In my application I have a setup with NServiceBus Gateway on an endpoint, and I was able to access it using the URL http://localhost/{Endpoint name} from the same machine.
My question is what I have to do to access that endpoint from external machines using the public IP address or domain name.
For example, how can I access the gateway endpoint with the URL http://{My Public ip address}/{Endpoint name}?
I found the answer myself: what you have to do is simply change the channel address to the domain name you want:
<GatewayConfig>
<Channels>
<Channel Address="http://{Your domain name}/{Endpoint name}/" ChannelType="Http" Default="true"/>
</Channels>
</GatewayConfig>
Related
I need to extract the user IP address (v4).
I have the following code to do so:
HttpContext.Connection.RemoteIpAddress.MapToIPv4().ToString();
The problem is that in this case I am getting the Cloudflare IP address.
How can I get the forwarded v4 IP address?
Thanks
Cloudflare passes all HTTP request headers to your origin web server and adds additional headers.
The header:
CF-Connecting-IP
provides the client IP address connecting to Cloudflare to the origin web server.
You can also use the header:
X-Forwarded-For
which maintains proxy server and original visitor IP addresses.
For more information about the CloudFlare headers you can refer to the documentation
Actually, you can create a method that tries to check all these headers and returns the client IP address value.
using System.Linq;
using Microsoft.AspNetCore.Http;

private string getRemoteIpAddress(HttpContext accessor)
{
    // try reading the Cloudflare client IP address header (header lookup is case-insensitive)
    var cfConnectingIp = accessor.Request.Headers["CF-Connecting-IP"].ToString();
    if (!string.IsNullOrEmpty(cfConnectingIp))
        return cfConnectingIp;

    // try reading the proxy server and original visitor IP addresses header;
    // GetServerVariable only works when hosted on IIS, so fall back to the raw header elsewhere
    var forwardedFor = accessor.GetServerVariable("HTTP_X_FORWARDED_FOR");
    if (string.IsNullOrEmpty(forwardedFor))
        forwardedFor = accessor.Request.Headers["X-Forwarded-For"].ToString();
    if (!string.IsNullOrEmpty(forwardedFor))
    {
        // "client, proxy1, proxy2": the last entry is the address that connected to Cloudflare
        var addresses = forwardedFor.Split(',').Select(a => a.Trim()).Where(a => a.Length > 0).ToArray();
        if (addresses.Length != 0)
            return addresses.Last();
    }

    // no proxy headers present: fall back to the TCP peer address
    return accessor.Connection.RemoteIpAddress?.ToString();
}
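The helper above returns whatever CF-Connecting-IP or X-Forwarded-For says, no matter who sent it; a client that can reach the origin directly (or anyone who knows its address) can set those headers to any value and spoof its IP. The following is an added example, not the answer's code: it honours the headers only when the TCP peer is inside a trusted-proxy range, and walks X-Forwarded-For from the right, skipping hops that are themselves trusted proxies. The CIDR ranges and the dictionary standing in for the request headers are constructed for the example; in a deployment the ranges come from Cloudflare's published list (https://www.cloudflare.com/ips/).

```csharp
// Added example: trusted-proxy-aware client IP resolution (not the answer's code).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

public static class ClientIpResolver
{
    // Placeholder trusted-proxy ranges, constructed for this example. Replace with
    // Cloudflare's published ranges (and your own load balancers) in production.
    public static readonly List<(IPAddress Network, int PrefixLength)> TrustedProxies =
        new[] { "203.0.113.0/24", "2001:db8::/32" }.Select(ParseCidr).ToList();

    public static (IPAddress Network, int PrefixLength) ParseCidr(string cidr)
    {
        var parts = cidr.Split('/');
        return (IPAddress.Parse(parts[0]), int.Parse(parts[1]));
    }

    // Prefix match on the raw address bytes; works for IPv4 and IPv6 alike.
    public static bool InRange(IPAddress address, IPAddress network, int prefixLength)
    {
        byte[] a = address.GetAddressBytes(), n = network.GetAddressBytes();
        if (a.Length != n.Length) return false;
        int fullBytes = prefixLength / 8, remainingBits = prefixLength % 8;
        for (int i = 0; i < fullBytes; i++)
            if (a[i] != n[i]) return false;
        if (remainingBits == 0) return true;
        int mask = (0xFF << (8 - remainingBits)) & 0xFF;
        return (a[fullBytes] & mask) == (n[fullBytes] & mask);
    }

    public static bool IsTrustedProxy(IPAddress peer)
    {
        // Kestrel reports IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d) on dual-stack sockets.
        if (peer.IsIPv4MappedToIPv6) peer = peer.MapToIPv4();
        return TrustedProxies.Any(t => InRange(peer, t.Network, t.PrefixLength));
    }

    // peer    = HttpContext.Connection.RemoteIpAddress (the real TCP peer)
    // headers = request headers; a case-insensitive dictionary stands in for IHeaderDictionary
    public static IPAddress Resolve(IPAddress peer, IDictionary<string, string> headers)
    {
        if (!IsTrustedProxy(peer))
            return peer; // headers are attacker-controlled when the peer is not a known proxy

        if (headers.TryGetValue("CF-Connecting-IP", out var cf) &&
            IPAddress.TryParse(cf.Trim(), out var cfIp))
            return cfIp;

        if (headers.TryGetValue("X-Forwarded-For", out var xff))
        {
            // Walk from the right (the most recently appended hop) and skip hops that are
            // themselves trusted proxies; the first remaining entry is the client.
            foreach (var hop in xff.Split(',').Select(h => h.Trim()).Reverse())
                if (IPAddress.TryParse(hop, out var hopIp) && !IsTrustedProxy(hopIp))
                    return hopIp;
        }
        return peer;
    }

    public static void Main()
    {
        var spoofed = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            { ["CF-Connecting-IP"] = "10.0.0.1" };
        // Direct client lying about its address: header ignored, peer returned.
        Console.WriteLine(Resolve(IPAddress.Parse("198.51.100.7"), spoofed));   // 198.51.100.7
        // Same header arriving through a trusted proxy: honoured.
        Console.WriteLine(Resolve(IPAddress.Parse("203.0.113.10"), spoofed));   // 10.0.0.1
        var xffOnly = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            { ["X-Forwarded-For"] = "192.0.2.9, 203.0.113.5" };
        // Right-to-left walk skips the trusted 203.0.113.5 hop and returns the client.
        Console.WriteLine(Resolve(IPAddress.Parse("203.0.113.10"), xffOnly));   // 192.0.2.9
    }
}
```

In ASP.NET Core the built-in ForwardedHeaders middleware does the same job: register it with `ForwardedHeaders.XForwardedFor` and populate `ForwardedHeadersOptions.KnownNetworks` / `KnownProxies` with the proxy ranges, and `HttpContext.Connection.RemoteIpAddress` is then rewritten only for requests that came through those proxies. Either way, a header-derived address that was never checked against the peer should not be used for rate limiting, audit logs or allow-lists.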
How can I specify the service identity principal name in the WCF client config for the issuer STS when binding using WS-Federation?
I have an application pool running under a domain account on a front-end server trying to authenticate using federation to back-end services on an app server (running under domain accounts) using an STS also running on the app server and under a domain account.
In order to use Kerberos correctly I need to set the user principal name of the STS on the front-end client. I can't see how to do that.
I am experiencing a connected problem, which is that fallback to NTLM does not work when the issuer is specified using the FQDN, and Kerberos fails (SSPI negotiation failed), I think because I have no issuer principal name in the config. If I set the issuer using the IP address instead, then authentication to the STS succeeds, using NTLM I think, so I have a workaround.
The STS is issuing tokens on the basis of Windows auth on that endpoint. It has other endpoints for forms-type auth and so on.
Possibly a related problem on our network is that silverlight clients that call back to web services are not working without the servers being manually added to Local Intranet zone in IE. Seems as though for some reason the app servers are not considered as being on same domain. Any clues much appreciated!
I found the solution regarding setting the user principal name of the STS. I just needed to set it in the issuer element of the federation binding:
OK, don't know why I couldn't find this before, but first thing Monday morning the answer pops up immediately:
http://msdn.microsoft.com/en-us/library/aa347735.aspx
The issuer element of the wsFederationHttpBinding is an endpoint configuration that allows you to set the user principal name within it.
The schema from the link above is:
<issuer address="Uri">
  <headers>
    <add name="String"
         namespace="String" />
  </headers>
  <identity>
    <certificate encodedValue="String"/>
    <certificateReference findValue="String"
                          isChainIncluded="Boolean"
                          storeName="AddressBook/AuthRoot/CertificateAuthority/Disallowed/My/Root/TrustedPeople/TrustedPublisher"
                          storeLocation="LocalMachine/CurrentUser"
                          x509FindType="System.Security.Cryptography.X509Certificates.X509FindType"/>
    <dns value="String"/>
    <rsa value="String"/>
    <servicePrincipalName value="String"/>
    <userPrincipalName value="String"/>
  </identity>
</issuer>
Regarding the network issues, this was a DNS problem: PTR records had been used instead of aliases.
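The same issuer identity can be set from code instead of the `<issuer>` config element. The following is an added example, not code from the answer: it builds a WSFederationHttpBinding whose issuer address carries a UPN identity via `EndpointIdentity.CreateUpnIdentity`, which is the programmatic counterpart of `<identity><userPrincipalName value="..."/></identity>`. The STS URL and the service account name are placeholders; this is .NET Framework WCF (System.ServiceModel).

```csharp
// Added example: issuer UPN identity on a WS-Federation client binding (placeholder names).
using System;
using System.ServiceModel;

public static class FederationClientSetup
{
    public static WSFederationHttpBinding BuildBinding(Uri stsAddress, string stsServiceAccountUpn)
    {
        var binding = new WSFederationHttpBinding(WSFederationHttpSecurityMode.Message);

        // The STS endpoint in the question authenticates callers with Windows credentials.
        var issuerBinding = new WSHttpBinding(SecurityMode.Message);
        issuerBinding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // Without an explicit identity WCF derives an SPN from the host name in the URL;
        // if no such SPN is registered for the STS account, the Kerberos leg of SSPI
        // negotiation fails. Naming the account's UPN lets the client request a ticket
        // for the right principal.
        var issuerIdentity = EndpointIdentity.CreateUpnIdentity(stsServiceAccountUpn);
        binding.Security.Message.IssuerAddress = new EndpointAddress(stsAddress, issuerIdentity);
        binding.Security.Message.IssuerBinding = issuerBinding;
        return binding;
    }

    public static void Main()
    {
        var binding = BuildBinding(new Uri("http://appserver.corp.example/Sts/Windows"),
                                   "svc_sts@corp.example");
        var identity = (UpnEndpointIdentity)binding.Security.Message.IssuerAddress.Identity;
        Console.WriteLine(identity.IdentityClaim.Resource); // svc_sts@corp.example
    }
}
```

The UPN (or SPN) named here must belong to the account the STS application pool actually runs under; naming a different principal makes Kerberos fail just as the missing identity did.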
I have implemented a REST Webservice which returns (after an authentication via RFC 2617 HTTP Digest Authentication) an XML document with xlink's to the related resources.
Here's an example of a request:
http://172.32.42.53:8080/Service.svc/user/123
A result could look like this:
<?xml version="1.0" encoding="utf-8"?>
<UserList xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<User>
<ID>2</ID>
<UserName>CHI</UserName>
<OutlineLink xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://demo:8080/Service.svc/Users/2/Outline/" cache="no"/>
<SettingsLink xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://demo:8080/Service.svc/Users/2/Settings/" cache="no"/>
<CatalogsLink xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://demo:8080/Service.svc/Users/2/Catalogs/" cache="no"/>
<LastName>Test</LastName>
</User>
</UserList>
So, the problem now is:
If the user calls the web service via the IP address, the first handshake will be over the IP address and not the DNS name. So the authentication only works if the second call (to the specified resource) is over the IP address again. I tried it with the following command:
OperationContext.Current.IncomingMessageProperties.Via.ToString();
But my web service always returns the DNS name of the server and not the "called address".
Is there a possibility to get the called address? So I can dynamically return the called address (ip or dns). Would be great to get a solution. Relative URLs aren't allowed for xlinks.
Thanks for help!
Can you try to retrieve the called address from the request's server variables? I guess your web service needs to be in ASP.NET compatibility mode to access this. Something like "REMOTE_HOST", "HTTP_HOST", "SERVER_NAME", etc.
Check this link for list of server variables
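Of the variables listed, HTTP_HOST is the one that reflects what the client typed (IP or DNS name), but it is simply the request's Host header and is chosen by the client, so echoing it straight into the xlink:href values would let any caller inject an arbitrary host into the links the service returns. The following is an added example, not code from the thread: it derives the link base from the Host header only when that value is on an allow-list of names the service is legitimately reachable under, and otherwise falls back to a configured address. The host names are the ones from the question; the allow-list and fallback are constructed for the example.

```csharp
// Added example: build absolute xlink hrefs from the called host, validated against an allow-list.
using System;
using System.Collections.Generic;

public static class CalledAddress
{
    // Constructed allow-list: every host value the service should answer to.
    public static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "demo", "demo:8080", "172.32.42.53:8080" };

    // hostHeader is the HTTP_HOST server variable (HttpContext.Current.Request.Headers["Host"]
    // in ASP.NET compatibility mode). Returns the base URI to build links from, or the
    // fallback when the header is missing or not on the allow-list.
    public static Uri BaseUri(string scheme, string hostHeader, Uri fallback)
    {
        if (string.IsNullOrWhiteSpace(hostHeader) || !AllowedHosts.Contains(hostHeader.Trim()))
            return fallback;
        return new Uri(scheme + "://" + hostHeader.Trim() + "/Service.svc/");
    }

    public static string Link(Uri baseUri, string relativePath)
        => new Uri(baseUri, relativePath).AbsoluteUri;

    public static void Main()
    {
        var fallback = new Uri("http://demo:8080/Service.svc/");

        // Called by IP: the links stay on the IP, so the follow-up request hits the
        // same host the Digest credentials were negotiated against.
        Console.WriteLine(Link(BaseUri("http", "172.32.42.53:8080", fallback), "Users/2/Outline/"));
        // http://172.32.42.53:8080/Service.svc/Users/2/Outline/

        // Forged Host header: not on the allow-list, so the configured fallback is used.
        Console.WriteLine(Link(BaseUri("http", "attacker.example", fallback), "Users/2/Outline/"));
        // http://demo:8080/Service.svc/Users/2/Outline/
    }
}
```

The scheme should come from the actual request (`Request.Url.Scheme` or `Request.IsSecureConnection`), not from the Host header, since Digest credentials sent over plain HTTP to an IP address are exposed to anyone on the path.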
My WCF Service implementation appears to have all necessary HTTPS configuration settings. The whole client-> service comms work just fine, my issue is that request responses do not appear to be transported over HTTPS.
My configuration:
wsHttpBinding - check
mexHttpsBinding - check
security mode="Message" - check
httpsGetEnabled - check
When I examined the comms in Fiddler then I see the request and response being made over HTTP rather than HTTPS. This ties up with the WSDL action which states:
location="http://ws019.sms.com/Alpha.Services.AMSB2B/DeviceService.svc/Journey"/>
<wsa10:Address>http://ws019.sms.com/Alpha.Services.AMSB2B/DeviceService.svc/Journey</wsa10:Address>
Also in my endpoint configuration on the client side, the endpoint is pointing at the HTTP address rather than the HTTPS address (presumably this is looking at the WSDL), e.g.
<endpoint address="http://ws019.sms.com/Alpha.Services.AMSB2B/DeviceService.svc/Device"
          binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IDeviceService"
          contract="AMSB2B.IDeviceService" name="WSHttpBinding_IDeviceService" />
Why does the WSDL / client endpoint address have HTTP in there rather than HTTPS? If I change the configuration manually, it complains at runtime about expecting HTTP.
Any ideas?
Thanks.
Your configuration is wrong. WsHttpBinding with Message security uses HTTP. You must use Transport security.
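The transport scheme a wsHttpBinding advertises, and therefore what lands in the WSDL and in the generated client endpoint, follows from its security mode: Message security signs and encrypts the SOAP body but leaves the channel on plain HTTP, which is exactly what Fiddler showed. The following is an added example, not the answer's code, that makes the difference visible and reproduces the scheme check behind the "expecting http" runtime error; it uses .NET Framework System.ServiceModel and the service URL from the question.

```csharp
// Added example: wsHttpBinding security mode vs. transport scheme (System.ServiceModel).
using System;
using System.ServiceModel;

public static class BindingSchemes
{
    // Message security: SOAP-level protection over an HTTP channel.
    // Transport / TransportWithMessageCredential: the channel itself is HTTPS.
    public static string SchemeFor(SecurityMode mode) => new WSHttpBinding(mode).Scheme;

    // The runtime complaint from the question is this mismatch: the endpoint address
    // scheme must equal the binding's transport scheme.
    public static void CheckEndpoint(SecurityMode mode, Uri address)
    {
        var expected = SchemeFor(mode);
        if (!string.Equals(address.Scheme, expected, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                $"Binding with {mode} security expects '{expected}' but the address uses '{address.Scheme}'.");
    }

    public static void Main()
    {
        Console.WriteLine(SchemeFor(SecurityMode.Message));                        // http
        Console.WriteLine(SchemeFor(SecurityMode.Transport));                      // https
        Console.WriteLine(SchemeFor(SecurityMode.TransportWithMessageCredential)); // https

        var httpsAddress = new Uri("https://ws019.sms.com/Alpha.Services.AMSB2B/DeviceService.svc/Device");
        CheckEndpoint(SecurityMode.Transport, httpsAddress); // fine

        // Weak setting from the question: Message security with an https address.
        try { CheckEndpoint(SecurityMode.Message, httpsAddress); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

Switching to Transport (or TransportWithMessageCredential, if you still want the message-level credential) also requires an HTTPS base address on the host, an IIS HTTPS binding with a certificate, and a metadata endpoint on mexHttpsBinding; `httpsGetEnabled` only controls how the WSDL is served, not the scheme of the service endpoint itself.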
Is there a way I can have multiple ssl certificates point to a single inputendpoint in a service definition? For example, lets say I have two url's.
service.foo.net/Service.svc
service.doo.net/Service.svc
I want both of these addresses to resolve to my windows azure service, but I'm not sure how to configure this in the service definition.
<Certificates>
<Certificate name="service.foo.net" storeLocation="LocalMachine" storeName="My" />
<Certificate name="service.doo.net" storeLocation="LocalMachine" storeName="My" />
</Certificates>
<Endpoints>
<InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="service.foo.net" />
</Endpoints>
According to this MSDN article, each input endpoint must have a unique port. Is there any way to specify more than one certificate for this endpoint?
Unfortunately this is not possible. Azure is re-exposing an SSL limitation. The SSL limitation is interesting, and is the reason you can't use v-hosts over SSL. Let's walk through an example:
You connect to https://ig2600.blogspot.com
That resolves to some IP address - say 8.8.8.8
Your browser now connects to 8.8.8.8
8.8.8.8 must present a certificate before your browser will send any data
The browser verifies the certificate presented is for ig2600.blogspot.com
You send the HTTP request, which contains your domain name.
Since the server needs to present a certificate before you tell it the host name you want to talk to, the server can't know which certificate to use if multiple are present, thus you can only have a single cert.
"Oliver Bock"'s answer may work for you, and "Igor Dvorkin"'s answer is not valid anymore, since IIS 8 with Windows Server 2012 supports SNI, which enables you to add a "hostheader" to HTTPS bindings and have multiple SSL certificates for different domains listening on the same HTTPS port.
You need to automate the process of installing the certificates on the machine and add HTTPS bindings to IIS.
I'm a Microsoft Technical Evangelist and I have posted a detailed explanation and a sample "plug & play" source-code at:
http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/
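The two answers above describe the same handshake from opposite sides: the certificate has to be chosen before any HTTP bytes arrive, and SNI is the TLS extension that puts the requested host name into the ClientHello so the server can choose anyway. The following is an added example, not code from any of the answers or from the linked post: a loopback TLS server that picks its certificate from the SNI name, plus the case of a client that sends no SNI and therefore can only ever receive the default certificate. The host names are the ones from the question; the certificates are self-signed and generated in memory for the demo. Requires .NET 6 or later.

```csharp
// Added example: certificate selection by SNI host name with SslStream (self-signed demo certs).
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public static class SniDemo
{
    // Throw-away self-signed certificate for one DNS name (constructed for the demo).
    public static X509Certificate2 SelfSigned(string dnsName)
    {
        using var key = RSA.Create(2048);
        var request = new CertificateRequest("CN=" + dnsName, key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(dnsName);
        request.CertificateExtensions.Add(san.Build());
        using var cert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
        // Round-trip through PFX so SslStream can use the private key on every platform.
        return new X509Certificate2(cert.Export(X509ContentType.Pfx));
    }

    // One handshake over loopback; returns the subject of the certificate the client received.
    // requestedHost is sent as SNI; an empty string sends no SNI extension at all.
    public static async Task<string> HandshakeAsync(
        IReadOnlyDictionary<string, X509Certificate2> certsByHost,
        X509Certificate2 defaultCert, string requestedHost)
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;

        var server = Task.Run(async () =>
        {
            using var tcp = await listener.AcceptTcpClientAsync();
            using var ssl = new SslStream(tcp.GetStream());
            await ssl.AuthenticateAsServerAsync(new SslServerAuthenticationOptions
            {
                // Runs inside the handshake: the only thing known about the request at
                // this point is the SNI name; no HTTP Host header exists yet.
                ServerCertificateSelectionCallback = (sender, hostName) =>
                    !string.IsNullOrEmpty(hostName) && certsByHost.TryGetValue(hostName, out var c)
                        ? c : defaultCert,
            });
            await ssl.ReadAsync(new byte[1], 0, 1); // keep the connection up until the client is done
        });

        using var client = new TcpClient();
        await client.ConnectAsync(IPAddress.Loopback, port);
        using var clientSsl = new SslStream(client.GetStream());
        await clientSsl.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
        {
            TargetHost = requestedHost,
            // Demo only: accept the self-signed certificate. Never do this in production.
            RemoteCertificateValidationCallback = (s, cert, chain, errors) => true,
        });
        string subject = clientSsl.RemoteCertificate?.Subject ?? "";
        await clientSsl.WriteAsync(new byte[] { 1 }, 0, 1);
        await server;
        listener.Stop();
        return subject;
    }

    public static async Task Main()
    {
        var foo = SelfSigned("service.foo.net");
        var doo = SelfSigned("service.doo.net");
        var certs = new Dictionary<string, X509Certificate2>
        {
            ["service.foo.net"] = foo,
            ["service.doo.net"] = doo,
        };
        Console.WriteLine(await HandshakeAsync(certs, foo, "service.foo.net")); // CN=service.foo.net
        Console.WriteLine(await HandshakeAsync(certs, foo, "service.doo.net")); // CN=service.doo.net
        // No SNI: the server has nothing to select on and can only serve the default
        // certificate, which is the limitation the earlier answer describes.
        Console.WriteLine(await HandshakeAsync(certs, foo, ""));                // CN=service.foo.net
    }
}
```

The practical consequence for the IIS host-header bindings mentioned above is the same: clients that do not send SNI (the pre-Vista Windows TLS stack was the usual case) get whichever certificate is bound as the default for the port, so that default should be the one whose name mismatch hurts least, or a certificate covering all of the names.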
This post indicates you will need a "multi domain certificate", which seems to be a certificate that can match multiple DNS names in step 5 of Igor's answer. I have not tried it, but presumably this certificate can be uploaded to Azure in the usual way.