I can call the HTTP web service but when the same service is HTTPS it throws error that it cannot be called. I am invoking it from iOS application. Do I need to pass some additional header fields related to HTTPS.
UPDATE (SOLUTION):
Seems like it just needed the HOST header parameter.
if you are not passing any authorization parameters in any way to the service and it is just a url: "https://www.xxxxxx.com/dev/tools/search=?" the issue is from server side authentication certificate. they need to allow the request to be taken in from server's end by configuring server authentication certificate.
Related
Requesting for some help here. Kind of stuck with a use case. We are trying to integrate OneLogin with our app via Spring security.
The entry point to our application is Azure App Gateway that routes the requests to load balancer further routing to the VMs where the service is deployed. Everything works fine if we DONOT override the hostname in Backend settings for any incoming request, leading to the App Gateway host only getting passed for every request. Here the App Gateway URL being set as the redirect URI in Spring security auth endpoint call.
The problem appears when the Apigee is used as the entry point to our application. Apigee routes the request to App Gateway routing it further to load balancer and VMs. Here, we DO have to override the host as Apigee host name in order to authenticate the client to the OneLogin server. The Apigee endpoint is set as the redirect URI in the Spring security auth endpoint call.
However, the server responds back with "possible CSRF detected - state parameter was required but no state could be found" error. Tried different possible solutions from other SO links to resolve this error like providing a session cookie name, but did not help. Our OneLogin server and client application are also in different domains.
The only thing that works here is when we DONOT override the hostname in Azure App Gateway Backend settings and pass the App Gateway URL as the redirect URI in auth endpoint call. But the problem is it shows the App Gateway URL in the user browser, which we do not want because in an ideal scenario, the user should see only the Apigee host in the browser url and not the App Gateway host. So, is there any way to re-route/redirect/override the URL to Apigee URL in Azure App Gateway settings without the call being made to Apigee endpoint. Just the user sees the Apigee url in the browser, but internally all calls are made to App Gateway endpoint only.
Or the other solution could be to prevent the CSRF issue when Apigee hostname is used as the redirect URL in the auth endpoint instead of App Gateway host. But not sure how to resolve that.
• In your scenario, when you are not overriding the hostname in the Azure application gateway backend settings and pass the ‘Application Gateway’ URL as redirect URL in the ‘Authorization endpoint call’, the application gateway URL is shown in the user’s browser which is not desired since the Apigee host redirects the authentication requests to the ‘App gateway’ endpoint.
Therefore, without the call to be made to the ‘Apigee’ endpoint, you can surely redirect it to the Apigee redirect URL in the Azure application gateway settings by configuring the ‘Rewrite URI rules’ in the gateway. These rewrite rules will check for any presence of configured URLs or specific paths and will therefore, change the original URI path to the new path configured. As a result, please follow the below given snapshots as steps for configuring the same as stated above: -
Thus, as shown above, you can configure the ‘Rewrite rules’ in a ‘Standard V2’ SKU application gateway for redirecting response requests of ‘authorization endpoint call’ from application gateway URL to the Apigee endpoint hostname configured. In this way, when the application gateway URL is shown in the browser, it will be rewrited to the apigee endpoint hostname’s URL in the browser and accordingly the user at the receiving end will be able to see the Apigee endpoint hostname as a result fulfilling your requirement.
For more details regarding the above, kindly refer the below link: -
https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#modify-a-redirection-url
Background
We used to access Jenkins via Hostname and port format and never had issues. eg : http://Jenkinsci.company.com:8080.
We had an internal requirement to enable Jenkins access via company Netscaler (https://apps.company.com/).
So new Netscaler context was created and new url :https://apps.company.com/jenkins now points to -> http://Jenkinsci.company.com:8080. I also added JENKINS_ARGS="--prefix=/jenkins" in etc/sysconfig/jenkins.
Issue
Initially we couldnt login. As soon as we clicked on login, we used to get redirected to http page. i.e
https://apps.company.com/jenkins -> http://apps.company.com/jenkins.
. So since login was not working, http to https redirection was setup at Netscaler level. Then login worked.
Now we observed we couldn't add credentials in Jenkins.
Now after adding the credentials, the drop down doesn't show the newly added credentials.
I debugged in Browser and could see the below error message.
Mixed Content: The page at 'https://prod.company.com/jenkins/job/test1/job/test/configure' was loaded over HTTPS, but requested an insecure form action 'http://prod.company.com/jenkins/descriptor/com.cloudbees.plugins.credentials.CredentialsSelectHelper/resolver/com.cloudbees.plugins.credentials.CredentialsSelectHelper$ItemContextResolver/provider/com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider/context/test1/addCredentials'. This request has been blocked; the content must be served over HTTPS.
I also compared the network messages of adding credentials via Netscaler and directly via host and they look same except in success scenario there are couple of more steps executed.
Success
Request URL: http://Jenkinsci.company.com:8080/jenkins/descriptorByName/com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl/checkId?value=&$provider=com.cloudbees.plugins.credentials.CredentialsSelectHelper%24ItemContextResolver&$token=test
Request URL: http://Jenkinsci.company.com:8080/jenkins/descriptorByName/com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl/checkId?value=asdad&$provider=com.cloudbees.plugins.credentials.CredentialsSelectHelper%24ItemContextResolver&$token=test
Request URL: http://Jenkinsci.company.com:8080/jenkins/descriptor/com.cloudbees.plugins.credentials.CredentialsSelectHelper/resolver/com.cloudbees.plugins.credentials.CredentialsSelectHelper$ItemContextResolver/provider/com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider/context/test/addCredentials
Request Method: POST
Request URL: http://Jenkinsci.company.com:8080/jenkins/job/test/job/tess/descriptorByName/hudson.plugins.git.UserRemoteConfig/fillCredentialsIdItems
Failure
Request URL: https://prod.company.com/jenkins/descriptorByName/com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl/checkId?value=&$provider=com.cloudbees.plugins.credentials.CredentialsSelectHelper%24ItemContextResolver&$token=test1
Request URL: https://prod.company.com/jenkins/descriptorByName/com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl/checkId?value=sdfsr&$provider=com.cloudbees.plugins.credentials.CredentialsSelectHelper%24ItemContextResolver&$token=test1
Any idea what may be the issue and way to resolve without putting a SSL certificate to jenkins instance?
Thanks in advance.
I spoke with Netscaler team and initially we added http to https redirection, but it didn't work.
Then I shared below link with them.
Jenkins Reverse Proxy setup
In our setup, Netscaler was accessed via https ,but Jenkins was accessed via HTTP. So we needed to set "X-Forwarded-Proto" header in Netscaler for the request rewrites.
Initially we set X-Forwarded-Proto" header in Netscaler for the response rewrites and it was not working. Be aware that there are very minimal logs and debugging will be difficult.
Hopefully this helps someone.
If you are using Azure Web Apps to host your web application (let it be an ASP.NET MVC web app) you do not have the possibility to set up the IIS behind the Azure Web App to accept client certificates through an HTTPS connection. My application has some Web API endpoints that would be only accessible if the user has the correct certificate with the allowed thumbprint. However, I have other endpoints as well (and of course the website) that would be accessible without a client certificate. So in my case the only way is to accept client certificates.
I am not sure about that, but if I know well I can still get the client certificate by using OWIN while the SSL Settings in IIS is set to Ignore. If I use OWIN and go through the OWIN environment I can see a key called ssl.LoadClientCertAsync.
I am implementing endpoints that a third-party service will call, so I have no control over the content of the request. I know that there is a ssl.ClientCertificate key, with type X509Certificate, but in my case this key doesn't exist.
I have found some C# solution about using this ssl.LoadClientCertAsync key to get the certificate like in the CheckClientCertificate method of Katana or the solution in this C# Corner article. In every solution that I can find in the net, the author gets this type as a Func<Task> and then calls this task, by for example using the await operator.
var certLoader = context.Get<Func<Task>>("ssl.LoadClientCertAsync");
if (certLoader != null)
{
await certLoader();
...
After that they retrieves the certificate by using the ssl.ClientCertificate key.
var asyncCert = context.Get<X509Certificate>("ssl.ClientCertificate");
In this example, my asyncCert variable is always null. There weren't any ssl.ClientCertificate key in the OWIN context. I have tried to use the X509Certificate2 instead of X509Certificate, but I still got null.
My question is is it possible to get the client certificate in an Azure Web Site while the default SSL setting is Ignore by using OWIN? If yes, why can't I get the certificate using the ssl.LoadClientCertAsync key?
According to your description, I have created my ASP.NET MVC web application for working with client certificate in OWIN to check this issue. The following code could work on my local side:
if (Request.GetOwinContext().Environment.Keys.Contains(_owinClientCertKey))
{
X509Certificate2 clientCert = Request.GetOwinContext().Get<X509Certificate2>(_owinClientCertKey);
return Json(new { Thumbprint = clientCert.Thumbprint, Issuer = clientCert.Issuer }, JsonRequestBehavior.AllowGet);
}
else
return Content("There's no client certificate attached to the request.");
For SSL Settings set to Accept, I could select a certificate or cancel the popup window for selecting a certificate.
AFAIK, we could enable the client certificate authentication by setting clientCertEnabled to true and this setting is equivalent to SSL Settings Require option in IIS.
As How To Configure TLS Mutual Authentication for Web App states about accessing the Client Certificate From Your Web App:
If you are using ASP.NET and configure your app to use client certificate authentication, the certificate will be available through the HttpRequest.ClientCertificate property. For other application stacks, the client cert will be available in your app through a base64 encoded value in the X-ARR-ClientCert request header.
My question is is it possible to get the client certificate in an Azure Web Site while the default SSL setting is Ignore by using OWIN?
AFAIK, the current SSL Settings for client certificates only supports Ignore and Require for now. When hosting your web application on azure web app, for the client users who access your azure web app with client certificate authentication, they could specify the certificate to a base64 encoded value as your custom request header when sending request to your azure web app, then your could try to retrieve the header and verify the cert if the cert custom request header exists. Details, you could follow this sample.
Additionally, you could use Azure VM or Azure Cloud Service instead of azure web app, at this point you could fully control the SSL Settings in IIS.
I am working on some app which as API call. while i add proxy in mobile and see response in web debugging tools. I can see my api call parameters and response too.
while in others app I cant see this things and it is secured.
how can i acheive this?
Pictures said your API is using non-secure HTTP protocol while others app using HTTPS. The Web API should be performed via HTTPS protocol. HTTPS using SSL/TLS as secure transport layer, it means all data are encrypted before they're online. So, we don't care about any kinds of proxy
Say I have a Web service, called JokeService, which is a Rack/Rails3 app deployed on Heroku. And lets say I have an application, called ComedyApp. Now, I want JokeService to only entertain requests from ComedyApp. To do so, I would like ComedyApp to use a client certificate, which it uses to authenticate itself with JokeService.
My question is, how the heck can I configure the JokeService (again, a Rack/Rails3 app on Heroku) to check the validity of the client certificate?
This is related, but unanswered: How to access SSL client certificate from rack app
In short, you can't, since we don't have control of the http layer (thin or the routing mesh) in the stack.
An alternative is to authenticate one's requests simply using a custom request header.