I developed an application that uses Azure AD Authentication for a single tenant.
I would like to host it inside AKS, but it seems not to be possible, as described below:
The problem is that the application must be running as https if it is not in localhost, but my pod is running on http protocol (as usual). Even if my aks cluster service is running as Https, the callback uri seems like to be looking for the protocol on the pod where it's running, so it redirects the request to http://mydomain and not https://mydomain, returning the "Correlation Error" or "app id doesnt exists" (because the mapped uri was https://)
The redirect URI can not be mapped to http on Azure App as described here.
I've made it work using a certificate inside my pod on the application build using Kestrel Certificate. But it seems not to be a good solution.
Does anyone knows a more suitable workaround?
As of now there is no other solution available as we have restrictions in redirect URL as per the document you are following.
Related
Where I work theres an web app that is hosted on windows servers, all users access the application using HTTP, not HTTPS. This is due to some restrictions that the dev team could not solve.
So I thought that i could solve this issue using HAProxy and SSL Termination, so the users would communicate with the proxy first using HTTPs and then the proxy would communicate with the app servers using HTTP. This would be inside a private VLAN so the HTTP traffic cannot be sniffed.
The users access the app using this schema --> http://servername:port/path/to/app
So instead of this, the users should type https://haproxy.domainname:port/path/to/app
and the haproxy should handle the communication against the app servers.
Is this possible? or should i think of another solution to this?
I came up with this:
frontend haproxy.domain.name
bind ipaddress:port ssl crt /home/cert.pem
acl is_bdc path -i -m beg /path/to/app
use_backend web_servers if is_bdc
default_backend web_servers
backend web_servers
balance roundrobin
server server1 ipaddress:port
I can access the app server using this configuration, but the app fills some variables using the URL of the web browser, and as im accessing the app using another URL (haproxy.domain.name instead of the app server hostname) its causing some errors. Is possible to maintain the app server hostname on the url but also keep the SSL termination? The used certificate its a wildcard so adding the domain name would be enought (i think)
Thanks you in advance!
Well there are several options to solve your issue.
1.) Tell the app server that it runs behind a reverse proxy and configure the app engine to use haproxy.domain.name as Domain/Host part, something similar to tomcats Proxy Support How-To
2.) you can use the http-response replace-header or replace value to rewrite the URL. This will not work with links in the body of the response.
As you haven't mention the HAProxy version I link to the latest one.
Maybe you will need also to configure the IIS to know that it works behind a reverse proxy, in case you use IIS.
I have a blazor server-side application (netcore 3) which uses authentication through OpenID / Okta.
I started testing it through IIS, and running it as a regular website worked just fine.
But, I need to run it through a reverse proxy due to the rest of our setup, and after I set that up the blazor site no longer functions.
Our reverse proxy is simple, just takes a url (https: //subdomain.domain.com), and routes it internally (http: //localhost:8093). There are other sites connected here, this was just an example.
I managed to get all the resources (css, js, images) working correctly by adding the "app.UseForwardedHeaders", but I am still having an issue with Authentication.
For Authentication, it's setup with services.AddAuthentcation, and AddOpenIdConnect, which is triggered by an MVC call to Account/Login, that issues the HttpContext.ChallengeAsync.
Running the application standalone, or in it's website, the Login works, and redirects to Okta (https: //oktadevurl.com/oauth2/default/v1/authorize?parameters).
Through the reverse proxy, this url becomes relative to the Proxy address (https: //subdomain.domain.com/oauth2/default/v1/authorize?parameters) which is incorrect.
I've double checked the forward headers, and OpenId / Okta settings. I'm looking for anyone who has had this issue before and could point me in the right direction on how to get the absolute urls working from blazor through the reverse proxy.
Thanks.
I was able to solve this with one little checkbox is ARR:
In IIS Manager, Select the current server (not the website), open Application Request Routing, and on the right hand column there will be an option Server Proxy Settings. There you will see "Reverse rewrite host in response headers" option. If that is checked - uncheck it and your problem should be solved.
Ant-Media-Server is running on an IPAdress without any domains. We just set up this server to be used for streaming in order to use it from different domains pointing to different servers.
Since all of our domains use ssl, we face the typical connection problem:
mixed Content: The page at 'https://SOMEDOMAIN.com/QUERY' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://1.2.3.4:56'. This request has been blocked; this endpoint must be available over WSS.
Ant-Media already offers tutorials on how to install a Let's Encrypt SSL Certificate but sadly it is not available for pure IP-Addresses.
Apart from the Ant-Media Service, the server doesn't has any NGINX, NodeJS, Apache or other http Servers installed - the plan was just to use it for streaming by calling the IP-Address.
Do you have any ideas on how to solve that problem?
Unfortunately, this is not possible.
The goal of having a SSL is ensure you are requesting the right domain name besides encrypting the content between your users and your server.
Here are some alternatives:
create an endpoint in your own app that proxies data to your server.
Instead of playing the IP address, you can play:
/your-proxy-url?stream=http://yourIp.com:port/....
Note that using a proxy will make all the traffic pass through your web app.
As a reference, if you are using PHP on your website, you can have some ideas from here: https://gist.github.com/iovar/9091078
Create a reverse-proxy in front of your web app that redirects the traffic to your IP address.
Both solutions does not change your Ant Media Server, just adds a new resource between your users and your streaming server - adding the SSL on it.
I have a Heroku app and am using a custom subdomain to point to it. Let's say my subdomain is blog.mysite.com.
When I navigate to the site, chrome throws the error: ERR_SSL_PROTOCOL_ERROR. In the address bar, it automatically reroutes to https://blog.mysite.com. Is this the issue? Why is it not just http://blog.mysite.com?
My domain is through bluehost if that matters.
If you are running a free dyno, you will not get TLS support on your custom subdomain. Upgrade it to at least the "Hobby" tier and it will provision a free certificate to match your custom subdomain.
As for why it automatically reroutes, that's something happening within your application or custom process configuration. Heroku doesn't automatically re-route from http to https.
For me, I'd neglected to set up Automated Certificate Management in Heroku. Enabling this fixed the problem.
I have created two codeigniter project subdomains.
In domain A I have kept only the controller and view part.
In domain B I have kept only the controller and model part.
I am using controller of domain A to send api calls to controller of domain B using cURL, then using the data sent from domain B to load in the view of domain A.
I have used codeigniter-restserver library by phil sturgeon and used basic authentication for the api authentication.
I am using IIS to host the services.
All the Get and Post request are working proper in this architecture.
But when I enabled ssl in both the domains the api stopped working.
I tried changing the authentication type but it doesn't work with https.
I am not able to find the problem.
After 12 hours of searching for the problem, I found the answer in this post >>
Make https request with curl
Previously I was creating a curl http request which worked without ssl.