Keep-Alive\r\n
\r\n
[Full request URI: apiurl.com:443]
[HTTP request 1/2]
[Response in frame: 595]
[Next request in frame: 880]
Hypertext Transfer Protocol
HTTP/1.1 407 Proxy Authorization Required\r\n
[Expert Info (Chat/Sequence): HTTP/1.1 407 Proxy Authorization Required\r\n]
[HTTP/1.1 407 Proxy Authorization Required\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Version: HTTP/1.1
Status Code: 407
Response Phrase: Proxy Authorization Required
Date: Thu, 08 Dec 2016 12:12:22 GMT\r\n
Proxy-Connection: keep-alive\r\n
Via: 1.1 localhost.localdomain\r\n
Cache-Control: no-store\r\n
Content-Type: text/html\r\n
Content-Language: en\r\n
Proxy-Authenticate: Basic realm="Websense Content Gateway"\r\n
Content-Length: 666\r\n
\r\n
[HTTP response 1/2]
[Time since request: 0.002752000 seconds]
[Request in frame: 589]
[Next request in frame: 880]
[Next response in frame: 894]
File Data: 666 bytes
Here's a solution that worked for me (I use ESB 5.0.0, not API Manager).
In my case I had to add proxyProfiles to my HTTP and HTTPS sender in axis2. So I had to:
Delete proxy parameters in http and https sender:
<parameter name="http.proxyHost" locked="false">some_host</parameter>
<parameter name="http.proxyPort" locked="false">some_port</parameter>
Add parameter ProxyProfiles (in both http and https sender)
<parameter name="proxyProfiles">
<profile>
<targetHosts>*</targetHosts>
<proxyHost>some_host</proxyHost>
<proxyPort>some_port</proxyPort>
<proxyUserName>some_username</proxyUserName>
<proxyPassword>some_password</proxyPassword>
</profile>
</parameter>
In my .xml API I deleted the Proxy-Authorization and POST_TO_URI.
more details:
Working with Proxy Servers (wso2.com)
edit:
After a few more tests, it seems that HTTP needs the Proxy-Authorization and POST_TO_URI parameters in the API, but HTTPS needs proxyProfiles instead of them, as I mentioned before. Without this it's impossible to call an HTTPS service.
The request coming in on the websocket server is:
Upgrade: websocket
Connection: Upgrade
Host: 10.1.5.20:5555
Origin: http://localhost:8080
Sec-WebSocket-Protocol: sip
Pragma: no-cache
Cache-Control: no-cache
Sec-WebSocket-Key: T3jkd1s0pRceQbgdTLoaiQ==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: x-webkit-deflate-frame
The response I am trying to send back for the handshake is :
HTTP/1.1 101 WebSocket Protocol Handshake
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Origin: http://localhost:8080
Sec-WebSocket-Location: ws://10.1.5.20:5555/
But the error I receive is :
Exception in thread "main" java.io.IOException: Handshake failed
    at websocket4j.AbstractWebSocket.<init>(AbstractWebSocket.java:123)
    at websocket4j.server.WebSocket.<init>(WebSocket.java:73)
    at websocket4j.server.WebServerSocket.accept(WebServerSocket.java:119)
    at websocket4j.examples.EchoServer.main(EchoServer.java:51)
Caused by: java.io.IOException: End of stream
    at websocket4j.AbstractWebSocket.readBytes(AbstractWebSocket.java:230)
    at websocket4j.server.WebSocket.handshake(WebSocket.java:203)
    at websocket4j.AbstractWebSocket$HandshakeRunner.run(AbstractWebSocket.java:79)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Shouldn't you respond with the key?
Try adding Sec-WebSocket-Accept: sha1(Sec-WebSocket-Key + magic string) to your response.
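The computation suggested in the answer above, written out as an added Java example (not code from the original posts or from websocket4j): it derives Sec-WebSocket-Accept from the request's Sec-WebSocket-Key using the fixed GUID from RFC 6455, base64-encodes the SHA-1 digest, and builds the 101 response for a version 13 client. The class and method names are hypothetical, and echoing the offered `sip` subprotocol assumes the server actually implements it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Added example: class and method names are hypothetical, not websocket4j API.
public class HandshakeExample {

    // Fixed GUID defined by RFC 6455 (the "magic string" the answer refers to).
    static final String GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";

    // Sec-WebSocket-Accept = base64( SHA-1( Sec-WebSocket-Key + GUID ) )
    static String acceptFor(String key) throws NoSuchAlgorithmException {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        byte[] digest = sha1.digest((key + GUID).getBytes(StandardCharsets.US_ASCII));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Parses "Name: value" header lines (no request line) into a map keyed by lower-cased name.
    static Map<String, String> parseHeaders(String headerBlock) {
        Map<String, String> headers = new HashMap<>();
        for (String line : headerBlock.split("\r?\n")) {
            int colon = line.indexOf(':');
            if (colon > 0) {
                headers.put(line.substring(0, colon).trim().toLowerCase(Locale.ROOT),
                            line.substring(colon + 1).trim());
            }
        }
        return headers;
    }

    // A valid key is base64 text that decodes to exactly 16 bytes.
    static boolean validKey(String key) {
        if (key == null) return false;
        try {
            return Base64.getDecoder().decode(key).length == 16;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // Returns the 101 response for a valid version 13 upgrade, otherwise a 400.
    static String respond(String headerBlock) throws NoSuchAlgorithmException {
        Map<String, String> h = parseHeaders(headerBlock);
        String key = h.get("sec-websocket-key");
        if (!"websocket".equalsIgnoreCase(h.get("upgrade"))
                || !"13".equals(h.get("sec-websocket-version"))
                || !validKey(key)) {
            return "HTTP/1.1 400 Bad Request\r\nSec-WebSocket-Version: 13\r\n\r\n";
        }
        StringBuilder out = new StringBuilder()
                .append("HTTP/1.1 101 Switching Protocols\r\n")
                .append("Upgrade: websocket\r\n")
                .append("Connection: Upgrade\r\n")
                .append("Sec-WebSocket-Accept: ").append(acceptFor(key)).append("\r\n");
        // Assumption: the server implements the first subprotocol the client offers.
        String offered = h.get("sec-websocket-protocol");
        if (offered != null) {
            out.append("Sec-WebSocket-Protocol: ").append(offered.split(",")[0].trim()).append("\r\n");
        }
        return out.append("\r\n").toString();
    }

    public static void main(String[] args) throws Exception {
        // Self-check against the sample nonce published in RFC 6455.
        if (!"s3pPLMBiTxaQ9kYGzzhZRbK+xOo=".equals(acceptFor("dGhlIHNhbXBsZSBub25jZQ=="))) {
            throw new AssertionError("accept value does not match the RFC 6455 sample");
        }
        // Header lines copied from the request shown in the question.
        String request = String.join("\r\n",
                "Upgrade: websocket",
                "Connection: Upgrade",
                "Host: 10.1.5.20:5555",
                "Origin: http://localhost:8080",
                "Sec-WebSocket-Protocol: sip",
                "Sec-WebSocket-Key: T3jkd1s0pRceQbgdTLoaiQ==",
                "Sec-WebSocket-Version: 13");
        System.out.print(respond(request));
    }
}
```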