I'm building a proxy using Apigee that transmits sensitive data. I need to ensure that clients of this API use HTTPS.
I've coded a Raise Fault policy that does something like this
proxies/default.xml
<PreFlow name="PreFlow">
<Request>
<Step>
<FaultRules/>
<Name>Require-HTTPS</Name>
<Condition>request.scheme != "https"</Condition>
</Step>
</Request>
<Response/>
</PreFlow>
policies/Require-HTTPS.xml
<RaiseFault async="false" continueOnError="false" enabled="true" name="Require-HTTPS">
<DisplayName>Require-HTTPS</DisplayName>
<FaultRules/>
<Properties/>
<FaultResponse>
<Set>
<Headers/>
<Payload contentType="application/json">\{
"status" : 400,
"message" : "Sensitive transactions may only be executed over HTTPS",
}
</Payload>
<StatusCode>400</StatusCode>
<ReasonPhrase>Requires HTTPS</ReasonPhrase>
</Set>
</FaultResponse>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>
The problem is, the fault is always raised, whether I use HTTP or HTTPS to access.
I can see in the debugging console that the condition in proxies.xml always resolves to true, whether I use HTTP or HTTPS to access the API. In fact, the request.scheme always seems to be HTTP.
However, I do see the following header using HTTPS access that's not present using HTTP
X-Forwarded-Proto : https
Can I depend on this header to enforce HTTPS only access to my API? Or is there some other recommended way to do this?
You might try detecting the virtual host rather than the scheme by using the virtualhost.name variable (default or secure).
However, I suggest you create a two proxies -- one for https and one for http. This will remove the possibility of a consumer slipping past your conditional roadblock. Click on the word "default" under Proxy to edit the entire proxy file and scroll down to the HTTPProxyConnection
<HTTPProxyConnection>
<BasePath>/testme</BasePath>
<VirtualHost>default</VirtualHost>
<VirtualHost>secure</VirtualHost>
</HTTPProxyConnection>
Just remove the VirtualHost for default and the consumer will no longer be able to connect using https. I beleive you can then create a second API with the same path, only then remove "secure" and create a RasieFault without a condition. Worst case, you can rely on the Apigee error if you just disable default in your API.
Related
WebSphere Liberty and Open Liberty, all version.
I want remove "Content-Language" header from Servlet/JSP response, because of browser translation function accidentally popup. It seems that Liberty adds this header on all response in default, and there is no setting option to prevent this behavior. I've tried response.setLocale(Locale.ROOT); and servlet filter that ignore setHeader/addHeader of Content-language. But I couldn't eliminate the header.
Does anyone have an idea?
There is no direct way to stop or remove the response "Content-Language" header. However, if you set response header "Content-Language" before the response is committed, the server won't change it and retain your setting.
Thanks,
As of Open Liberty 21.0.0.12 you can use the "Configurable Response Headers" support to remove any header you want. See the following blog post for additional details on how to use the feature: https://openliberty.io/blog/2021/11/26/jakarta-ee-9.1.html.
For instance you can do the following in your server.xml:
<httpEndpoint id="defaultHttpEndpoint"
httpPort="9080"
httpsPort="9443">
<headers>
<remove>Content-Language</remove>
</headers>
</httpEndpoint>
I want to develop a Monitoring-WebApp for different things with AngularJS as Frontend. One of the core-elements is showing an overview of Nexus-Artifacts/Repositories.
When I request the REST-API I'm getting following error back:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:9090' is therefore not allowed access.
To fix this error, I need to modify the response headers to enable CORS.
It would be great if anyone is familiar with that type of problem and could give me an answer!
The CORS headers are present in the response of the system you are trying to invoke. (Those are checked on the client side [aka browser this case], you can implement a call on your backend to have those calls and there you can ignore those headers, but that could become quite hard to maintain.) To change those you'll need a proxy. So your application will not call the url directly like
fetch("http://localhost:9090/api/sometest")
There are at least two ways: one to add a proxy directly before the sonar server and modify the headers for everyone. I do not really recommend this because of security reasons. :)
The other more maintaneable solution is to go through the local domain of the monitoring web app as follows:
fetch("/proxy/nexus/api/sometest")
To achieve this you need to setup a proxy where your application is running. This could map the different services which you depend on, and modify the headers if necessary.
I do not know which application http server are you going to use, but here are some proxy configuration documentations on the topic:
For Apache HTTPD mod_proxy you could use a configuration similar to this:
ProxyPass "/proxy/nexus/" "http://localhost:9090/"
ProxyPassReverse "/proxy/nexus/" "http://localhost:9090/"
It is maybe necessary to use the cookies as well so you may need to take a look at the following configurations:
ProxyPassReverseCookiePath
ProxyPassReverseCookieDomain
For Nginx location you could employ something as follows
location /proxy/nexus/ {
proxy_pass http://localhost:9090/;
}
For node.js see documentation: https://github.com/nodejitsu/node-http-proxy
module.exports = (req, res, next) => {
proxy.web(req, res, {
target: 'http://localhost:4003/',
buffer: streamify(req.rawBody)
}, next);
};
I wish to change my URL of proxy service due enhanced application.
Previously my URL like differet than ESB default endpoint.
Now proxy providing this URL.
http://soccerhome:8280/services/Customer_Proxy
Where as my existing applications are running on some other endpoint's
like
http://soccerhome:8280/Customer_Proxy
So they can't able to change there endpoint how would i remove the service part in above URL any way to do that.
Thanks in advance.
Just provide a Service URL in your_proxy.
<parameter name="ServiceURI">Customer_Proxy</parameter>
Then You will get Your desire URL.
Change parameter servicePath in repository/conf/axis2/axis2.xml
Edit the repository/conf/axis2/axis2.xml in dispatcher phase :
<phase name="Dispatch" class="org.apache.axis2.engine.DispatchPhase">
to add the following handle.
<handler name="CustomURIBasedDispatcher"
class="org.apache.synapse.core.axis2.CustomURIBasedDispatcher"/>
Now if you go ahead to edit the proxy service, you can add a service parameter as,
serviceURI = Customer_Proxy
This will provide your desired URL.
you should change axis2.xml file in repository/conf/axis2/axis2.xml or create your service in proxy url
<parameter name="URL OF Service">CustomProxy</parameter>
I would like to write a generic server that could spawn many HTTP/HTTPS requests through a proxy, in a manner: every HTTP request through different proxy. How can I do it ? It seems that it is possible to tunnel all traffic through some one, specific proxy, but I would like to change proxy on every request (ex. reading from file containing lines like "109.121.144.17:8008").
Does anybody know how to do it ? I tried standard httpc module but I cannot find info how to use it in the way I would like to.
Have you considered using ibrowse? You can specify the proxy settings on each request like:
7> ibrowse:send_req("http://www.google.com/", [], get, [],
[{proxy_user, "XXXXX"},
{proxy_password, "XXXXX"},
{proxy_host, "proxy"},
{proxy_port, 8080}], 1000).
using Dojo, is it possible to make an Ajax call using xhrPost from an HTTP view to a HTTPS url ?
The url must be HTTPS (as defined in Struts).
If I simply set "MyCommand" as the 'url' parameter of the xhrGet, I get a 302 error code.
If I transform "MyCommand" using javascript to something like "https://......./servlet/MyCommand" I see the following error in Firebug : "uncaught exception: Permission denied to call method XMLHttpRequest.open".
I'm stuck using both approaches, the only solution I found is to remove the "https" clause in the struts configuration file, and of course this is not a correct solution :)
Thanks for any help.
Best regards,
Nils
connection to https from http involves a different port of the target. This violates the same-origin policy which should be enforced by the browser to the running javascript code.
It should work with an iframe..
dojo.io.iframe encapsulates this behaviour for you
http://docs.dojocampus.org/dojo/io/iframe
If your server responds with a redirect to a non-ssl (correctly to same-origin) page you should be able to read the response (because the iframe is now in the same-origin).