I have the origin http://app.mydomain.com/v2/check (no https)
I have configured my cloudfront with ssl cert *.mydomain.com
In Route53 I have created A record with alias app2.mydomain.com pointing to Cloudfront xyz.cloudfront.net
Now how to I set behavior such that I call (POST) https://app2.mydomain.com/v2/check it call http://app.mydomain.com:8081/v2/check.
curl command
Working
curl --location --request POST 'http://app.mydomain.com/v2/check' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'disabledRules=WHITESPACE_RULE' \
--data-urlencode 'text="The quick read focks jumped over the lazy broon dogg."' \
--data-urlencode 'language=en-US'
not working getting http 403 error
curl --location --request POST 'https://app2.mydomain.com/v2/check' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'disabledRules=WHITESPACE_RULE' \
--data-urlencode 'text="The quick read focks jumped over the lazy broon dogg."' \
--data-urlencode 'language=en-US'
This can be done by by modifying the origin.
In the console:
Select the Origin and Origin Groups tab.
Select the Origin and click Edit
Once you click edit there is an option for Origin Protocol Policy. Select the value of HTTP Only as shown below in the screenshot.
Click Yes/Edit
This can be performed in the CLI by performing the update-distribution function, or in CloudFormation by updating the OriginProtocolPolicy value to http-only.
As you're using POST requests ensure that it is enabled in the Allowed HTTP Methods within the Behaviour for the origin. This returns a 403 if the method is not enabled.
.
Other than this ensure the host that you're trying to connect to through either the browser or programmatically as an API call, is added as an alternative domain name in the CloudFront Distribution configuration.
In the Alternate Domain Names CNAME section I had to put app2.domain.com in the list. I had only domain.com do to which it was not working.
Related
As part of WSO2 identity server 6.0.0, SOAP APIs are deprecated and recommended to use REST-based APIs. We are using RemoteUserStoreManagerService.wsdl and UserIdentityManagementAdminService.wsdl SOAP APIs in our project, want to replace the SOAP APIs with recommended REST APIs. Can you help us to find the list of REST APIs to replace RemoteUserStoreManagerService.wsdl and UserIdentityManagementAdminService.wsdl SOAP APIs. The APIs document is not clear.
Under Challenge Questions API https://is.docs.wso2.com/en/6.0.0/apis/restapis/challenge.yaml we are calling /me/challenges and /me/challenge-answers GET APIs and we are getting response as No message body writer has been found for class java.util.ArrayList, ContentType: / , 500 Internal error. Can you please suggest what is going wrong here what is causing this error.
You have to pass 'Accept: application/json' header in the REST API request.
Try the following sample curl commands by changing the Authorization header value
/me/challenges:
curl --location --request GET 'https://localhost:9443/api/users/v1/me/challenges' \
--header 'Accept: application/json' \
--header 'Authorization: Basic <base64 encoded username:password>'
me/challenge-answers:
curl --location --request GET 'https://localhost:9443/api/users/v1/me/challenge-answers' \
--header 'Accept: application/json' \
--header 'Authorization: Basic <base64 encoded username:password>'
After a series of longs hours working with AWS transcription, I now have a new error using Postman:
<AccessDeniedException>
<Message>Unable to determine service/operation name to be authorized</Message>
</AccessDeniedException>
However, I don't know what the issue is. I tried to Google it but the error seems to happen also in AWS Lambda. But I'm working with AWS Transcription. Can anyone check what seems to be the problem?
My sample sample GET request is:
https://transcribestreaming.us-east-1.amazonaws.com/medical-stream-transcription-websocket?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=MYACCESSKEYID%2F20200404%2Fus-east-1%2Ftranscribe%2Faws4_request&X-Amz-Date=20200404T171802Z&X-Amz-Expires=300&X-Amz-SignedHeaders=host&language-code=en-US&media-encoding=pcm&sample-rate=16000&specialty=PRIMARYCARE&type=DICTATION&X-Amz-Signature=5f5f0a5d336e524b335245b6e83945d3057ec3905a9ae2d2ca709b77cce5478f
I intentionally replace the X-Amz-Credential with MYACCESSKEYID for security purpose.
There maybe two errors:
1) "https://" request connects to default port of 443. This cause error of "Unable to determine service/operation name to be authorized". Please explicitly use port :8443.
2) Your client does not handle websocket upgrade correctly. In the first request to open connection, your client need initiate websocket upgrade by including several headers, as specified in "Including WebSocket Request Headers" section of https://docs.aws.amazon.com/transcribe/latest/dg/websocket-med.html#websocket-response-med
Example in curl:
curl --include --no-buffer \
--header "Connection: Upgrade" \
--header "Upgrade: websocket" \
--header "Host: transcribestreaming.us-east-1.amazonaws.com:8443" \
--header "Origin: http://localhost:3000" \
--header "Sec-WebSocket-Key: tEfHvBSx8jqQyZgCNrhI3w" \
--header "Sec-WebSocket-Version: 13" \
"https://transcribestreaming.us-east-1.amazonaws.com:8443/medical-stream-transcription-websocket?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=MYCREDENTIAL&X-Amz-Date=20200406T211542Z&X-Amz-Expires=60&X-Amz-Signature=MYSIGNATURE&X-Amz-SignedHeaders=host&language-code=en-US&media-encoding=pcm&sample-rate=16000&specialty=PRIMARYCARE&type=DICTATION"
On a successful request, client receive "101 Switching Protocols". The connection is established, and then you can continue send audio frames as documented in https://docs.aws.amazon.com/transcribe/latest/dg/websocket-med.html#websocket-streaming-request-med
It seems you are trying to connect to Amazon Transcribe Medical’s websocket endpoint. Upon reviewing your GET request, it appears you are missing port number 8443, due to which your request is not being routed to websocket endpoint.
https://docs.aws.amazon.com/transcribe/latest/dg/websocket-med.html#websocket-streaming-request-med describes an example of creating a bi-directional request to transcribe medical’s streaming endpoint.
I'm trying to post a request using curl to my es cluster in AWS using my accessKey and secretKey. I have successfully done this through postman (details here) where you can specify AWS credentials but I would like to make this work with curl. Postman can auto-generate your curl request for you but all I get are errors.
This is the generated curl request along with the response
curl -X GET \
https://search-00000000000001.eu-west-1.es.amazonaws.com/_cat/indices \
-H 'Authorization: AWS4-HMAC-SHA256 Credential=11111111111111111111/20181119/eu-west-1/es/aws4_request, SignedHeaders=cache-control;content-type;host;postman-token;x-amz-date, Signature=11111111116401882398f46011f14fdb9d55e012a4fb912706d67c1111111111' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Host: search-00000000000001.eu-west-1.es.amazonaws.com' \
-H 'Postman-Token: 00000000-0000-4001-8006-9291e208a000' \
-H 'X-Amz-Date: 20181119T220000Z' \
-H 'cache-control: no-cache'
{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."}%
IDs have been changed to protect the innocent.
I have checked all my keys and region, and like i said this works through postman. Is it possible to access this AWS service using my keys through curl?
This is quite a long rabbit hole. Thanks to Adam for the comment that sent me in the correct direction. The link https://docs.aws.amazon.com/apigateway/api-reference/signing-requests/ really helps you understand what you need to do.
I've since found a script that follows the signing requests method outlined above. It runs in bash and whilst it is not written for use with elasticsearch requests it can be used for them.
https://github.com/riboseinc/aws-authenticating-secgroup-scripts many thanks to https://www.ribose.com for putting this on github.
If your host contains ':443' remove it and try again.
This worked for me.
"My initial problem: If I access it with Postman using the same url, I get the same error, but removing the ‘:443/’, it works fine, so it’s nothing wrong with the key and secret I’m using."
Need help in below scenario on aws
i have 2 stacks with different names with different priority EX (1 and 100), but same context path.
by default the traffic routes to stack which has priority 1 , but i want to test the stack which is of high priority.
EX : i use the alb url to test the stack
curl --request GET -v --header "Content-type: application/json" https://alb/<context path> --insecure
can anyone help how can i get a traffic redirected to the second stack, tried adding host header in the listerner rule but not sure how to frame the curl command
curl --request GET -v --header "Content-type: application/json" --header "Host: api.sample.com" "https://alb/<context path>" --insecure
Rules :
stack 1 : path pattern /test/test1 forwarded to stack1
stack 2 : path pattern /test/test1 & Host header api.sample.com forwarded to stack2.
regards,
vishal
New host based routing feature in AWS ALB fits properly for your use-case. Using this approach, you can configure routing rules to different Target Groups based on the host from which you receive the request.
Hope this helps.
just started with wso2-am. I published the example PizzaShackAPI: /pizzashack/1.0.0 API and registered a default application against it. I can (re)generate keys for the default application and with this, I can call e.g. the GET/menu item in the API console. This gives me the expected list as long as the access token is valid.
However in the API console the equivalent curl command is also given as :
curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer 00cb3832-f73f-3536-b287-4330a47ef4bd' 'https://192.168.1.9:8243/pizzashack/1.0.0/menu'
I run this under windows (curl-7.54.0-win64-mingw) but this doesn't work. Tried replacing some quotes with double quotes etc. but all to no avail. Furthermore, I assume that I am using one-way SSL to the service running in wso2-am itself (on port 8243) and I don't need to supply any certificate myself. I also realize that the server side uses a self signed certificate and not sure whether this has any implications in this situation.
Hope someone can help me out on this.
As an addition - just noticed that in the sys$output of the wso2-am server the following is listed:
[2017-05-13 00:38:38,858] ERROR - SourceHandler I/O error: Received fatal alert:
unknown_ca
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1639)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1607)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1776)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1068)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:890)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.ja
va:245)
I think that this is caused by the curl command hitting the API service .
Thanks Peter
You are accessing HTTPS url of the API, You have to either use a keystore or suppress the SSL in cURL with -k option
curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer 00cb3832-f73f-3536-b287-4330a47ef4bd' 'https://192.168.1.9:8243/pizzashack/1.0.0/menu' -k
You also can use below HTTP URL of the API, note the port difference.
curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer 00cb3832-f73f-3536-b287-4330a47ef4bd' 'http://192.168.1.9:8280/pizzashack/1.0.0/menu'