I am looking for routing requests based on HTTP content. I would like to know if there are load balancers that would allow routing of traffic based on POST body.
Related
I have a load balancer setup with two clusters, each with a few balancer members. What I need to do is send traffic from a web browser (or GET requests) to one cluster and traffic from anything else (like api calls, so python, postman, etc, or POST requests) to another cluster. The urls used for both requests are the same.
I also may be making this more complicated than it needs to be. I have one load balancer that sends the traffic to another load balancer that strips ssl for tcpdumps, and the 2nd load balancer sends the request on to the app. The problem with this is when viewed in a browser all of the links on the page are converted to http links when I need them to stay as https links.
What I would like is to have some way to determine which type of traffic (via browser or method) at load balancer one and if it's a browser or a GET send it to the app cluster, otherwise send it to the cluster of the second load balancer for capture (and then on to the app) OR have all links from the 2nd load balancer returned as https.
I was going through official documentation to enforce HTTPS in ASP.NET Core. There I found a warning -
Do not use RequireHttpsAttribute on Web APIs that receive sensitive
information. RequireHttpsAttribute uses HTTP status codes to redirect
browsers from HTTP to HTTPS. API clients may not understand or obey
redirects from HTTP to HTTPS. Such clients may send information over
HTTP. Web APIs should either:
Not listen on HTTP.
Close the connection with status code 400 (Bad Request) and not serve the request.
What I know about [RequireHttps] attribute is It set 302 Found code and a redirect url. something like this -
GET http://api.example.com/values
302 Found
Location: https://api.example.com/values
On the other hand, official documentation recommends to use -
HTTPS Redirection Middleware (UseHttpsRedirection) to redirect HTTP
requests to HTTPS.
Uses the default HttpsRedirectionOptions.RedirectStatusCode (Status307TemporaryRedirect).
What I understood from this, it also redirects HTTP to HTTPS, with different status code 307.
To me they are doing similar thing. I don't clearly understand what benefit I am getting using HTTPS Redirection Middleware (UseHttpsRedirection) over RequireHttps Attribute. What I am missing here ?
I was going through official documentation to enforce HTTPS in ASP.NET Core.
What I know about [RequireHttps] attribute is It set 302 Found code and a redirect url.
On the other hand, official documentation recommends to use HTTPS Redirection Middleware (UseHttpsRedirection)
To me they are doing similar thing.
I suppose that the information you mentioned is from this official doc about "Enforce HTTPS in ASP.NET Core".
As we know, for Web APIs scenario, API client (consumer/caller App) could be not browser client, which would not understand or obey redirection from HTTP to HTTPS via HTTP status codes. We should avoid our API endpoint response client with redirection status codes, so as warning part suggested "Do not use RequireHttpsAttribute on Web APIs that receive sensitive information".
And in warning part it also shows two approaches to reject insecure HTTP requests for Web APIs: 1) not expose HTTP endpoints; 2) return an error code. In my view, talking about "reject insecure HTTP requests for Web APIs scenario" is over here.
Besides, we should note that topic of this doc is about redirecting HTTP requests to HTTPS in ASP.NET Core, RequireHttpsAttribute could be applied to specific controller/action(s), to enforce HTTPS for entire ASP.NET Core web apps, using HTTPS Redirection Middleware is recommended (not mean that we should use this Middleware to reject insecure HTTP requests for Web APIs).
I have setup load balancing server with Application request routing on IIS, it's working fine but I am facing issue with https requests, they are being redirect(301) and in post call it's losing the post data.
I have disabled SSL offloading but still the https post requests are failing and taking me to login page due to post data not being forwarded to ARR or something.
Thanks
for now, I have added * binding and that seems to be working, not sure why it doesn't work when I specify the domain name in binding. but it's sorted by problem so good for now, but will be better to know how it will work with domain name in the binding.
I have a beanstalk reflected in my API gateway with passthrough, where my client sends a direct multipart/form-data request to beanstalk. The image sends correctly and I can open it normally, but when I make the request from the API Gateway, I can't open the image. Looks like the API Gateway encode messes up the image content when performing the passthrough to beanstalk.
How I can set the Api Gateway encode or make a pure passthrough?
I need to add all traffic generated by google analytics to a "free of charge" traffic whitelist for mobile devices. But that whitelist does not support HTTPS connections.
Do Google Analytics send requests to somewhere, anytime, through SSL/HTTPS?
Is there a way to prevent it from exchange any traffic between the client and the server through SSL? So that no request on the webpage is made on HTTPS?
Thanks
Assuming you are using Analytics.js, the requests should handle both http and https. Looking at the documentation here:
"By default, tracking beacons sent from https pages will be sent using https while beacons sent from http pages will be sent using http. Setting forceSSL to true will force http pages to also send all beacons using https."