Implement a Silverlight proxy client? - proxy

Is it possible in Silverlight to create a proxy client, meaning the Silverlight application knows the host, port, username and password of the proxy server, then establishes a connection to the proxy server?
The Silverlight application would then be able to issues HTTP requests to resources behind that proxy server.
This way, the Silverlight application would reach certain resources without having to install a thirdparty proxy client on the client-machine first, because the proxy client would be part of the Silverlight application itself.

I use the WebClient to issue HTTP requests from Silverlight.
WebClient has a Proxy property, but not in Silverlight.
So I made a webservice, that takes an url and some proxy-server information. The webservice uses the WebClient and the Proxy property to direct the HTTP request to the proxy-server.
Then the Silverlight application calls that webservice, gives it an url and some proxy-server information.

Related

WebAPI on same server, can it be accessed over http instead of https even though SSL applied on it?

I have WebAPP and WEBAPI on same server. I have applied SSL certificate on both the sites under same server (both are separate applications under common IIS default website).
Now my point, Can I access same WEBAPI over http instead of https form 3rd intranet application on same server and which is not a secure application?
My intention to not hamper performance for 3rd site which is not secured and on the same server.
Actually It depends on your configuration.
Generally, when you apply SSL on web server your app can now be accessed over http and https both connections.
But, if you have configured it to redirect http version to https using CSP or server end configuration, then you can access http version as all requests will get automatically redirected to https version.
You should read IIS related materials to learn what is site binding. A web site can of course contain multiple bindings, both HTTP and HTTPS, so that clients (like web browsers) can access using both http:// and https://.
https://blogs.technet.microsoft.com/chrad/2010/01/24/understanding-iis-bindings-websites-virtual-directories-and-lastly-application-pools/

Access restriction of WEB API service call based on request

When we access the WEB API service methods from a web application through Ajax calls, will there be any access restrictions for the following scenarios
“HTTPS” Web application accessing an “HTTP” WEB-API
“HTTP” Web application accessing an “HTTPS” WEB-API
Will there be any impact on request application or context, either it Http or Https the web API will behave same.
Please advice.
When you trying to access the "HTTP" Api or any service from the HTTPS or SSL enabled client, then the security itself is compromised.
SSL certificate is enable to maintain the higher level of security, in any HTTPS enabled client, when you access the Non SSL or HTTP ApI then you have to specify the Transport layer explicitly to allow the process of data [example IOS client - Application Transport]
Even if you have requirement to access the HTTP API, please go through this reference.
Make Https call using HttpClient

Web is external and client side application, how to make ajax call to reach internal App Server

We have this architecture:
Web Server: Web Application is deployed (html, javascript, css)
Application Server: WebApi is deployed
Problem is , I cannot make ajax request to reach Application Server because its behind firewall.
The Web Application is supposed to be used publicly to the internet users.
What changes should we do to make it work?
Should we move our Web Application to Application Server? But how would this be accessible on internet.
Thanks in advance for suggestions/advice.
You're going to have to put an exception in the firewall for the address of your web server... that way your web server can access the API but nothing else can (well, not quite nothing else - other stuff on that web server can but that can easily be solved by having your web app hosted on it's own/dedicated web server).
If your Web Application makes direct calls to the Web API endpoint (e.g. is a single page application that use a client-side javascript framework like AngularJS and/or it uses AJAX calls to your application server address), there is no way for your clients to access your API if you do not allow public access to your application server.
That's because your client resides inside your users web browsers.
You have to allow incoming connections to your Application Server through internet in your firewall.
Well, it all depends on how you look at things and how distributed your application should be (criteria like load, security).
In general, Web API might be just one more client (from your applications server perspective).
On the other hand, in robust/distributed system, you would have Web API only as an endpoint (controllers, mappers and things like that) that your mobile/ajax clients send requests to and then Web API communicates to Application server (where your business logic is).
Having Web API communicate to DB directly is not a good idea because as you add clients to application server (mvc, web api, services, etc...) then you have as many db access points as you have clients. So, its a code maintenance problem plus a problem of your view tier being aware of DB.
Ideally, you need Application server as a tier where all your business logic is and its the one that all your clients target (mvc web app, web api, desktop, services, etc...) and that is the one that should communicate to your DAL. Also, then you can set firewall rules on your application server to allow incoming traffic from trusted sources (your other servers) instead from the whole internet (ajax).

Web API 2 call from Proxy Server

I have java scripts web application calling my ASP.NET web API 2 Service under same web site in my AppServer. The application is working fine.
I setup Proxy Server and URL Rewrite to my Application Server. Everything is working fine with Http but can't call web api from JavaScript with Https
I put CROS and add the Proxy Server but still doesn't work.
But I can directly call web api with https
Kindly Advice!
Regards,
Si Thu
Finally, I found out that it is because of Mixed Content Issue between proxy server and application server. App Server also need to be HTTPS
Issue is solved by adding certificate in App Server.

Providing internet access to my self hosted web api on an internal network. A security threat?

Firstly, I'm relatively new to Web API / CORS and security implementation.
This question is specifically with regards to security. The Web API houses extremely sensitive data and provides clients with the ability to execute transactions online.
The context :
I have a Web API self hosted as a windows service with a fixed port.
The Web API is sitting behind a firewall / DMZ on an internal network.
The Web API (using CORS) only allows traffic from the external server.
The external server hosts our web site using IIS.
The Web API is making use of Token authentication (bound to client IP to avoid hi-jacking).
Both the external website and internal Web API force the use of SSL.
The problem :
The web page makes ajax calls via javascript to the Web API. However, the Web API is not directly exposed to the internet.
What would the security impact be on having the below setup?
What sort of vulnerabilities would I be exposing my network too by doing so.
Is there a better way of implementing such a setup!?
Eg
User enters https://test.mydomain.com into the browser and is served a page.
ajax call gets made to https://test.mydomain.com/api/test/action
external server routes https://test.mydomain.com/api messages to internal server https://myInternalWebAPI/api/test/action which is not exposed to the public.
So this requires a little bit of leg work, but it's implemented into a production environment so I thought I'd share the solution.
I created a WCF service and a WebAPI.
The primary WCF Service resides on the internal network and contains all the business logic, database connectivity.
The proxy WebAPI mimics the WCF service structure and is exposed to the public.
The proxy WebAPI is called from the client (javascript), the proxy WebAPI then calls the internal server hosting the WCF service and voila, victory.

Resources