Change location header in redirect responses from HTTP to HTTPS in Kong API Gateway - redirect

I have the following setup
User Request --> AWS ELB Application load balancer --> Kong Gateway --> Integration
The SSL termination happens at application load balancer.
One of my endpoints makes the Integration respond with a redirect (status code 302). For example, a request to https://api.domain.my/a/b/c should make the integration return the redirect path /x/y/z.
This redirect request with a status of 302 reaches the API gateway which should add a location header to the response with the complete URL i.e. https://api.domain.my/x/y/z
But the response I get in the header on my browser is http://api.domain.my/x/y/z in the location header. I am guessing this is happening because my SSL termination happens at the ELB and hence Kong is just returning http:// in the location header.
Is there a workaround for this? How can I use the response transformer maybe to achieve this?
Is there any better way to achieve this?

Related

Vertx reverse proxy redirect handling

I'm pretty new to Vertx, I'm building a reverse proxy on Quarkus.
I need to handle a redirect response from my Apache to my Quarkus reverse proxy, so that my Client doesn't get redirected directly to the Apache server (bypassing the proxy).
Resource is located in custom.url/myResource/index.php
My reverse proxy is running on localhost:8080
Basically what happens is:
Browser sends a GET request to localhost:8080/myResource. Quarkus is listening on 8080, so it receives the request, remaps the URL to custom.url/myResource and forwards it to Apache.
Apache creates a redirect response because a slash was missing at the end of the URL, so it sends a 301 response with the Location header set to custom.url/myResource/ (with the slash at the end) to the Quarkus reverse proxy.
Quarkus will forward the redirect response (301 custom.url/myResource/) to the Client, so it will make a GET call straight to custom.url/myResource/, bypassing the Reverse Proxy.
This behavior is not acceptable, since I can't allow the client to know the resource address of my backend service.
Code snippet
```java
Route route = this.proxyRouter.route(method, path)
    .handler(CorsHandler.create("*"))
    .handler(LoggerHandler.create())
    .handler(ctx -> {
        // need to create a handler here to handle this behaviour;
        // for now it just passes the request on to the proxy handler
        ctx.next();
    })
    .handler(ProxyHandler.create(myProxy));
```
What I have to do is basically set the Location header of the response to the correct path, including the slash.
I tried to get the request.absoluteURI() hostname, the response subdomain (with the slash) and merge them together.
request URI: localhost:8080/myResource -> localhost:8080 (1)
response Location: custom.url/myResource/ -> /myResource/ (2)
So I get the wanted Location header by merging (1) and (2): localhost:8080/myResource/
Logically this works, but I don't know where and if I'm able to do this inside the handler, or if I need to do it some other way. I tried to implement this logic inside the handler, but I'm only able to get the request URI, there was no way to find the 301 response.
Need help plz.
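Added example, not code from either post nor from Kong or Vert.x: the Location rewrite that both questions need, in Python, with the backend host names and the trusted load-balancer range as constructed assumptions. It covers the Kong case (a relative Location gets the scheme the client actually used, read from X-Forwarded-Proto only when the peer is the trusted load balancer) and the Vert.x case (an absolute URL pointing at a backend host is re-pointed at the proxy's own address).

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, urlunsplit

# Constructed sample topology (not from either post): internal backend hosts the
# client must never see, and the load-balancer range whose X-Forwarded-Proto we trust.
BACKEND_HOSTS = {"custom.url", "integration.internal"}
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def effective_scheme(peer_ip, forwarded_proto, request_scheme):
    """Scheme the client really used. X-Forwarded-Proto is honoured only when the
    TCP peer is a trusted load balancer; from anyone else it could be spoofed."""
    if forwarded_proto and any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        return forwarded_proto.split(",")[0].strip().lower()
    return request_scheme


def rewrite_location(location, public_host, peer_ip, forwarded_proto=None,
                     request_scheme="http"):
    """Location value the client should see.

    - relative path (the Kong post): make it absolute with the public host and the
      scheme the client used, so TLS offload does not downgrade https to http
    - absolute URL to a backend host (the Vert.x post): swap in the public host so
      the client keeps going through the proxy
    - any other absolute URL (redirect to a third party): pass through untouched
    """
    scheme = effective_scheme(peer_ip, forwarded_proto, request_scheme)
    parts = urlsplit(location)
    if not parts.scheme and not parts.netloc:  # e.g. "/x/y/z"
        return urlunsplit((scheme, public_host, parts.path, parts.query, parts.fragment))
    if parts.hostname in BACKEND_HOSTS:  # e.g. "http://custom.url/myResource/"
        return urlunsplit((scheme, public_host, parts.path, parts.query, parts.fragment))
    return location


if __name__ == "__main__":
    # Kong case: the ELB (10.x) terminated TLS and says so, so the client sees https.
    print(rewrite_location("/x/y/z", "api.domain.my", "10.0.1.5", "https"))
    # The same header from an untrusted peer is ignored.
    print(rewrite_location("/x/y/z", "api.domain.my", "203.0.113.7", "https"))
    # Vert.x case: the backend's 301 is rewritten to the proxy's own address.
    print(rewrite_location("http://custom.url/myResource/", "localhost:8080", "127.0.0.1"))
```

In Kong the corresponding setting is `trusted_ips` in kong.conf, which lists the addresses whose X-Forwarded-* headers Kong honours; the load balancer's addresses belong there, nothing wider.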

Cloudfront and ALBs - Redirecting an HTTP request of a URL that is not on the SSL certificate. HTTP not HTTPS

I have an ALB set up behind a CloudFront distro. I have a rule to redirect an HTTP request for URL A to URL B, which is not on AWS infrastructure.
When I query the ALB directly for URL A, the load balancer properly redirects to URL B. When I query a CloudFront endpoint for URL A, I get a 403 error back. Per the AWS "troubleshoot 403s" doc, it seems the issue is that I don't have an alternate CNAME configured for URL B. However, since it's not on the SAN certificate that's associated with my CloudFront distro, I can't add it to the list of alternate CNAMEs. Is there a workaround to allow requests to URL A to properly travel through my CloudFront distro and get redirected? It doesn't make sense to me that I can't do this for an HTTP request.
verified that the ALB can be queried directly and redirect works
tried to add an alternate cname for http domain
removed wacl on alb to make sure that wasn't blocking it

Keycloak throwing no referrer after TLS termination

I'm using Istio as a proxy in front of Keycloak. I'm offloading TLS at the NLB and am serving Keycloak over the HTTP port.
I can correctly reach the first keycloak page, but when I click Administration Console, I get the result below.
I'm blocked at keycloak.js?version=4hm2q, and I see that Request URL is http://mykeycloak-address/auth/js/keycloak.js?version=4hm2q, and Referrer Policy is no-referrer. Request Headers show that Referer header is empty.
I have PROXY_ADDRESS_FORWARDING set to "true". I tried both HTTP-to-HTTPS redirect and no redirection. When I set https redirect to false, I get an "https required" error.
Any help? Thanks.

API Gateway Proxy to VPC Link

I am trying to use API Gateway to route traffic to an internal network load balancer.
All routes to the base path (/) are working, so I know the VPC Link is up and reachable.
I added a proxy resource (/{proxy+}), with ANY http method. In the ANY "Integration Request" I selected:
Integration Type: VPC Link
Use Proxy Integration
Method: ANY
VPC Link: My-VPC-link (abcdefg)
Endpoint URL: (i.e. http://abcd1234.cloudfront.net/{proxy})
I can see that my web server responds with a redirect:
(b9d0c629-31ec-11e8-b452-0f13c3c62b81) Endpoint response body before
transformations: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: http://abcd1234.cloudfront.net/api/. If not click the link.
(b9d0c629-31ec-11e8-b452-0f13c3c62b81) Method completed with status: 301
The web page shows:
{"message":"Forbidden"}
Also, if I try to directly link to the CloudFront URL I get the same error.
In addition to the CloudFront URL, I've also tried the following:
Custom Domain Name
403 Forbidden
The URL of my deployed stage
{"message": "Internal server error"}
What URL should be in the 'Endpoint URL' field in the integration request?
It turns out that the API-Gateway must call the VPC Link with 'http' not 'https' for the VPC Link URL.
Everything seems to be in order in your configuration of API Gateway, including the endpoint URL.
My guess is that you are messing something up with the redirections. Is it possible that your server is redirecting to the same place again and again, or that the redirection rules always apply?
To be sure that the problem is on your server's side, try a simpler setup. Try making an API call to somewhere that doesn't redirect and just returns a simple response.

AWS Classic Load Balancer + EC2: web API requests returns 404

I have an AWS EC2 Jira instance running behind an AWS Classic load balancer. The site loads fine in the browser, but all API requests are returning 404 for some reason. It is not a Jira 404, but a generic 404 response with no body and minimal headers. The only useful response header seems to be Server: nginx.
I tried white-listing my client IP, opening up all ports, sending requests to the LB and directly to the instance with proper security group settings, etc., but the same 404 response is returned. I'm using Postman to test the API. I noticed that when I load the EC2 instance directly in the browser, it redirects to the load balancer.
GET http://jira (home page)
Returns 200 with HTML. Basic auth works, too.
GET http://jira/rest/api/2/issue/ticket-num (or any other /rest/ endpoints)
Returns 404.
Where should I start looking to debug this 404 issue? I feel like I'm missing something basic. I'm not seeing any Jira configuration for setting up its rest API. I feel like perhaps it's a server configuration issue, although I've never come across manual web server configuration while installing Jira, so maybe on the AWS's side?
EDIT: still waiting to get ssh access to the instance, so I'll update as I get more info and access.
These HTTP 404 responses with a very limited set of headers could be coming from the default (the bottom one) rule in the ELB. I experienced a similar issue getting HTTP 404 because, instead of a host header condition, I set a path condition and provided the host domain name in one of the ELB rules. So the rule did not match and the default rule returned 404 because no such path exists on the instance.
I would recommend trying the "Redirect to" or "Return fixed response" options for the default rule to check whether the request is falling through to the default rule.