How to ignore invalid requests - Apache

Is there any way to configure Apache to programmatically examine a request and cancel the response if the request is invalid? I mean, my intention is to skip responding and just disconnect the client. I'm currently developing a fault-tolerance server fronted by Apache which needs to (stakeholder requirement) ignore answering requests which aren't authorized (I can't even send 401). If I can't use Apache, is there any other way to do it?

Continuation of above comments ...
I don't know how much control you have in JBoss over headers and output sent to the browser, but you can mimic a closed/aborted request like this, from within an application.
Send these Headers, flush and stop all output:
HTTP/1.0 204 No Content
Content-Length: 0
Content-Type: text/html
For example, this is the recommended method the Amazon API suggests as a response to any call that does not want a response.

Related

Not allowed by CORS

I'm trying to automate a process so I want to connect to an external API, first just to log in (can't use the API Key since I'm not an admin user).
I basically copied the request the browser does when it logs in, but when doing this from Postman I get a 400 response, with the body "Not allowed by CORS".
Is there any way through code, that I can bypass that and work with such API?
CORS means Cross-Origin Resource Sharing. Basically, browsers give web servers a way to protect themselves from data change requests.
Remove the Origin header (or) replace the Origin value with the server hostname (in this case api.kenjo.io)
Add referer header.
With dothttp it would look like below.
POST 'https://api.kenjo.io/auth/token'
origin: 'https://www.kenjo.io'
referer: 'https://www.kenjo.io/'

To detect page request and API/XHR call from backend

Have a single entry service which is acting like a facade/proxy service for downstream services. The service will need to be able to detect if the request is a "page request" or "api/xhr" request to perform error handling (302 redirection or 401).
So far have considered:
To use Accept header and detect text/html follow the following reference, can't tell if this is a good indicator to detect a page request
To introduce a custom header for all "api/xhr" request
To enforce all the "api/xhr" requests to follow a "/api" pattern (troublesome as for certain application the xhr is not a restful api)
Any good suggestions are welcome
Ended up using Option 1
Detect page request using Accept header with value "text/html"
As we do not use ajax for partial view
Usually the non-standard HTTP header X-Requested-With is used. Just the presence of the header should be enough. It has at least one advantage over Accept: It cannot be set on a cross-site request, which helps prevent CSRF.
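
The Accept check from Option 1 combined with the X-Requested-With check from the answer above, as an added example that is not part of the original posts. The function names, the `/login` URL and the sample headers are constructed for illustration; the third sample is the case where Accept alone would misclassify an AJAX call as a page request.

```python
# Added example (not from the original thread): pick 302 or 401 at the facade.

def parse_accept(value):
    """Parse an Accept header into [(media_type, q)]; a malformed q counts as 0."""
    items = []
    for part in value.split(","):
        fields = [f.strip() for f in part.split(";")]
        media = fields[0].lower()
        if not media:
            continue
        q = 1.0
        for field in fields[1:]:
            name, _, val = field.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 0.0
        items.append((media, q))
    return items


def is_page_request(headers):
    """True only for requests that look like a browser navigation."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if "x-requested-with" in h:  # presence alone marks the call as XHR
        return False
    # text/html must be listed explicitly; a bare */* (fetch, curl) is treated as API
    return any(m == "text/html" and q > 0 for m, q in parse_accept(h.get("accept", "")))


def unauthenticated_response(headers, login_url="/login"):
    """Return (status, redirect_target) for a request that has no valid session."""
    if is_page_request(headers):
        return 302, login_url
    return 401, None


# Constructed sample requests
SAMPLES = {
    "navigation": {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"},
    "json_xhr": {"Accept": "application/json, text/javascript, */*; q=0.01",
                 "X-Requested-With": "XMLHttpRequest"},
    "html_partial_xhr": {"Accept": "text/html, */*; q=0.01",
                         "x-requested-with": "XMLHttpRequest"},
    "fetch_default": {"Accept": "*/*"},
    "html_refused": {"Accept": "application/json, text/html;q=0"},
}
```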

Unable to load the webpage because the server sent no data for all JSON requests

Some of my site users are unable to call any api endpoints successfully whether through AJAX or a direct GET request in the browser. All HTML pages work fine. They get the following error when hitting an API endpoint.
What can be the issue here? I am suspecting some kind of firewall/ISP/Network restriction may be causing this, but I am not sure. What can I do to debug the issue? I checked my server logs and the request is hitting my server and the right response is being sent back. I am using rails 3.
UPDATE
Figured out the issue. The client's firewall is blocking application/json content.
The client's firewall is blocking all content of mime type application/json

305 Use Proxy - Implementation by Modern Browsers

I'm curious how the 305 Use Proxy HTTP Response Header is implemented by the latest web browsers.
What I'm hoping to accomplish is effectively as follows:
Accept a request using Apache
Provide a response to the browser which will indicate it should make the request again, on another port and/or hostname for the server
Fork and detach the original request
Listen on the port indicated to the browser, and handle the HTTP request in full by the child process
It would only be effective for my purposes if the browser does not indicate to the user the request is now being served by the child process, for this reason, 301/302 won't be effective.
http://trac.tools.ietf.org/wg/httpbis/trac/ticket/76

BlazeDS data push over SSL

I have an application that uses the data push technology of BlazeDS to send data to a Flex client every 5 seconds. The application works fine when I run it via HTTP with or without a proxy. When I run it via HTTPS the data push doesn't work anymore. I get the following error:
rootCause [IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2
text="Error #2032: Stream Error.
URL: https://localhost/admin/messagebroker/streamingamfsecure?command=open&version=1
Has anyone successfully got streaming to work over SSL?
Thanks,
Pratima
Questions to ask yourself (and post here)
Is the request showing up in your access logs?
Does Tomcat/whatever serve up normal HTML pages via HTTPS?
What do the response headers look like? Does clearing your cache change anything?
What browser are you using?
Can you set explicit caching headers?
Try one of these:
Cache-Control: no-store
Cache-Control: no-store, must-revalidate
Cache-Control: no-store,max-age=0,must-revalidate
Cache-Control: max-age=0,must-revalidate
Cache-Control: must-revalidate
2032 is a bit of a vague error from the framework.
However, things to check (in addition to Stu's list)
Can you hit the https:// page in a browser directly?
I notice in your example that you haven't specified the port number for SSL. Unless you've gone to the trouble of setting up some Apache SSL redirects, chances are this is a mistake.
If you paste the URL into a browser, you should be able to hit it, and get an empty response. Anything else, and you've got a problem (often one that doesn't relate to BlazeDS.)
Is your certificate valid?
If you're using a self-signed cert (as is common in development), does your browser have a security exception defined? Various browsers will block attempts to hit invalid certs in different ways, but no self-respecting browser would allow this call through until an exception has been set up.
Is your channel defined correctly?
When switching from http:// to https://, you need to update your Channel class on the flex client to SecureAMFChannel and the endpoint class in your services-config.xml to SecureAMFEndpoint.
Broadly speaking, https with BlazeDS (either push, or RPC) works just fine, assuming you configure it properly.