Server with Load Balancing is redirecting to wrong page - iis-6

I'm having a problem using Load-Balancing on my server (using IIS 6). I have a Manager Website that works correctly most of the time, but sometimes when I go to another page inside this manager, instead of redirecting to the correct page, it redirects to its login page.
I don't think this is a timeout problem, because if I press F5 it redirects to the correct page. I suppose it's a problem with the Load-Balancing, because I tried to run the Manager on another machine without Load-Balancing (still using IIS 6) and it worked fine.
I'm using ASP.NET 3.5.
Could someone figure out why this is happening?

If session information is stored locally on a web server, then when a load balancer sends your request to another server (say server2) in this farm, server2 doesn't have session information about your request and it correctly sends you to the login page. When you hit F5, the load balancer sends you to the original server1, which has the authentication information and successfully displays the page.
You need to store session information in a central location so that all servers in the farm could see it.

One way is to store sessions in a centralized place, as already pointed out by DmitryK; the other way is to forward the requests of one session to only one server, so that ASP.NET can find the sessions for them. You can use cookie-based request forwarding or IP-based request forwarding. IP-based forwarding may not work in some cases, if the IPs are masked by some NAT (Network Address Translation). Please check which options are provided by your load balancer.
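
The central session store from the answers above, expressed as web.config for ASP.NET 3.5. This is an added example, not configuration posted in the thread: STATE-HOST and both key values are placeholders, and the machineKey element assumes the login uses ASP.NET Forms authentication.

```xml
<!-- web.config, deployed identically on every server in the farm (added example).
     STATE-HOST and the two key values are placeholders, not values from the thread. -->
<configuration>
  <system.web>

    <!-- Before (the default): each worker process keeps sessions in its own
         memory, so a request balanced to another server finds no session.
    <sessionState mode="InProc" />
    -->

    <!-- After: all servers read and write sessions on one ASP.NET State Service
         host. Objects placed in Session must be serializable in this mode.
         The state service traffic on TCP 42424 is not encrypted, so keep the
         port reachable from the farm's own servers only. -->
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=STATE-HOST:42424"
                  timeout="20" />

    <!-- Assumption: the login page is ASP.NET Forms authentication. The ticket
         cookie is encrypted and signed with the machine key. The default
         auto-generated key differs per server, so a ticket issued by one server
         fails validation on another and the user is sent back to the login page.
         Generate one key pair and deploy the same values on every server. -->
    <machineKey validationKey="REPLACE-WITH-SHARED-HEX-VALIDATION-KEY"
                decryptionKey="REPLACE-WITH-SHARED-HEX-DECRYPTION-KEY"
                validation="SHA1"
                decryption="AES" />

  </system.web>
</configuration>
```

With cookie-based affinity on the load balancer instead, the InProc setting can stay, but sessions are still lost whenever the pinned server restarts or leaves the farm.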

Related

Apollo studio is not working after running Apollo server with google cloud load balancing

I am unable to connect to my Apollo (graphql) server through Apollo Studio (https://studio.apollographql.com/sandbox/explorer) OR Apollo Client library on frontend. But the server is working fine when a request is sent through Postman, graphql-request library OR a CURL request.
Details of Deployment:
The server is deployed on GCP instance groups which include 4 instances in two different regions. I have used Nginx as reverse proxy to redirect traffic to localhost:4000 of each instance (the app is running on port 4000 of each machine).
The instance groups are attached to the GCP HTTPS load balancer. The backends are in the healthy state in the load balancer.
Apollo studio - not working
Postman - working
If it's working in postman but not in studio, it's generally either an issue with CORS, some other header issue, or something similar to that.
Studio is running in a browser, so things will be a bit more finicky. It will send headers that browsers always send, like the origin it's running on, and those that Apollo decides are best, like certain accept / content-type headers that your load balancer might not be allowing through.
Things like Postman and cURL generally come with less "baggage". They only send the headers and content you ask them to.
The best thing to check next is what your browser thinks is going wrong, since servers won't "lie" about the problem unless you specifically tell them to (e.g. for security reasons, some information is sometimes best left out). Open up your browser debugger on the Studio website when you try to make a request and check your Network panel. The HTTP call will fail in a certain way if it's one of these issues, and it should be pretty straightforward with you that it was rejected because of X.

Oauth2-proxy - Is it possible to protect a service running in a different server (different IP address)?

I'm using oauth2-proxy with Keycloak to authenticate to applications.
Oauth2-proxy sits in the front, and when a request comes to port 4180 it redirects to Keycloak; once you authenticate, it redirects to the upstream address (where the application lives).
This works well as long as the application is on the same server as oauth2-proxy.
When the application is on a different server, all the same process goes well with no errors, (exact same configuration except for the upstream which now points to another server:port), but instead of redirecting to the upstream app on the other server, it redirects to the same server:4180 and shows me an Nginx welcome page.
Could this be a configuration issue, or is it mandatory that the application is in the same server as oauth2-proxy?

Sync (Federate) users between two Keycloak Servers via LDAP

I have two Keycloak servers running in Docker containers locally on my machine, one on port 8080 and the other on 8888. What I am trying to do is to connect the one on port 8080 to the one on 8888. I want to do that because I want to federate users. This scenario should be a test for a much larger scenario where I want to connect multiple Keycloak servers to one main Keycloak server.
This main keycloak server should be the entry point for all authentication requests. I am currently trying to solve this problem by setting up User Federation on the main keycloak server (Port 8888) using ldap. The following picture shows my configuration:
As you can see, when testing the connection url, it succeeds. However when trying to import users or even when clicking on "Test authentication", it just goes into an endless process which fails with "LDAP Query Failed". I suspect that something is wrong with the credentials (Users DN, Bind DN and Bind Credentials).
I did not find out what Keycloak's LDAP structure looks like; maybe some of you can help me configure this correctly. The Bind DN I tried is called "remote" (Bind Credentials is the same as the username), because I thought this must be the default admin account that is created when setting up Keycloak. Because the authentication fails, I suspect that this is not the right way to configure this whole scenario.
I hope I described the problem well and one of you can help me out on this. Maybe you also have the correct page in the documentation for me to read about that?
Have a great day & Thank you kindly in advance!

OpenAm authentication

I am trying to implement third-party authentication with OpenAM, and have a doubt regarding the OpenAM implementation, i.e. if my application is distributed across different servers which are geographically separated and controlled under the same DNS name, how can I differentiate the sessions of the different servers? Say, for example, if I type www.google.com it can forward to any of the nearest servers available; now if I have to authenticate google.com, how will my OpenAM know that the request is for that particular server? To ask it another way: whenever we are changing a policy in OpenAM or invalidating a session, it calls back to all the registered servers; now in a distributed environment, how can it differentiate the servers' IPs?
I assume you have some sort of LB in front of your servers. I would suggest creating a sticky session at the LB, like a cookie saying what server the user is on before starting the authentication. Then when authentication is done, OpenAM redirects back to your LB and the LB directs to the correct server.

Using https only when user is logged in not otherwise in web app

I have a web application with servlets and jsps running on tomcat. I have enabled the tomcat to use https for all the users/visitors. I want to know if there is a way I can disable the https for users who are not logged in and are just browsing through the application.
Thank you
If you are searching for a Tomcat setting to do that, the answer is no. If you open a port with https/ssl security, you opened it for everyone (the only exception is if you intend to use client authentication using ssl client certificates, which I guess is not the case here).
However, you can check if the user is accessing using https (using HttpServletRequest.isSecure()) and send him back to http with a redirect, or change all page links to start with 'http', if he is not logged in. That will make sure that any link the user clicks will send him back to http.