WebAPI on same server, can it be accessed over http instead of https even though SSL applied on it? - performance

I have a WebAPP and a WEBAPI on the same server. I have applied an SSL certificate to both sites on the same server (both are separate applications under the common IIS default website).
Now my question: can I access the same WEBAPI over http instead of https from a 3rd intranet application on the same server, which is not a secure application?
My intention is to not hamper performance for the 3rd site, which is not secured and is on the same server.

Actually, it depends on your configuration.
Generally, when you apply SSL on a web server, your app can be accessed over both http and https connections.
But if you have configured it to redirect the http version to https using CSP or server-end configuration, then you can access the http version, as all requests will get automatically redirected to the https version.

You should read IIS-related materials to learn what a site binding is. A web site can of course contain multiple bindings, both HTTP and HTTPS, so that clients (like web browsers) can access it using both http:// and https://.
https://blogs.technet.microsoft.com/chrad/2010/01/24/understanding-iis-bindings-websites-virtual-directories-and-lastly-application-pools/

Related

Not secure HttpServletRequest getURI google cloud

We are using an Auth0 integration to provide authentication for our Spring Boot application.
The application is deployed with Docker in Google Cloud Run.
But when I try to exchange tokens I receive an error from Auth0: "Expected https://.. but got http://."
The reason why it is happening is that httpServletRequest.getRequestURI() returns http instead of https.
The question is: why does getRequestURI return http when our website is deployed as https in Cloud Run?
I also logged the nginx headers, and X-Forwarded-Proto = https.

Posting as Community Wiki since it is based on the comments of #EmilGi and #GuillaumeBlaquiere.
As you can see in this documentation:
Cloud Run redirects all HTTP requests to HTTPS but terminates TLS before they reach your web service. If your service generates a web resource that refers to other web resources with unsecured URLs (http://), your page may be subject to mixed content warnings or errors.
And you cannot turn off this restriction since Cloud Run is deployed behind the GFE (Google Front End) in charge of the TLS communication.
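
How an application behind a TLS-terminating front end, as described in the answer above, can recover the client's scheme from X-Forwarded-Proto before building an absolute URL such as an OAuth callback. This is an added example in JavaScript, not code from the original posts; the proxy address, host name and request shape are constructed assumptions.

```javascript
// Added example: addresses, hosts and the request shape are constructed.
const TRUSTED_PROXIES = new Set(['10.0.0.5']);       // assumed address of the TLS-terminating proxy
const ALLOWED_HOSTS = new Set(['app.example.com']);  // hosts the app may emit in absolute URLs

// Scheme the client actually used, as far as the app can know it.
function externalScheme(req) {
  const direct = req.encrypted ? 'https' : 'http';
  // Only a known proxy may speak for the client; any other peer could forge the header.
  if (!TRUSTED_PROXIES.has(req.remoteAddress)) return direct;
  const raw = req.headers['x-forwarded-proto'];
  if (typeof raw !== 'string') return direct;
  const value = raw.trim().toLowerCase();
  // A list such as "https, http" means several hops wrote it: treat it as ambiguous.
  return value === 'https' || value === 'http' ? value : direct;
}

// Absolute URL of the current request, e.g. for an OAuth redirect_uri.
function externalUrl(req) {
  const host = String(req.headers.host || '').toLowerCase();
  // The Host header is client-controlled too, so check it against an allowlist.
  if (!ALLOWED_HOSTS.has(host)) throw new Error('unexpected Host header: ' + host);
  return externalScheme(req) + '://' + host + req.path;
}

// Constructed requests: the app itself always sees plain HTTP from the proxy.
const viaProxy = {
  remoteAddress: '10.0.0.5', encrypted: false, path: '/callback',
  headers: { host: 'app.example.com', 'x-forwarded-proto': 'https' },
};
const spoofed = { ...viaProxy, remoteAddress: '203.0.113.9' };
const ambiguous = {
  ...viaProxy,
  headers: { host: 'app.example.com', 'x-forwarded-proto': 'https, http' },
};

for (const req of [viaProxy, spoofed, ambiguous]) {
  console.log(req.remoteAddress, externalUrl(req));
}
```

In Spring Boot the equivalent decision is controlled by the `server.forward-headers-strategy` property rather than hand-written code.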

Access restriction of WEB API service call based on request

When we access the WEB API service methods from a web application through Ajax calls, will there be any access restrictions for the following scenarios?
“HTTPS” Web application accessing an “HTTP” WEB-API
“HTTP” Web application accessing an “HTTPS” WEB-API
Will there be any impact from the requesting application or context, or will the web API behave the same whether it is HTTP or HTTPS?
Please advise.

When you try to access an "HTTP" API or any service from an HTTPS or SSL-enabled client, the security itself is compromised.
An SSL certificate is enabled to maintain a higher level of security. In any HTTPS-enabled client, when you access a non-SSL or HTTP API, you have to specify the transport layer explicitly to allow the process of data [example: iOS client - Application Transport].
Even if you have a requirement to access the HTTP API, please go through this reference.
Make Https call using HttpClient
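
The two Ajax scenarios from the question, run through the checks a browser applies before sending the request: mixed content first, then same-origin. This is an added example, not code from the original posts; the origins are constructed, and it goes slightly beyond the question by also covering a same-host API on the other scheme.

```javascript
// Added example; all origins are constructed.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Origin = scheme + host + port; a different scheme alone makes a different origin.
function originOf(u) {
  return `${u.protocol}//${u.hostname}:${u.port || DEFAULT_PORT[u.protocol]}`;
}

function classifyAjax(pageUrl, apiUrl) {
  const page = new URL(pageUrl);
  const api = new URL(apiUrl, page); // relative API paths resolve against the page
  // Modern browsers block XHR/fetch to plain http from a page loaded over https.
  if (page.protocol === 'https:' && api.protocol === 'http:') {
    return 'blocked: mixed content';
  }
  if (originOf(page) !== originOf(api)) {
    return 'cross-origin: API must send CORS headers';
  }
  return 'same-origin: allowed';
}

const SCENARIOS = [
  ['https://app.example.com/', 'http://api.example.com/v1/items'],  // HTTPS app, HTTP API
  ['http://app.example.com/', 'https://api.example.com/v1/items'],  // HTTP app, HTTPS API
  ['https://app.example.com/', 'http://app.example.com/api/items'], // same host, downgraded scheme
  ['http://app.example.com/', 'https://app.example.com/api/items'], // same host, upgraded scheme
  ['https://app.example.com/', '/api/items'],                       // relative path
];
for (const [page, api] of SCENARIOS) {
  console.log(`${page} -> ${api}: ${classifyAjax(page, api)}`);
}
```

These checks are enforced by the browser only; a server-side HTTP client calling the same API is not subject to them.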

Web API 2 call from Proxy Server

I have a JavaScript web application calling my ASP.NET Web API 2 service under the same web site on my app server. The application is working fine.
I set up a proxy server and URL Rewrite to my application server. Everything is working fine with HTTP, but I can't call the web API from JavaScript with HTTPS.
I put in CORS and added the proxy server, but it still doesn't work.
But I can directly call the web API with HTTPS.
Kindly advise!
Regards,
Si Thu

Finally, I found out that it is because of a mixed content issue between the proxy server and the application server. The app server also needs to be HTTPS.
The issue is solved by adding a certificate on the app server.

Implement a Silverlight proxy client?

Is it possible in Silverlight to create a proxy client, meaning the Silverlight application knows the host, port, username and password of the proxy server, then establishes a connection to the proxy server?
The Silverlight application would then be able to issue HTTP requests to resources behind that proxy server.
This way, the Silverlight application would reach certain resources without having to install a third-party proxy client on the client machine first, because the proxy client would be part of the Silverlight application itself.
I use the WebClient to issue HTTP requests from Silverlight.
WebClient has a Proxy property, but not in Silverlight.
So I made a web service that takes a URL and some proxy-server information. The web service uses the WebClient and the Proxy property to direct the HTTP request to the proxy server.
Then the Silverlight application calls that web service and gives it a URL and some proxy-server information.

Access the IBM AJAX Test Server over HTTPS?

I'm using the AJAX Test Server in Rational Application Developer. I'm posting a form to another host for authentication. That host takes a URL to redirect to after authentication. However, it insists on using HTTPS whenever it sends the 302 response. The low hanging fruit would be to just use HTTPS locally.
Looking at the launch configuration, the AJAX Test Server appears to be a custom Apache HttpCore server. I haven't spotted anything in the configuration guide.
Is there a way to access this test server via HTTPS?
This is for demo and local development purposes; not production.

Speaking from working with WAS (WebSphere Application Server) in RAD, I'm pretty sure the answer would be yes. The server (at least with WAS) has both secure and "unsecure" ports.
What I have noticed is that when the server is built with the install (at least with the newer versions of the products 7.5+), the ports used are different per install. This is to help with not conflicting with other applications that may use those ports.
So https is probably fine. You just may have to use it over port 302 or some other port.
If there is no admin console for viewing your ports, you could always try the Window | Preferences option under your menu items. Sometimes IBM hides server config stuff in there.
