Vertx reverse proxy redirect handling - redirect

I'm pretty new to Vertx, I'm building a reverse proxy on Quarkus.
I need to handle a redirect response from my Apache to my Quarkus reverse proxy, so that my Client doesn't get redirected directly to the Apache server (bypassing the proxy).
Resource is located in custom.url/myResource/index.php
My reverse proxy is running on localhost:8080
Basically what happens is:
Browser sends a GET request on localhost:8080/myResource, Quarkus is listening on 8080 so he receives the request, remaps the url tocustom.url/myResource and forwards to Apache.
Apache creates a redirect response, because a slash was missing at the end of the url, so he sends a 301 response with the Location header set to custom.url/myResource/ (with slash at the end) to the Quarkus reverse proxy.
Quarkus will forward the redirect response (301 custom.url/myResource/) to the Client, so he will make a GET call straight to custom.url/myResource/ bypassing the Reverse Proxy.
This behavior is not acceptable, since I can't allow the client to know the resource address of my backend service.
Code snippet
Route route = this.proxyRouter.route(method, path)
.handler(CorsHandler.create("*"))
.handler(LoggerHandler.create())
.handler(ctx ->{ //need to create an handler to handle this behaviour })
.handler(ProxyHandler.create(myProxy);
What i have to do is basically setting the Location header of the response to the correct path, including the slash.
I tried to get the request.absoluteURI() hostname, the response subdomain (with the slash) and merge them together.
request URI: localhost:8080/myResource -> localhost:8080 (1)
response Location: custom.url/myResource/ -> /myResource/ (2)
So i get the wanted Location header merging (1) and (2): localhost:8080/myResource/
Logically this works, but I don't know where and if I'm able to do this inside the handler, or if I need to do it some other way. I tried to implement this logic inside the handler, but I'm only able to get the request URI, there was no way to find the 301 response.
Need help plz.

Related

How to get the full URL from an Http4s Request

I'm trying to obtain the beginning of the URL that a client used to access a webserver in Http4s. I.e. given a Request[F] I want to obtain the string "http://localhost:8080" or "https://my-app.company.com" depending on where the server is deployed.
In a server implementation with Http4s, when receiving a Request via something like
HttpRoutes.of[IO] {
case req =>
println(req.uri)
???
}
I only ever seem to get a relative URI, e.g. / or /foo/bar - the scheme and authority fields on the Uri are both None.
It looks like I can pull the localhost:8080 part from the Host header on the request, but I have no solution for the scheme (http:// or https://).
How can I fill in the correct value for request.uri.scheme? And is there a more appropriate way to obtain the host?
FWIW I'm using http4s 0.22
You can't get it while using Blaze as an HTTP server. There are workarounds. You can catch bound of a server:
By port:
[io-compute-4] INFO org.http4s.blaze.channel.nio1.NIO1SocketServerGroup - Service bound to address /[0:0:0:0:0:0:0:0]:8080
By schema:
[io-compute-4] INFO org.http4s.blaze.server.BlazeServerBuilder - http4s v1.0.0-M33 on blaze v1.0.0-M33 started at http://[::]:8080/
Or you can map 8080 to HTTP and 8081 to HTTPS and make pattern matching on it.
A bad workaround would be to add it as an HTTP header and read it via Headers
It legacy practice but many legacy software companies are still using this approach.

Change location header in redirect responses from HTTP to HTTPS in Kong API Gateway

I have the following setup
User Request --> AWS ELB Application load balancer --> Kong Gateway --> Integration
The SSL termination happens at application load balancer.
One of my endpoint makes the Integration respond a redirect URL with a code 302. Ex. when I make a request to https://api.domain.my/a/b/c should make the integration return a redirect path /x/y/z
This redirect request with a status of 302 reaches the API gateway which should add a location header to the response with the complete URL i.e. https://api.domain.my/x/y/z
But the response I get in the header on my browser is http://api.domain.my/x/y/z in the location header. I am guessing this is happening because my SSL termination happens at the ELB and hence Kong is just returning http:// in the location header.
Is there a workaround for this? How can I use the response transformer maybe to achieve this?
Is there any better way to achieve this?

Custom endpoint path for AWS API Gateway WebSocket

I have created an API Gateway with Websocket protocol.
After I deploy the API, I get a WebSocket URL and a connection URL.
e.g.
WebSocket URL: wss://xxxx.execute-api.us-west-2.amazonaws.com/test
Connection URL: https://xxxx.execute-api.us-west-2.amazonaws.com/test/#connections
Now everything is fine, I am able to connect to the API, and send and receive messages.
But when I try to access a different path, I get an HTTP 403 error.
e.g. If I try to connect to wss://xxxx.execute-api.us-west-2.amazonaws.com/test/some/path
, I get 403 error.
Is it possible to configure API gateway in such a way that it accepts connections to all paths and passes on the path, i.e. /some/path in my case, to the $connect route handler?
This is not yet supported by AWS. See the article and comments here https://medium.com/#lancers/using-parameter-mapping-in-websocket-api-67b414376d5e
There is a workaround with using an additional server, author of the article proposes the following:
you may put your own server that accepts an URI with path parameters, then return 302 to redirect the client to the WebSocket API endpoint with query string instead.

Spinnaker Gate is redirecting to the incorrect authentication URL

So I have spinnaker running behind an https load balancer and my external ports use the standard 443 which get port mapped to the spinnaker instance still on port 9000. I've gotten pretty much everything to work except a redirect from gate is still appending the :9000 port to my URL.
requests sent to https://my.url.com/gate/auth/redirect?to=https://my.url.com/#/infrastructure send back a redirect response with the location header in the 301 location:https://my.url.com:9000/gate/login which fails because the load balancer is only listening for 443. If I manually delete the port and go right to https://my.url.com/gate/login the oauth flow works as expected and once authed all deck functionality and subsequent gate queries work as expected.
In my /etc/default/spinnaker file I have
SPINNAKER_DECK_BASEURL=https://my.url.com
SPINNAKER_GATE_BASEURL=https://my.url.com/gate
in /opt/spinnaker/config/gate-googleOAuth.yml I have
spring:
oauth2:
client:
preEstablishedRedirectUri: ${SPINNAKER_GATE_BASEURL}/login
useCurrentUri: false
and I've ran /opt/spinnaker/bin/reconfigure_spinnaker.sh plus restarts to make sure deck and gate get updated. Does anyone have any ideas what I might be missing?
I figured out my problem. With the help of this issue pointing me in the right direction (https://github.com/spinnaker/spinnaker/issues/1112) and some digging I found that the issue was with apache2 and the reverse proxy back to gate.
ProxyPassReverse
This directive lets Apache httpd adjust the URL in the Location, Content-Location
and URI headers on HTTP redirect responses. This is essential when Apache httpd
is used as a reverse proxy (or gateway) to avoid bypassing the reverse proxy because
of HTTP redirects on the backend servers which stay behind the reverse proxy.
from apache2 documentation https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreverse

Best way redirect REST service request on glassfish + JAX-RS to https URL?

I have implemented a REST service on glassfish4 + JAX-RS. Now I want use a https connection for authentication.
The URI for http is http://myhost/myapp/services/rest/myservice and for https is https://myhost_2/myapp/services/rest/myservice. I want prevent the usage of http://myhost/myapp/services/rest/myservice.
I think one way is redirect a request over http://myhost in the REST JAX-RS class to https://myhost_2. Is this a good way? How can I implement this?
you could answer requests to http with 301 (Moved permanently, telling the client to use the new location in future requests) pointing to the https equivalent in the location header of the response.