Report-To header and Citrix netscalers - header

I am trying to configure a rewrite action on our Citrix NetScaler load balancers to add in the Report-To response header, as we want to set up Network Error Logging, but I am struggling with the syntax.
The example I have is below (I add in our subdomain details), but it's failing to work. I'm confident that the process is correct, as we have added in an HSTS header; it's just the syntax we think is out.
This is the syntax we are using:
Report-To: {"group":"default","max_age":31536000,"endpoints":
[{"url":"https://{subdomain}.report-uri.com/a/d/g"}],"include_subdomains":true}
This is the error:
Expression syntax error [^{"group":", Offset 0]
Has anyone added this header before on a NetScaler, or have an idea where we may be going wrong?
Many thanks in advance.

I'm pretty sure you are not escaping the " correctly. You can directly run the commands below on the CLI to add the expression to your NetScaler:
add rewrite action insert_report_to_header insert_http_header Report-To q<"{\"group\":\"default\",\"max_age\":31536000,\"endpoints\":[{\"url\":\"https:\\/\\/{subdomain}.report-uri.com\\/a\\/d\\/g\"}],\"include_subdomains\":true}">
add rewrite policy report-to-header true insert_report_to_header
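An added check, not code from the thread or from Citrix: once the rewrite policy is bound, fetch a response and validate the Report-To value the way the Reporting API reads it (one or more JSON objects, integer max_age, https endpoint URLs). A value in which the CLI escaping leaked through as literal backslashes fails the JSON step, which is the symptom to test for. Network Error Logging also needs a NEL header naming an existing group, so that pairing is checked too; the example.report-uri.com subdomain is a placeholder.

```python
import json
from urllib.parse import urlsplit

# Constructed samples: the Report-To value from the question above with the
# {subdomain} placeholder filled with an example name, plus the NEL header that
# Network Error Logging needs alongside it (it must name an existing group).
SAMPLE_REPORT_TO = ('{"group":"default","max_age":31536000,'
                    '"endpoints":[{"url":"https://example.report-uri.com/a/d/g"}],'
                    '"include_subdomains":true}')
SAMPLE_NEL = '{"report_to":"default","max_age":31536000}'
# What a client sees when the CLI escaping leaks into the header value itself.
BROKEN_REPORT_TO = r'{\"group\":\"default\",\"max_age\":31536000}'


def parse_report_to(value):
    """Report-To carries one or more JSON objects separated by commas; wrapping
    the value in [...] lets the standard JSON parser accept either form."""
    return json.loads("[" + value + "]")


def validate_reporting_headers(report_to, nel=None):
    """Return a list of problems (an empty list means the headers look usable)."""
    errors = []
    try:
        groups = parse_report_to(report_to)
    except json.JSONDecodeError as exc:
        return [f"Report-To is not valid JSON: {exc.msg} at offset {exc.pos}"]
    names = set()
    for group in groups:
        name = group.get("group", "default")  # the Reporting API's default group name
        names.add(name)
        max_age = group.get("max_age")
        if not isinstance(max_age, int) or isinstance(max_age, bool) or max_age < 0:
            errors.append(f"{name}: max_age must be a non-negative integer")
        endpoints = group.get("endpoints")
        if not isinstance(endpoints, list) or not endpoints:
            errors.append(f"{name}: endpoints must be a non-empty list")
            continue
        for endpoint in endpoints:
            url = endpoint.get("url", "") if isinstance(endpoint, dict) else ""
            if urlsplit(url).scheme != "https":  # reports carry URLs and headers, keep them off plain http
                errors.append(f"{name}: endpoint url must be https, got '{url}'")
    if nel is not None:
        try:
            nel_obj = json.loads(nel)
        except json.JSONDecodeError as exc:
            return errors + [f"NEL is not valid JSON: {exc.msg}"]
        if nel_obj.get("report_to") not in names:
            errors.append("NEL: report_to does not name a Report-To group")
    return errors
```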

Related

Apache - Error with Permissions-Policy header: Parse of permission policy failed because of errors reported by structured header parser

I recently tried to update settings on the server of a non-profit website I host and have run into configuration issues regarding the Permissions Policy. I haven't found many examples of the proper use case and syntax for this setting and thus have run into errors in the Chrome console for cimarronoutdoors.org. Here is the Permissions Policy I am trying:
Header always set Permissions-Policy "geolocation=();midi=();microphone=();camera=();fullscreen=(self);payment=()"
In the console it returns the following:
Error with Permissions-Policy header: Parse of permission policy failed because of errors reported by strctured header parser.
I have tried listing only items from the link below, and limiting it to a few to see if that might be the issue, but I can't get the error to go away.
https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md
Any advice on this issue would be greatly appreciated.
Server OS: Ubuntu 16.04.7 LTS
Permissions Policy set in the site conf file.
I found out that the scheme changed from microphone 'none'; geolocation *; payment https://*.paypal.com; to microphone=(),geolocation=*,payment=("https://*.paypal.com").
At the moment the code below is valid, so it produces neither the "We didn't detect a viable policy." on securityheaders.com nor the "Error with Permissions-Policy header: Parse of permissions policy failed because of errors reported by structured header parser." in the Google Chrome console.
Keep in mind to properly escape double quotes in configs, to use commas instead of semicolons (as also mentioned below), and to use the "new format".
nginx.conf example:
add_header Permissions-Policy "accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=*,gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(\"https://*.paypal.com\" \"https://*.barion.com\"),sync-xhr=*,usb=(),xr-spatial-tracking=()" always;
apache.conf example:
Header always set Permissions-Policy "accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=*,gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(\"https://*.paypal.com\" \"https://*.barion.com\"),sync-xhr=*,usb=(),xr-spatial-tracking=()"
Use commas instead of semicolons as delimiters.
See example here:
https://www.w3.org/TR/permissions-policy-1/#policy-directive
The way of creating a Permissions-Policy has changed.
You have to add parentheses around lists, use commas instead of semicolons, and add double quotes around most strings:
fullscreen=(self 'https://example.com'), geolocation=*, camera=()
Here's a link: Appendix: Big changes since this was called Feature Policy
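An added checker, not code from the thread or from any browser, that applies the rules the answers above give for the current Permissions-Policy syntax: comma-separated feature=allowlist members, allowlists written as *, self or a parenthesised space-separated list, and origins as double-quoted strings. It flags the semicolon-delimited value from the question and the old Feature-Policy form, and accepts the working nginx/apache value. The sample values are copied from the thread; the error wording is this example's own.

```python
import re

# Constructed samples taken from the thread above: the old Feature-Policy syntax,
# the semicolon-delimited value Chrome rejected, and the working nginx/apache value.
OLD_FEATURE_POLICY = "microphone 'none'; geolocation *; payment https://*.paypal.com"
SEMICOLON_VALUE = "geolocation=();midi=();microphone=();camera=();fullscreen=(self);payment=()"
WORKING_VALUE = ("accelerometer=(),autoplay=(),camera=(),fullscreen=*,geolocation=*,microphone=(),"
                 'midi=(),payment=("https://*.paypal.com" "https://*.barion.com"),sync-xhr=*,usb=()')

FEATURE_NAME = re.compile(r"^[a-z][a-z0-9-]*$")
QUOTED_ORIGIN = re.compile(r'^"https?://[^"\s]+"$')  # a structured-header string item

def split_members(value):
    """Split on the commas that sit outside parentheses and quoted strings."""
    members, current, depth, in_string = [], [], 0, False
    for ch in value:
        if ch == '"':
            in_string = not in_string
        elif not in_string and ch in "()":
            depth += 1 if ch == "(" else -1
        if ch == "," and depth == 0 and not in_string:
            members.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    members.append("".join(current).strip())
    return [m for m in members if m]

def validate_permissions_policy(value):
    """Return the problems found in a Permissions-Policy value (empty list = accepted)."""
    errors = []
    if ";" in value:
        errors.append("';' found: members must be comma-separated (Feature-Policy syntax)")
    for member in split_members(value):
        feature, sep, allowlist = member.partition("=")
        if not sep or not FEATURE_NAME.match(feature):
            errors.append(f"'{member}': expected feature=allowlist")
            continue
        if allowlist in ("*", "self"):
            continue
        if not (allowlist.startswith("(") and allowlist.endswith(")")):
            errors.append(f"{feature}: allowlist must be *, self or a (...) list")
            continue
        for item in allowlist[1:-1].split():
            if item not in ("*", "self") and not QUOTED_ORIGIN.match(item):
                errors.append(f"{feature}: '{item}' must be self, * or a double-quoted origin")
    return errors
```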

JMeter "Illegal character found in host: '/'" issue

I tried to install JMeter on my colleague's computer, and when I executed an HTTP request it showed this error, but I found that there is no such error on my computer. I wonder if anyone has encountered a similar problem?
Error message:
java.net.MalformedURLException: Illegal character found in host: '/'
at java.base/java.net.URL.<init>(URL.java:480)
at java.base/java.net.URL.<init>(URL.java:360)
at java.base/java.net.URL.<init>(URL.java:383)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.getUrl(HTTPSamplerBase.java:1053)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1231)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1220)
at org.apache.jmeter.threads.JMeterThread.doSampling(JMeterThread.java:622)
at org.apache.jmeter.threads.JMeterThread.executeSamplePackage(JMeterThread.java:546)
at org.apache.jmeter.threads.JMeterThread.processSampler(JMeterThread.java:486)
at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:253)
at java.base/java.lang.Thread.run(Thread.java:830)
This problem occurs when using the HTTP Request sampler and putting '/' at the end of the Server Name or IP textbox. It will work if you delete the '/' character at the end of the host information and add it to the path.
This www.amazon.com/ref=nav_logo is not a valid hostname. Valid characters for hostnames are ASCII(7) letters from a to z, the digits from 0 to 9, and the hyphen (-). A hostname may not start with a hyphen.
In any case, your URL query string is not correct; it should look like:
https://www.amazon.com/?ref=nav_logo
^mind this character
So the correct HTTP Request sampler configuration would be:
Resulting in the following request, observable via the View Results Tree listener:
Going forward, be aware that you can build a JMeter Test Plan using the HTTP(S) Test Script Recorder or the JMeter Chrome Extension.
Even though I cannot tell you why the test behaves differently on your machine vs. that of your colleague (I would guess that you probably chose different client implementations in the Advanced section of the HTTP Request sampler), you should definitely consider which part of your URL is the:
Protocol
Server Name or IP
Path
Parameter
and use the corresponding fields in JMeter accordingly.
Hint: "/ref=nav_logo" is most definitely NOT part of the Server Name.
I faced this issue and it was for a simple reason. In the Server Name/IP address field, instead of giving only the server name/IP address, i.e. server1, I had accidentally included https://server1, and spent two hours resolving it.
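An added example in Python, not code from the thread or from JMeter, that mirrors the answers above: check_server_name reproduces the rejection of a Server Name value that carries a scheme or path (the rule set quoted above: letters, digits and hyphens, no leading hyphen), and split_for_jmeter shows which piece of a URL belongs in which sampler field. The field names are taken from the sampler UI as described in the thread; the dictionary layout is this example's own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Hostname rule quoted in the answer above, applied per dot-separated label
# (IPv4 literals pass as well since their labels are all digits).
HOST_LABEL = re.compile(r"^[a-z0-9][a-z0-9-]*$", re.IGNORECASE)


def check_server_name(value):
    """Mimic the failure seen when a scheme, path or query is pasted into the
    Server Name or IP field. Returns None if acceptable, else a description."""
    for bad in "/:?#":
        if bad in value:
            return f"Illegal character found in host: '{bad}' (scheme, path or query belongs in another field)"
    if not value or not all(HOST_LABEL.match(label) for label in value.split(".")):
        return f"'{value}' is not a valid hostname"
    return None


def split_for_jmeter(url):
    """Map an absolute URL onto the HTTP Request sampler fields."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("need an absolute URL such as https://host/path?x=y")
    problem = check_server_name(parts.hostname)
    if problem:
        raise ValueError(problem)
    return {
        "Protocol": parts.scheme,
        "Server Name or IP": parts.hostname,
        "Port": parts.port or "",
        "Path": parts.path or "/",
        # Without the '?' the query text is still part of the path, so the
        # parameter list comes out empty (the www.amazon.com/ref=nav_logo case).
        "Parameters": parse_qsl(parts.query, keep_blank_values=True),
    }
```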

Proxy settings in RStudio for third party API access

I'm using RStudio on a server that is behind my company's firewall. I referred to the link here and made the same changes in my RProfile script:
RProfile
http_proxy=http://proxy.dom.com:80
http_proxy_user=user:passwd
I'm trying to access an API (Omniture, a.k.a. api.omniture.com) using the package RSiteCatalyst, and even though I specified the proxy, I'm unable to bypass the firewall. Below is what I do:
library(RSiteCatalyst)
SCAuth('username','shared-secret') # Authentication
And the error that I get:
Error in function (type, msg, asError = TRUE) :
Could not resolve host: api.omniture.com
Before going to IT I came here for the StackOverflow gods to help out. Would greatly appreciate it. Thanks.
I think that article has a typo. Can you put the http_proxy lines in your .Renviron rather than your .Rprofile, then restart RStudio? (If that does the job, we'll update the article!)

How can you include http://foo.local in CORS Access-Control-Allow-Origin?

I'm using *, but apparently that's not enough. I'm trying to upload a file from a client browser. It works when the client's URL is localhost:3000 or foo.com. It's not working when the URL is http://meteor.local. I've tried changing the third line to <AllowedOrigin>http://meteor.local</AllowedOrigin>, but get the same error.
The browser error:
The error text was misleading: the error was not due to the header sent by S3. Adding an access rule to Cordova fixed it. (In Meteor, add it with App.accessRule('http://meteor.local'); in mobile-config.js.)

406 Not Acceptable error GET parameter issue?

Can anyone please tell me why the following URL returns a 406 error:
http://kolek.to/functions/remote-upload.php?url=http%3A%2F%2Fben-major.co.uk%2Fhosting%2Fbm-equipment%2Faxe-2.jpg&item_id=2
Removing the ?url= parameter seems to make everything fine:
http://kolek.to/functions/remote-upload.php?item_id=2
For your reference, the content of remote-upload.php is as follows:
<?php
require_once('../models/api.php');
$request_url = urldecode($_REQUEST['url']);
$item_id = $_REQUEST['item_id'];
echo $item_id;
?>
I think that this is due to the security filter on your server (I see in the response header that it is Apache).
In your case it is Apache mod_security, which is turned on by default. You can use the following to diagnose the problem (turning the filter off should resolve the issue) by running this command on the server:
SecFilterEngine off
BUT do this only to check whether the problem is the security filter; I discourage leaving the filter off (danger of injection and spam attacks).
If you see that the filter is the cause of the problem, try to put your request in the whitelist:
HERE you can find the guide and HERE is the main website.