Windows Identity Foundation and Port Forwarding - wif

There is net cofiguration:
Client - FW - IIS
IIS is listening port 8080, there is a web application on IIS, for example MyApp.
FW implements simple port forwarding (it replaces port 80 to port 8080).
Assume the following case:
Client asks http://MyWebSite/MyApp/Index.aspx, FW changes standart port 80 to 8080 and request is
http://MyWebSite:8080/MyApp/Index.aspx. IIS returns to client requested page Index.aspx
One importatn thing: if user types in browser http://MyWebSite/myapp/index.aspx IIS returns http://MyWebSite/MyApp/Index.aspx (so it changes url address according the real application name).
Everything works well.
But the problem appears if I insert in standart pipeline WIF. For example I want MyApp to accept only authenticated users. I want to redirect users to some Identity Provider.
If user trying to get a page http://MyWebSite/MyApp/Index.aspx, everything works fine, user is redirected to IP. But if user is trying to get http://MyWevSite/myapp/index.aspx (applicaion name in lower case), IIS returns to client redirect to http://MyWebSite:8080/MyApp/Index.aspx. Because port 8080 is closed on FW user gets an error.
If I remove WIF from my application everything works fine again.
Did anybody encountered sich a problem?

The problem was discovered by Reflector, it is in WIF's CookieHandler.
Browsers send cookies only if the requested path matches (case-sensetive) the path was set by CookieHandler (by default the application's virtual directory on IIS). When WIF processes the request it compares the requested path to the CokkieHandler's path. If they don't match (case-sensetive) WIF thinks that user just typed wrong cased URL but he or she still wants to access the application, but user's browser will not send session cookie because the cases don't match, so WIF's CookieHandler makes redirect to correct URL, but it doesn't know anything about real port number, so it just added the requested port number to redirect answer. Browser tries to make redirect, the requested port is closed on FW, we get an error.
In .NET FW 4.5 you can override the default behavior of CookieHandler using your own Custom CookieHandler and implementing its MatchCookiePath method (for example you can add special port number from your application configuration file).
You can also use only lowered case urls and application names, and make lowered each request before WIF had begun to process it, then there will be no redirects.

Related

Specifying an IP Address in FireMonkey TWebBrowser

The FireMonkey TWebBrowser component allows the developer to specify a local file (file://...) or a URL (https://www...). However, there seems to be no way to get the browser to work by specifying an IP address (192.168.1... or http://192.168.1... etc.) The browser just appears to hang.
Is it possible to specify an IP address with this component?
I'm currently using Delphi 10.4.2 developing for iPhone. Safari on the same phone has no problem accessing 192.168.1... addresses.
Navigating to Websites using HTTPS protocol and IP address will be blocked in most browsers. Why? Website certificates that are used to confirm validity of specific website are domain based and not IP based.
This means that the Website will be treated as safe only when you navigate to it by using valid domain for which the website digital certificate was issued.
But when you try to navigate to such site using IP address of a server on which it is hosted most browsers will mark the site certificate as invalid and thus stop the navigation to such site. This is to prevent you from being redirected to another server that does not belong to specific domain for which web certificate has been issued.
PS: You can test this even with your default browser. Try navigating to a HTTPS site using URL using format https://x.x.x.x:443.
Note how I added 443 to the end of the specified URL. 443 is a default HTTPS port. Not specifying this port number as part of URL most browsers will always try to navigate using port 80 that is used for HTTP despite the fact that you specified HTTPS protocol in your URL.
Now if the website supports both HTTP and HTTPS protocols you may end up on HTTP site despite the fact that you specified HTTPS protocol in your URL.
And if that HTTP website offers automatic redirect to HTTPS site you may in the end actually end up on HTTPS version of that site. But it won't be HTTPS site containing the IP address you specified but instead the proper domain name of that site.
You can see this by trying to navigate using the above mentioned approach to https://142.250.180.174/ which is actually server for google.com.
NOTE: Not all Websites support this. For instance you can't reach HTTPS site of embarcadero.com using such approach.

Invalid hostname on mvc site - IIS 8

I have an mvc app that has been deployed to our production server. It works well under IIS 8.5 using an IP and an asigned port. But the moment I try to bind it to a subdomain the app starts showing the invalid hostname error.
Tried to see if there was something off in the applicationhost.config but the binding is in the correct format. IP:Port:Binding.
The redirection also works fine, it lands on the page, but it shows the error instead of the login page.
I have deployed sites before, but not MVC apps, and bind them to subdomains and its usually a 2 step process. I dont know what im missing here.
Edit. Here is the screen of the error. Does not say a lot.
I'm not familiar with MVC or IIS, but base on my experience with other products, you very likely need to tell IIS to preserve the Host header.
Eg. https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/modifying-http-response-headers
In order to be able to modify the HTTP Location header it is necessary to preserve the original value of the HTTP host header. The outbound rewrite rule will use the preserved value when modifying the response. To preserve the original value you will store it in a temporary server variable ORIGINAL_HOST.
You should also make yourself aware about the security vulnerabilities that can result with regard to Host headers. https://techcommunity.microsoft.com/t5/iis-support-blog/host-header-vulnerability/ba-p/1031958

URL redirect to port

I have set up SAB, Sickbeard, CouchPotato & Plex on my home media server. All mapped to respective ports.
The ports have been forwarded correctly and I have DDNS enabled, if I browse to my DDNS address proceeded by the port number - I can access my services absolutely fine.
What I am wanting to do is use sub-domains on a domain that I already own to make the URLs a bit more friendly. However I have tried setting up simple web redirects & these don't work for some reason.
For example;
sab.domain.com = DDNS_address:9090
plex.domain.com = DDNS_address:32400/web/index.html
When trying to access I get 404 Not Found errors.
I don't host my own IIS or Apache server, the domain is hosted by an online provider.
Is this possible or worth too much hassle?
Thanks.

Google OAuth 2 error redirect_uri_mismatch when using local DNS remapping

When I test my ASP.Net app locally, I use a DNS tool called DNSSpeeder which takes over the DNS process for my machine. In effect, I can setup www.mysite.com locally and enter an IP address like 192.168.178.200 and in my browser just enter www.mysite.com and it launches from my local IIS web server. When I'm ready for production, I just disable DNSSpeeder so that an Internet's DNS is used to lookup my site.
The problem I am facing is when I use Google OAuth to exchange my code for a token. It returns with an error of redirect_uri_mismatch. It isn't clear to me what is actually going out on the wire to Google's server and what URI Google is seeing. The URI redirect does match what is in the API console, although that doesn't say anything about what is actually sent to Google's server after it leaves DNSSpeeder. I tried Wireshark but it shows nothing. Probably encrypted with https. Instead of using http://localhost:8080, I tried http://localhost:80 as well as http://192.168.178.200 for the Javascript origins but that didn't help.
Is it possible to use an IP address other than localhost when testing locally to get a successful token?
"Is it possible to use an IP address other than localhost when testing locally to get a successful token?"
Yes it is possible. My setup is that I have configured two redirect URLs in the Cloud Console, (http://www.mydomain.com/redirect and http://dev.mydomain.com/redirect).
I then edit /etc/hosts (on linux, the Windose equivalent is under system32\drivers somewhere) to map dev.mydomain.com to 127.0.0.1.
And it works just fine. You may need to tweak your app so the redirect URL is not hardcoded, but is in fact varied based on whether your app senses it's in dev or production.
One thing to be aware of is that the confiured redirect URL must be a character for character match to the actual URL. So be careful that you have both http and https variants, and also watch for a trailing slash. If necessary configure both with and without the trailing slash.

Omniauth redirection working only in certain cases (with ports)

I'm setting up omniauth (just trying to get the facebook provider working for now).
I'm on my local computer running nginx on port 80. I route all requests to port 8080 and run the default webrick server on 8080.
I've set up omniauth pretty far, but now things only go smoothly in certain instances.
If my browser hits http://localhost/auth/facebook I get an error saying:
URI::InvalidURIError, the scheme http does not accept registry part: app_server (or bad hostname?)
If I hit however http://localhost:8080/auth/facebook, then facebook gives me an error message like Invalid redirect_uri: Given URL is not allowed by the Application configuration.". This makes sense since my site url is set to http://localhost not http://localhost:8080.
If I change the site url to http://localhost:8080, then things start to work (at least this far into the authorization process)
By the way, it's not just localhost by itself that is causing the problem. If I edit /etc/hosts and try something like dev.example.com it acts the same way, with dev.example.com not working and dev.example.com:8080 working.
Why can't I get it to work with just localhost? Is it something wrong with the way nginx and webrick talk to each other? I can't imagine that'd be the problem, but it's the only difference I see in what works and what doesn't. Any ideas why the URI error is occuring?
You need to edit the domain names for your facebook application. Go into https://developers.facebook.com/apps and edit the settings for that application. Set the site domain and app domains to whatever domain you want to allow redirection to (eg. example.dev)

Resources