I have an apache web server (frontend).
If someone enters https://myurl/ticket/123 for instance, I want apache to serve a html page and the value "123". If someone enters the url https://myurl/ticket/789 I want apache to serve the same html page and the value "789".
This value is then used by the browser to make a request to a backend server (node.js) along with a token. The backend server then serves the ticket data from ticket #123 or ticket #789 respectively.
My questions: How do I configure apache to accept the dynamic ticket id in the url? And how do I pass the value from the url to the browser?
I know it's possible to use apache as a reverse proxy, that's not what I want (because of the token).
Related
I have a program that asks the user to type in a URL, and click download. Then the program downloads the webpage.
However, some websites use SSL, and in that case the user has to prefix his URL with https:// for this to work.
The problem is that the user may not know whether the website uses SSL, and may type http://... instead of https://....
Is there some way to send a preliminary message to the website (from vb.net) asking whether the URL should start with https or just http? If there is, I can correct the user URL before attempting to retrieve the web page.
(I should say that it is not enough to use something like this:
request.RequestUri.Scheme - this looks at the URL the user submitted, not the URL coming back from the server, as far as I know)
For websites that use SSL, usually they will force the request to use HTTPS. That is, when you send a request over HTTP, for example to http://www.example.com, the website will send a redirect response with HTTP status code 302 as well as the URL that the client that initiated the request should be redirected to.
So, you can try HTTP first and check the response to see if there is a redirect. So, you will need to handle that in your code.
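The redirect check described in this answer, as an added Python sketch that is not part of the original answer (the question concerns vb.net; the function names and the same-host rule are assumptions of this example):

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def _base_host(host):
    # Treat example.com and www.example.com as the same site.
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def https_upgrade_target(requested_url, status, location):
    """Return the https:// URL the first response redirects to, else None."""
    if status not in REDIRECT_CODES or not location:
        return None
    # Location may be relative; resolve it against the URL that was requested.
    target = urljoin(requested_url, location.strip())
    src, dst = urlsplit(requested_url), urlsplit(target)
    if dst.scheme != "https":
        return None
    # The probe went over plain HTTP, so Location is untrusted input:
    # accept only an upgrade that stays on the host the user typed.
    if _base_host(dst.hostname) != _base_host(src.hostname):
        return None
    return target

def probe(url, timeout=5):
    """Send one HEAD request over HTTP without following redirects."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                      timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return https_upgrade_target(url, resp.status,
                                    resp.getheader("Location"))
    finally:
        conn.close()

if __name__ == "__main__":
    # Constructed first responses for http://www.example.com/
    for status, loc in [(302, "https://www.example.com/"), (200, None),
                        (302, "/login"), (301, "https://other.example.net/")]:
        print(status, loc, "->",
              https_upgrade_target("http://www.example.com/", status, loc))
```

Only the first response is inspected, so a site that answers on HTTP without redirecting is reported as `None` even if it also serves HTTPS.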
I am using cloudflare's "flexible ssl" as an intermediary between client and my site.
After setting this up, I went to the browser and tried accessing my site via https:
https://example.com/login
and everything works. I fill in my login info and log in successfully and am not on http://example.com . I manually enter https://example.com/* where * is many other pages and it all works fine.
Now I want to redirect all requests to use the seemingly working https. So I go to my cloudflare account on their website and create a page rule: http://example.com/* to always use https.
Now I go to example.com/login and am successfully redirected to https://example.com/login, I fill in my login information and submit the login form, the page refreshes and I am back to https://example.com/login with an empty login form.
Anyone know what the problem is or how to help troubleshoot?
I am using laravel as a framework for the site and apache as the webserver.
create a page rule : http://example.com/* to always use https
Noted. Be aware that CloudFlare does this by accepting every HTTP request on http://example.com/* and returning a 301 redirect to the equivalent HTTPS request. The browser completes the redirect by sending a GET request to the HTTPS URL.
I fill in my log in information and submit the login form
Check the login form source carefully and check what URL the login form is submitted to. My guess is that the form is submitted to http://example.com/login or something similar. CloudFlare will accept the POST request to http://example.com/login and return a 301 redirect to https://example.com/login -- which your browser will complete as a GET request and hence not sending the login data.
So your best solution is to make sure that your login form POSTs to the correct HTTPS URL not to the HTTP URL.
That's my best guess anyway.
how to help troubleshoot?
Ensure that you are using different log files to distinguish between HTTP and HTTPS requests on your server.
Some other suggestions:
Get a Let's Encrypt SSL certificate and put that on your site so that the communication between CloudFlare and your site is all SSL. https://letsencrypt.org/
Ensure that HSTS is turned on for all of your HTTPS requests so that the browser will know not to send any requests to any HTTP URLs.
Create a development server where you can test all of this working with HTTPS between the browser and the web server without CloudFlare. Once you've got it all working in HTTPS mode without CloudFlare then you can try it with CloudFlare and you should get essentially the same results. Your problem is with the HTTP -> HTTPS switch, not specifically with CloudFlare.
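The form check suggested in the answer above, as an added Python example that is not part of the original answer: it lists every POST form on a page whose action resolves to a plain-HTTP URL, which is the case where the redirect to HTTPS is completed as a GET without the form data. The sample markup and the function name are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    """Collect (method, action) for every <form> start tag."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            # Missing method defaults to GET, missing action to the page URL.
            self.forms.append(((a.get("method") or "get").lower(),
                               a.get("action") or ""))

def insecure_post_forms(page_url, html):
    """Return the resolved action URLs of POST forms sent over plain HTTP."""
    collector = _FormCollector()
    collector.feed(html)
    flagged = []
    for method, action in collector.forms:
        target = urljoin(page_url, action)   # resolves relative/empty actions
        if method == "post" and urlsplit(target).scheme == "http":
            flagged.append(target)
    return flagged

# Constructed sample: a login page served over HTTPS whose first form
# still posts to an absolute http:// URL.
SAMPLE_LOGIN_PAGE = """
<form method="POST" action="http://example.com/login">
  <input name="email"><input name="password" type="password">
</form>
<form method="post" action="/password/reset"><input name="email"></form>
<form method="get" action="http://example.com/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for url in insecure_post_forms("https://example.com/login",
                                   SAMPLE_LOGIN_PAGE):
        print("POST over plain HTTP:", url)
```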
I want to use an Apache proxy server (mod_proxy) to intercept all requests and responses to a web server. However I want to change requests and responses before redirecting them. Simply rewriting URLs is easy and documented, but the changes I want to make are more sophisticated, namely they need to inspect the request for user credentials as well as conditionally make redirects.
Is this possible in Apache's mod_rewrite, possibly in combination with other modules?
While the main goal is to implement this in Apache, I would also be happy with an alternative solution which doesn't necessarily use Apache.
Here is a more precise explanation of what I want to achieve, to give a little more context:
Check each incoming request for user credentials. If credentials are present, they are replaced by the user information which the web server can use to identify the user (Ideally in the Authorization header)
For example, let's assume a request contains a cookie which authenticates the request as being sent from the user "John", this cookie is removed, and the Authorization header is changed to Authorization Authenticated_by_proxy {"id":12345,"name":"John"}
Check each answer to see if it's an Error 403. If this is the case and the user is not logged in, redirect the user to a login page instead of forwarding the error
I have 2 domains. http://sender.com/someServlet/ and http://receiver.com/someReceiver.
someServlet will POST some data to someReceiver. Flow is like below,
sender.com -> Apache web server of receiver.com -> Application server of receiver.com
I want to get the domain who is posting the data to receiver.com's someReceiver servlet.
Since there is an Apache web server through which the request has to go,
when I execute below code in someReceiver servlet, I am getting the domain of
receiver.com instead of sender.com.
request.getServerName();
This post says to do some configuration so that getServerName(); returns the actual
sender's domain. I am not sure what configuration has to be done.
How can I get the actual domain who is posting the data?
I'm developing an automation tool using javascript/jQuery.
To manipulate the DOM I've tunneled all iframe/browser access through a proxy server to have all of them on the same domain.
All this is working fine! But my end point app is a transactional jsp/servlet database and I wanna have multiple access to it.
I guess, because the proxy 'tunneling' all access through proxy has the same session, which is not desirable since I need multiple access to the app, and to do this I must create different sessions.
I'm trying to figure out how to achieve a unique sessionID for each Iframe/browser pointing to the same web app passing through the same (?) proxy server, roughly:
iframe ---\
iframe -----> browser ---> apache proxy ---> jsp transactional app
iframe ---/
I was sniffing the traffic on Firefox (Firebug) and all iframes have the same session ID. That's not exclusive to iframes, even if I start another browser and use the link passing through the proxy I keep the same session ID.
Using Apache http Server 2.2.20 (win32).
Proxy config (if useful):
ProxyPass /bbb http://xxx/bbb/
ProxyPassReverse /bbb/ http://xxx/bbb/
Do the iframes src attributes point to the same domain or subdomain?
Remember that Session is implemented through cookies and that cookies are shared through the domain and subdomains they belong to, eg:
If Cookie belongs to yourdomain.com then subdomain.yourdomain.com has access to it
but
If Cookie belongs to subdomain.yourdomain.com then yourdomain.com or subdomain1.subdomain.yourdomain.com DOES NOT have access to it
And it doesn't matter if it's an iframe or another browser window or tab...
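The cookie scoping this answer describes, as an added Python example that is not part of the original answer: it decides whether a browser would attach a cookie to a request, following the domain and path matching rules of RFC 6265. It assumes the session cookie is named JSESSIONID, that "belongs to subdomain.yourdomain.com" means a cookie set by that host without a Domain attribute (host-only), and a hypothetical proxy host name `proxy.example`; a missing Path is simplified to `/`.

```python
from http.cookies import SimpleCookie

def parse_set_cookie(header, origin_host):
    """Return (name, domain, host_only, path) for one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    domain = morsel["domain"].lower().lstrip(".")
    host_only = not domain      # no Domain attribute: bound to the exact host
    return name, domain or origin_host.lower(), host_only, morsel["path"] or "/"

def domain_match(host, domain, host_only):
    host = host.lower()
    if host_only:
        return host == domain
    # With a Domain attribute the cookie also covers every subdomain.
    return host == domain or host.endswith("." + domain)

def path_match(request_path, cookie_path):
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Prefix must end at a "/" boundary, so /bbb does not cover /bbbx.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def browser_sends(header, origin_host, request_host, request_path):
    """True if a cookie set by origin_host accompanies the given request."""
    _, domain, host_only, path = parse_set_cookie(header, origin_host)
    return (domain_match(request_host, domain, host_only)
            and path_match(request_path, path))

if __name__ == "__main__":
    # Constructed case: every iframe loads the app through the same proxy
    # host, so each request carries the same JSESSIONID.
    header = "JSESSIONID=abc123; Path=/bbb"
    for path in ("/bbb/frame1.jsp", "/bbb/frame2.jsp", "/other/"):
        print(path, browser_sends(header, "proxy.example",
                                  "proxy.example", path))
```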