We are using aws api gateway to call our backend api. We used aws generated client cert to call end point (.net web api).
But each time the request comes in, I did not see any cert in the raw data. below is the raw data:
GET /rest/test
x-amzn-apigateway-api-id: xxxxxxxx
x-api-key: xxxxxxx
User-Agent: curl/7.53.1
X-Forwarded-Proto: https
X-Forwarded-For: 24.16.156.224
X-Forwarded-Port: 443
X-Amzn-Trace-Id: Root=1-5a6a4c29-07091e853bae0bbd7f7db3b3
accept: */*
Host: 185b5418.ngrok.io
X-Forwarded-Proto: https
X-Forwarded-For: 52.42.18.220
Related
I'm trying to fix this issue for the past 2 days but I don't know how to resolve it. I wanted to capture the client IP on the application with traefik proxy.
Setup:
R53 --> ALB --> (Traefik proxy --> applocation) ECS
I'm running my application on ECS and leveraging ECS provider.
What I have tried :
Adding the below labels to the traefik as per the documents:
--entrypoints.http.forwardedheaders.trustedips=0.0.0.0/0
--entrypoints.https.forwardedheaders.trustedips=0.0.0.0/0
--entrypoints.http.forwardedheaders.insecure=true
--entrypoints.https.forwardedheaders.insecure=true
Tried all of them together and individually also but every time I add these configurations traefik stopped working without any useful logs.
What I observed:
Without adding any of these configurations if I hit the trafik IP directly by skipping the Loadbalancer I can see My IP (client-IP). does it mean i need to make changes in the AWS-ALB ?
Through LB:
Upgrade-Insecure-Requests: 1
X-Amzn-Trace-Id: Root=1-620e68b5-121181407c9ceadf6c8f0a25
X-Forwarded-For: 172.31.22.81
X-Forwarded-Host: infra.**********.nl
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ip-172-31-8-140.eu-central-1.compute.internal
X-Real-Ip: 172.31.22.81
Directly IP HIT:
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 80.***.***.61
X-Forwarded-Host: 3.71.93.123
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ip-172-31-8-140.eu-central-1.compute.internal
X-Real-Ip: 80.***.***.61
Finally, I have found a way to do achieve this after reading tons of documents and testing.
This is for ECS provider:
Task definitions :
Traefik
"traefik",
"--providers.ecs.clusters=application",
"--log.level=DEBUG",
"--providers.ecs.region=us-west-2",
"--api.insecure",
"--entryPoints.web.address=:80",
"--entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,<VPC-CIDR>",
"--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,<VPC-CIDR>",
application:
"traefik.http.routers.app.rule": "pathprefix(`/`)",
"traefik.enable": "true",
"traefik.http.services.service-app-app.loadbalancer.healthcheck.timeout": "10",
"traefik.http.services.service-app-app.loadbalancer.sticky.cookie": "true",
"traefik.http.services.service-app-app.loadbalancer.healthcheck.port": "8080",
"traefik.http.services.service-app-app.loadbalancer.healthcheck.interval": "30",
"traefik.http.services.service-app-app.loadbalancer.healthcheck.path": "/ping",
"traefik.http.services.service-app-app.loadbalancer.sticky.cookie.name": "app-cookie"
With Who-ami container:
Hostname: ip-172-31-29-79.us-east-2.compute.internal
IP: 127.0.0.1
GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Upgrade-Insecure-Requests: 1
X-Amzn-Trace-Id: Root=1-623af218-525fa18d4d17e1ef431bb2b9
X-Forwarded-For: 8*******5, 172.31.12.125
X-Forwarded-Host: ecs-*****.us-east-2.elb.amazonaws.com
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ip-172-31-15-101.us-east-2.compute.internal
X-Real-Ip: <loadbalancer-IP>
This PR gives a good overview of how the forward header works
https://github.com/traefik/traefik/pull/7875/files
How it works:
X-Forwarded-For: <client_ip>, <alb_ip>
X-Real-Ip: <alb_ip>
As discussed in my other question there is no support for websockets authentication in Knox, but as a temporary solution we could handle authentication in our backend service. Our test has shown however that Knox does not pass Authorization header to the backend.
[client]$ curl -i -u '<user>:<password>' https://knox-server/gateway/default/myservice/ping
# 8090 is our backend port
[knox-server]$ ngrep -W byline port 8090
interface: eth0
filter: ( port 8090 ) and ((ip || ip6) || (vlan && (ip || ip6)))
#
T <knox-server>:59118 -> <myservice>:8090 [AP]
GET /ping?doAs=<user> HTTP/1.1.
X-Forwarded-For: <client>.
X-Forwarded-Proto: https.
X-Forwarded-Port: 443.
X-Forwarded-Host: <knox-server>.
X-Forwarded-Server: <knox-server>.
X-Forwarded-Context: /gateway/default.
User-Agent: curl/7.54.0.
Accept: */*.
Host: <myservice>:8090.
Connection: Keep-Alive.
Accept-Encoding: gzip,deflate.
.
#
T <myservice>:8090 -> <knox-server>:59118 [AP]
HTTP/1.1 200 OK.
Date: Sat, 14 Oct 2017 14:27:58 GMT.
X-Application-Context: myservice:prod:8090.
Content-Type: text/plain;charset=utf-8.
Content-Length: 4.
.
PONG
How should I configure Knox (0.12.0 from HDP 2.6.2) to make it pass Authorization header to the backend for websocket connection?
While writing this question I realised that there is a ticket KNOX-895 resolving the issue of passing cookies and headers to a backend service in Knox 0.14.0.
[EDIT]
I cloned knox git repo (commit 92b1505a), which includes KNOX-895 (2d236e78), run it locally with added websocket service to sandbox topology.
[tulinski]$ wscat -n --auth 'user:password' -c wss://localhost:8443/gateway/sandbox/echows
[tulinski]$ sudo ngrep -W byline host echo.websocket.org
#
T 192.168.0.16:59952 -> 174.129.224.73:80 [AP]
GET / HTTP/1.1.
Host: echo.websocket.org.
Upgrade: websocket.
Connection: Upgrade.
Sec-WebSocket-Key: Z4Qa9Dxwr6Qvq2QAicsT5Q==.
Sec-WebSocket-Version: 13.
Pragma: no-cache.
Cache-Control: no-cache.
Authorization: Basic dXNlcjpwYXNzd29yZA==.
.
##
T 174.129.224.73:80 -> 192.168.0.16:59952 [AP]
HTTP/1.1 101 Web Socket Protocol Handshake.
Connection: Upgrade.
Date: Mon, 16 Oct 2017 14:23:49 GMT.
Sec-WebSocket-Accept: meply+6cIyjbH+Vk2OsAqKJDWic=.
Server: Kaazing Gateway.
Upgrade: websocket.
.
Authorization header is passed to the backend service.
I need to configure Burp Suite to intercept data between web browser and proxy server. The proxy server requires a basic authentication (Username & Password) while connecting for the first time in each session. I have tried the 'Redirect to host' option in Burp Suite(Entered the proxy server address and port in the fields):
Proxy >> Options >> Proxy Listeners >> Request Handling
But I can't see an option to use the authentication that is required while connecting to this proxy server.
While accessing google.com, the request headers are:
GET / HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (X11; Linux i686) KHTML/4.13.3 (like Gecko) Konqueror/4.13
Accept: text/html, text/*;q=0.9, image/jpeg;q=0.9, image/png;q=0.9, image/*;q=0.9, */*;q=0.8
Accept-Encoding: gzip, deflate, x-gzip, x-deflate
Accept-Charset: utf-8,*;q=0.5
Accept-Language: en-US,en;q=0.9
Connection: close
And the response is:
HTTP/1.1 400 Bad Request
Server: squid/3.3.8
Mime-Version: 1.0
Date: Thu, 10 Mar 2016 15:14:12 GMT
Content-Type: text/html
Content-Length: 3163
X-Squid-Error: ERR_INVALID_URL 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from proxy.abc.in
X-Cache-Lookup: NONE from proxy.abc.in:3343
Via: 1.1 proxy.abc.in (squid/3.3.8)
Connection: close
you were on the right track, just at the wrong place. You need to setup an upstream proxy at:
Options>>Connections>>Upstream proxy
There you can also setup the authentication
Options>>Connections>>Platform authentication
Here you can create different auth configurations, which will be done if the server requests it.
What is a common approach in authenticating of user session for websocket connection?
As I understand websocket message contains data only with no headers. Thus authorization cookie is not available to server backend. How should application distinguish messages from different clients?
Which websocket server are you using?
if your webserver and websocketserver are the same, you could send the sessionid via websocket and force-disconnect any client that does not send a valid sessionid in his first message.
if your websocketserver parses the HTTP headers sent in the HTTP upgrade request properly, it may also save any cookie. this is what a request of my firefox (version 35) looks like:
GET /whiteboard HTTP/1.1
Host: *:*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Sec-WebSocket-Version: 13
Origin: *
Sec-WebSocket-Protocol: whiteboard
Sec-WebSocket-Key: iGPS0jjbNiGAYrIyC/YCzw==
Cookie: PHPSESSID=9fli75enklqmv1a30hbdmg1461
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
as you see, the phpsessionid is transmitted fine. check the documentation of your websocketserver if it parses the HTTP headers. remember that cookies will not be sent if the websocket's domain differs from the webserver's domain.
I'm currently trying to connect to a webservice placed on https://xxx.xxx.xx/myapp
It has anonymous access and SSL enabled for testing purposes atm.
While trying to connect from the 3G network, i get Status 403: Access denied. You do not have permission to view this directory or page using the credentials that you supplied.
I get these headers while trying to connect to the webservice locally:
Headers
Request URL:https://xxx.xxx.xx/myapp
Request Method:GET
Status Code:200 OK
Request Headers
GET /myapp/ HTTP/1.1
Host: xxx.xxx.xxx
Connection: keep-alive
Authorization: Basic amViZTAyOlE3ZSVNNHNB
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response Headers
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 16 Feb 2012 12:26:13 GMT
Content-Length: 622
But when accessing outside the local area, we get the big ol 403. Which in turn wants credentials to grant the user access to the webservice.
However, i've tried using the ASIHTTPRequest library without success, and that project has been abandoned. And they suggest going back to NSURLConnection.
And i have no clue where to start, not even which direction to take.
-connection:(connection *)connection didRecieveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
The above delegate method of NSURLConnection doesnt even trigger. So i have no idea what so ever how to authenticate myself.
All i get is the parsed results of the xml elements of the 403-page.
I needs dem seriouz helps! plx.
This was all just a major f-up.
The site had ssl required and enabled, and setting ssl required for the virtual directories does some kind of superduper meta-blocking.
So, by disabling ssl required for the virtual directories, it runs over ssl and is not blocking 3G access..