Cloudflare suddenly returns a 302 redirect to the origin domain, which breaks our AJAX calls, although the CORS headers are still in place.
curl -I https://cloudflare-domain.com/channel/4d90dd64aa4a4fd8a3cad8862fd88c67/?limit=12
HTTP/1.1 302 Found
Date: Fri, 29 Sep 2017 15:38:22 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Set-Cookie: __cfduid=dc5840cbd96478011d1bb040fcb6fc7e81506699502; expires=Sat, 29-Sep-18 15:38:22 GMT; path=/; domain=.cloudflare-domain.com; HttpOnly
Location: https://origin-domain.com/channel/4d90dd64aa4a4fd8a3cad8862fd88c67/?limit=12
CF-Cache-Status: HIT
Expires: Fri, 29 Sep 2017 17:38:22 GMT
Cache-Control: public, max-age=7200
Server: cloudflare-nginx
CF-RAY: 3a600770fec427aa-FRA
We haven't changed any settings, either in Cloudflare or on the origin server.
Any ideas why this could suddenly happen?
Found the problem: a change was made on the origin server.
We put in a redirect to enforce HTTPS, but Cloudflare was connecting over HTTP. The redirect was being returned by the origin server.
Solution: In the Cloudflare settings, under Crypto, select Full SSL (strict).
Update: Go to search and type "SSL/TLS"
and change to Full strict
Screenshot SSL/TLS Settings 302 Found cloudflare
Related
I installed odoo on centos 8 and use httpd as a reverse proxy. Like other Apache hardening, I use ServerTokens Proddan ServerSignature Off to hide server information.
but when I try wget the results still show server information
Spider mode enabled. Check if remote file exists.
--2020-03-12 11:57:14-- http://my.domain/
Resolving my.domain (my.domain)... 169.0.0.1
Connecting to my.domain (my.domain)|169.0.0.1|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://my.domain/
Location: https://my.domain/ [following]
Spider mode enabled. Check if remote file exists.
--2020-03-12 11:57:14-- https://my.domain/
Connecting to my.domain (my.domain)|169.0.0.1|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Thu, 12 Mar 2020 04:56:55 GMT
Server: Werkzeug/0.14.1 Python/3.7.5
Content-Type: text/html; charset=utf-8
Content-Length: 10589
Set-Cookie: frontend_lang=en_US; Path=/
Set-Cookie: session_id=s8487a5ec76bd455f42680c38195b5f7f0285d563; Expires=Wed, 10-Jun-2020 04:56:55 GMT; Max-Age=7776000; HttpOnly; Path=/
Vary: User-Agent
Length: 10589 (10K) [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.
well it can use mod_header and mod_rewrite, then add
add Header set Server "value that you want" to your apache virtual host
I added some custom fonts to my website and uploaded them to AWS S3 + CloudFront.
A lot of topics here describe this problem but non of them are solving my issue.
Using curl I get this output:
curl --head https://cdn.mzguru.de/fonts/sourcesanspro/source-sans-pro-v12-latin-ext_latin-700.woff2
HTTP/1.1 200 OK
Content-Type: binary/octet-stream
Content-Length: 25348
Connection: keep-alive
Date: Tue, 22 Oct 2019 11:54:18 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 3000
Last-Modified: Fri, 12 Apr 2019 10:54:26 GMT
ETag: "639c2738552a0376c91e7d485e476fda"
Cache-Control: max-age=62208000
Accept-Ranges: bytes
Server: AmazonS3
X-Cache: Hit from cloudfront
Via: 1.1 bae3e24625567f5728a5caa96d6b7669.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: FRA53
X-Amz-Cf-Id: iAy-QTfuV9ZqwmaRjXE0ramVSgsZkA6MtRmQOKDSonf6I8OabrpLZA==
Age: 12818
Within Chrome I get this error:
Access to font at 'https://cdn.mzguru.de/fonts/sourcesanspro/source-sans-pro-v12-latin-ext_latin-700.woff2' from origin 'https://www.monteurzimmerguru.de' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
This is the point where I do not understand the problem. The error message says: "No 'Access-Control-Allow-Origin' header is present"
But in the curl request I see this header. What is wrong?
Thank you
EDIT
I have attached a screenshot with the error messages.
EDIT 2: AWS Interface changed (2022)
Please take a look at #James Dean post.
1.) Do I need to tick the options box?
2.) I can not find the settings you describe. I guess the UI changed in the meanwhile.
Your S3 CORS configuration is correct based on below output:
>curl -vk "https://cdn.mzguru.de/fonts/sourcesanspro/source-sans-pro-v12-latin-ext_latin-700.woff2" -H "Origin: https://www.monteurzimmerguru.de"
< HTTP/2 200
< content-type: binary/octet-stream
< content-length: 25348
< date: Thu, 24 Oct 2019 12:19:41 GMT
< access-control-allow-origin: *
< access-control-allow-methods: HEAD, GET
< access-control-max-age: 3000
< last-modified: Fri, 12 Apr 2019 10:54:26 GMT
< etag: "639c2738552a0376c91e7d485e476fda"
< cache-control: max-age=62208000
< accept-ranges: bytes
< server: AmazonS3
< x-cache: Hit from cloudfront
However, Chrome/Browser is making OPTIONS/Preflight request on CloudFront and options request is not allowed on cloudfront currently. Only Head and GET are allowed.
curl -X OPTIONS "https://cdn.mzguru.de/fonts/sourcesanspro/source-sans-pro-v12-latin-ext_latin-700.woff2" -H "Origin: https://www.monteurzimmerguru.de"
>This distribution is not configured to allow the HTTP request method that was used for this request
To fix this , you need to do it:
In the CloudFront cache behaviour, you need to allow GET,HEAD and OPTIONS
In Cache behaviour, cache based on selected header, you should select Origin
Invalidate cache once and test it again.
You have to update,
Query String Forwarding and Caching to Forward all, cache based on all
in cloudfront Cache Behavior Settings ( cloudfont -> select one -> edit )
My app is required to support users logged in via SSO on a 3rd party server.
I configured settings.py based on the docs, i.e.
MIDDLEWARE_CLASSES = [
'...',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.PersistentRemoteUserMiddleware',
'...',
]
AUTHENTICATION_BACKENDS = [
'django.contrib.auth.backends.RemoteUserBackend',
]
I tried to test this using Postman on a couple of the app's URLs with no auth and with basic auth (user is defined) and, of course, with REMOTE_USER (and/or HTTP_REMOTE_USER header set).
In all cases I get a 401 - unauthorized code. Moreover, the breakpoint in authenticate is never called. The process_request in the middleware is called, but the REMOTE_USER header is not in request.META.
What else do I need to configure (in Django, Postman - or better still Apache) so that the REMOTE_USER will be set?
My knowledge of Apache is minimal, so a link to an example will help a lot.
The closest "solution" I saw is this, but it seems that the person circumvented the proper way to do this.
UPDATE
The Postman request is simply to one of the basic services which requires users to be logged in (#login_required decorator in Django)
I've tried with both basic auth and no auth.
The reply is a 401 without additional information.
>curl -i -H 'REMOTE_USER: user' localhost:9000/project/files/
HTTP/1.0 401 Unauthorized
Date: Sun, 17 Dec 2017 13:38:38 GMT
Server: WSGIServer/0.1 Python/2.7.10
Expires: Sun, 17 Dec 2017 13:38:38 GMT
Vary: Cookie
Last-Modified: Sun, 17 Dec 2017 13:38:38 GMT
Location: /accounts/login/?next=/project/files/
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=utf-8
Same command with cURL. The Location seems to suggest it tried to redirect to the login page (which should not happen)
I am getting 301 from my application to the browser :
HTTP/1.1 301 Moved Permanently
Date: Tue, 25 Jun 2013 04:27:20 GMT
Location: http://abc.com/ajax/ss
Content-Type: text/html; charset=UTF-8
..............
Ez2sIJr91YfiK2eKftdb1ngLMQPr
Ez2sIJr91YfiK2eKftdb1ngLMQPr1 is a encrypted body coming in 301.
After receiving browser is sending GET to http://abc.com/ajax/ss. My requirement is that browser should send POST instead of GET with Ez2sIJr91YfiK2eKftdb1ngLMQPr body.
Is there any way ?
This should work if you use status code 307.
I'm working on the Telit GL-865 GSM/GPRS Modem kit for research purposes. I have connected it to my pc using a serial port and got the terminal access using Putty.
I can successfully execute all AT commands to send/receive sms, make voice calls, etc.
I can also set a GPRS context using AT+CGDCONT and open a connection to server using AT#SKTD and can send GET and POST requests. I also get the HTTP response with all headers properly.
However for some websites, I do not get proper response. For eg. - www.google.com
If I send :
AT#SKTD=0,80,"www.google.com"
CONNECT
GET /<cr><lf>
<cr><lf>
I get the following response :
HTTP/1.0 302 Found
Location: http://www.google.co.in/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=80125e212d950ff8:FF=0:TM=1310555250:LM=1310555250:S=lwD7-OUKPeiBwCri; expires=Fri, 12-Jul-2013 11:07:30 GMT; path=/; domain=.google.com
Date: Wed, 13 Jul 2011 11:07:30 GMT
Server: gws
Content-Length: 221
X-XSS-Protection: 1; mode=block
<HTML>
<HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE>
</HEAD>
<BODY>
<H1>302 Moved</H1>
The document has moved
here.
</BODY>
</HTML>
Also I cannot access www.wiley.com to test CGI scripts. I get CONNECT as a response to AT#STKD but before I can complete typing the request header I get a NO CARRIER message.
Have you established the PDP context correctly?
Below are the commands and responses I used working with Telit GM862 and it worked well:
AT#USERID="username" //set username provided by mobile operator
AT#PASSW="password" //set password provided by mobile operator
AT+CGDCONT=1, "IP", "internet","0.0.0.0",0,0
AT#SKTSAV //save settings
AT#GPRS=1 //check if PDP context is established - if it is it should return the IP
+IP: 188.196.98.28
OK
AT#SKTD=0,80,"google.si",0,0
CONNECT
GET / HTTP/1.1<cr><lf>
Host: www.google.si<cr><lf>
Connection: keep-alive<cr><lf>
<cr><lf>
HTTP/1.1 200 OK
Date: Fri, 27 May 2011 09:39:49 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-2
Set-Cookie: PREF=ID=2420df534f6e850f:FF=0:TM=1306489189:LM=1306489189:S=i3qJtsLHuyMMmV9q; expires=Sun, 26-May-2013 09:39:49 GMT; path=/; domain=.google.si
Set-Cookie: NID=47=VGbr367EMHD9yp5XA61kWaWL37G_zBAIhy1CbRlEr3br0rcdM-H93M3Imfhm1ccDZiKjV2GhK3gZrg_LIbuz2ycgAZsGOGU1a29VXt7UahnmEqxcXMsG2JJc8GfaNsoM; expires=Sat, 26-Nov-2011 09:39:49 GMT; path=/; domain=.google.si; HttpOnly
Server: gws
X-XSS-Protection: 1; mode=block
Transfer-Encoding: chunked
1000
<!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=ISO-8859-2"><title>Google</title><script>...</script>
0
NO CARRIER
I have almost solved the problem.
The first problem of HTTP 302 is just a HTTP Redirection Request so I have to write my code in a while loop to again send a new GET request to the 'location' specified in the Response.
And the second problem regarding access of www.wiley.com is solved by immediately pasting the request header and hitting enter after I get CONNECT, instead of typing manually. So I guess the problem is due to timeout which occurs because of typing delay. When I'm doing this in a program it would be instantaneous, so I don't have to worry about it.