elasticsearch: Cross-Origin Request Blocked despite configuring http module - elasticsearch

I am using version 2.3.2 of elasticsearch. In my elasticsearch.yml file I have added the below lines to allow Cross-Origin requests.
http.cors.enabled: true
http.cors.allow-credentials: true
http.cors.allow-methods: OPTIONS,HEAD,GET,POST,PUT,DELETE
http.cors.max-age: 0
http.cors.allow-origin: /http?:\/\/localhost(:[0-9]+)?/
http.cors.allow-headers : X-Requested-With,X-Auth-Token,Content-Type,Content-Length
However, when i try to execute a query from Firefox, I get the following error;
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote
resource at http://localhost:9200/someIndex/_search?size=10&from=0.
(Reason: CORS header 'Access-Control-Allow-Origin' missing).
Replacing the http.cors.allow-origin parameter with "*", seems to work, but the documentation indicates this is a security requests.
The request headers from the browser are below;
Accept - application/json, text/plain, */*
Accept-Encoding - gzip, deflate
Accept-Language - en-US,en;q=0.5
Content-Length - 26
Content-Type - application/json;charset=utf-8
DNT - 1
Host - localhost:9200
Origin - null
User-Agent - Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0
Could someone please suggest what I am doing wrong in the above?

You seem to have a small typo.
It should read
http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/
^
|
add this
i.e. you're missing the s before the ?, which means "either http or https"

Related

Kong proxy cache plugin - X-Cache-Status is always Bypass when cache_control is enabled

I have a registered service in Kong and currently trying to set up the proxy-cache plugin.
The plugin itself works fine when cache control is set to false, but when I enable it, the X-Cache-Status header is always Bypass.
The plugin configuration looks like this:
plugins:
- name: proxy-cache
service: echo
config:
response_code
- 200
- 301
- 404
request_method:
- GET
- HEAD
content_type:
- text/plain
- application/json
- application/json; charset=utf-8
- text/plain; charset=utf-8
cache_ttl: 300
strategy: memory
cache_control: true
memory:
dictionary_name: kong_db_cache
And the request looks like this:
curl --location --request GET 'http://localhost:8000/echo' --header 'Cache-Control: public, max-age=20'
I was experimenting with different Cache-Control values, registered also request-transformer plugin and was playing with headers there, but nothing seems to work.
Did anyone encounter this issue before? I'm pretty much stuck here and any kind of suggestion is more than welcome.
You have set the option
cache_control: true
So Kong will respect the Cache-Control behaviors defined in RFC7234
You need to have an cache header into the upstream answer.
Or you should set it to false

I can't access my apollo server through a proxy

I've set up apollo server on port 3000 on local host and it works fine. I can use the playground and make queries and they all work. ( some text pixilated for privacy )
However my front end is a Svelte application being served from port 8080 on localhost via snowpack. I've setup the snowpack config to proxy localhost:8080/api to localhost:3000
proxy: {
"/api": "http://localhost:3000/"
},
If I try to access the playground via http://localhost:8080/api then the web UI appears but there seem to be errors with the graphql protocol. The UI complains that the server cannot be reached
If I enter developer mode I see the following request failing
POST /api HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 1468
accept: */*
Apollo-Query-Plan-Experimental: 1
X-Apollo-Tracing: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
DNT: 1
content-type: application/json
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/api/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-AU,en;q=0.9,de-AT;q=0.8,de;q=0.7,en-GB;q=0.6,en-US;q=0.5
with request body
The response given back is
HTTP/1.1 400 Bad Request
connection: close
Date: Thu, 12 Nov 2020 18:40:59 GMT
Content-Length: 0
Does something need to be configured with the server to allow it to work through a proxy like this?

Resolving Laravel 5.5 cookie not set in request header that result in Page inactivity upon login

I am running Laravel 5.5 application in local development machine and in windows server 2012 production and there is no problem. However, when I deployed my application to Centos 6 Linux, the application produce Page inactivity error upon login. Investigation reveal that the cause of the error is that the request header cookie is not set.
My request header that works in my local development machine as follows:
...
Cache-Control max-age=0
Connection keep-alive
Cookie XSRF-TOKEN=eyJpdiI6InlGZ0l3OUV…3OGEzNWY5MDliOWVmZjYifQ%3D%3D
Host localhost
Referer http://localhost/abc/public/
Upgrade-Insecure-Requests 1
User-Agent Mozilla/5.0 (Windows NT 10.0; …) Gecko/20100101 Firefox/60.0
Response header as follows
...
Keep-Alive timeout=5, max=100
Server Apache/2.4.29 (Win32) OpenSSL/1.0.2l PHP/7.1.11
Set-Cookie XSRF-TOKEN=eyJpdiI6InFaMzI0QjV…:41 GMT; Max-Age=1799; path=/
Set-Cookie abc_app_session=eyJpdiI…5MjBkIn0%3D; path=/; HttpOnly
Transfer-Encoding chunked
X-Powered-By PHP/7.1.11
The corresponding request and response header from my linux production as follows
Request:
Connection keep-alive
Host www.abc.com
x-https 1
Upgrade-Insecure-Requests 1
User-Agent Mozilla/5.0 (Windows NT 10.0; …) Gecko/20100101 Firefox/60.0
Response:
Connection Keep-Alive
Content-Type text/html; charset=UTF-8
Date Sun, 24 Jun 2018 14:49:22 GMT
Keep-Alive timeout=5, max=100
Server Apache
Transfer-Encoding chunked
Without the XSRF token in the cookie, there is no way that Laravel 5.5 can verify against the session in the server and thus it will cause page inactivity. I have no clue but suspect it could be Linux permission issue that prevent cookie from being passed between client and server. I am using https connection for Linux. I tried the following but it is not working:
1- Using php artisan config:cache to clear all old cache and session
2- using php artisan view:clear to clear all views
3- chmod 755 to set permission to bootstrap/cache and storage folder recursively
4- chown apache to change owner grup of both bootstrap/cache and storage to apache.
5- session_driver=file
session_encrypt=false
Cache_driver=file
6- 'domain' => env('SESSION_DOMAIN', null),
'secure' => env('SESSION_SECURE_COOKIE', false),
'http_only' => true,
I am running out of clue what is the cause of the issue and how to fix it. Any help is appreciated.

Sinatra does nothing with requests from a phonegap application

I have a simple sinatra server with a post block. If I send a $.post from a browser the server receives the post, but when sent from my phonegap application it does nothing, no error code or any output whatsoever.
I previously wrote a simple TCPServer#accept process, and since I was successful with that I proceeded to sinatra, but found the following:
This post works well in sinatra and with TCPServer.accept
POST /api/v/1 HTTP/1.1
Host: localho.st:8015
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://api.jquery.com
Cookie: _fitter_session=[deleted]
Content-Length: 7
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/601.5.17 (KHTML, like Gecko) Version/9.1 Safari/601.5.17
Referer: http://api.jquery.com/jquery.post/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
The next one doesn't work in sinatra though it still does in TCPServer
POST /api/v/1 HTTP/1.1
Host: localho.st:8015
Connection: keep-alive
Content-Length: 362
Accept: application/json, text/javascript, */*; q=0.01
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip,deflate
Accept-Language: en-US
Cookie: _fitter_session=[deleted]
X-Requested-With: com.myapp.myphonegapp
I think I am missing something obvious but can't find what it is, I'm searching in google but find no soluction or similar problem, any help is welcome
Thanks in advance.
Edit:
- I tried running a rails server and it receives the post correctly.
- This problem affects both get and post sent from the phonegap application.
Edit2:
Sinatra file:
require 'sinatra'
# require 'sinatra/cross_origin'
set :port, 8015
#set :server, 'thin'
post '/api/v/1' do
puts 'it worked!'
end
Phonegap ajax request:
$.post('http://localho.st:8015/api/v/1', {
test: 'foo'
})
.done(function(s) {
console.log(s);
})
.fail(function(e) {
console.log(e);
})
If I run a node server and serve the application the request runs succesfully (with cors enabled in the browser) but on an android device, it doesn't, again, if I replace the sinatra with a rails in the same port, rails gets the request
Try to put in your codeset :bind, '0.0.0.0'. I guess that your server is listening only on localhost.

Apache and Headers presence in response for Ajax requests

I try to figure out a cross-domain API issue.
I have an application created with Sencha Touch 2.3.1 that is using Ajax to fetch data from remote server.
The issue that I am facing is that all Ajax requests against local server does not contain all headers in response.
On remote server, all works fine and headers are ok.
Here are two prints that show the headers sent and received for each server individualy
1 - headers sent and received from localhost (http://local.api - vhost)
Headers received:
Connection Keep-Alive
Content-Length 274
Content-Type text/html; charset=iso-8859-1
Date Mon, 07 Jul 2014 10:58:54 GMT
Keep-Alive timeout=5, max=100
Location http://local.api/fa/?ref.agent/lista-clienti&_dc=1404730734262
Server Apache/2.2.17 (Win32) PHP/5.3.3
Headers sent:
Accept text/html,application/xhtml+xml,
application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language ro-ro,ro;q=0.8,en-us;q=0.6,en-gb;q=0.4,en;q=0.2
Content-Length 33
Content-Type application/x-www-form-urlencoded; charset=UTF-8
Host local.api
Origin http://sencha.local
Referer http://sencha.local/fisa-agenti/index.html
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101
Firefox/30.0
2 - headers sent and received from remote server (http://adgarage.ro)
Headers received
Accept-Ranges bytes
Access-Control-Allow-Cred... true
Access-Control-Allow-Orig... *
Age 0
Connection keep-alive
Content-Length 375
Content-Type application/json
Date Mon, 07 Jul 2014 10:58:52 GMT
Server Apache/2.2.22 (Unix) mod_ssl/2.2.22
OpenSSL/0.9.8e-fips-rhel5
Via 1.1 varnish
X-Powered-By PHP/5.3.13
X-Varnish 562862498
Headers sent
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language ro-ro,ro;q=0.8,en-us;q=0.6,en-gb;q=0.4,en;q=0.2
Host adgarage.ro
Origin http://sencha.local
Referer http://sencha.local/fisa-agenti/index.html
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101
Firefox/30.0
Note the Access-Controll-Allow header.
It is missing from the header container received from localhost
And here is my .htaccess file:
Header set Access-Control-Allow-Origin *
Header set Access-Control-Allow-Credentials: true
this file is the same on both servers.
I have the headers_module acitive on local machine.
Another thing I noticed is that response status from local is 301 moved Permanently while the response status received from remote server is 200 Ok
What I am missing?
Thank you!
I've identified the problem.
As discussed in this this topic headers were not sent because of the 301 Moved Permanently status.
My local requests were made to http://local.api/fa?ref.agent/... instead of http://local.api/fa/?ref.agent/... - notice the trailing slash missing after /fa in the first link.
Everything it's ok now.

Resources