Service Fabric Reverse Proxy with https - https

So I try to use the reverse proxy of Azure Service Fabric with https on a standalone cluster but I'm not able to make it happen.
I read many pages of the documentation but I must have missed one or I'm not able to understand it.
So what I want is to call the reverse proxy with https (working fine with http) like https://localhost/SFTest/api/weatherforecast but it won't work. If I use the "direct link" like https://localhost:xxxx/weatherforecast it works.
First I was using the web installer to set up my dev env on my local machine, but from what I read, if I want to be able to manage cluster settings it is better to switch to the "full mode" (https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-creation-for-windows-server).
With this I was able to create a cluster by using the config "ClusterConfig.Unsecure.DevCluster.json" but https was not enabled for the reverse proxy.
The issue is that I have trouble telling the difference between securing a cluster and just enabling https on the reverse proxy. I don't want to have to use certs to connect to the cluster (like going to https://localhost:19081).
Can someone tell me how to enable SSL (which config file to edit and what to put in it) on the reverse proxy without having to secure the cluster?
It will be a great help :)

So I managed to find out how to do it.
In the config of the cluster (ClusterConfig.json) or the template (in my case it was ClusterConfig.Unsecure.DevCluster.json) you have to add this:
"security": {
    "CertificateInformation": {
        "ReverseProxyCertificate": {
            "Thumbprint": "[ReplaceByThumbprint]",
            "ThumbprintSecondary": "[ReplaceByThumbprint]",
            "X509StoreName": "My"
        }
    }
}
under the "properties" part.
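The config change above, as an added example that is not part of the original answer: a Python helper that writes only the ReverseProxyCertificate block into a ClusterConfig.json-style dictionary and leaves every other key under "security" as found, which is the distinction between reverse-proxy TLS and cluster security that the question asks about. The sample config, the reverseProxyEndpointPort node type key and all thumbprints are constructed placeholders.

```python
"""Add a ReverseProxyCertificate block to a standalone Service Fabric
ClusterConfig.json without enabling cluster security. Added example for this
thread, not Microsoft tooling; every thumbprint below is a constructed placeholder."""
import copy
import json
import re
from typing import Optional

# A SHA-1 certificate thumbprint as shown by certmgr.msc or Get-ChildItem Cert:\ is 40 hex digits.
_THUMBPRINT_RE = re.compile(r"[0-9A-Fa-f]{40}")

def normalize_thumbprint(value: str) -> str:
    """Strip the spaces/colons GUI tools insert and reject anything that is not a SHA-1 thumbprint."""
    cleaned = re.sub(r"[\s:]", "", value)
    if not _THUMBPRINT_RE.fullmatch(cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    return cleaned.upper()

def enable_reverse_proxy_https(config: dict, thumbprint: str,
                               secondary: Optional[str] = None,
                               store_name: str = "My") -> dict:
    """Return a copy of config with properties.security.CertificateInformation.ReverseProxyCertificate set.
    Other keys under "security" (e.g. a ClusterCertificate, which would secure node/client
    connections) are left exactly as found, so an unsecure dev cluster stays unsecure."""
    new_cfg = copy.deepcopy(config)
    cert_info = (new_cfg.setdefault("properties", {})
                        .setdefault("security", {})
                        .setdefault("CertificateInformation", {}))
    block = {"Thumbprint": normalize_thumbprint(thumbprint), "X509StoreName": store_name}
    if secondary:  # optional second thumbprint, used while rolling the certificate over
        block["ThumbprintSecondary"] = normalize_thumbprint(secondary)
    cert_info["ReverseProxyCertificate"] = block
    return new_cfg

def reverse_proxy_cert(config: dict) -> Optional[dict]:
    """Read the block back, e.g. to confirm an edited file before creating the cluster."""
    return (config.get("properties", {}).get("security", {})
                  .get("CertificateInformation", {}).get("ReverseProxyCertificate"))

# Constructed stand-in for the "properties" part of ClusterConfig.Unsecure.DevCluster.json
SAMPLE_CONFIG = {
    "name": "SampleCluster",
    "properties": {"nodeTypes": [{"name": "NodeType0", "reverseProxyEndpointPort": "19081"}]},
}
PLACEHOLDER_THUMBPRINT = "01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67"  # constructed

if __name__ == "__main__":
    print(json.dumps(enable_reverse_proxy_https(SAMPLE_CONFIG, PLACEHOLDER_THUMBPRINT), indent=2))
```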

Related

Block web traffic from internet (public access)

I just configured an NGINX instance on the Jelastic platform.
In my environment's firewall inbound rules there are now a few default rules added.
With source All (HTTP, HTTPS, ...).
I changed the source of these firewall rules to Local LAN.
So I expect that when I go to my Jelastic public URL in my browser on my own computer, I do not get a website but I'm blocked by the firewall.
This is not happening. I do not want the website to be used from the outside. This environment will host some REST APIs and workers running on the inside and only triggered by other environments I have.
Kind regards.
Roel
We recommend following this guide to disable access to your container (CT) from the outside: https://docs.jelastic.com/release-notes-59/#restrict-node-access-via-shared-load-balancer-slb
However, please keep in mind that you'll not be able to access this CT from another CT too.
UPDATE:
little clarification
If "Access via SLB" is disabled, the nodes within the layer are inaccessible via SLB (including the Open in Browser button in the dashboard) and return a 403 "Forbidden" error instead of the intended service. Herewith, access via the private network from the other nodes of the environment, access via SSH and access via endpoints from the public network is not affected.
We also want to draw your attention to the fact that the described feature is available from the Jelastic PaaS 5.9 release.

Forwarding external domain to GCP Instance with https

What is the easiest way to route an externally hosted domain to my VM instance on GCP (with a fixed IP) and connect over HTTPS? Currently only HTTP works, forwarded via the entry in the A records. Which service is best suited for this on GCP? I am happy about any suggestion.
You can point your domain to the VM by adding an A record in DNS. For managing https you can set up nginx or Apache and generate or add the SSL/TLS certificate there.
For generating a free SSL/TLS certificate you can use: https://certbot.eff.org/
It's easy to manage and install the SSL/TLS certificate with certbot, and it also has auto-renewal of certificates.
Thank you very much. Certbot looks good. :)
A) Currently I have the following configuration:
Domain at Active24 (A record points to server)
Server is Alfresco on a VM instance on GCP
Server is Apache Tomcat on Debian 9
I can manage on the command line, but it's not my daily business.
I installed Certbot and had the certificate installed (sudo certbot --apache)
B) Now, after installing Certbot, here's the situation:
When I open the URL/domain I get to the Alfresco login screen. The browser does not show HTTPS.
After entering my login data, HTTPS appears, but I cannot access the Share environment. Instead I see an Alfresco error page with a button to return to the dashboard.
When I click on the "Back to Dashboard" button, I return to the login screen.
I think I still have to configure Apache to forward to the appropriate destinations. But I can't find any instructions for this.
C) My next questions are:
Did Certbot install an additional server as a proxy, or did it configure the existing one?
In which directory do I find the appropriate server settings?
Thanks a lot!

How to use direct connection applications behind a kerberos proxy

I have a corporate proxy using Squid and Kerberos for authentication; the proxy is configured for standard use, i.e. allow http, https, a few others and block everything else. Now, there are many applications that support basic proxy authentication but do not support Kerberos-based authentication, and many others that connect directly to the internet. I used Proxifier before the upgrade to Kerberos to make my applications use the proxy, but I cannot do so now. I then installed an application called PX to create a proxy that connects to Kerberos, but the proxy it creates is a simple HTTP proxy and Proxifier doesn't work correctly with it. Does anyone have a setup for a situation like this? I use Windows 10 and I obviously don't have access to the server where Squid is configured. The application I need to connect to the internet uses standard https ports; it's not a torrent application nor anything that uses the ports blocked by Squid. Thanks in advance.
Ok, for this particular case I've found the following setup to solve 99% of my problems.
First get Px here https://github.com/genotrance/px
Next get Fiddler: http://www.getfiddler.com/dl/Fiddler4BetaSetup.exe
Configure PX with your user and your domain and run it. By default it creates a running proxy on 127.0.0.1:3128.
Configure your system proxy to use the proxy supplied by PX.
Execute Fiddler; it should create ANOTHER proxy at 127.0.0.1:8888.
Use this proxy in your apps. Proxifier should work as well.
Why use Fiddler and not 127.0.0.1:3128 directly? PX creates a pure HTTP proxy, and Fiddler allows tunnelling HTTPS and CONNECT requests through it.
Any requests will pass through Fiddler, which will redirect them to the PX proxy, which will redirect them to the Squid proxy (so expect very slow speeds).
In the end since you're just redirecting your apps towards your proxy, if your proxy bans using regex expressions or direct IP connections some apps will NOT work, and in these cases using TOR or a VPN is the only real solution. Hope it helps someone avoid all the headaches I went through.

WSO2 ESB proxy service on Windows

I'm using the WSO2 ESB to integrate several services on a Windows virtual machine.
I used the simple proxy to map the services deployed on it. But the problem is that I can't access them from outside it, even though port 8280, where the services are deployed, is open to the internet; I can see only a blank page instead. What could be wrong?
Another question: I was trying to map the WSO2 ESB management console itself to be available from outside the machine using a simple proxy, and I failed; this is what I see when trying the service.
Could you please give me a hint on how to resolve this issue? Is it possible to share the ESB management console using the ESB itself?
Thanks a lot in advance,
Do you have a proxy in the middle? It looks like in the screenshot the webpage is missing all pictures, while the CSS was loaded successfully.
Another question: which kind of virtual machine do you use? For example, in VirtualBox the virtual machine is behind NAT by default.
I wasn't able to connect to a server on the virtual machine from the host, only the opposite way: a server on the host is available in the virtual machine.
To make a server in the virtual machine available on the host you need to configure the network as bridged.
Not sure if it helps, but I think I had a similar problem in our corporate network after I applied all the security patches (POODLE, Diffie-Hellman etc.). I had to configure the addresses in catalina.xml (if I remember right) that are allowed to access the admin console. Cannot tell you more details because I'm on holiday :-)
Maybe it's worth to give it a try.
Another example from real life. The HTTP response from an external resource was application/json, response status 200 OK. The ESB was configured to use
<messageFormatter contentType="application/json"
                  class="org.apache.synapse.commons.json.JsonStreamFormatter"/>
but the content was plain text/plain.
While parsing the body of the HTTP response an exception was thrown and just silently written to the log, without any fault message processing. Just an empty response to the client.
To verify that the services are reachable, there is an echo service by default on the server, which responds with content equal to the request. Try to use it.
was trying to map the WSO2 ESB management console itself to be availbe
from outside the machine using simple proxy
By default the management console tries to enforce port 9443 for dynamic (JSP) pages. That's why you see only part of the pages and you shouldn't be able to log on.
What you can do is edit repository/conf/tomcat/catalina-server.xml and add an attribute proxyPort="443" to the Connector running on port 9443; the Carbon console will then be happy to run on 443.
For the services, my educated guess would be the firewall / network rules; however, without other information I cannot answer (or - they are working, just you may not try to access them by a simple browser request).

Steps to setup proxy server

I want to set up a proxy server in our office. I have two proxy servers available, i.e. Squid for Linux and WinProxy for Windows. I have the following requirements:
1. All the rules which I define in the proxy server, like blocking some specific sites etc., should work.
2. The "Evolution Mail Client" for Linux and "Outlook Express" for Windows should also work.
So, can you tell me the guidelines on how to achieve both tasks, especially no. 2?
Thanks in advance.
Squid is a very good option for a caching proxy. It has a configuration file to block some specific sites, IPs, domains... and to tell it which files it has to cache. Making a smart proxy is not easy. But you can find great configurations and tutorials in Google or in its wiki.
There are two ways for setting up a proxy:
Direct proxy: you have to manually configure every computer to use your proxy server.
This is the easiest option. I recommend you using this.
Please note, computers that don't use the proxy can access all pages (even if they're blocked).
Transparent proxy: this is the most secure, ideal option for most cases (including yours). You have to configure your network and the proxy server to forward any requests to it. This is a hard option and very difficult to achieve in your case.
About your Evolution and Outlook problem, there can't be any problems related to the proxy, don't worry about that.
