Error 496 when client requests service-worker.js (only) on nginx with M-TLS - ssl

I deployed a PWA app with my nginx server and I have no problems connecting with my laptop using Chrome or Safari. I only get an issue when I reconnect with my iPhone, and with one particular file only: sw.js (service worker).
Since it is fundamental for a PWA to get this file downloaded in order to decide whether a new version of the app is available or not, having to clear the cache from Safari on iOS in order to get it done is really annoying.
OK, so let me explain:
The app is hosted on an nginx server with TLS + Mutual TLS.
Each client I'm connecting from has been configured with both the certs and works fine, so I guess this is not a cert problem (neither from the TLS nor from the M-TLS).
If I connect from my laptop with Chrome or Safari, I have no problems at all.
2023/01/16 08:54:18 [debug] 19158#19158: *4 http process request line
2023/01/16 08:54:18 [debug] 19158#19158: *4 http request line: "GET /sw.js HTTP/1.1"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http uri: "/sw.js"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http args: ""
2023/01/16 08:54:18 [debug] 19158#19158: *4 http exten: "js"
2023/01/16 08:54:18 [debug] 19158#19158: *4 posix_memalign: 00005566D933EEA0:4096 #16
2023/01/16 08:54:18 [debug] 19158#19158: *4 http process request header line
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header: "Host: xx.xx.net:4765"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header: "Connection: keep-alive"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header: "Cache-Control: max-age=0"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header: "Accept: */*"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header: "Service-Worker: script"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header: "Sec-Fetch-Site: same-origin"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header: "Sec-Fetch-Mode: same-origin"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header: "Sec-Fetch-Dest: serviceworker"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header: "Referer: https://xx.xx.net:4765/sw.js"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header: "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header: "Accept-Encoding: gzip, deflate, br"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header: "Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header: "If-None-Match: "63c47f4b-2945""
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header: "If-Modified-Since: Sun, 15 Jan 2023 22:33:47 GMT"
2023/01/16 08:54:18 [debug] 19158#19158: *4 http header done
If I connect from my iPhone with Safari mobile:
1) when connecting the first time with cleared cache: no issues
23/01/16 09:31:55 [debug] 19156#19156: *42 http process request line
2023/01/16 09:31:55 [debug] 19156#19156: *42 http request line: "GET /sw.js HTTP/1.1"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http uri: "/sw.js"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http args: ""
2023/01/16 09:31:55 [debug] 19156#19156: *42 http exten: "js"
2023/01/16 09:31:55 [debug] 19156#19156: *42 posix_memalign: 00005566D93FF330:4096 #16
2023/01/16 09:31:55 [debug] 19156#19156: *42 http process request header line
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header: "Host: xx.xx.net:4765"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header: "Cache-Control: max-age=0"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header: "Accept-Encoding: gzip, deflate, br"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header: "Connection: keep-alive"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header: "Accept: */*"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header: "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148 Safari/604.1"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header: "Accept-Language: it-IT,it;q=0.9"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header: "Referer: https://xx.xx.net:4765/index.html"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header: "Service-Worker: script"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header done
2023/01/16 09:31:55 [debug] 19156#19156: *42 http filename: "/var/www/html/sw.js"
2023/01/16 09:31:55 [debug] 19156#19156: *42 add cleanup: 00005566D93FF728
2023/01/16 09:31:55 [debug] 19156#19156: *42 http static fd: 23
2023/01/16 09:31:55 [debug] 19156#19156: *42 http set discard body
2023/01/16 09:31:55 [debug] 19156#19156: *42 xslt filter header
2023/01/16 09:31:55 [debug] 19156#19156: *42 **HTTP/1.1 200 OK**
2) when closing the app and then resuming it: I get a 496 on a specific file only: the sw.js (service worker) --> client sent no required SSL certificate while reading client request headers
I can't understand why but it definitely prevents my PWA from being updated.
2023/01/16 09:15:39 [debug] 19156#19156: *38 http request line: "GET /sw.js HTTP/1.1"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http uri: "/sw.js"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http args: ""
2023/01/16 09:15:39 [debug] 19156#19156: *38 http exten: "js"
2023/01/16 09:15:39 [debug] 19156#19156: *38 posix_memalign: 00005566D94111B0:4096 #16
2023/01/16 09:15:39 [debug] 19156#19156: *38 http process request header line
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header: "Host: xx.xx.net:4765"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header: "Origin: https://xx.xx.net:4765"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header: "Accept-Encoding: gzip, deflate, br"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header: "Connection: keep-alive"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header: "Accept: */*"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header: "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148 Safari/604.1"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header: "Accept-Language: it-IT,it;q=0.9"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header: "Referer: "
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header: "Service-Worker: script"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header done
2023/01/16 09:15:39 [info] 19156#19156: *38 **client sent no required SSL certificate while reading client request headers, client: 76.87.343.434, server: xx.xx.net, request: "GET /sw.js HTTP/1.1", host: "xx.xx.net:4765", referrer: ""**
2023/01/16 09:15:39 [debug] 19156#19156: *38 http finalize request: 496, "/sw.js?" a:1, c:1
2023/01/16 09:15:39 [debug] 19156#19156: *38 event timer del: 20: 202080132
2023/01/16 09:15:39 [debug] 19156#19156: *38 http special response: 496, "/sw.js?"
2023/01/16 09:15:39 [debug] 19156#19156: *38 internal redirect: "/custom_404.html?"
Here are my config files:
nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
    # multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    server_tokens off;
    client_body_buffer_size 1k;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log debug;
    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
site-available file:
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server {
    listen 80;
    return 301 https://xx.xx.net:port$request_uri;
}
server {
    listen 4765 ssl;
    server_name xx.xx.net;
    # SSL
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # TLS
    ssl_certificate /etc/ssh/TLS/cert.crt;
    ssl_certificate_key /etc/ssh/TLS/key.key;
    # M-TLS
    ssl_client_certificate /etc/ssh/mutual-tls.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;
    # ERRORS
    error_page 400 404 495 496 497 /custom_404.html;
    location = /custom_404.html {
        root /usr/share/nginx/html;
        internal;
    }
    location / {
        # Simple requests
        if ($request_method ~* "(GET|POST)") {
            add_header "Access-Control-Allow-Origin" '*';
            add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
        }
        # Preflighted requests
        if ($request_method = OPTIONS ) {
            add_header "Access-Control-Allow-Origin" '*';
            add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD";
            add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
        }
    }
    location ~* \.(html|css|js)$ {
        expires -1;
    }
}
Strange thing: if I request the sw.js from my browser (typing https://xx.xx.net:sslport/sw.js), I get the file with no errors.
Do you have any idea what's going on here? Maybe it is a header/response-header issue?
Update:
I've successfully tried to send the request via Postman: here is the result.
Again: it only happens with iOS; I really don't know how to solve it.
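
An added example, not part of the original post: a small parser for nginx `error_log ... debug` output that groups lines by connection id (`*38`, `*42`), records which requests nginx rejected with 496 (its status for a missing client certificate), and compares their header names with those of accepted requests for the same request line. The sample log is constructed in the shape of the lines quoted above; the host name and client address are placeholders, and the function names are this example's own.

```python
import re

# Constructed sample, shaped like the nginx debug lines quoted in the question.
# Host name and client address are placeholders (203.0.113.7 is a documentation address).
SAMPLE_LOG = """\
2023/01/16 09:15:39 [debug] 19156#19156: *38 http request line: "GET /sw.js HTTP/1.1"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header: "Host: pwa.example.test:4765"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header: "Origin: https://pwa.example.test:4765"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header: "Connection: keep-alive"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header: "Referer: "
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header: "Service-Worker: script"
2023/01/16 09:15:39 [debug] 19156#19156: *38 http header done
2023/01/16 09:15:39 [info] 19156#19156: *38 client sent no required SSL certificate while reading client request headers, client: 203.0.113.7, server: pwa.example.test, request: "GET /sw.js HTTP/1.1", host: "pwa.example.test:4765", referrer: ""
2023/01/16 09:15:39 [debug] 19156#19156: *38 http special response: 496, "/sw.js?"
2023/01/16 09:15:39 [debug] 19156#19156: *38 internal redirect: "/custom_404.html?"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http request line: "GET /sw.js HTTP/1.1"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header: "Host: pwa.example.test:4765"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header: "Cache-Control: max-age=0"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header: "Connection: keep-alive"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header: "Referer: https://pwa.example.test:4765/index.html"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header: "Service-Worker: script"
2023/01/16 09:31:55 [debug] 19156#19156: *42 http header done
2023/01/16 09:31:55 [debug] 19156#19156: *42 HTTP/1.1 200 OK
"""

LINE = re.compile(r"^\S+ \S+ \[\w+\] \d+#\d+: \*(\d+) (.*)$")
REQ = re.compile(r'^http request line: "(.*)"$')
HDR = re.compile(r'^http header: "([^:"]+):\s?(.*)"$')
SPECIAL = re.compile(r"^http special response: (\d{3}),")
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3})\b")
NO_CERT = "client sent no required SSL certificate"


def parse_requests(log_text):
    """Return one record per request, in log order, keyed to its connection id."""
    open_by_conn = {}
    requests = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        conn = int(m.group(1))
        msg = m.group(2).strip("*")  # tolerate bold markers pasted around a message
        req = REQ.match(msg)
        if req:
            # A new request line starts a new record (keep-alive reuses the id).
            rec = {"conn": conn, "request": req.group(1), "headers": {},
                   "status": None, "no_client_cert": False}
            open_by_conn[conn] = rec
            requests.append(rec)
            continue
        rec = open_by_conn.get(conn)
        if rec is None:
            continue
        hdr = HDR.match(msg)
        if hdr:
            rec["headers"][hdr.group(1).lower()] = hdr.group(2)
        elif NO_CERT in msg:
            rec["no_client_cert"] = True
        else:
            st = SPECIAL.match(msg) or STATUS.match(msg)
            if st and rec["status"] is None:
                rec["status"] = int(st.group(1))
    return requests


def compare_outcomes(requests, request_line):
    """Compare header names of cert-less (496) requests with accepted ones."""
    same = [r for r in requests if r["request"] == request_line]
    rejected = [r for r in same if r["status"] == 496 or r["no_client_cert"]]
    accepted = [r for r in same
                if r not in rejected and r["status"] is not None and r["status"] < 400]
    rej_names = set().union(*(r["headers"] for r in rejected))
    acc_names = set().union(*(r["headers"] for r in accepted))
    empty = {n for r in rejected for n, v in r["headers"].items() if v == ""}
    return {
        "rejected_conns": [r["conn"] for r in rejected],
        "accepted_conns": [r["conn"] for r in accepted],
        "only_in_rejected": sorted(rej_names - acc_names),
        "only_in_accepted": sorted(acc_names - rej_names),
        "empty_in_rejected": sorted(empty),
    }


if __name__ == "__main__":
    report = compare_outcomes(parse_requests(SAMPLE_LOG), "GET /sw.js HTTP/1.1")
    for key, value in report.items():
        print(f"{key}: {value}")
```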

Related

authenticate against sonatype ossindex with maven plugin

I am using the mvn org.sonatype.ossindex.maven:ossindex-maven-plugin from command line to check the dependencies of a maven project for CVEs. Locally, everything works fine, but in my build pipeline in Azure Devops, I get the following error:
[DEBUG] Connecting to ossindex.sonatype.org/18.118.116.156:443
[DEBUG] Connecting socket to ossindex.sonatype.org/18.118.116.156:443 with timeout 0
[DEBUG] Enabled protocols: [TLSv1.3, TLSv1.2]
[DEBUG] Enabled cipher suites:[TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[DEBUG] Starting handshake
[DEBUG] Secure session established
[DEBUG] negotiated protocol: TLSv1.2
[DEBUG] negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[DEBUG] peer principal: CN=ossindex.sonatype.org
[DEBUG] peer alternative names: [ossindex.sonatype.org]
[DEBUG] issuer principal: CN=Amazon, OU=Server CA 1B, O=Amazon, C=US
[DEBUG] Connection established 172.21.1.242:33030<->18.118.116.156:443
[DEBUG] Executing request POST /api/v3/component-report HTTP/1.1
[DEBUG] Proxy auth state: UNCHALLENGED
[DEBUG] http-outgoing-2 >> POST /api/v3/component-report HTTP/1.1
[DEBUG] http-outgoing-2 >> User-Agent: ossindex-client/1.1.1 (Linux; 5.4.0-124-generic; amd64; 11.0.12) Maven/3.8.1 Maven-Plugin/3.1.0
[DEBUG] http-outgoing-2 >> Authorization: Basic {SOME_BASE_64_THAT_TRANSLATES_TO:AzureDevOps:ey...}
[DEBUG] http-outgoing-2 >> Accept: application/vnd.ossindex.component-report.v1+json
[DEBUG] http-outgoing-2 >> Content-Length: 6737
[DEBUG] http-outgoing-2 >> Content-Type: application/vnd.ossindex.component-report-request.v1+json; charset=UTF-8
[DEBUG] http-outgoing-2 >> Host: ossindex.sonatype.org
[DEBUG] http-outgoing-2 >> Connection: Keep-Alive
[DEBUG] http-outgoing-2 >> Accept-Encoding: gzip,deflate
[DEBUG] http-outgoing-2 >> "POST /api/v3/component-report HTTP/1.1[\r][\n]"
[DEBUG] http-outgoing-2 >> "User-Agent: ossindex-client/1.1.1 (Linux; 5.4.0-124-generic; amd64; 11.0.12) Maven/3.8.1 Maven-Plugin/3.1.0[\r][\n]"
[DEBUG] http-outgoing-2 >> "Authorization: Basic {SOME_OTHER_BASE64_NO_IDEA_WHERE_IT_COMES_FROM=[\r][\n]"
[DEBUG] http-outgoing-2 >> "Accept: application/vnd.ossindex.component-report.v1+json[\r][\n]"
[DEBUG] http-outgoing-2 >> "Content-Length: 6737[\r][\n]"
[DEBUG] http-outgoing-2 >> "Content-Type: application/vnd.ossindex.component-report-request.v1+json; charset=UTF-8[\r][\n]"
[DEBUG] http-outgoing-2 >> "Host: ossindex.sonatype.org[\r][\n]"
[DEBUG] http-outgoing-2 >> "Connection: Keep-Alive[\r][\n]"
[DEBUG] http-outgoing-2 >> "Accept-Encoding: gzip,deflate[\r][\n]"
[DEBUG] http-outgoing-2 >> "[\r][\n]"
[DEBUG] http-outgoing-2 >> "{"coordinates":[ A_LIST_OF_128_COORDINATES]
[DEBUG] http-outgoing-2 << "HTTP/1.1 401 Unauthorized[\r][\n]"
[DEBUG] http-outgoing-2 << "Date: Wed, 07 Dec 2022 13:51:42 GMT[\r][\n]"
[DEBUG] http-outgoing-2 << "Content-Length: 0[\r][\n]"
[DEBUG] http-outgoing-2 << "Connection: keep-alive[\r][\n]"
So I tried setting the clientConfiguration parameter described here.
It has a dead link, but I believe it references this class, which has this class as a member.
mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:3.1.0:audit -f $(Build.SourcesDirectory)/pom.xml -"Dossindex.authId=MY_SERVER" -"Dossindex.clientConfiguration={\"auth\": {\"username\": \"myemail@myorg.com\", \"password\": \"$(OSS_INDEX_API_TOKEN)\"} }"
But it didn't change anything.
Is this how one passes this parameter? Why am I getting a 401 in my build pipeline but everything works locally? I tried reading the docs on what requests are allowed/authorized but found them rather lacking...

Login with Selenium + Chrome driver + Browsermob Proxy only works if I add another proxy -> why?

I have the code below to initialise a setup of Selenium + Chrome driver + Browsermob Proxy to login to a certain website.
If I just use the setup above, the login fails with HTTP 403. However, if I add another proxy (Selenium + Chrome driver + Browsermob Proxy + e.g. Fiddler Everywhere, see lines after "to pass requests from proxy server to Fiddler Everywhere") and force the requests from Browsermob Proxy to be proxied by Fiddler Everywhere, then the login works well.
Can anyone provide me a hint on how to debug and/or clear this problem?
I have investigated the headers between all legs:
"Via: 1.1 browsermobproxy" is being added by Browsermob but I replayed a login request after removing "Via" header from Browsermob, and did not have any effect.
BrowserMob is removing "Connection: keep-alive". Could this be the cause (or hint at the cause)?
I also checked:
The body of the request is not changed across the full chain.
HTTP protocol version does not change across the full chain (HTTP/1.1).
Here is a detailed log of the request without Fiddler:
POST /api/sts/v2/oauth/auth?client_request_id=34634696-b122-40de-b144-ab812a4b3784 HTTP/1.1
Host: www.example.com
Connection: keep-alive
Content-Length: 147
AccountType: Real
X-STS-ClientTime: 2020-08-27T18:10:51
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
X-STS-AppDomain: https://www.example.com
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
X-STS-GatewayAppId: 90631448-9A01-4860-9FA5-B4EBCDE5EA1D
ApplicationIdentifier: Rexample
ApplicationVersion: 268.0.1
X-DEVICE-ID: 77f281a4-7914-4417-b144-4811998c3e5b
Origin: https://www.example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.example.com/login
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: __cfduid=d722b1913f887e5df9b0c740ccef4744a1598548223; exampleLocale=en-gb; TS01047baf=01f1b32d7e1354b9f541c1bab1a81960be72277a638bce5a4865b5b1d5b2e0a9cfddddbcba0d21185b68a7d599391e972d5f065031; __cflb=02DiuEAg8LPSYevHEYiyx9rnANkoz3ETfpNySVtv8fQVr; TMIS2=9a74f2a90237486aab4dcb9d44dec14a0520aaf521b9e87e81f271264e25038c2919d29ee219162aa2ad6bdb68fbe78a86ce282ef510aa77456a3876e4e790d3fdbb0ca31af4d206c67f7b9b5fda93e11b80782ed9095c6a7d8766b4642a69785e7ba9d0a86cd98f3b42c2172a8821bbe6906b6fafc8178f0d742271591193; __cf_bm=50d03de4ce1301af67fa03c59387373fba4d8b3e-1598548241-1800-AZ39AzpjNXxDQ+qFhgfI0OYbMauZ3vXOA1MUejwqJsfE3kOEmEVmKXtsstKg5vZZ5ie/d3yHbgzM8RzzLqqSQEVnd5Vy+l06FUm5Z90kFf54ffUqgq+ywM4EOcGhdP22aetxTezQvFieWgfScPvH0SzqDmFpvrmZJmRuLvnywgcLX14Ys9uA2tMCLWSlDesiQA==; mp_dbbd7bd9566da85f012f7ca5d8c6c944_mixpanel=%7B%22distinct_id%22%3A%20%2217430e66d1679d-015c94d6c30eda-31647304-fa000-17430e66d17591%22%2C%22%24device_id%22%3A%20%2217430e66d1679d-015c94d6c30eda-31647304-fa000-17430e66d17591%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D; _gcl_au=1.1.706805090.1598548242; G_ENABLED_IDPS=google; _uetsid=5c779e7394432399f739848297b9a350; _uetvid=d421e48c4acc1f88b81573014b4fa429; _fbp=fb.1.1598548244752.1489311425; __adal_ses=*; __adal_id=c4b052ee-96b4-4643-b30e-af4af0f7460d.1598548246.1.1598548246.1598548246.2a5a85bd-5415-4275-942c-e02a8048acc2; __adal_ca=so%3Ddirect%26me%3Dnone%26ca%3Ddirect%26co%3D%28not%2520set%29%26ke%3D%28not%2520set%29; __adal_cw=1598548245533; _ga=GA1.2.436171435.1598548249; _gid=GA1.2.1493657885.1598548249; _gat=1; _gat_UA-2056847-65=1
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ClientToProxyConnection.java:183) - (AWAITING_INITIAL) [id: 0x367d8cd0, L:/[0:0:0:0:0:0:0:1]:64108 - R:/[0:0:0:0:0:0:0:1]:64132]: Received raw request: DefaultHttpRequest(decodeResult: success, version: HTTP/1.1)
POST /api/sts/v2/oauth/auth?client_request_id=34634696-b122-40de-b144-ab812a4b3784 HTTP/1.1
Host: www.example.com
Connection: keep-alive
Content-Length: 147
AccountType: Real
X-STS-ClientTime: 2020-08-27T18:10:51
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
X-STS-AppDomain: https://www.example.com
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
X-STS-GatewayAppId: 90631448-9A01-4860-9FA5-B4EBCDE5EA1D
ApplicationIdentifier: Rexample
ApplicationVersion: 268.0.1
X-DEVICE-ID: 77f281a4-7914-4417-b144-4811998c3e5b
Origin: https://www.example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.example.com/login
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: __cfduid=d722b1913f887e5df9b0c740ccef4744a1598548223; exampleLocale=en-gb; TS01047baf=01f1b32d7e1354b9f541c1bab1a81960be72277a638bce5a4865b5b1d5b2e0a9cfddddbcba0d21185b68a7d599391e972d5f065031; __cflb=02DiuEAg8LPSYevHEYiyx9rnANkoz3ETfpNySVtv8fQVr; TMIS2=9a74f2a90237486aab4dcb9d44dec14a0520aaf521b9e87e81f271264e25038c2919d29ee219162aa2ad6bdb68fbe78a86ce282ef510aa77456a3876e4e790d3fdbb0ca31af4d206c67f7b9b5fda93e11b80782ed9095c6a7d8766b4642a69785e7ba9d0a86cd98f3b42c2172a8821bbe6906b6fafc8178f0d742271591193; __cf_bm=50d03de4ce1301af67fa03c59387373fba4d8b3e-1598548241-1800-AZ39AzpjNXxDQ+qFhgfI0OYbMauZ3vXOA1MUejwqJsfE3kOEmEVmKXtsstKg5vZZ5ie/d3yHbgzM8RzzLqqSQEVnd5Vy+l06FUm5Z90kFf54ffUqgq+ywM4EOcGhdP22aetxTezQvFieWgfScPvH0SzqDmFpvrmZJmRuLvnywgcLX14Ys9uA2tMCLWSlDesiQA==; mp_dbbd7bd9566da85f012f7ca5d8c6c944_mixpanel=%7B%22distinct_id%22%3A%20%2217430e66d1679d-015c94d6c30eda-31647304-fa000-17430e66d17591%22%2C%22%24device_id%22%3A%20%2217430e66d1679d-015c94d6c30eda-31647304-fa000-17430e66d17591%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D; _gcl_au=1.1.706805090.1598548242; G_ENABLED_IDPS=google; _uetsid=5c779e7394432399f739848297b9a350; _uetvid=d421e48c4acc1f88b81573014b4fa429; _fbp=fb.1.1598548244752.1489311425; __adal_ses=*; __adal_id=c4b052ee-96b4-4643-b30e-af4af0f7460d.1598548246.1.1598548246.1598548246.2a5a85bd-5415-4275-942c-e02a8048acc2; __adal_ca=so%3Ddirect%26me%3Dnone%26ca%3Ddirect%26co%3D%28not%2520set%29%26ke%3D%28not%2520set%29; __adal_cw=1598548245533; _ga=GA1.2.436171435.1598548249; _gid=GA1.2.1493657885.1598548249; _gat=1; _gat_UA-2056847-65=1
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ClientToProxyConnection.java:269) - (AWAITING_INITIAL) [id: 0x367d8cd0, L:/[0:0:0:0:0:0:0:1]:64108 - R:/[0:0:0:0:0:0:0:1]:64132]: Ensuring that hostAndPort are available in /api/sts/v2/oauth/auth?client_request_id=34634696-b122-40de-b144-ab812a4b3784
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ClientToProxyConnection.java:281) - (AWAITING_INITIAL) [id: 0x367d8cd0, L:/[0:0:0:0:0:0:0:1]:64108 - R:/[0:0:0:0:0:0:0:1]:64132]: Finding ProxyToServerConnection for: www.example.com
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ClientToProxyConnection.java:331) - (AWAITING_INITIAL) [id: 0x367d8cd0, L:/[0:0:0:0:0:0:0:1]:64108 - R:/[0:0:0:0:0:0:0:1]:64132]: Reusing existing server connection: org.littleshoot.proxy.impl.ProxyToServerConnection@7c392fd2
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ClientToProxyConnection.java:1084) - (AWAITING_INITIAL) [id: 0x367d8cd0, L:/[0:0:0:0:0:0:0:1]:64108 - R:/[0:0:0:0:0:0:0:1]:64132]: Modifying request for proxy chaining
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ClientToProxyConnection.java:1088) - (AWAITING_INITIAL) [id: 0x367d8cd0, L:/[0:0:0:0:0:0:0:1]:64108 - R:/[0:0:0:0:0:0:0:1]:64132]: Stripped host from uri: /api/sts/v2/oauth/auth?client_request_id=34634696-b122-40de-b144-ab812a4b3784 yielding: /api/sts/v2/oauth/auth?client_request_id=34634696-b122-40de-b144-ab812a4b3784
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ClientToProxyConnection.java:1093) - (AWAITING_INITIAL) [id: 0x367d8cd0, L:/[0:0:0:0:0:0:0:1]:64108 - R:/[0:0:0:0:0:0:0:1]:64132]: Modifying request headers for proxying
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ClientToProxyConnection.java:350) - (AWAITING_INITIAL) [id: 0x367d8cd0, L:/[0:0:0:0:0:0:0:1]:64108 - R:/[0:0:0:0:0:0:0:1]:64132]: Writing request to ProxyToServerConnection
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ProxyToServerConnection.java:316) - (AWAITING_INITIAL) [id: 0xba528f83, L:/172.20.10.2:64134 - R:www.example.com/104.18.19.67:443]: Requested write of DefaultHttpRequest(decodeResult: success, version: HTTP/1.1)
POST /api/sts/v2/oauth/auth?client_request_id=34634696-b122-40de-b144-ab812a4b3784 HTTP/1.1
Host: www.example.com
Content-Length: 147
AccountType: Real
X-STS-ClientTime: 2020-08-27T18:10:51
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
X-STS-AppDomain: https://www.example.com
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
X-STS-GatewayAppId: 90631448-9A01-4860-9FA5-B4EBCDE5EA1D
ApplicationIdentifier: Rexample
ApplicationVersion: 268.0.1
X-DEVICE-ID: 77f281a4-7914-4417-b144-4811998c3e5b
Origin: https://www.example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.example.com/login
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: __cfduid=d722b1913f887e5df9b0c740ccef4744a1598548223; exampleLocale=en-gb; TS01047baf=01f1b32d7e1354b9f541c1bab1a81960be72277a638bce5a4865b5b1d5b2e0a9cfddddbcba0d21185b68a7d599391e972d5f065031; __cflb=02DiuEAg8LPSYevHEYiyx9rnANkoz3ETfpNySVtv8fQVr; TMIS2=9a74f2a90237486aab4dcb9d44dec14a0520aaf521b9e87e81f271264e25038c2919d29ee219162aa2ad6bdb68fbe78a86ce282ef510aa77456a3876e4e790d3fdbb0ca31af4d206c67f7b9b5fda93e11b80782ed9095c6a7d8766b4642a69785e7ba9d0a86cd98f3b42c2172a8821bbe6906b6fafc8178f0d742271591193; __cf_bm=50d03de4ce1301af67fa03c59387373fba4d8b3e-1598548241-1800-AZ39AzpjNXxDQ+qFhgfI0OYbMauZ3vXOA1MUejwqJsfE3kOEmEVmKXtsstKg5vZZ5ie/d3yHbgzM8RzzLqqSQEVnd5Vy+l06FUm5Z90kFf54ffUqgq+ywM4EOcGhdP22aetxTezQvFieWgfScPvH0SzqDmFpvrmZJmRuLvnywgcLX14Ys9uA2tMCLWSlDesiQA==; mp_dbbd7bd9566da85f012f7ca5d8c6c944_mixpanel=%7B%22distinct_id%22%3A%20%2217430e66d1679d-015c94d6c30eda-31647304-fa000-17430e66d17591%22%2C%22%24device_id%22%3A%20%2217430e66d1679d-015c94d6c30eda-31647304-fa000-17430e66d17591%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D; _gcl_au=1.1.706805090.1598548242; G_ENABLED_IDPS=google; _uetsid=5c779e7394432399f739848297b9a350; _uetvid=d421e48c4acc1f88b81573014b4fa429; _fbp=fb.1.1598548244752.1489311425; __adal_ses=*; __adal_id=c4b052ee-96b4-4643-b30e-af4af0f7460d.1598548246.1.1598548246.1598548246.2a5a85bd-5415-4275-942c-e02a8048acc2; __adal_ca=so%3Ddirect%26me%3Dnone%26ca%3Ddirect%26co%3D%28not%2520set%29%26ke%3D%28not%2520set%29; __adal_cw=1598548245533; _ga=GA1.2.436171435.1598548249; _gid=GA1.2.1493657885.1598548249; _gat=1; _gat_UA-2056847-65=1
Accept-Encoding: gzip, deflate, br
Via: 1.1 browsermobproxy
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ProxyToServerConnection.java:348) - (AWAITING_INITIAL) [id: 0xba528f83, L:/172.20.10.2:64134 - R:www.example.com/104.18.19.67:443]: Using existing connection to: www.example.com/104.18.19.67:443
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ProxyConnection.java:228) - (AWAITING_INITIAL) [id: 0xba528f83, L:/172.20.10.2:64134 - R:www.example.com/104.18.19.67:443]: Writing: DefaultHttpRequest(decodeResult: success, version: HTTP/1.1)
POST /api/sts/v2/oauth/auth?client_request_id=34634696-b122-40de-b144-ab812a4b3784 HTTP/1.1
Host: www.example.com
Content-Length: 147
AccountType: Real
X-STS-ClientTime: 2020-08-27T18:10:51
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
X-STS-AppDomain: https://www.example.com
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
X-STS-GatewayAppId: 90631448-9A01-4860-9FA5-B4EBCDE5EA1D
ApplicationIdentifier: Rexample
ApplicationVersion: 268.0.1
X-DEVICE-ID: 77f281a4-7914-4417-b144-4811998c3e5b
Origin: https://www.example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.example.com/login
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: __cfduid=d722b1913f887e5df9b0c740ccef4744a1598548223; exampleLocale=en-gb; TS01047baf=01f1b32d7e1354b9f541c1bab1a81960be72277a638bce5a4865b5b1d5b2e0a9cfddddbcba0d21185b68a7d599391e972d5f065031; __cflb=02DiuEAg8LPSYevHEYiyx9rnANkoz3ETfpNySVtv8fQVr; TMIS2=9a74f2a90237486aab4dcb9d44dec14a0520aaf521b9e87e81f271264e25038c2919d29ee219162aa2ad6bdb68fbe78a86ce282ef510aa77456a3876e4e790d3fdbb0ca31af4d206c67f7b9b5fda93e11b80782ed9095c6a7d8766b4642a69785e7ba9d0a86cd98f3b42c2172a8821bbe6906b6fafc8178f0d742271591193; __cf_bm=50d03de4ce1301af67fa03c59387373fba4d8b3e-1598548241-1800-AZ39AzpjNXxDQ+qFhgfI0OYbMauZ3vXOA1MUejwqJsfE3kOEmEVmKXtsstKg5vZZ5ie/d3yHbgzM8RzzLqqSQEVnd5Vy+l06FUm5Z90kFf54ffUqgq+ywM4EOcGhdP22aetxTezQvFieWgfScPvH0SzqDmFpvrmZJmRuLvnywgcLX14Ys9uA2tMCLWSlDesiQA==; mp_dbbd7bd9566da85f012f7ca5d8c6c944_mixpanel=%7B%22distinct_id%22%3A%20%2217430e66d1679d-015c94d6c30eda-31647304-fa000-17430e66d17591%22%2C%22%24device_id%22%3A%20%2217430e66d1679d-015c94d6c30eda-31647304-fa000-17430e66d17591%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D; _gcl_au=1.1.706805090.1598548242; G_ENABLED_IDPS=google; _uetsid=5c779e7394432399f739848297b9a350; _uetvid=d421e48c4acc1f88b81573014b4fa429; _fbp=fb.1.1598548244752.1489311425; __adal_ses=*; __adal_id=c4b052ee-96b4-4643-b30e-af4af0f7460d.1598548246.1.1598548246.1598548246.2a5a85bd-5415-4275-942c-e02a8048acc2; __adal_ca=so%3Ddirect%26me%3Dnone%26ca%3Ddirect%26co%3D%28not%2520set%29%26ke%3D%28not%2520set%29; __adal_cw=1598548245533; _ga=GA1.2.436171435.1598548249; _gid=GA1.2.1493657885.1598548249; _gat=1; _gat_UA-2056847-65=1
Accept-Encoding: gzip, deflate, br
Via: 1.1 browsermobproxy
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ProxyConnection.java:237) - (AWAITING_INITIAL) [id: 0xba528f83, L:/172.20.10.2:64134 - R:www.example.com/104.18.19.67:443]: Wrote: DefaultHttpRequest(decodeResult: success, version: HTTP/1.1)
POST /api/sts/v2/oauth/auth?client_request_id=34634696-b122-40de-b144-ab812a4b3784 HTTP/1.1
Host: www.example.com
Content-Length: 147
AccountType: Real
X-STS-ClientTime: 2020-08-27T18:10:51
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
X-STS-AppDomain: https://www.example.com
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
X-STS-GatewayAppId: 90631448-9A01-4860-9FA5-B4EBCDE5EA1D
ApplicationIdentifier: Rexample
ApplicationVersion: 268.0.1
X-DEVICE-ID: 77f281a4-7914-4417-b144-4811998c3e5b
Origin: https://www.example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.example.com/login
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: __cfduid=d722b1913f887e5df9b0c740ccef4744a1598548223; exampleLocale=en-gb; TS01047baf=01f1b32d7e1354b9f541c1bab1a81960be72277a638bce5a4865b5b1d5b2e0a9cfddddbcba0d21185b68a7d599391e972d5f065031; __cflb=02DiuEAg8LPSYevHEYiyx9rnANkoz3ETfpNySVtv8fQVr; TMIS2=9a74f2a90237486aab4dcb9d44dec14a0520aaf521b9e87e81f271264e25038c2919d29ee219162aa2ad6bdb68fbe78a86ce282ef510aa77456a3876e4e790d3fdbb0ca31af4d206c67f7b9b5fda93e11b80782ed9095c6a7d8766b4642a69785e7ba9d0a86cd98f3b42c2172a8821bbe6906b6fafc8178f0d742271591193; __cf_bm=50d03de4ce1301af67fa03c59387373fba4d8b3e-1598548241-1800-AZ39AzpjNXxDQ+qFhgfI0OYbMauZ3vXOA1MUejwqJsfE3kOEmEVmKXtsstKg5vZZ5ie/d3yHbgzM8RzzLqqSQEVnd5Vy+l06FUm5Z90kFf54ffUqgq+ywM4EOcGhdP22aetxTezQvFieWgfScPvH0SzqDmFpvrmZJmRuLvnywgcLX14Ys9uA2tMCLWSlDesiQA==; mp_dbbd7bd9566da85f012f7ca5d8c6c944_mixpanel=%7B%22distinct_id%22%3A%20%2217430e66d1679d-015c94d6c30eda-31647304-fa000-17430e66d17591%22%2C%22%24device_id%22%3A%20%2217430e66d1679d-015c94d6c30eda-31647304-fa000-17430e66d17591%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D; _gcl_au=1.1.706805090.1598548242; G_ENABLED_IDPS=google; _uetsid=5c779e7394432399f739848297b9a350; _uetvid=d421e48c4acc1f88b81573014b4fa429; _fbp=fb.1.1598548244752.1489311425; __adal_ses=*; __adal_id=c4b052ee-96b4-4643-b30e-af4af0f7460d.1598548246.1.1598548246.1598548246.2a5a85bd-5415-4275-942c-e02a8048acc2; __adal_ca=so%3Ddirect%26me%3Dnone%26ca%3Ddirect%26co%3D%28not%2520set%29%26ke%3D%28not%2520set%29; __adal_cw=1598548245533; _ga=GA1.2.436171435.1598548249; _gid=GA1.2.1493657885.1598548249; _gat=1; _gat_UA-2056847-65=1
Accept-Encoding: gzip, deflate, br
Via: 1.1 browsermobproxy
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ProxyConnection.java:111) - (AWAITING_CHUNK) [id: 0x367d8cd0, L:/[0:0:0:0:0:0:0:1]:64108 - R:/[0:0:0:0:0:0:0:1]:64132]: Reading: DefaultLastHttpContent(data: SlicedAbstractByteBuf(ridx: 0, widx: 147, cap: 147/147, unwrapped: UnpooledByteBufAllocator$InstrumentedUnpooledUnsafeNoCleanerDirectByteBuf(ridx: 147, widx: 147, cap: 176)), decoderResult: success)
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ProxyToServerConnection.java:316) - (AWAITING_INITIAL) [id: 0xba528f83, L:/172.20.10.2:64134 - R:www.example.com/104.18.19.67:443]: Requested write of DefaultLastHttpContent(data: SlicedAbstractByteBuf(ridx: 0, widx: 147, cap: 147/147, unwrapped: UnpooledByteBufAllocator$InstrumentedUnpooledUnsafeNoCleanerDirectByteBuf(ridx: 147, widx: 147, cap: 176)), decoderResult: success)
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ProxyToServerConnection.java:319) - (AWAITING_INITIAL) [id: 0xba528f83, L:/172.20.10.2:64134 - R:www.example.com/104.18.19.67:443]: Retaining reference counted message
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ProxyToServerConnection.java:348) - (AWAITING_INITIAL) [id: 0xba528f83, L:/172.20.10.2:64134 - R:www.example.com/104.18.19.67:443]: Using existing connection to: www.example.com/104.18.19.67:443
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ProxyConnection.java:228) - (AWAITING_INITIAL) [id: 0xba528f83, L:/172.20.10.2:64134 - R:www.example.com/104.18.19.67:443]: Writing: DefaultLastHttpContent(data: SlicedAbstractByteBuf(ridx: 0, widx: 147, cap: 147/147, unwrapped: UnpooledByteBufAllocator$InstrumentedUnpooledUnsafeNoCleanerDirectByteBuf(ridx: 147, widx: 147, cap: 176)), decoderResult: success)
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ProxyConnection.java:249) - (AWAITING_INITIAL) [id: 0xba528f83, L:/172.20.10.2:64134 - R:www.example.com/104.18.19.67:443]: Writing an empty buffer to signal the end of our chunked transfer
DEBUG [LittleProxy-0-ClientToProxyWorker-2] (ProxyConnection.java:237) - (AWAITING_INITIAL) [id: 0xba528f83, L:/172.20.10.2:64134 - R:www.example.com/104.18.19.67:443]: Wrote: DefaultLastHttpContent(data: SlicedAbstractByteBuf(ridx: 0, widx: 147, cap: 147/147, unwrapped: UnpooledByteBufAllocator$InstrumentedUnpooledUnsafeNoCleanerDirectByteBuf(ridx: 147, widx: 147, cap: 176)), decoderResult: success)
DEBUG [LittleProxy-0-ProxyToServerWorker-0] (ProxyConnection.java:111) - (AWAITING_INITIAL) [id: 0xba528f83, L:/172.20.10.2:64134 - R:www.example.com/104.18.19.67:443]: Reading: DefaultHttpResponse(decodeResult: success, version: HTTP/1.1)
HTTP/1.1 403 Forbidden
Date: Thu, 27 Aug 2020 17:10:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
cf-request-id: 04d27fab5700001bfece21f200000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Vary: Accept-Encoding
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 5c97688bbb9f1bfe-OSL
Content-Encoding: br
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
DEBUG [LittleProxy-0-ProxyToServerWorker-0] (ProxyToServerConnection.java:220) - (AWAITING_INITIAL) [id: 0xba528f83, L:/172.20.10.2:64134 - R:www.example.com/104.18.19.67:443]: Received raw response: DefaultHttpResponse(decodeResult: success, version: HTTP/1.1)
Thank you!
System.setProperty("webdriver.chrome.driver", "/usr/local/bin/chromedriver");
System.setProperty("webdriver.chrome.silentOutput", "true");
System.setProperty("webdriver.chrome.verboseLogging", "false");
ChromeOptions options = new ChromeOptions();
// route Chrome requests to proxy server
proxy = new BrowserMobProxyServer();
// to pass requests from proxy server to Fiddler Everywhere
// InetSocketAddress inetsockaddr = new InetSocketAddress('localhost', 8866);
// proxy.setTrustAllServers(true);
// proxy.setChainedProxy(inetsockaddr);
// start proxy server
proxy.start(0);
Proxy seleniumProxy = ClientUtil.createSeleniumProxy(proxy);
seleniumProxy.setHttpProxy("localhost:"+ proxy.getPort());
seleniumProxy.setSslProxy("localhost:"+ proxy.getPort());
options.setCapability(CapabilityType.PROXY, seleniumProxy);
options.setCapability(CapabilityType.ACCEPT_SSL_CERTS, true);
options.setCapability(CapabilityType.ACCEPT_INSECURE_CERTS, true);
//options.addArguments("headless");
//options.addArguments("window-size=1200x600");
options.setExperimentalOption("excludeSwitches", Collections.singletonList("enable-automation"));
options.setExperimentalOption("useAutomationExtension", false);
options.addArguments("--disable-blink-features=AutomationControlled");
driver = new ChromeDriver(options);
Solved this by replacing the JDK, from OpenJDK to Oracle

Getting 400 Bad Request error when nginx reverse proxy is configured with SSL

I have configured an Nginx reverse proxy server to listen on port 443 and pass the requests to an upstream SaaS client. Below is the configuration.
server {
    listen 443;
    server_name test.saas.someloggingserver.com;
    ssl on;
    ssl_certificate C:/nginx-1.13.8/nginx-1.13.8/ssl/server_cert.crt;
    ssl_certificate_key C:/nginx-1.13.8/nginx-1.13.8/ssl/server.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    expires 0;
    add_header Cache-Control private;
    access_log logs/encrypted_access.txt;
    error_log logs/encrypted_error.txt debug;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect http:// https://;
        proxy_pass https://test.saas.someloggingserver.com;
    }
}
The SSL certificate here also includes an intermediate certificate for SSL handshaking with the upstream server. Now when I try to access https://test.saas.someloggingserver.com from IE (with the above proxy configured), I get the 400 Bad Request error below. I am no Nginx debugging expert; I would appreciate it if you could take a look at the logs below and direct me towards the possible cause of this issue.
2017/12/28 07:04:45 [debug] 14640#9400: post event 02D76250
2017/12/28 07:04:45 [debug] 14640#9400: delete posted event 02D76250
2017/12/28 07:04:45 [debug] 14640#9400: accept on 0.0.0.0:443, ready: 0
2017/12/28 07:04:45 [debug] 14640#9400: malloc: 02D50808:256
2017/12/28 07:04:45 [debug] 14640#9400: *3695 accept: 10.92.67.192:49268 fd:496
2017/12/28 07:04:45 [debug] 14640#9400: *3695 event timer add: 496: 60000:2616257381
2017/12/28 07:04:45 [debug] 14640#9400: *3695 reusable connection: 1
2017/12/28 07:04:45 [debug] 14640#9400: *3695 select add event fd:496 ev:0
2017/12/28 07:04:45 [debug] 14640#9400: *3695 post event 02D76340
2017/12/28 07:04:45 [debug] 14640#9400: *3695 delete posted event 02D76340
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http check ssl handshake
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http recv(): 1
2017/12/28 07:04:45 [debug] 14640#9400: *3695 plain http
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http wait request handler
2017/12/28 07:04:45 [debug] 14640#9400: *3695 malloc: 02D4CF80:1024
2017/12/28 07:04:45 [debug] 14640#9400: *3695 WSARecv: fd:496 rc:0 266 of 1024
2017/12/28 07:04:45 [debug] 14640#9400: *3695 reusable connection: 0
2017/12/28 07:04:45 [debug] 14640#9400: *3695 malloc: 02DAF920:4096
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http process request line
2017/12/28 07:04:45 [info] 14640#9400: *3695 client sent invalid request while reading client request line, client: 10.92.67.192, server: test.saas.someloggingserver.com, request: "CONNECT test.saas.someloggingserver.com:443 HTTP/1.0"
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http finalize request: 400, "?" a:1, c:1
2017/12/28 07:04:45 [debug] 14640#9400: *3695 event timer del: 496: 2616257381
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http special response: 400, "?"
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http set discard body
2017/12/28 07:04:45 [debug] 14640#9400: *3695 HTTP/1.1 400 Bad Request
Server: nginx/1.13.8
Date: Thu, 28 Dec 2017 07:04:45 GMT
Content-Type: text/html
Content-Length: 173
Connection: close
2017/12/28 07:04:45 [debug] 14640#9400: *3695 write new buf t:1 f:0 02DB0018, pos 02DB0018, size: 152 file: 0, size: 0
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http write filter: l:0 f:0 s:152
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http output filter "?"
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http copy filter: "?"
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http postpone filter "?" 02DB017C
2017/12/28 07:04:45 [debug] 14640#9400: *3695 write old buf t:1 f:0 02DB0018, pos 02DB0018, size: 152 file: 0, size: 0
2017/12/28 07:04:45 [debug] 14640#9400: *3695 write new buf t:0 f:0 00000000, pos 00F25C68, size: 120 file: 0, size: 0
2017/12/28 07:04:45 [debug] 14640#9400: *3695 write new buf t:0 f:0 00000000, pos 00F25758, size: 53 file: 0, size: 0
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http write filter: l:1 f:0 s:325
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http write filter limit 0
2017/12/28 07:04:45 [debug] 14640#9400: *3695 WSASend: fd:496, s:325
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http write filter 00000000
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http copy filter: 0 "?"
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http finalize request: 0, "?" a:1, c:1
2017/12/28 07:04:45 [debug] 14640#9400: *3695 event timer add: 496: 5000:2616202381
2017/12/28 07:04:45 [debug] 14640#9400: *3695 post event 02D76340
2017/12/28 07:04:45 [debug] 14640#9400: *3695 delete posted event 02D76340
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http lingering close handler
2017/12/28 07:04:45 [debug] 14640#9400: *3695 WSARecv: fd:496 rc:0 0 of 4096
2017/12/28 07:04:45 [debug] 14640#9400: *3695 lingering read: 0
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http request count:1 blk:0
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http close request
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http log handler
2017/12/28 07:04:45 [debug] 14640#9400: *3695 free: 02DAF920, unused: 1771
2017/12/28 07:04:45 [debug] 14640#9400: *3695 close http connection: 496
2017/12/28 07:04:45 [debug] 14640#9400: *3695 event timer del: 496: 2616202381
2017/12/28 07:04:45 [debug] 14640#9400: *3695 select del event fd:496 ev:0
2017/12/28 07:04:45 [debug] 14640#9400: *3695 reusable connection: 0
2017/12/28 07:04:45 [debug] 14640#9400: *3695 free: 02D4CF80
2017/12/28 07:04:45 [debug] 14640#9400: *3695 free: 02D50808, unused: 28
You can use Apache as a forward proxy, because nginx can only be used as a reverse proxy or as an HTTP proxy.
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#forwardreverse
An ordinary forward proxy is an intermediate server that sits between the client and the origin server. In order to get content from the origin server, the client sends a request to the proxy naming the origin server as the target. The proxy then requests the content from the origin server and returns it to the client. The client must be specially configured to use the forward proxy to access other sites.
A typical usage of a forward proxy is to provide Internet access to internal clients that are otherwise restricted by a firewall. The forward proxy can also use caching (as provided by mod_cache) to reduce network usage.
Forward Proxy
ProxyRequests On
ProxyVia On
<Proxy "*">
    Require host internal.example.com
</Proxy>
As mentioned in one reply, I also faced the same issue with the nginx setup, so we did the setup using Apache and wrote an article for the community about the steps that worked for us. Please check it out - https://medium.com/#gaurav.k.sarawgi/use-apache-to-create-forward-proxy-server-on-ubuntu-3299ef91a7cb

nginx / sails / SSL - receiving 200 OK before file upload complete

When I enable SSL on NGINX, and I upload a file larger than 7MB, the file upload does not complete. This works fine if I remove NGINX and just put the SSL directly onto sails. I get the following from the debug file as if I am receiving a status 200 before the file is complete:
2017/01/24 12:25:16 [debug] 2645#2645: *5 sendfile: 1899007 of 54230479 #4670513
2017/01/24 12:25:16 [debug] 2645#2645: *5 chain writer out: 0000564D9740D5D0
2017/01/24 12:25:16 [debug] 2645#2645: *5 event timer: 14, old: 1485260776372, new: 1485260776465
2017/01/24 12:25:16 [debug] 2645#2645: *5 http upstream request: "/api/v1/project/56cd9e2aeabf5be95d6e9b35/report/?"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http upstream process header
2017/01/24 12:25:16 [debug] 2645#2645: *5 malloc: 0000564D9740F870:4096
2017/01/24 12:25:16 [debug] 2645#2645: *5 recv: eof:0, avail:1
2017/01/24 12:25:16 [debug] 2645#2645: *5 recv: fd:14 413 of 4096
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy status 200 "200 OK"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Vary: X-HTTP-Method-Override"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "X-Powered-By: Sails <sailsjs.org>"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Allow-Origin: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Allow-Credentials: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 posix_memalign: 0000564D97410880:4096 #16
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Allow-Methods: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Allow-Headers: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Expose-Headers: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Content-Type: application/json; charset=utf-8"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Content-Length: 94"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "ETag: W/"5e-dbzI0uHc1qmLjPTL2hIz3A""
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Date: Tue, 24 Jan 2017 12:25:16 GMT"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Connection: keep-alive"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header done
2017/01/24 12:25:16 [debug] 2645#2645: *5 xslt filter header
2017/01/24 12:25:16 [debug] 2645#2645: *5 HTTP/1.1 200 OK^M
Server: nginx/1.11.8^M
Date: Tue, 24 Jan 2017 12:25:16 GMT^M
Content-Type: application/json; charset=utf-8^M
Content-Length: 94^M
Connection: keep-alive^M
Vary: X-HTTP-Method-Override^M
X-Powered-By: Sails <sailsjs.org>^M
Access-Control-Allow-Origin: ^M
Access-Control-Allow-Credentials: ^M
Access-Control-Allow-Methods: ^M
Access-Control-Allow-Headers: ^M
Access-Control-Expose-Headers: ^M
ETag: W/"5e-dbzI0uHc1qmLjPTL2hIz3A"^M
Below is my nginx.conf file:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
    worker_connections 768;
}
http {
    sendfile on;
    send_timeout 60s;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 60s;
    client_max_body_size 0;
    client_body_buffer_size 32K;
    ssl_dhparam /ssl/dhparam.pem;
    client_body_in_file_only clean;
    client_body_in_single_buffer on;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    gzip on;
    gzip_disable "msie6";
    include /etc/nginx/sites-enabled/*;
}
Here is my sites-available\default file:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mysite.co.uk;
    client_max_body_size 0;
    client_body_buffer_size 32K;
    location / {
        client_body_temp_path /tmp/;
        client_max_body_size 0;
        client_body_buffer_size 32K;
        keepalive_timeout 60s;
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    ssl_certificate /ssl/mykey.pem;
    ssl_certificate_key /ssl/mykey.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:128m;
    ssl_session_tickets off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA$
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;
}
Any ideas?

NGINX says "client sent no required SSL certificate while reading client request headers" how do we troubleshoot?

We've configured NGINX to use mutual authentication. When a client makes a request to us, we get an info line in the NGINX log saying, "client sent no required SSL certificate while reading client request headers". We believe that the client actually is sending a certificate.
The evidence is that we saw the curl command the client used and it was sending a cert. We correlated their call to this log message. Also, we have an F5 proxy that is configured to use mutual auth and their same curl command is accepted if they change it to hit the F5. This call would be rejected if they were not sending a client cert. In the F5 logs we see that F5 is receiving a client cert. The client is not changing its behavior, we are changing the DNS to point between F5 and NGINX.
When I google for "client sent no required SSL certificate while reading client request headers" I can't find any official NGINX documentation about this message. How can I troubleshoot this better? Right now we're starting nginx with nginx-debug but the debug output doesn't seem to clearly explain why we're seeing this problem. Here are some of these logs:
2016/12/19 23:27:59 [debug] 179#179: epoll: fd:6 ev:0001 d:0000000000C7AEB0
2016/12/19 23:27:59 [debug] 179#179: accept on 0.0.0.0:443, ready: 0
2016/12/19 23:27:59 [debug] 179#179: posix_memalign: 0000000000B8D530:512 #16
2016/12/19 23:27:59 [debug] 179#179: *4539 accept: 172.20.72.125:23211 fd:3
2016/12/19 23:27:59 [debug] 179#179: *4539 event timer add: 3: 60000:1482190139859
2016/12/19 23:27:59 [debug] 179#179: *4539 reusable connection: 1
2016/12/19 23:27:59 [debug] 179#179: *4539 epoll add event: fd:3 op:1 ev:80002001
2016/12/19 23:27:59 [debug] 179#179: timer delta: 873
2016/12/19 23:27:59 [debug] 179#179: worker cycle
2016/12/19 23:27:59 [debug] 179#179: epoll timer: 60000
2016/12/19 23:27:59 [debug] 179#179: epoll: fd:3 ev:0001 d:0000000000C7B360
2016/12/19 23:27:59 [debug] 179#179: *4539 http check ssl handshake
2016/12/19 23:27:59 [debug] 179#179: *4539 http recv(): 1
2016/12/19 23:27:59 [debug] 179#179: *4539 https ssl handshake: 0x16
2016/12/19 23:27:59 [debug] 181#181: accept on 0.0.0.0:443, ready: 0
2016/12/19 23:27:59 [debug] 181#181: accept() not ready (11: Resource temporarily unavailable)
2016/12/19 23:27:59 [debug] 179#179: *4539 ssl get session: DB2C8809:32
2016/12/19 23:27:59 [debug] 179#179: shmtx lock
2016/12/19 23:27:59 [debug] 179#179: shmtx unlock
2016/12/19 23:27:59 [debug] 181#181: timer delta: 873
2016/12/19 23:27:59 [debug] 181#181: worker cycle
2016/12/19 23:27:59 [debug] 181#181: epoll timer: -1
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL_do_handshake: -1
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL_get_error: 2
2016/12/19 23:27:59 [debug] 179#179: *4539 reusable connection: 0
2016/12/19 23:27:59 [debug] 179#179: timer delta: 0
2016/12/19 23:27:59 [debug] 179#179: worker cycle
2016/12/19 23:27:59 [debug] 179#179: epoll timer: 60000
2016/12/19 23:27:59 [debug] 179#179: epoll: fd:3 ev:0001 d:0000000000C7B360
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL handshake handler: 0
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL_do_handshake: -1
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL_get_error: 2
2016/12/19 23:27:59 [debug] 179#179: timer delta: 29
2016/12/19 23:27:59 [debug] 179#179: worker cycle
2016/12/19 23:27:59 [debug] 179#179: epoll timer: 59971
2016/12/19 23:27:59 [debug] 179#179: epoll: fd:3 ev:0001 d:0000000000C7B360
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL handshake handler: 0
2016/12/19 23:27:59 [debug] 179#179: shmtx lock
2016/12/19 23:27:59 [debug] 179#179: slab alloc: 136 slot: 5
2016/12/19 23:27:59 [debug] 179#179: slab alloc: 00007FF33D86B000
2016/12/19 23:27:59 [debug] 179#179: slab alloc: 128 slot: 4
2016/12/19 23:27:59 [debug] 179#179: slab alloc: 00007FF33D869080
2016/12/19 23:27:59 [debug] 179#179: *4539 ssl new session: B0945ECD:32:136
2016/12/19 23:27:59 [debug] 179#179: shmtx unlock
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL_do_handshake: 1
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL: TLSv1.1, cipher: "ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1"
2016/12/19 23:27:59 [debug] 179#179: *4539 reusable connection: 1
2016/12/19 23:27:59 [debug] 179#179: *4539 http wait request handler
2016/12/19 23:27:59 [debug] 179#179: *4539 malloc: 0000000000B89230:1024
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL_read: -1
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL_get_error: 2
2016/12/19 23:27:59 [debug] 179#179: *4539 free: 0000000000B89230
2016/12/19 23:27:59 [debug] 179#179: timer delta: 3
2016/12/19 23:27:59 [debug] 179#179: worker cycle
2016/12/19 23:27:59 [debug] 179#179: epoll timer: 59968
2016/12/19 23:27:59 [debug] 179#179: epoll: fd:3 ev:0001 d:0000000000C7B360
2016/12/19 23:27:59 [debug] 179#179: *4539 http wait request handler
2016/12/19 23:27:59 [debug] 179#179: *4539 malloc: 0000000000B89230:1024
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL_read: 172
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL_read: -1
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL_get_error: 2
2016/12/19 23:27:59 [debug] 179#179: *4539 reusable connection: 0
2016/12/19 23:27:59 [debug] 179#179: *4539 posix_memalign: 0000000000C71800:4096 #16
2016/12/19 23:27:59 [debug] 179#179: *4539 http process request line
2016/12/19 23:27:59 [debug] 179#179: *4539 http request line: "GET /myapp-myapi/v2/id12345/endpoint HTTP/1.1"
2016/12/19 23:27:59 [debug] 179#179: *4539 http uri: "/myapp-myapi/v2/id12345/endpoint"
2016/12/19 23:27:59 [debug] 179#179: *4539 http args: ""
2016/12/19 23:27:59 [debug] 179#179: *4539 http exten: ""
2016/12/19 23:27:59 [debug] 179#179: *4539 http process request header line
2016/12/19 23:27:59 [debug] 179#179: *4539 http header: "a-request-header: client-qa"
2016/12/19 23:27:59 [debug] 179#179: *4539 posix_memalign: 0000000000B9C640:4096 #16
2016/12/19 23:27:59 [debug] 179#179: *4539 http header: "User-Agent: Jakarta Commons-HttpClient/3.1"
2016/12/19 23:27:59 [debug] 179#179: *4539 http header: "Host: pre.myapp.com"
2016/12/19 23:27:59 [debug] 179#179: *4539 http header done
2016/12/19 23:27:59 [info] 179#179: *4539 client sent no required SSL certificate while reading client request headers, client: 172.20.72.125, server: pre.myapp.com, request: "GET /myapp-myapi/v2/id12345/endpoint HTTP/1.1", host: "pre.myapp.com"
2016/12/19 23:27:59 [debug] 179#179: ssl remove session: B0945ECD:32
2016/12/19 23:27:59 [debug] 179#179: shmtx lock
2016/12/19 23:27:59 [debug] 179#179: slab free: 00007FF33D86B000
2016/12/19 23:27:59 [debug] 179#179: slab free: 00007FF33D869080
2016/12/19 23:27:59 [debug] 179#179: shmtx unlock
2016/12/19 23:27:59 [debug] 179#179: *4539 http finalize request: 496, "/myapp-myapi/v2/id12345/endpoint?" a:1, c:1
2016/12/19 23:27:59 [debug] 179#179: *4539 event timer del: 3: 1482190139859
2016/12/19 23:27:59 [debug] 179#179: *4539 http special response: 496, "/myapp-myapi/v2/id12345/endpoint?"
2016/12/19 23:27:59 [debug] 179#179: *4539 http set discard body
2016/12/19 23:27:59 [debug] 179#179: *4539 HTTP/1.1 400 Bad Request
Server: nginx/1.11.4
Date: Mon, 19 Dec 2016 23:27:59 GMT
Content-Type: text/html
Content-Length: 253
Connection: close
2016/12/19 23:27:59 [debug] 179#179: *4539 write new buf t:1 f:0 0000000000B9C6C0, pos 0000000000B9C6C0, size: 152 file: 0, size: 0
2016/12/19 23:27:59 [debug] 179#179: *4539 http write filter: l:0 f:0 s:152
2016/12/19 23:27:59 [debug] 179#179: *4539 http output filter "/myapp-myapi/v2/id12345/endpoint?"
2016/12/19 23:27:59 [debug] 179#179: *4539 http copy filter: "/myapp-myapi/v2/id12345/endpoint?"
2016/12/19 23:27:59 [debug] 179#179: *4539 http postpone filter "/myapp-myapi/v2/id12345/endpoint?" 0000000000B9C8A0
2016/12/19 23:27:59 [debug] 179#179: *4539 write old buf t:1 f:0 0000000000B9C6C0, pos 0000000000B9C6C0, size: 152 file: 0, size: 0
2016/12/19 23:27:59 [debug] 179#179: *4539 write new buf t:0 f:0 0000000000000000, pos 0000000000711B80, size: 200 file: 0, size: 0
2016/12/19 23:27:59 [debug] 179#179: *4539 write new buf t:0 f:0 0000000000000000, pos 0000000000712DE0, size: 53 file: 0, size: 0
2016/12/19 23:27:59 [debug] 179#179: *4539 http write filter: l:1 f:0 s:405
2016/12/19 23:27:59 [debug] 179#179: *4539 http write filter limit 0
2016/12/19 23:27:59 [debug] 179#179: *4539 posix_memalign: 0000000000BF6100:512 #16
2016/12/19 23:27:59 [debug] 179#179: *4539 malloc: 0000000000C01FE0:16384
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL buf copy: 152
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL buf copy: 200
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL buf copy: 53
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL to write: 405
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL_write: 405
2016/12/19 23:27:59 [debug] 179#179: *4539 http write filter 0000000000000000
2016/12/19 23:27:59 [debug] 179#179: *4539 http copy filter: 0 "/myapp-myapi/v2/id12345/endpoint?"
2016/12/19 23:27:59 [debug] 179#179: *4539 http finalize request: 0, "/myapp-myapi/v2/id12345/endpoint?" a:1, c:1
2016/12/19 23:27:59 [debug] 179#179: *4539 http request count:1 blk:0
2016/12/19 23:27:59 [debug] 179#179: *4539 http close request
2016/12/19 23:27:59 [debug] 179#179: *4539 http log handler
172.20.72.125 - - [19/Dec/2016:23:27:59 +0000] https "GET /myapp-myapi/v2/id12345/endpoint HTTP/1.1" 400 253 "-" "Jakarta Commons-HttpClient/3.1" "-" "-" "NONE" "" "client-qa"
This is our nginx.conf file:
#daemon off;
user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
    use epoll;
}
http {
    index index.php index.htm index.html;
    include /etc/nginx/mime.types;
    upstream backend-myapi {
        server myapp-myapi:8087 max_fails=0 fail_timeout=0s;
        server myapp-myapi:8087 max_fails=0 fail_timeout=0s;
    }
    map $a_request_header|$ssl_client_verify $ssl_common_name {
        default $ssl_client_s_dn;
        40011|NONE CN=mycn;
    }
    ssl_protocols TLSv1 TLSv1.1;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_certificate /etc/secrets/servercert-legacy;
    ssl_certificate_key /etc/secrets/serverkey-legacy;
    ssl_client_certificate /etc/nginx/ca.crt;
    proxy_set_header Host $host;
    proxy_set_header SSL-COMMON-NAME $ssl_common_name; # TODO change this header to just DN
    proxy_set_header VERIFIED $ssl_client_verify;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_max_temp_file_size 0;
    proxy_connect_timeout 30;
    proxy_send_timeout 30;
    proxy_read_timeout 300;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_next_upstream error http_502;
    proxy_temp_file_write_size 64k;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] $scheme "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '"$ssl_client_s_dn" "$ssl_client_verify" '
                    '"$ssl_common_name" "$a_request_header"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    large_client_header_buffers 4 16k;
    # gzip on;
    # gzip_buffers 16 8k;
    # gzip_comp_level 3;
    # gzip_disable "msie6";
    # gzip_http_version 1.0;
    # gzip_min_length 1024;
    # gzip_proxied any;
    # gzip_types text/plain text/css text/xml text/javascript application/xml application/xml+rss application/javascript application/json;
    # gzip_vary on;
    include /etc/nginx/conf.d/*.conf;
}
We are using nginx/1.11.4.
I don't see a configuration there that requires ssl client auth. Try adding
ssl_verify_client on;
ssl_verify_depth 3;
ssl_client_certificate /path/to/accepted/CAs.pem;
(from http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client)
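A triage helper for the two nginx debug logs above (the CONNECT/400 question and the "client sent no required SSL certificate"/496 question), added here as an example and not code from any of the posts. The function names and finding codes are made up for this example, and the sample lines are excerpts from the logs quoted on this page.

```python
import re
from collections import defaultdict

# nginx error-log line carrying a connection id:
#   "YYYY/MM/DD HH:MM:SS [level] pid#tid: *conn message"
LINE_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[\w+\] \d+#\d+: "
    r"\*(?P<conn>\d+) (?P<msg>.*)$"
)
METHOD_RE = re.compile(r'request(?: line)?: "([A-Z]+) ')
FINALIZE_RE = re.compile(r"^http finalize request: (\d+),")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3}) ")
PROTO_RE = re.compile(r"^SSL: (\S+), cipher:")
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Lines excerpted from the two debug logs quoted on this page
# (connection *3695: the 400 case, connection *4539: the 496 case).
SAMPLE_LOG = """\
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http check ssl handshake
2017/12/28 07:04:45 [debug] 14640#9400: *3695 plain http
2017/12/28 07:04:45 [info] 14640#9400: *3695 client sent invalid request while reading client request line, client: 10.92.67.192, server: test.saas.someloggingserver.com, request: "CONNECT test.saas.someloggingserver.com:443 HTTP/1.0"
2017/12/28 07:04:45 [debug] 14640#9400: *3695 http finalize request: 400, "?" a:1, c:1
2017/12/28 07:04:45 [debug] 14640#9400: *3695 HTTP/1.1 400 Bad Request
2016/12/19 23:27:59 [debug] 179#179: *4539 https ssl handshake: 0x16
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL_do_handshake: -1
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL_do_handshake: 1
2016/12/19 23:27:59 [debug] 179#179: *4539 SSL: TLSv1.1, cipher: "ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1"
2016/12/19 23:27:59 [debug] 179#179: *4539 http request line: "GET /myapp-myapi/v2/id12345/endpoint HTTP/1.1"
2016/12/19 23:27:59 [info] 179#179: *4539 client sent no required SSL certificate while reading client request headers, client: 172.20.72.125, server: pre.myapp.com, request: "GET /myapp-myapi/v2/id12345/endpoint HTTP/1.1", host: "pre.myapp.com"
2016/12/19 23:27:59 [debug] 179#179: *4539 http finalize request: 496, "/myapp-myapi/v2/id12345/endpoint?" a:1, c:1
2016/12/19 23:27:59 [debug] 179#179: *4539 HTTP/1.1 400 Bad Request
2016/12/19 23:27:59 [debug] 179#179: *4539 http finalize request: 0, "/myapp-myapi/v2/id12345/endpoint?" a:1, c:1
"""


def _new_facts():
    return {"plain_http": False, "tls_record": False, "handshake_done": False,
            "no_client_cert": False, "protocol": None, "method": None,
            "finalize": None, "status": None}


def collect(lines):
    """Group log lines by connection id and extract TLS/HTTP facts for each."""
    conns = defaultdict(_new_facts)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # no "*conn" id: worker-cycle noise or response headers
        facts, msg = conns[m.group("conn")], m.group("msg")
        if msg == "plain http":
            facts["plain_http"] = True  # first bytes were not a TLS record
        elif msg.startswith("https ssl handshake:"):
            facts["tls_record"] = True
        elif msg == "SSL_do_handshake: 1":
            facts["handshake_done"] = True
        elif "client sent no required SSL certificate" in msg:
            facts["no_client_cert"] = True
        for key, rx, conv in (("protocol", PROTO_RE, str), ("method", METHOD_RE, str),
                              ("finalize", FINALIZE_RE, int), ("status", STATUS_RE, int)):
            hit = rx.search(msg)
            if hit and facts[key] is None:  # keep the first value seen
                facts[key] = conv(hit.group(1))
    return dict(conns)


def diagnose(facts):
    """Turn one connection's facts into a list of short finding codes."""
    findings = []
    if facts["plain_http"]:
        findings.append("cleartext-request-on-tls-port")
    if facts["method"] == "CONNECT":
        findings.append("client-using-nginx-as-forward-proxy")
    if facts["protocol"] in LEGACY_TLS:
        findings.append("legacy-tls-version:" + facts["protocol"])
    if facts["handshake_done"] and facts["no_client_cert"]:
        findings.append("handshake-ok-but-no-client-cert")
    if facts["finalize"] == 496 and facts["status"] == 400:
        findings.append("internal-496-sent-as-400")
    return findings


def triage(lines):
    """Map each connection id found in the log to its list of findings."""
    return {conn: diagnose(f) for conn, f in collect(lines).items()}


if __name__ == "__main__":
    for conn, findings in triage(SAMPLE_LOG.splitlines()).items():
        print("*" + conn, ", ".join(findings) or "no findings")
```

Run against a full debug log, it separates the two failure modes seen here: a client that never started TLS and sent `CONNECT`, and a client that completed the handshake but presented no certificate, which nginx finalizes as 496 internally while the status line on the wire is 400.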