I have webpack-dev-server serving static files. (localhost:4000)
I have backend server serving api request. (localhost)
Before that, there is a authentication with idp provider.
when I visit localhost:4000, it gets proxied into localhost for authentication.
localhost server redirects to idp for authentication, once authenticated idP redirects back to 'localhost'. Now this is the problem. I want it to be redirected to localhost:4000 not localhost.
Is there anyway to achieve this?
Related
We want to ensure all sites hosted on apache web server all protected using htpasswd (Apache Basic Authentication)
There are a few sites which are redirected from http to https, and the above authentication goes into a redirect loop on HTTPS (on further,related reading it seems that HTTP basic authentication compares the password (encrypted) format in plain text)
We have tried several samples/snippets to make basic authentication prompt work on HTTPS, but every code snippet results into multiple redirect loop and back to Auth prompt even when I key the correct password.
The links that I have already referred are : Apache .htaccess redirect to HTTPS before asking for user authentication
https://webmasters.stackexchange.com/questions/8853/properly-force-ssl-with-htaccess-no-double-authentication
Do HTTP authentication over HTTPS with URL rewriting
We have tried all the combinations SSLRequireSSL, writing it in other VirtualHost, but nothing seems to work as site redirects from HTTP to HTTPS during the Authentication, Furthermore, there are no error logs of any kind, so it implies the .htaccess and apache config is fine.
SSL,rewrite,auth etc modules are already enabled on the server
My requirement is to hit external HTTPS REST API from application server.i don`t have internet access in application server(JBOSS). so,i forwarded my request to web server(Apache24) and from web server i am calling HTTPS REST API services.
Public Rest URL-: https://publicdomain.com/tracking_number
I made below configuration on Apache server.
ProxyPass /tracking_number https://publicdomain.com/tracking_number
ProxyPassReverse /tracking_number https://publicdomain.com/tracking_number
With above configuration,following URL from application server https://WEBSERVER_IP:PORT/tracking_number, responding 503 proxy error.
Because in web server, internet can be access only through proxy server.
(For example, In IE browsers,if i configure proxy ip and host in LAN settings mean, URL is accessible from browser).
So, i need to configure similar configuration in Apache also. I tried with some configurations with help of http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyremote. But nothing worked out.
How to configure proxy server(host and ip) for external HTTPS request in Apache.
Apache Version -: 2.4.29
Operating System -: Windows
My Apache Tomcat is running behind an Apache httpd web server connected via mod_jk.
When a browser requests https page (rather than http) as its first session request, Tomcat sends a session cookie with secure flag which makes user's logged in session unavailable for http pages later.
How can I remove session cookies' secure flag using mod_header?
I already tried to add an option into web.xml like below.
<session-config>
<cookie-config>
<secure>false</secure>
</cookie-config>
</session-config>
However, it doesn't work. I guess this option doesn't make servlet request not secure, and Tomcat will put the secure flag on session cookies unless both context's session config and servlet request are not secure.
Here is my own solution added to httpd-vhost.conf for now:
Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"
I enabled Use HTTPS for logins in HTTP Security. It works fine when I enter root address (mymoodlewebsite.com). Unfortunately it is possible to login through unsecured connection in two cases:
When session expires - Moodle asks for credentials via http login page (http:// (...) /login/index.php)
It is possible to change protocol in address bar from https to http.
After login communication is not encrypted (It should be this way).
I use Debian/Apache server.
What should I do to eliminate possibility of insecure login?
Maybe you could resolve this problem by using an Apache redirect. Create a file in login folder and name it .htaccess, then insert these lines:
# HTTP 301 redirect
RewriteEngine On
RedirectMatch 301 ^/login/login\.php$ https://%{HTTP_HOST}/login/login.php
You must have the rewrite module enabled, otherwise this solution won't work.
add this code in your moodle/config.php file
$CFG->loginhttps=false;
I'm using .htaccess to protect a website at http://www.domain.com. Secure pages redirect to https://www.domain.com, and get the apache login prompt again.
How can we have only 1 apache login prompt for both http and https?
Thank you very much.
You can't. As far as the browser is concerned, http: and https: are two different websites, and you won't get it to tell the https: site which password the user entered for the http: site. Doing so would be a serious security bug in general, and the HTTP authentication protocol is not advanced enough to allow the http: server to tell the browser, "it is OK to repeat this password for such-and-such site". (And why would you trust a security exception given to you by a mere http: site anyway?)
Why don't you just do everything over https?
Or, put differently, why do you do anything that requires authentication over plain HTTP? That's not very secure. And if you have something on the https site that deserves https security, an attacker could just sniff the passwords from the insecure http connections.