Issue with Cloud App Engine, Jersey REST framework and Cloud SQL - sql

I have a App engine Project in Google App Engine named : cwdataproject
I also have a REST service Application deployed in Google App engine under same Project. I have Implemented REST service using Jersey with CORS implementation.REST service Application Project retrieving data from Google Cloud SQL and returning back to client.
Now, the behavior of REST service seems very unstable. Some time it is giving back result. and sometime it is not returning any data . But no error is there.
This is from App Engine log :
A 2014-05-14 11:41:27.581 200 298B 12ms
/rest/messageservices/manufecturerlist?callback=createmanufactureroption
[13/May/2014:23:11:27 -0700] "GET /rest/messageservices/manufecturerlist?callback=createmanufactureroption HTTP/1.1" 200 298 - "Mozilla/5.0 (Linux; U; Android 4.2.1; en-us; Lenovo P780_ROW Build/JOP40D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "cwdataproject.appspot.com" ms=12 cpu_ms=520 cpm_usd=0.000033 instance=00c61b117ce022f9f9bf9df99be6e4b0b6e58e app_engine_release=1.9.4
But same code was working hours back ;-) Here is a log which was returning data previously. No change has been done ..
[13/May/2014:11:23:18 -0700] "GET /rest/messageservices/manufecturerlist?callback=createmanufactureroption HTTP/1.1" 200 560 - "Mozilla/5.0 (Linux; U; Android 4.2.1; en-us; Lenovo P780_ROW Build/JOP40D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "cwdataproject.appspot.com" ms=11543 cpu_ms=7280 cpm_usd=0.000063 loading_request=1 instance=00c61b117ce022f9f9bf9df99be6e4b0b6e58e app_engine_release=1.9.4
I only can see a difference loading_request=1
Really no idea. !!!
Can anybody help please ..
My appengine-web.xml file looks as below ...
<?xml version="1.0" encoding="utf-8"?>
<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
<application>messageframework</application>
<version>1</version>
<!--
Allows App Engine to send multiple requests to one instance in parallel:
-->
<threadsafe>true</threadsafe>
<!-- Configure java.util.logging -->
<system-properties>
<property name="java.util.logging.config.file" value="WEB-INF/logging.properties"/>
</system-properties>
<!--
HTTP Sessions are disabled by default. To enable HTTP sessions specify:
<sessions-enabled>true</sessions-enabled>
It's possible to reduce request latency by configuring your application to
asynchronously write HTTP session data to the datastore:
<async-session-persistence enabled="true" />
With this feature enabled, there is a very small chance your app will see
stale session data. For details, see
http://code.google.com/appengine/docs/java/config/appconfig.html#Enabling_Sessions
-->
</appengine-web-app>

Related

Apache cgi script invoked from browser but not embedded device

I am working on a project that involves two embedded devices, let's call them A and B. Device A is the controller and B is being controlled. My goal is to make an emulator for device B, i.e., something that acts like B so A thinks it's controlling B but in reality, it is controlling my own emulator. I don't control or can change A.
Control occurs via the controller posting GET commands invoking various cgi scripts so the plan is to install apache on "my" device, setup CGI and replicate the various scripts. I am running apache version 2.4.18 on Ubuntu 16.04.5 and have configured Apache2 so it successfully runs the various scripts depending on the URL. As an example, one of the scripts is called 'man_session' and a typical URL issued by device A looks like this: http://192.168.0.14/cgi-bin/man_session?command=get&page=122
I have build a C/C++ program named 'man_session' and have successfully configured Apache to invoke my script when this URL is submitted. I can see this based on the apache log:
192.168.0.2 - - [24/Jan/2019:14:38:38 +0000] "GET /cgi-bin/man_session?command=get&page=122 HTTP/1.1" 200 206 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
Also, my script writes to stderr and I can see the output in the log file:
[Thu Jan 24 14:46:10.850123 2019] [cgi:error] [pid 23346:tid 4071617584] [client 192.168.0.2:62339] AH01215: Received man_session command 'command=get&page=122': /home/pi/cgi-bin/man_session
So far so good. The problem I am having is that the script does not get invoked when device A makes the request, only when I make the request via a browser (both Chrome and Internet Explorer work) or curl. The browsers run on my Windows PC and curl runs on the embedded device "B" itself.
When I turn on device A, I can see the URL activity on the log but the script does not get invoked. Below is a log entry showing the URL but which that does not invoke the 'man_session' script. It shows a code of 400 which according to the HTTP specification is an error "due to malformed syntax". Other differences are the missing referrer and user-agent information and http 1.0 vs http 1.1, but I don't see why these would matter.
192.168.0.9 - - [24/Jan/2019:14:38:12 +0000] "GET /cgi-bin/man_session?command=get&page=7 HTTP/1.0" 400 0 "-" "-"
Note that device A is 192.168.0.9 and my PC is 192.168.0.2. What am I missing here, why doesn't the above URL invoke the script as when issued by the browser? Is there any place where I can get more information about why the code 400 occurs in this case?
After a lot of back and forth, I finally figured out the issue. Steps taken:
Increased log level to debug (instead of the default 'warn' in apache2.conf
This caused the following error message to show up in the log
[Sat Jan 26 02:47:56.974353 2019] [core:debug] [pid 15603:tid 4109366320] vhost.c(794): [client 192.168.0.9:61001] AH02415: [strict] Invalid host name '192.168.000.014'
After a bit of research, added the following line to the apache2.conf file
HttpProtocolOptions Unsafe
This fixed it and the scripts are now called as expected.

NGINX: different logs for two different websocket connections

We have two clients, one javascript and one C++. The C++ is using libwebsockets. Both of them try to connect via secure websockets (wss) to our websocket server via port 7000, that is sitting behind an NGINX server. When the javascript client connects, the connection is successful and in the NGINX 7000 port logs, this shows:
[04/May/2018:12:25:30 +0000] "GET / HTTP/1.1" 101 0 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36"
However, when trying to connect with the C++ client, the connection fails and the logs show
[04/May/2018:10:59:40 +0000] "GET / HTTP/1.1" 400 5 "-" "-"
Why is it throwing a 400 instead of a 101 in the second case? We are not sure how to debug this. This is what we use in the websocket client
ws->init("wss://echo.websocket.org:7000", nullptr, "your CA root file path");
The client just says Connection Failed. We tried inspecting data with wireshark and enabling more logs in the NGINX server but we can't figure it out. What can it be about? Could it be because of miss-matched SSL/TLS versions?
Turns out the the client's library was not actually including the port number in the request, even when it's included in the connection URL. So either configuring NGINX to handle this specific case or making the library include the port in the request, solves the probem.

CORS Fails with Safari 10.1.2 and Google Storage

Platforms:
Tested on iPhone iOS 10, macOS Sierra v10.12.6
Safari v10.1.2 (Safari v10.1.1 and below don't seem to have this problem, and neither do Chrome nor Firefox)
Description:
We're having a problem saving a photo through Google Cloud Storage. From the web inspector, we see that we're making a OPTIONS request to http://storage.googleapis.com/..., but we receive an empty response. Whereas, in other browsers or in other versions of Safari, we don't see a OPTIONS request, only the POST request. We've verified that our CORS configuration on the Google Cloud Storage bucket allows our origin.
Our request headers for the OPTIONS request look like this:
Access-Control-Request-Headers:
Referer: <referrer>
Origin: <origin>
Accept: */
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8
Access-Control-Request-Method: POST
From what we can see in the Safari devtools, there are no response headers, and the response is empty. As for the status code, there's no status code from what we can see in Safari devtools, but when we were using Charles, we saw that we received a 200 status code, but the response and response headers were empty as well.
These are the errors in the console:
http://storage.googleapis.com/... Failed to load resource: Origin
<origin> is not allowed by Access-Control-Allow-Origin
XMLHttpRequest cannot load http://storage.googleapis.com/... Origin
<origin> is not allowed by Access-Control-Allow-Origin.
Is there a issue with the latest version of Safari and CORS?

Apache logs showing strange ^# characters ? What does this mean ?

My apache logs are always interrupted by strange characters :
84.196.205.238, 172.23.20.177, 172.23.20.177 - - [05/May/2015:11:48:15 +0200] 0 www.sudinfo.be "GET /sites/default/files/imagecache/pagallery_450x300/552495393_google_street_view HTTP/1.1" 200 32620 "http://www.sudinfo.be/247263/article/culture/medias/2011-11-23/google-street-view-en%C2%A0belgique-comment-trouver-votre-maison" "Mozilla/5.0 (Linux; U; Android 4.2.2; nl-be; GT-P3110 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30"
^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#^#efault/files/imagecache/pagallery_450x300/2015/01/13/1554554859_B974505865Z.1_20150113094316_000_GVR3PDRHQ.1-0.jpg HTTP/1.1" 200 26033 "http://www.bing.com/images/search?q=leonardo+dicaprio+Met+gala&id=06B1C7410D6458C6A698AC09F3F8C6B7915BFFDE&FORM=IQFRBA" "Mozilla/5.0 (iPad; CPU OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53"
Do you have any idea what can be the cause of this ?
If your web server is externally accessible then this is probably an artifact from an attempt to hack your server
ISTR ^# is how apache logs a "NULL" zero byte. These are used to pad attacks such as buffer overflow
You may like to look at counter measures such as mod_security
https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-Frequently-Asked-Questions-%28FAQ%29
I hope it is obvious that a full patched server and application stack is more likely to be able to withstand random attack attempts like this
Ok finally found out what the problem was. My log files are written on a Network filesystem and my bash client just had problems to read it because of the network.
False alarm, everything still safe. Thanks for the help.

HTTP GET Status Code "-1" on Safari - Any other browser reports status code 302 - Moved

We have a page where the user enters his credentials. The user is then redirected to the landing page but we just discovered recently that on Safari 5.1 the redirection doesn't occur and is reported as an HTTP GET with status code -1:
Request URL:https://whatever.com/home.asp
Request Method:GET
Status Code:-1
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding:gzip, deflate
Accept-Language:en-US
Origin:https://whatever.com
Referer:https://whatever.com/logon.asp?CTAuthMode=BASIC&language=en&CT_ORIG_URL=https%3A%2F%2Fsubdomain.whatever.com%3A443%2Fyadda%2FDefault.aspx&ct_orig_uri=https%3A%2F%2Fsubdomain.whatever.com%3A443%2Fyadda%2FDefault.aspx
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
And the actual response content in Safari is this:
<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found here.</body>
HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 167
Content-Type: text/html
Location: https://subdomain.whatever.com/yadda/Default.aspx
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found here.</body>
Firefox reports something different:
Status: 302 Object moved
Domain: whatever.com
Size: 167 B
BUT when you look at the actual response's HTML in Firebug, it shows the actual landing page which is about 13.6 Kb in size.
Has any body seen this behavior in Safari? It happens on Windows (XP & 7) and Mac so the issue seems to be related to Safari itself. I don't know if this is a specific bug with my version of Safari or if older versions of Safari have the same issue.
Any suggestions to work around this issue are greatly appreciated.
This turned out to be a bug on Safari 5.1. Upgrading to version 5.1.1 fixed the issue