For some time I've been using ambassador/emissary as an API gateway, and I really want to use it as a means to talk to cloud run through custom domains.
My pattern is
(client) -> (ambassador/emissary) -> (cloud run) -> (fastapi)
For ambassador/emissary to talk to cloud run altogether (not just throw a 404), I needed to rewrite the host header (as mentioned here) (host_rewrite option in ambassador/emissary). However, websocket connections doesn't work for some reason. I have successfully made this work with
(client) -> (ambassador/emissary) -> (GKE Autopilot) -> (fastapi)
The client throws a 1006 and it feels like if there is some wrong expectations now which header values the cloud run expects.
The ambassador mapping is here
Does anyone have cloud run working with websocket on custom domains?
Update
Using firebase hosting as a router instead, meaning
(client) -> (firebase hosting rewrite) -> (cloud run) -> (fastapi)
doesn't work either with a websocket setup.
Related
Running an ASP.Net Core application based on IdentityServer 4 on an AWS cluster,
after 14-21 days all outgoing HTTPS requests take 5min or more to finish.
After an investigation found that the WinHTTP Web Proxy Auto-Discovery Service dies with the following error: The endpoint mapper database entry could not be created. not sure if this is the issue or a side effect of something else that breaks lower in the OS.
Environment:
ELB with with an autoscaling group with two instances behind it, issue occurs on both
Windows Server 2019
Notes:
It is a custom AMI but the only difference with the instances that do not experience this is the product is running on it.
Happens on both .Net core 2.2 and 3.1 based versions of the application
Happens on both versions based on IdentityServer4 v2 and v3
The app is deployed self contained
The app uses Kestrel without a reverse proxy in front of it
Tried:
Enabled schannel: no errors in the schannel logs set on trace
No other notable errors in any of the EventViewer logs
Restarting the instance fixes the problem
When running curl.exe -v to an HTTPS site on the machine the request gets stuck on schannel: checking server certificate revocation
The clocks on the instances are OK
Restarting the app process does not resolve the issue
Disabling the HTTPClient in the code using the WinHTTP Web Proxy Auto-Discovery Service service still breaks the service.
For those running into this.
The root of this issue is the WinHTTP autoproxy (wpad) service which is used to autoconfigure proxy settings, WinHTTP 5.1 implements the Web Proxy Auto-Discovery (WPAD) protocol also known as autoproxy, and it must support DHCP. Now this is where the problem occurs, the AWS DHCP does not support DHCP option 252 (used by WPAD) which in turn causes the issue.
The resolution is to disable the WinHTTP service as it is turned on by default in Windows.
I am seeing this exact same problem on a bare-bones AWS Lightsail instance of Server 2019. I am simply using IIS as a reverse proxy with the URL Rewrite module.
Here are some details about my environment/scenario in case it helps narrow down some common factors.
I have zero .Net applications running on this box, it is simply a reverse proxy.
I have 2 web applications, and 2 websites setup in IIS, each is a reverse proxy for a different back-end API.
The websites in IIS on the reverse proxy use the same CA issued wildcard certificate as the back-end API's.
The back-end API's are also hosted in IIS (Server 2012 R2).
The back-end API's run in a PCI compliant environment so IIS Crypto has been used to tighten up encryption protocols/algo's. I have not used IIS Crypto on the reverse proxy yet, so as I type this I'm starting to wonder if there's an SSL aspect to this.
Am totally new to Wso2 world.
Currently our system is like below.
F5 load balancer -> Apache webserver -> App Server.
Can we do it in below fashion
F5 -> wso2 -> Domain
All the hits to f5 has to route directly to our Domain instead of going to apache web server.
Is it possible to achieve?
I have some knowledge with wso2 API manager where we can configure API end point which will route to configured domain.. Will that be usable in my case or is it only applicable for APIs.
Or what about Enterprise Integrator?
Appoligies me if am totally came with a wrong concept..let me know where I went wrong
I had a problem that Fiddler wasn't showing my web service calls made from my application (running locally). I found and solved my problem.
So my question is not how, but why does Fiddler not show web service traffic? I have a very limited understanding of how network traffic works so this might be quite simple/obvious. All I'm able to decipher is:
I don't think it has anything to do with HTTPS, as I can see HTTPS requests in Fiddler (decoded if I want through Fiddler's settings).
I copied a piece of code new WebProxy("127.0.0.1", 8888); in order to get it to work so it must have something to do with proxies?
This is an ASP.NET application in case that makes a difference.
Really old question but:
While the answer and comments hint towards the right solution, they are far from answering the question.
Fiddler sees traffic by your user account. Since web services run by the application pool identity, fiddler cannot see their traffic.
The easiest solution (and the only one that worked for me) is to change the website application pool user to run under your account
Simply:
Open IIS
Find your website application pool name (right click website -> Manage Website -> Advanced Settings -> Listed under Application Pool)
Go to application pool advanced settings (Application Pools -> Right click your desired application pool -> Advanced Settings)
Change User Account to your account (Identity -> ... -> Custom Account -> Set)
As noted above:
That first paragraph was just the explanation I needed: When Fiddler launches and attaches, it adjusts the current user’s proxy settings to point at Fiddler, running on 127.0.0.1:8888 by default. That means that traffic from most applications automatically flows through Fiddler without any additional configuration steps. Although I guess I should also thank Eric as he appears to be the one who wrote it!
References
Capturing Traffic for .Net Services with Fiddler
adding the following content inside the config is also a solution.
<system.net>
<defaultProxy enabled = "true">
<proxy bypassonlocal="false" proxyaddress="http://127.0.0.1:8888" />
</defaultProxy>
</system.net>
Also, if the traffic from the web service is pointing to another application in same localhost, try using the machine name instead of localhost in the request url.
I apologize in advance if the question is ridiculous.
I have an asmx service running in Azure (HTTP - no SSL).
I have a WPF app that loads a X509Certificate2 and adds it to the request by doing the following:
X509Certificate2 cert = new X509Certificate2("...");
webRequest.ClientCertificates.Add(cert);
In the web service I get the certificate by
new X509Certificate2(this.Context.Request.ClientCertificate.Certificate)
And then I load a cert (that I have both uploaded to the Azure control panel and added to my service definition file) by using the following sample:
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySubjectName, certName, true);
And then I validate by doing the following:
clientCert.Thumbprint == certs[0].Thumbprint
Now unfortunately I get an exception (System.Security.Cryptography.CryptographicException: m_safeCertContext is an invalid handle) as soon as I do
Request.ClientCertificate.Certificate
So I have a few questions. How do I avoid the exception. This answer states I need to modify an IIS setting, but how can I do that in Azure?
In any case is this even the proper way to do certificate authentication?
Thanks!
You can use command scripts to modify IIS, in combination with appcmd.exe.
For a quick example (disabling timeout in an application pool), take a look at this sample by Steve Marx.
In this example, you'd call DisableTimeout.cmd as a startup task. For more info on creating startup tasks, you can watch this episode of Cloud Cover Show. There should be a lab on startup tasks in the Platform Training Kit as well.
Just remember that any type of IIS configuration change should be made via an automated task at startup. If you manually change IIS via RDP, those changes won't propagate to all of your instances, and won't remain persistent in the event of hardware failure or OS update.
You can remote into your azure instances to manage IIS. As for a way to do it globally for all instances at once, I'm not sure. That would be an interesting side project though.
http://learn.iis.net/page.aspx/979/managing-iis-on-windows-azure-via-remote-desktop/
I am trying to call a web service from a BizTalk (2006) orchestration.
Having got the hang of the basics, I have been following this tutorial (page 74 onwards) in which i have a web reference to an external web service (I am using this web service instead of the one in the tutorial), I have my web message in a Send component, and have set up the request / response ports for the web service call.
I'm fairly sure that eveything is set up correctly, but my orchestration fails to call the web service with the following error:
The adapter failed to transmit the message going to send port
"My_Order_Processor.Orchestration-CurrencyConvertPort-36c122f41c5596ae"
with URL "http://www.webservicex/net/CurrencyConvertor.asmx.
WebException: Unable to connect to the remote server.
SocketException: An existing connection was forcibly
closed by the remote host 209.162.186.60:80
The IP 209.162.186.60 is the address for the web service I am trying to connect to. I am trying to narrow down the reasons for the error, e.g.:
Firewall issues
Proxy server issues (I don't know how to configure BizTalk to use a proxy server)
Something else
The BizTalk server can ping the web service, I can access the internet (through IE), I can add the WebReference to the project successfully (meaning at least the orchestration designer can access the web service okay). I have also tried a different web service, with the same result.
Any ideas on finding out why this is happening or how to find out more info? (I'm new to BizTalk)
I've seen this veru vague error before for many different reasons. Two suggestions.
Download something like NetMon and watch what is going on on the wire.
Turn off chunked encoding. For some reason, many web services don't handle this well.
Let us know what you find out.
Could this not be an authentication issue? Check that you can connect to the webservice using the Bts credentials.
This turned out to be a proxy issue.
By navigating to Biz Talk Group -> Platform Settings -> Adapters -> SOAP, I was able to configure the BizTalk server host's SOAP adapter (which is what the web service call uses to make the call) to use our company proxy server correctly. Double click the 'send' SOAP adapter, go to Properties under adapter name.