404 status code after updated ssl in gateway api.
.Even I changed as "DangerousAcceptAnyServerCertificateValidator": false or true and "DownStreamScheme": "https" or :http
enter image description here
Related
I have a problem using keycloak gatekeeper for authorizing requests in a kubernetes cluster. A resource request is forwarded to login via keycloak, after login it is shown that access is forbidden using the gatekeepers forbidden page. The gatekeeper log looks like this:
{"level":"info","ts":1608128659.3984604,"msg":"keycloak proxy service starting","interface":":3000"}
{"level":"error","ts":1608128667.3914142,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1608128667.3915262,"msg":"client request","latency":0.002089839,"status":307,"bytes":95,"client_ip":"192.168.42.129:48724","method":"GET","path":"/auth/"}
{"level":"info","ts":1608128667.4082289,"msg":"client request","latency":0.000065187,"status":307,"bytes":317,"client_ip":"192.168.42.129:48724","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1608128671.970435,"msg":"unable to exchange code for access token","error":"unknown_error"}
{"level":"info","ts":1608128671.9705727,"msg":"client request","latency":0.203322612,"status":403,"bytes":2174,"client_ip":"192.168.42.129:48724","method":"GET","path":"/oauth/callback"}
I used a configuration similar to https://gist.github.com/carlosedp/80ea54104cc6303f04b3755033f9c4fe.
Is my redirect address maybe wrong, or is about the resource part in the configuration file?
The config file looks like this:
discovery-url: http://keycloak.192.168.42.129.nip.io/auth/realms/local/.well-known/openid-configuration
skip-openid-provider-tls-verify: true
client-id: gatekeeper
client-secret: XXX
listen: :3000
enable-refresh-tokens: true
tls-cert:
tls-private-key:
redirection-url: http://sb.192.168.42.129.nip.io
secure-cookie: false
encryption-key: XXX
upstream-url: http://127.0.0.1:5000/
forbidden-page: /html/access-forbidden.html
upstream-keepalives: true
skip-upstream-tls-verify: true
enable-logging: true
enable-json-logging: true
enable-encrypted-token: false
resources:
- uri: /*
I'm reverse proxying a websocket backend API with spring-cloud-gateway 2.2.3. When this backend API rejects some websocket handshake request with a 401 Unauthorized status response, then spring-cloud-gateway still returns a 101 handshake status to the client (which gets confused and then misbehaves)
I need spring-cloud-gateway to return the original 401 websocket handshake error to the client so the SCG reverse proxy is transparent to the client (which is conforming to the WebSocket specs handshake)
Here are the full wiretap traces and exception (I have redacted hostnames).
The client-side response in this WSS request is available as a HAR file captured from chrome and which displays in chrome
as this screenpshot.
Here is my spring cloud gateway configuration
spring:
cloud:
gateway:
routes:
- id: route_shield
uri: https://shield-webui-cf-mysql.nd-int-cfapi.was.redacted
predicates:
- Host=**
filters:
- SetRequestHostHeader=shield-webui-cf-mysql.nd-int-cfapi.was.redacted
ssl:
useInsecureTrustManager: true
I'm wondering whether this is a spring-cloud-gateway bug, or a desired behavior which I can override.
To override it, here are alternatives I'm considering:
using circuit breaker filter and fallback to a local handler returning a 401
write a custom post-filter
Override/patch the WebsocketRoutingFilter
However my debugger breakpoint in the handle(WebSocketSession session) method does not trigger, suspecting it is not called
Likely would need to provide a RequestUpgradeStrategy bean as an alternative to the default implementation of org.springframework.web.reactive.socket.server.upgrade.ReactorNettyRequestUpgradeStrategy#getNativeResponse mentionned in the trace
io.netty.handler.codec.http.websocketx.WebSocketHandshakeException: Invalid handshake response getStatus: 401 Unauthorized
at io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker13.verify(WebSocketClientHandshaker13.java:274) ~[netty-codec-http-4.1.51.Final.jar:4.1.51.Final]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
|_ checkpoint ⇢ http://localhost:8080/v2/events [ReactorNettyRequestUpgradeStrategy]
I have set up a lambda and attached an API Gateway deployment to it. The tests in the gateway console all work fine. I created an AWS certificate for *.hazeapp.net. I created a custom domain in the API gateway and attached that certificate. In the Route 53 zone, I created the alias record and used the target that came up under API gateway (the only one available). I named the alias rest.hazeapp.net. My client gets the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. Curl indicates that the TLS server handshake failed, which agrees with the SSL error. Curl indicates that the certificate CA checks out.
Am I doing something wrong?
I had this problem when my DNS entry pointed directly to the API gateway deployment rather than that backing the custom domain name.
To find the domain name to point to:
aws apigateway get-domain-name --domain-name "<YOUR DOMAIN>"
The response contains the domain name to use. In my case I had a Regional deployment so the result was:
{
"domainName": "<DOMAIN_NAME>",
"certificateUploadDate": 1553011117,
"regionalDomainName": "<API_GATEWAY_ID>.execute-api.eu-west-1.amazonaws.com",
"regionalHostedZoneId": "...",
"regionalCertificateArn": "arn:aws:acm:eu-west-1:<ACCOUNT>:certificate/<CERT_ID>",
"endpointConfiguration": {
"types": [
"REGIONAL"
]
}
}
I'm using Gmail API Javascript, but this is problem.
Uncaught
{error: "idpiframe_initialization_failed", details: "Not a valid origin for the client: http://localhos…itelist this origin for your project's client ID."}
details
:
"Not a valid origin for the client: http://localhost has not been whitelisted for client ID 731803464357-pdq2kfb0qg5ahca5gvvht343u2qmbgdk.apps.googleusercontent.com . Please go to https://console.developers.google.com/ and whitelist this origin for your project's client ID."
error:
"idpiframe_initialization_failed"
This is my config with file: http://localhost/b.html
Did you add the Origin HTTP header before doing the HTTP request ?
const headers = new HttpHeaders().set('Origin', 'http://localhost')
I have the following infrastructure:
When I access the Application via HTTP everythig works, but via HTTPs I am gettin:
and on the client site:
WebSocket connection to 'wss://www.bla.cz/tb-socket/444/qzdmw5ry/websocket'
failed: Error during WebSocket handshake: Unexpected
response code: 403
Thanks for any help!