Header Enrichment not working on HTTPs - nginx - ssl

I have multiple questions regarding Header Enrichment with SSL + nginx
Why does Header Enrichment not work with HTTPS?
One of my projects has HE (Header Enrichment) enabled on simple HTTP, but when we look for specific headers like msisdn over HTTPS they are missing.
I am using nginx, hence I tried to add headers and return the request from http to https, but with no result. How can I achieve this? Following is a sample of the nginx code block.
    server {
        listen 80;       ## listen for ipv4; this line is default and implied
        listen [::]:80;  ## listen for ipv6
        location / {
            add_header X-my-header my-header-content;
            return 301 https://$host$request_uri?msisdn=$http_MSISDN;
        }
    }
I have tried adding a query parameter and it works fine, but I am more concerned about the headers way.
Thank you.

(1),(2)
ISPs implement HE by injecting some headers into the request. This can be done in HTTP as they can easily inspect the request, but this is not possible in the case of HTTPS as the request is encrypted.
There are some trials to provide alternative solutions, but there is no solid or standardized one so far.
See more: https://blog.apnic.net/2016/10/13/challenges-of-https/
(3)
I suggest asking this in a separate question. However, I noticed that you didn't configure an https endpoint in nginx. Please refer to:
http://nginx.org/en/docs/http/configuring_https_servers.html
(4)
Query parameters are part of the URL, which can be HTTP or HTTPS or any other protocol. These differ from headers, which are part of the message itself.

Related

How can I restrict access to a RESTful API with an nginx reverse proxy server?

I have a webpage that would be served to a client, after which when they press on the page, it will send the request to an nginx reverse proxy, which would send it along to the correct RESTful API. The nginx and RESTful APIs are on another server.
How can I use nginx to restrict access only to the webpage, so that users cannot go directly to the API?
I've already set CORS but I was told that CORS can be bypassed (an example is Postman).
I have tried using (all on nginx config):
    if ($host != domain.of.webpage) {
        return 444;
    }
Another method:
    server {
        listen 443 default_server;
        listen [::]:443 default_server;
        server_name _;
        return 444;
    }
And another:
    satisfy any;
    allow xx.xx.xx.xx/xx;
    allow xxxx:xxxx:xxxx:xxxx:xxxx/xx;
    deny all;
All of these restricted access, but also to the webpage itself. I know the last method wouldn't work, as the client that accesses it will not be on the host, so the IP addresses are moot.
Anything else I can try?
Answer was given by parzival in the comments of the question. I've reproduced it below.
It sounds like you are saying you have an API exposed on the public Internet, used by a web page on the public Internet, and you want to restrict access such that the API can only be used by scripts on that web page. Is that accurate? If so, there is nothing you can truly do to restrict access in this way. At most, you could rely on obfuscation techniques to make it more difficult.
— parzival Mar 29 '19 at 22:17

Caddy as reverse proxy to rewrite a http redirect url from an upstream response

I have a backend that does not work when running behind a reverse proxy, since I cannot configure a custom base URL.
For the login process the backend makes heavy use of HTTP redirects, but due to the fact that it is behind a reverse proxy it sends redirection URLs that are not reachable by the client.
So I was wondering if there is a way to rewrite the upstream HTTP header Location.
If the backend responds with
    HTTP/1.1 301
    Location: http://backend-hostname/auth/login
Caddy should rewrite the Location header to
    HTTP/1.1 301
    Location: http://www.my-super-site.com/service/a/auth/login
Is something like this possible?
I've seen that we can remove headers by declaring
    header / {
        - Location
    }
but is it possible to replace the header and rewrite the URL?
I was also looking for an answer to this question and unfortunately I found these responses:
https://caddy.community/t/v2-reverse-proxy-but-upstream-server-redirects-to-nonexistent-path/8566
https://caddy.community/t/proxy-url-not-loading-site/5393/7
TLDR:
You need to use sub-domains rather than sub-paths for services that are not designed for being behind a proxy (or at least configure a base URL). :(
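The rewrite asked for above, as an added Python illustration (not code from the question, the answer or Caddy): it maps only redirects that point at the configured backend host, or that are host-relative, onto the public base URL, and passes redirects to any other host through unchanged so the proxy never relabels a third-party redirect as part of the public site. The backend host and public base are constructed values taken from the question.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed values from the question: the host the backend writes into its
# redirects, and the public URL prefix the proxy exposes that backend under.
BACKEND_HOST = "backend-hostname"
PUBLIC_BASE = "http://www.my-super-site.com/service/a"


def rewrite_location(location, backend_host=BACKEND_HOST, public_base=PUBLIC_BASE):
    """Return the Location value the client should receive.

    Rewritten: absolute URLs whose host is the backend, and host-relative
    paths (which the backend resolved against its own root, not the proxy's
    sub-path). Untouched: anything pointing at a different host.
    """
    base = urlsplit(public_base)
    prefix = base.path.rstrip("/")

    if location.startswith("/"):
        # Host-relative redirect from the backend: re-root it under the
        # public scheme, host and sub-path prefix.
        return f"{base.scheme}://{base.netloc}{prefix}{location}"

    parts = urlsplit(location)
    host = parts.netloc.split(":")[0].lower()  # ignore an explicit port
    if host != backend_host.lower():
        return location  # foreign host: leave the redirect alone
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    return urlunsplit((base.scheme, base.netloc, prefix + path,
                       parts.query, parts.fragment))


def rewrite_response_headers(headers):
    """Apply rewrite_location to every Location field of a response."""
    return [(name, rewrite_location(value) if name.lower() == "location" else value)
            for name, value in headers]
```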

Strict-Transport-Security influence on http reverse proxy that redirects to https

The server response comes with an HSTS header, and since I'm using a reverse proxy, the HSTS header is also being sent through the proxy response.
Since there are different domains (proxy and server), does HSTS make the browser automatically change the scheme from http://proxyhost.com to https://proxyhost.com? Or will the preload list automatically call https://serverhost.com when the user requests http://proxyhost.com?
does HSTS make the browser automatically change the schema from http to https
Indeed! and since:
a reverse proxy HSTS header is also being sent through proxy response.
... the configuration of a reverse proxy can involuntarily make your domain set the HSTS header.
It took me a while to see why my Apache server set the HSTS header, for I hadn't configured that in the Apache web server. It was due to a ReverseProxy: as the foreign domain sets the HSTS header, this header then comes (reverse proxy!) with my domain's name. This was then propagated to the client's browser, which stores it. Thus, all my domain's sites (and in this case also all my subdomains!) were forced to use https (not when using e.g. curl of course, but Firefox, Chromium etc.).
Thanks for your question - it was already the perfect direction!
In my case I simply could use a RewriteRule instead of a reverse proxy :) but this of course depends on your scenario.
You also gave the proper answer in your comment:
in this case I should unset HSTS header in the reverse proxy
Right! Just add Header unset Strict-Transport-Security directly after the ProxyPassReverse directive, and you can use a reverse proxy without inheriting the HSTS header.
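The same filtering step in Python, added here as an illustration (not code from the question, the answer or Apache): a browser records HSTS against the host it connected to, so an upstream Strict-Transport-Security header is dropped before the proxy answers, and the proxy's own domain gets an HSTS policy only when one is set deliberately. The upstream response headers are constructed sample values.

```python
# Hop-by-hop fields (RFC 7230 section 6.1) are never forwarded by a proxy.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def filter_upstream_headers(headers, own_hsts=None):
    """Return (kept_headers, warnings) for a response relayed by the proxy.

    The browser stores HSTS for the proxy's domain, not the upstream's, so an
    inherited header pins the proxy domain (and, with includeSubDomains, every
    subdomain) to HTTPS for max-age seconds. It is therefore always dropped;
    a policy for the proxy domain is set explicitly through own_hsts.
    """
    kept, warnings = [], []
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            max_age, sub = parse_hsts(value)
            warnings.append(
                f"dropped upstream HSTS (max-age={max_age}, includeSubDomains={sub})")
            continue
        if lname in HOP_BY_HOP:
            continue
        kept.append((name, value))
    if own_hsts:
        kept.append(("Strict-Transport-Security", own_hsts))
    return kept, warnings


# Constructed upstream response headers, as serverhost.com might send them.
UPSTREAM_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Connection", "keep-alive"),
]
```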

Removing duplicate headers from HTTP requests

I am using an Apache 2.4 server with mod_proxy as an HTTP reverse proxy for Tomcat server. The reverse proxy works on a Split-DNS configuration where "server.com" might point either to the actual HTTP server or to my reverse proxy depending on where the client is.
The problem that I'm having is that our client application had a bug where sometimes it would include a header more than once. For example, an HTTP request could end up looking like this:
    POST server.com HTTP/1.1
    Some-Header: foo
    Authorization: BASIC abc123
    Authorization: BASIC abc123
    Other-Headers: ...
This works fine if the client is talking directly to Tomcat, but if it goes through the reverse proxy then the duplicated headers seem to get mangled and Tomcat ends up receiving a request that looks like this:
    POST server.com HTTP/1.1
    Some-Header: foo
    Authorization: BASIC abc123, BASIC abc123
    Other-Headers: ...
I used Wireshark to inspect the HTTP requests as they are sent/received in the Client->Proxy->Tomcat chain and Apache is definitely the component that is "collapsing" the two headers into one.
Is there a way to configure this behavior in a way where it either sends both headers or just one? What I don't want is this "collapsing" taking place...
You can use mod_headers to remove the duplicate header. See their official docs for information on how to enable it.
Then you can add a line like this to your configuration file so that the first part of the header disappears:
    RequestHeader edit Authorization "^BASIC\ abc123\\,\ " ""
Let me know if that works for you.
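To make the collapsing visible, an added Python illustration (not code from the question or the answer, and not Apache's own merging logic): it parses a constructed copy of the request, reproduces the comma-joined value that RFC 7230 field combining yields, and then normalises the request the way a stricter proxy would: identical repeats of a field such as Authorization collapse to one copy, while two differing values are rejected as ambiguous rather than guessed.

```python
# Constructed request reproducing the duplicated Authorization header.
RAW_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: server.com\r\n"
    "Some-Header: foo\r\n"
    "Authorization: BASIC abc123\r\n"
    "Authorization: BASIC abc123\r\n"
    "Other-Headers: x\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return the header fields of a raw request as ordered (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    fields = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def combine_like_apache(fields):
    """Merge repeated fields into one comma-joined value (RFC 7230 3.2.2)."""
    merged = {}
    for name, value in fields:
        key = name.lower()
        merged[key] = f"{merged[key]}, {value}" if key in merged else value
    return merged


# Fields whose comma-combination has no meaning to the receiver; a proxy that
# joins them hands the backend a value it cannot parse.
NO_COMBINE = {"authorization", "content-length", "host"}


def normalize_request_headers(fields):
    """Collapse exact duplicates of non-combinable fields; refuse conflicts."""
    seen, out = {}, []
    for name, value in fields:
        key = name.lower()
        if key in NO_COMBINE:
            if key in seen:
                if seen[key] != value:  # two different values: ambiguous
                    raise ValueError(f"conflicting duplicate header: {name}")
                continue  # identical repeat: keep only the first copy
            seen[key] = value
        out.append((name, value))
    return out
```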

NGINX - Add http headers and forward messages to Apache server?

I am trying to build fleet management software along the lines of Google Maps or Bing Maps, and I need the GPS devices to send messages to the server and have the server store them (MySQL).
I have an Apache server (let's say "myserver.com") which only processes/accepts HTTP requests for security reasons. The problem with this configuration is that it does not process the GPS messages, because the device does not include HTTP headers in its messages by default.
So I was thinking of putting an nginx server in between them and making the GPS send its messages to the nginx server, which then adds HTTP headers to the original message and forwards it to the Apache server.
I tried finding any good tutorials online but so far haven't been able to find a good one.
Can anyone help me? Thank you.
I'm a bit confused about what you mean by 'GPS messages'. Is it just HTTP traffic without the appropriate header? If so, you want to use the proxy module. You can find current documentation for it here.
Here is an example:
    http {
        upstream backend_apache {
            server apache_server1_ip:80;
            server apache_server2_ip:80;
        }
        server {
            listen 80;
            server_name myserver.com;
            location / {
                proxy_set_header Host $host;
                proxy_pass http://backend_apache;
            }
        }
    }