Shibboleth - Service Provider protect resource on different server

I have two servers - Server A and Server B, each with their own public IP address.
Server A hosts my production web application:
http://client1.mydomain.com
http://client2.mydomain.com
http://client3.mydomain.com
Server B hosts my Shibboleth Service Provider instance:
http://sso.mydomain.com
I have successfully configured Shibboleth to protect a resource on Server B, but I'm wondering, is it possible to have it protect resources on Server A? (i.e. have the Shibboleth service step in front of any requests going to client2.mydomain.com)
Here's an excerpt from my shibboleth2.xml file:
This line works for Server B:
<Host name="sso.mydomain.com">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
This line does NOT work:
<Host name="client2.mydomain.com" applicationId="admin" authType="shibboleth" requireSession="true"/>
Am I doing it wrong? Is it even possible? If it's not possible, do I need to also set up a Shibboleth configuration in my staging and qa environments? That seems excessive.

See the Shibboleth docs: NativeSPOneMany - https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPOneMany
This directly addresses your question.
It's possible, but Server B has to act as a proxy for Server A, and no secured application traffic can flow directly from the client to Server A.
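What that proxy arrangement looks like on Server B, as an added example that is not part of the question, the answer or the Shibboleth wiki page. It assumes the SP on Server B is the Apache one (mod_shib, with mod_proxy and mod_headers loaded), that DNS for client2.mydomain.com now points at Server B, that Server A is reachable from B at the placeholder address 10.0.0.20 and accepts connections from B only, and that the eppn and mail attributes are mapped in attribute-map.xml.

```apache
# Added example (not the question's config, the answer's, or the wiki's).
# Server B terminates the Shibboleth session for client2.mydomain.com and
# proxies the authenticated request to Server A (placeholder 10.0.0.20).
<VirtualHost *:443>
    ServerName client2.mydomain.com
    SSLEngine on
    # Placeholder certificate paths.
    SSLCertificateFile    /etc/ssl/certs/client2.mydomain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/client2.mydomain.com.key

    # Everything under / needs a Shibboleth session before it is proxied.
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting applicationId admin
        Require shib-session

        # Hand the verified identity to Server A as request headers.
        # "set" replaces any copy of these headers the client itself sent,
        # so A only ever sees values mod_shib exported. This is only safe
        # because A refuses traffic that does not come from B.
        RequestHeader set X-Remote-User "%{eppn}e"
        RequestHeader set X-Shib-Mail   "%{mail}e"
    </Location>

    # The SP's own handler must stay reachable without a session and must
    # not be forwarded to Server A (the "!" exclusion has to come first).
    <Location /Shibboleth.sso>
        AuthType None
        Require all granted
    </Location>
    ProxyPass /Shibboleth.sso !

    # Forward everything else to Server A, keeping the public Host header
    # so A still believes it is serving client2.mydomain.com.
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.20/
    ProxyPassReverse / http://10.0.0.20/
</VirtualHost>
```

The same vhost block, with its own ServerName and backend address, is repeated for client1 and client3; what keeps the scheme honest is the firewall on Server A, which must drop anything that did not arrive from Server B.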

Related

IIS hosted Web Application cannot be accessed through the Internet

I have hosted a Flask web application on Windows Server on AWS. I have done the following:
hosted it on IIS and added new bindings (port 8090) to the web site
created an inbound rule for the port (8090) given in the bindings
And it works fine on the server, but when I'm trying to access it in my PC's web browser it says
it cannot be reached / took too long to respond
What else do I need to do?
In your VM, different providers have their own security policies. For AWS, even if you have set an inbound port rule, it will not work. You also need to set inbound rules in their portal.
👉(1) Open Windows Firewall and create an Inbound Port Rule.
👉(2) Directly in the Amazon Web Services console, specifically in Security Groups / Inbound.

How to add url prefix for server api with traefik?

I'm using traefik v2 as a gateway. I have a frontend container running with host https://some.site.com which is powered by traefik.
Now I have a micro-service server with multiple services, all of them listening on port 80. I want to serve the backend services on the paths https://some.site.com/api/service1, https://some.site.com/api/service2 ...
I have tried traefik.http.routers.service1.rule=Host(`some.site.com`) && PathPrefix(`/api/service1`) but it did not work, and traefik.http.middlewares.add-api.addprefix.prefix=/api/service1 did not work either;
How can I implement this?
Can you post your services' docker-compose configuration?
If you use middlewares, you may need to specify the service, like:
traefik.http.routers.service1.middlewares=add-api
traefik.http.middlewares.add-api.addprefix.prefix=/api/service1

Using Squid to forward traffic to specific IP address

I have an issue I can't seem to figure out how to solve. I am thinking of using Squid for this but I'm not 100% sure how to configure it. A developer is writing a script that will request an XML file from a secure web server.
The script will live in a cloud-based application and will send the request for this XML file to the web server; the script will then translate the XML file content into readable data using API calls, to be presented to the user in the application.
The problem is the following:
The application server (A) is load balanced and its IP address may not always be the same. We do not own this app server; we only have access to APIs.
The web server (B) that owns the XML is behind a firewall, and it has to specify the incoming IP addresses allowed to access this content.
I am thinking I would have to configure a reverse proxy on Squid that will receive the script's request from any IP address (preferably from the application servers only) and would have to forward the exact request to the IP address of the web server that owns the XML file.
This means that I would have to specify the IP address of the proxy server rather than the web server in the script, and somehow let the proxy server know it needs to forward it to the web server.
I'm not sure how to do this securely, since in this scenario ANY external IP address reaching the proxy server will be forwarded on.
(A) App server ======> Squid Proxy =======> (B) Webserver
I hope this makes sense; thank you so much in advance for your help.

No 'Access-Control-Allow-Origin' issue, despite all resources being on the same domain

I am writing a JavaScript/strophe.js XMPP client, and have so far been using it to connect to an XMPP server hosted at hosted.im, via a public BOSH service (http://bosh.metajack.im:5280/xmpp-httpbind). The HTML/JavaScript is also hosted online, at testserver.host56.com (not the real URL).
Now, I decided to host the XMPP server on the Amazon web cloud, and use my own BOSH service, hosted on this server as well.
Now, my EC2 instance is at myAWSDNS.us-west-2.compute.amazonaws.com (also not the real URL).
I also have a BOSH service up and running, at myAWSDNS.us-west-2.compute.amazonaws.com:7070.
Finally, I have also allowed traffic to this EC2 instance through both the instance's firewall and the AWS Security Group policy.
However, when trying to connect to this instance's XMPP server (Openfire) using my JS/strophe.js client, I get the following message in the Chrome JavaScript console:
XMLHttpRequest cannot load http://myAWSDNS.us-west-2.compute.amazonaws.com:7070/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://myAWSDNS.us-west-2.compute.amazonaws.com' is therefore not allowed access
Why am I getting this issue, if the origin is on the same domain as the requested resource?
The EC2 instance is running Windows Server 2012.
This is the code I use to log in:
var conn = new Strophe.Connection("http://myAWSDNS.us-west-2.compute.amazonaws.com:7070/");
conn.connect("chris@myAWSDNS.us-west-2.compute.amazonaws.com", "myPassword", somecallback);
Thanks,
best regards,
Chris
As previously mentioned, even if you're on the same domain, the ports must also match otherwise CORS is required.
You may not be using the correct URL for your connection manager; all of the ones I've seen use an address ending in /http-bind/ or similar.
Have you tried connecting with Strophe.Connection("http://myAWSDNS.us-west-2.compute.amazonaws.com:7070/http-bind/");?
Also, you can test for the presence of the crossdomain.xml file by simply visiting http://myAWSDNS.us-west-2.compute.amazonaws.com:7070/crossdomain.xml to ensure that CORS has been successfully enabled.
The browser will not allow it since the ports are different. I don't know what you have at AWS, but you can proxy the request in both directions, like:
http://myAWSDNS.us-west-2.compute.amazonaws.com/http-bind/ <---------> http://myAWSDNS.us-west-2.compute.amazonaws.com:7070/
See item no. 5, Connecting with Strophe.js, of the tutorial for the Apache use case.
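The proxy arrangement the answer describes, as an added example that is not from the answer or the tutorial it refers to. It assumes Apache (with mod_proxy and mod_proxy_http loaded) serves the page on port 80 of the EC2 host and that the BOSH listener answers on 127.0.0.1:7070/http-bind/.

```apache
# Added example, not the tutorial's config. The page and the BOSH endpoint
# share one origin (same host, same port 80), so the browser never makes a
# cross-origin request and no Access-Control-Allow-Origin header is needed.
<VirtualHost *:80>
    ServerName myAWSDNS.us-west-2.compute.amazonaws.com
    DocumentRoot /var/www/html

    # Forward only the BOSH path to the local listener on 7070.
    ProxyPass        /http-bind/ http://127.0.0.1:7070/http-bind/
    ProxyPassReverse /http-bind/ http://127.0.0.1:7070/http-bind/
    # BOSH long-polls hold the request open; don't cut them off early.
    ProxyTimeout 90

    # With this in place the client connects to
    #   http://myAWSDNS.us-west-2.compute.amazonaws.com/http-bind/
    # and port 7070 can be removed from the Security Group entirely,
    # leaving only 80 reachable from the Internet.
</VirtualHost>
```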

Ban IP to deny access to an app

I have an application (.war) deployed in a WebSphere Application Server v8. This app is a web application which is accessed by browser.
Now I have an IP address that I want to ban, but I can't find the option in the Administrative Console. Where should I ban this IP to avoid access to this specific application?
In WebSphere you have 2 options (depending on whether you access the app server directly or through an HTTP server):
1 Directly via the WebSphere admin console.
Go to:
Application servers > server1 > Web container transport chains > WCInboundDefault > TCP inbound channel (TCP_2)
In the Address exclude list, enter the client addresses you want to block
restart the server
2 Use IBM HTTP Server (based on Apache) and the WebSphere Plugin, which is available with WebSphere, and define a deny list using standard httpd.conf configuration.
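What option 2 looks like in httpd.conf, as an added example that is not from the answer. It assumes IBM HTTP Server 8.x (Apache 2.2-based) in front of WebSphere through the plug-in, an application context root of /myapp, and the placeholder client address 203.0.113.45.

```apache
# Added example, not the answer's config. Access control runs in IHS before
# the WebSphere plug-in hands the request to the application server, so the
# banned address never reaches the .war at all.
<Location /myapp>
    Order allow,deny
    Allow from all
    Deny from 203.0.113.45
    # A whole range can be excluded the same way: Deny from 203.0.113.0/24
</Location>

# Equivalent for IHS 9 (Apache 2.4-based), where the 2.2 directives are gone:
# <Location /myapp>
#     <RequireAll>
#         Require all granted
#         Require not ip 203.0.113.45
#     </RequireAll>
# </Location>
#
# Two things to check before relying on this: if a load balancer sits in
# front of IHS, the address IHS sees is the balancer's, so the rule must use
# the real client address (e.g. from X-Forwarded-For via a trusted proxy
# setup) rather than this one; and if clients can reach the WebSphere HTTP
# transport directly, the deny list is bypassed, which is why the answer's
# option 1 (the transport chain's Address exclude list) exists.
```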
Probably an IP filter isn't implemented by default in your application server, but it's easy enough to include an IP filter implemented as a servlet filter.
There's a nice intro to what filters can do on the Oracle site and plenty of ready-made IP filters all over the web, like here or here. As you can see, the code needed is pretty simple, and as servlet filters are part of the EE spec, the result is portable between app servers as well.
