SSL offloading is enabled on our load balancer , all communication from the load balancer to the webservers is done in HTTP. We will not be enabling https on the service and security is set to None in the bindings. When I try testing with my client through the load balancer I run in to the error of "The provided URI scheme 'https' is invalid; expected 'http" . It almost looks like https all the way to the web server/WCF when it should not be the case. I tried custom bindings and everything else that I can find on google with no luck. Any one else run in to a similar issue . I would appreciate your help.
Related
I have a simple worker that just does a fetch against an HTTPS endpoint somewhere else.
The code is literally just:
return await fetch('https://something.com/someResource')
When I test locally (wrangler dev) and even publish to a workers subdomain this works fine. When I curl https://foo.bar.workers.dev/myEndpoint I get the same response as https://something.com/someResource.
However I want to run this from my own domain (managed through cloudflare) so the worker also has a route of foo.mydomain.com/* and a AAAA record to 100:: for foo as per CloudFlare docs. The DNS works fine the URL is reachable, but when I try to hit https://foo.mydomain.com/myEndpoint CloudFlare's worker logs show that the fetch behind the scenes fails with a 525 error (SSL Handshake fail).
Things I've tried based on some CloudFlare forum posts:
Add a page rule foo.mydomain.com/* -> SSL Mode: full since my overall SSL settings are set to flexible.
Set the host header in the fetch to the origin domain ( fetch(url, {headers: {'Host': 'something.com'}})
FYI, I don't control the origin server as it's an external API I work with.
How come the same request works from local and *.workers.dev but not my own domain?
Your page rule is not taking effect. The page rule is for foo.mydomain.com/*, but it has to match the subrequest URL, which in this case is https://something.com/someResource, which doesn't match. It doesn't matter that the original worker request matched -- what matters, in this case, is whether the subrequest URL matched.
Unfortunately, you cannot create a page rule that matches a domain other than your own.
Instead, what you'll need to do is reverse things. Set your SSL mode to "full" by default, but then use page rules to set it to "flexible" for your own domain.
(Note: The "SSL Handshake fail" error itself is actually a known bug in Workers, that happens when you try to talk to a host outside your zone using HTTPS but you have "flexbile" SSL set. We do not use flexible SSL when talking to domains other than your own, but there's a bug that causes the request to fail instead of just using full SSL as it should.)
I setup haproxy as reverse proxy in our organization . we want when the client request for some web site like lenovo or oracle or etc. …the request must be passed through our reverse proxy server .(because our client set our dns server and i defined reverse proxy’s ip as those such domain in our dns server). i using SSL passthrough .but i have some problem in this case.
1- some time haproxy doesnt work fine and have problem to load right certificate.for example when i want to see www.amazon.com haproxy load wrong certificate(SSL_ERROR_BAD_CERT_DOMAIN) so firefox prevent to load website. in this case i have www.intel.com in haproxy config so haproxy getting confused and load www.amazon.com with intel certificate website.
2-I want all sub domain of website like *.oracle.com or *.lenovo.com passed through our reverse proxy so we don’t need to register sub domains of website one by one in haproxy server .
i try with -reg or matching pattern method but all of them need to final destination.
3- some time redirection cant work properly and we facing http to https redirection error .(some time client enter lenovo.com or intel.com (means http requesting).to over come this problem i defined http frontend and redirect all request to https except one hypothetical request by acl . but my issue some time appear.
This is simple done by req_ssl_sni and writing simple acl to forward request but attention to just write single forntend and backend ,because multi frontend and backend cause a confusing in haproxy.
I am having a jersey based REST Application which is running on grizzly and configured it as follows behind an apache reverse proxy
e.g. www.example.com/base/json/helloworld/get should redirect to my REST service. (Multiple Resources). However, when I try to open the url in the browser I always get a Resource not found.
In my apache config:
ProxyPass /base/ http://localhost:8123/
ProxyPassReverse /base/ "http://localhost:8123/
My grizzly server configuration is really simple and works if I do a curl request: curl localhost:8123/base/json/helloworld/get => Response is correct.
However, if I acess the url in my browser, e.g.
example.com/base/json/helloworld I am getting the grizzly error:
Resource identified by path /json/helloworld/get', does not exist.
HttpServer server = GrizzlyHttpServerFactory.createHttpServer(URI.create(http://localhost:8123/base), resourceConfig, false);
Am I missing something? I already tried changing the url to the domain and so on, but I can't get my head around why it doesn't work.
I found my fault. In the grizzly server my url was configured with the path /base/, but the Proxy Pass did not include the /base/ path at the end of the url. Now it works fine.
I've setup the standard GCP load balancer to point to my instance group. It talks over the same port on the instance. I would like to redirect http to https. I would normally do this in nginx or apache on the instance but that won't work since its https already from the load balancer.
Is there a way to rewrite the url similar to if I was using nginx and apache to load balance in GCP's Load Balancer? or should I forward http and https to the instance and have the instance handle the rewrite as I normally would. I'm new to GCP thanks in advance.
You can set it up the same way as Nginx does. When you see traffic on a port which is not https, you redirect it to HTTPs.
To do this, you can use X-Forwarded-Proto header which contains the protocol using which the traffic came in. On your server, you can simply look for traffic that has http header and upgrade that request to HTTPS.
Most commonly used way is to use 301 redirect, but that is not a great practice. One should use HTTP 426 upgrade request header.
Read more: Is HTTP status code 426 Upgrade Required only meant signal an upgrade to a secure channel is required?
RFC doc: https://www.rfc-editor.org/rfc/rfc2616#section-14.42
I have installed apache HTTP server and after when i browse to localhost i am getting this error. Apache server is started. Port is configured to 80 and seems to be no one use it. I can't figure out what is the problem. Can someone?
Thanks.
The problem is that you're routing your localhost traffic through your upstream gateway proxy. The upstream gateway proxy refuses to send the traffic back, either because "localhost" has a different meaning to it, or because it's trying to prevent a security threat called "proxy bounceback." What URL are you using to access your site? Put that URL's hostname in your proxy exemption list.
Open the ISA server2006 and create a role and allow networks internal to allow internal and external .And restart the isa services .It will work fine
I tried this and it is working fine.