Configuration issues for oauth2 client Google on AWS ELB - amazon-web-services

Currently I'm running into some problems with a Google login on my Symfony 5.4 application.
I installed the bundle knpuniversity/oauth2-client-bundle on my symfony application and got everything working on my local development environment, which is based on docker.
When I deploy everything to the test environment so the stakeholders can test the functionality is does not work and I can't figure out what's wrong.
My guess is that the remote environment is behind a proxy, but I can't wrap my head around it how to configure this.
I configured the following:
knpu_oauth2_client:
http_client_options:
timeout: 0
proxy: 172.16.x.x
verify: false
clients:
google:
type: google
client_id: '%env(GOOGLE_CLIENT_ID)%'
client_secret: '%env(GOOGLE_CLIENT_SECRET)%'
redirect_route: google_login_check
redirect_params: {}
use_state: false
For the proxy ip-address I looked into AWS and I found 2 for the network addresses used by the load balancers, so I didn't knew which one to use. Then I dumped $_ENV on both ec2 instances (we have 2 instances per env), and saw that the REMOTE_ADDR was the same on both env's, so i assumed that that must be the correct ipaddress (172.16.x.x).
Now when I login to google I can login in, but when it tries to redirect after logging in, the server responds with an 504 gateway timeout error. Before I added the timeout:0 config the server responded with a 415 Unsupported Media Type error.
Can somebody point me in the right direction? Any help is much appreciated.

Related

Flutter Web on Firebase hosting refused to make API Calls

I have a Flutter Web application that I have deployed on Firebase Hosting.
I have a Django backend that I have deployed on an EC2 instance and is running on http.
I have CORS enabled in the backend, tried accessing endpoints via browsers and it works just fine.
But, when I try to make the same call using FlutterWeb, it fails.
And error type of blocked:mixed content appears. (See image below)
I want to call those HTTP endpoints and I don't want an SSL certificate mess because this is just a college project. How do I fix this?
I am using Dio on Flutter Web to make requests. What would be causing this problem?
EDIT:
I am using Firebase's spark plan, obviously since it's a college project. Do I need to upgrade to the blaze plan to enable Egress traffic? If so, how do I make sure that I won't be heavily charged? Any suggestions? UPDATE: I tried the blaze plan and got the same issue.
The console says
Mixed Content: The page at
'https://xxx.web.app/' was loaded over HTTPS, but
requested an insecure XMLHttpRequest endpoint
'http://xxxx.compute-1.amazonaws.com:8000/menu'. This
request has been blocked; the content must be served over HTTPS.
Any way to bypass this?

HTTPS outbound requests time increases to 5 min after 14-21 days on an instance running a product based on IdentityServer 4

Running an ASP.Net Core application based on IdentityServer 4 on an AWS cluster,
after 14-21 days all outgoing HTTPS requests take 5min or more to finish.
After an investigation found that the WinHTTP Web Proxy Auto-Discovery Service dies with the following error: The endpoint mapper database entry could not be created. not sure if this is the issue or a side effect of something else that breaks lower in the OS.
Environment:
ELB with with an autoscaling group with two instances behind it, issue occurs on both
Windows Server 2019
Notes:
It is a custom AMI but the only difference with the instances that do not experience this is the product is running on it.
Happens on both .Net core 2.2 and 3.1 based versions of the application
Happens on both versions based on IdentityServer4 v2 and v3
The app is deployed self contained
The app uses Kestrel without a reverse proxy in front of it
Tried:
Enabled schannel: no errors in the schannel logs set on trace
No other notable errors in any of the EventViewer logs
Restarting the instance fixes the problem
When running curl.exe -v to an HTTPS site on the machine the request gets stuck on schannel: checking server certificate revocation
The clocks on the instances are OK
Restarting the app process does not resolve the issue
Disabling the HTTPClient in the code using the WinHTTP Web Proxy Auto-Discovery Service service still breaks the service.
For those running into this.
The root of this issue is the WinHTTP autoproxy (wpad) service which is used to autoconfigure proxy settings, WinHTTP 5.1 implements the Web Proxy Auto-Discovery (WPAD) protocol also known as autoproxy, and it must support DHCP. Now this is where the problem occurs, the AWS DHCP does not support DHCP option 252 (used by WPAD) which in turn causes the issue.
The resolution is to disable the WinHTTP service as it is turned on by default in Windows.
I am seeing this exact same problem on a bare-bones AWS Lightsail instance of Server 2019. I am simply using IIS as a reverse proxy with the URL Rewrite module.
Here are some details about my environment/scenario in case it helps narrow down some common factors.
I have zero .Net applications running on this box, it is simply a reverse proxy.
I have 2 web applications, and 2 websites setup in IIS, each is a reverse proxy for a different back-end API.
The websites in IIS on the reverse proxy use the same CA issued wildcard certificate as the back-end API's.
The back-end API's are also hosted in IIS (Server 2012 R2).
The back-end API's run in a PCI compliant environment so IIS Crypto has been used to tighten up encryption protocols/algo's. I have not used IIS Crypto on the reverse proxy yet, so as I type this I'm starting to wonder if there's an SSL aspect to this.

Getting Started with Endpoints for Cloud Run - Request Timeout or Request Too Large Errors

Preface
I've just finished the Getting Started with Endpoints for Cloud Run tutorial for the second time. When I first tried running this tutorial with my own Cloud Run app, I got either a 413 Request too large or 504 Upstream request timeout error. Thinking that I may have taken too large a leap trying to deploy Endpoints on my Cloud Run service, I started the tutorial over using only the tutorial code, i.e., creating a Cloud Run service with the Cloud Run quickstart and using the given YAML in the Endpoints tutorial. Unfortunately, again, after running through all the commands, enabling services, and deploying Endpoints, I get either 413 Request too large or 504 Upstream request timeout.
Issue
Following the Getting Started with Endpoints for Cloud Run, I get either a 413 Request too large or 504 Upstream request timeout error. I feel like I must be missing something major, as I can't find any other comments or documentation on this issue. Has anyone run into this issue before or does anyone have advice as to how I can debug the issue?
What I've Tried So Far
Beyond restarting the tutorial with the Cloud Run tutorial image, I've looked at the logs and seen that one request creates many error logs within milliseconds of each other. To be clear, the Cloud Run service is functioning, as I've tested both my own and Google's service without the Endpoints layer. I didn't have any issues accessing the services then.
Let me know what else I can provide, and thanks in advance for any help.
I was able to reproduce your issue.
In order to work with Cloud Endpoints with Cloud Run you need at least two services deployed:
Your destination service (hello), a dummy service can be created from the Quickstart.
The endpoint service (gateway), which will be the one redirecting the requests.
In this case you probably had HOST to wrongly be gateway-HASH-uc.a.run.app:
...
host: HOST
...
x-google-backend:
address: https://gateway-HASH-uc.a.run.app
The Host is the 2nd service, and the x-google-backend is the 1st service.
To fix the issue you have to deploy another service and redo the tutorial.

Hosting Back end Application with API on EC2 instance

I'm quite new to AWS and I have been starting to work with EC2 instances. I have a web application that has a frontend and backend separately. So first I hosted the backend application on EC2 instance and it is a Symfony framework based REST API Application. So I have installed all dependencies and now the application is running. But to check the application I ran some API calls to the application using postman and seems application is not working as intended. I get following response from Postman. I have also provided security group configurations properly.
When I start sysmfony app it says [OK] Server listening on http://127.0.0.1:8000.
Can't figure out why this is happening. Can someone help me here?
You are running your application trough CLI (Symfony web server bundle) , by default this will bind to 127.0.0.1 which can't be accessed from outside. To fix this, you must bind to your server's public IP/hostname and port:
php bin/console server:start 192.168.1.1:8000 # replace with your ip
You can also bind to all your IP addresses using 0.0.0.0
But keep in mind, you should not use built in server for production, it's slow and less secure. Use a real web server instead, like Apache or Nginx.

REST API not working and redirecting with https/ssl

I have build and application with angular 5 and REST API with golang and hosted them on aws ec2 instance, I have installed ssl certificate to run the app and api on https. following is my url structure to run app and api ( api is running on 8080 port
app : https://mysite.maindomain.com
api : https://mysite.maindomain.com:8080
When I hit api after setting up the ip in host file on system it works fine but its not working with aws and redirects to https://mysite.maindomain.com:8080 when I hit any api like https://mysite.maindomain.com:8080/signup or https://mysite.maindomain.com:8080/get-user/10
Nor sure what is the issue here but everything else is working fine
I am using gin gonic as go framework and also have used RunTLS as recommended.
Not sure I fully appreciate the issue, but just in case, have you setup CORS on the API server (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS).
If you run a browser application served from ORIGIN1, and the browser tries to access an API on DESTINATION2, the API server must state to the browser that it is indeed authorized to reply to a browser originating from ORIGIN1.
You can for example use https://github.com/gin-contrib/cors to add CORS support to your API server.
Good luck.