Kentico Multisite Azure Application Gateway App Service MVC configuration issue - 502 error - azure-devops

TL;DR - How can I get the Azure Application Gateway to pass 5.xx errors from the App Service to my browser? Currently the Application Gateway swallows any 5.xx error generated by the App Service and delivers a "502 - Web server received an invalid response while acting as a gateway or proxy server" error. I want to see the underlying error. And, I guess, have the Application Gateway ignore the error and just pass everything directly through from the App Service to my browser.
I've turned on Application Logging for the App Service. I can see some 5.xx errors in the LogFiles/DetailedErrors folder. But I think I'm missing some understanding of what Kentico does when it throws a 5.xx error. Normally if you're on a normal server or locally, you don't see the generic 503 page as your browser is redirected to the 'Invalid license key' page.
I don't know what sort of internal (black) magic Kentico does to deliver this page, rather than the normal asp.net 503 Service Unavailable page. But this page is very useful to see, as it gives an idea of what's really wrong with the Kentico configuration.
Background:
Kentico seems to use some 5.xx errors for information, e.g. the licence check throws a 503 error, instead of a useful 200 status with a message that you need to check your license.
We have a MVC Kentico 11 MVC site. It hosts multiple websites. We are trying to set up an Azure Application Gateway that points to two App Services, one MVC, one for Kentico admin.
So far I have the Kentico admin working properly - multiple domains can all access the CMSDesk via the Application Gateway. However, the MVC site is problematic. I can only get the default domain for the App Service to work. All other domains show a 502 error.
I'm thinking that the 'default' domain of the App Service works properly because the Application Gateway isn't forwarding the domain properly to the App Service, but I don't know how to verify this. And it's just my latest theory, and it's pretty shaky - if I remove the app, and just put static .htm files there, I can browse to them without error.
It seems that the "502 - Web server received an invalid response while acting as a gateway or proxy server" message is served up by the Application Gateway for any 5.xx error generated by the App Service, essentially hiding details of any Server Error issues that may arise, e.g. the Kentico license error generates a 503 that is presented as a problem with this module: "PageHandlerFactory-Integrated-4.0", rather than the obvious 'invalid license' screen that you normally see when Kentico is hosted on a normal server.

The Invalid license error will only show for the Admin site, not the MVC site. Never looked into what happens when that error is displayed, just always go in and add my missing license. If you want to get the full error, I would make sure you are logging all errors in your MVC into the Event log in Kentico.
In your Global.asax.cs file, you can probably do something like this:
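    // Global.asax.cs: log every unhandled MVC exception to the Kentico event log.
    public void Application_Error(Object sender, EventArgs e)
    {
        // Last unhandled exception raised while processing the request
        Exception exception = Server.GetLastError();
        // Source "MVC", event code "EXCEPTION"; shows up in the Admin Event log
        EventLogProvider.LogException("MVC", "EXCEPTION", exception);
    }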
Then you should be able to see the error in the Admin Event log.
This post may help with capturing errors in MVC better. I did something like this answer for displaying errors on the MVC site.

As soon as the Application Gateway detects a backend as unhealthy, you'll see the 502 error.
You can adjust the Health probe in your Application Gateway, so that the probe matching conditions include code 503. For example, set the condition to 200-503.
After you've done that, you should see the 503 page from Kentico.
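An added example (not part of the original answers) showing how a probe's status-code match range decides backend health, and how to send a request with an explicit Host header to check the host-forwarding theory from the question. The backend, its host names and the port are constructed for the demo; `200-399` is the Application Gateway default match range.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

DEFAULT_MATCH = "200-399"  # Application Gateway's default healthy range

def is_healthy(status, spec=DEFAULT_MATCH):
    """True if status falls in a match spec such as '200-399' or '200-399,503'."""
    for part in spec.replace(" ", "").split(","):
        low, _, high = part.partition("-")
        if int(low) <= status <= int(high or low):
            return True
    return False

class ConstructedBackend(BaseHTTPRequestHandler):
    """Constructed stand-in backend: 200 for one host name, 503 for any other."""
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        self.send_response(200 if host == "default.example" else 503)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def probe(port, host_header, spec=DEFAULT_MATCH):
    """Send one GET with an explicit Host header; return (status, healthy)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, is_healthy(resp.status, spec)

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), ConstructedBackend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {
            "default": probe(port, "default.example"),
            "other": probe(port, "site2.example"),
            "other_widened": probe(port, "site2.example", "200-503"),
        }
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

With `200-503`, a backend answering 500 or 502 is also counted as healthy, so the gateway keeps routing traffic to it.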

Related

IBM Weather REST API 401 Keep getting CORS issues when access

I am getting a 401 and some cross domain issues when trying to access IBM Weather REST API from either client (browser) or server.
If I generate a URL and try and access it directly from a browser (eg paste it in it works fine and the JSON weather report is returned).
When I try and run the Javascript HTTP request from either the browser or server it seems like it's only allowed to run from an ibm.com domain.
Failed to load https://twcservice.au-syd.mybluemix.net/api/weather/v1/geocode/-33.00/151.00/forecast/daily/7day.json?units=m&language=en-US: The 'Access-Control-Allow-Origin' header contains multiple values 'https://*.ibm.com, https://*.ibmcloud.com', but only one is allowed. Origin 'http://localhost:3000' is therefore not allowed access.
I am using the free service on Bluemix. Is this restricted to only run via a Bluemix server? or are there some options I can pass when I create the service on Bluemix
Note, when I make the request I am using the credentials supplied via the Bluemix console. Again, this works via the browser URL bar, but not via code.
Update/More info: if I paste the URL above into the browser (with creds) it works as above, then if I hit it via the web app in the same session it works.
Hmmm. So the IBM server is sending the following response header:
Access-Control-Allow-Origin: https://*.ibm.com, https://*.ibmcloud.com
That's an invalid response from IBM. Unfortunately, I think your only option is to complain to IBM, and convince them to:
- Return a valid Access-Control-Allow-Origin response header (with only one value)
- Allow people outside of IBM to access it
Without that, I fear you're out of luck.
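The browser-side check behind the error above, as an added example that is not part of the original answer. The function name and the sample inputs are constructed here; the rejected header value is the one quoted in the question.

```python
def cors_origin_allowed(acao_values, origin, with_credentials=False):
    """Mimic the browser's check of Access-Control-Allow-Origin (ACAO).

    acao_values: every ACAO header value received; repeated headers are
    combined with ', ' before comparison, as a browser does.
    Returns (allowed, reason).
    """
    if not acao_values:
        return False, "header missing"
    combined = ", ".join(v.strip() for v in acao_values)
    if "," in combined:
        return False, "multiple values; only one is allowed"
    if combined == "*":
        if with_credentials:
            return False, "'*' is not accepted for credentialed requests"
        return True, "wildcard"
    if "*" in combined:
        return False, "wildcard patterns are not matched; one exact origin required"
    if combined == origin:
        return True, "exact origin match"
    return False, "origin mismatch"


def check_samples():
    """Run the check on the header from the question plus constructed cases."""
    origin = "http://localhost:3000"
    samples = {
        "from_question": ["https://*.ibm.com, https://*.ibmcloud.com"],
        "pattern_only": ["https://*.ibm.com"],
        "exact": ["http://localhost:3000"],
        "star": ["*"],
    }
    return {name: cors_origin_allowed(v, origin)[0] for name, v in samples.items()}


if __name__ == "__main__":
    print(check_samples())
```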

Collections on watson discovery not being created and showing API timeout issue

Each time we look to create a collection on the discovery GUI using the API we are getting API timeout issues. This happens very erratically.
IBM provides a website to see if the services and systems are working fine. The site shows whether there is maintenance and any problems with the services.
I had the same problem with another service. My service works fine now. Verify that your services are OK and check that the service has the status "no known issues" too.
Check the error:
See the Website.

Issue Testing after IdentityServer3 Deploy

After going through walkthroughs I had a test mvc app, test web api, and identityserver3 all working perfectly on my machine. I deployed IdentityServer3 to our servers in AWS behind a load balancer. I followed all the instructions in the Deployment wiki. I am able to hit the .wellknown configuration fine after deployment from a browser on my machine.
I changed the authority url for the mvc and api test apps to point to the aws deployment. Clients, Scopes, users, etc are all configured identically as they are hitting the same database as it was when running on local machine.
I can get an access token using RequestResourceOwnerPasswordAsync just fine so I think ids is installed fine.
However, both the API and the MVC app just trying to use implicit flow are now failing. For instance, when I try to hit an MVC controller action marked with [Authorize] I get an error stating "An invalid request URI was provided. The request URI must either be an absolute URI or BaseAddress must be set".
If I try to hit the webapi from the mvc app (both running locally on my machine) after a successful RequestResourceOwnerPasswordAsync call, I get the error "Response status code does not indicate success: 401 (Unauthorized)." after what seems like a timeout.
Any help would be greatly appreciated.
Figured out the problem. When specifying PublicOrigin, it has to be a full URL and not just the domain. I had left off the https:// prefix.
The web api issue was related to connectivity to the identity server. There were some incorrect proxy settings for the app.

Do I need account-based permissions to initialize an mssoap client from a wsdl file?

I'm getting this error when I try to use an ASP.NET WebService through an MSSOAP Client:
"WSDL Reader: Loading of the WSDL file failed HRESULT=0X80040154 Class not registered - Client: An
unanticipated error occured during the processing of this request.HRESULT=0x1812040:Class not registered."
At first I thought the SOAP library was not properly registered. But when I debugged the code I realized the error was being raised at the time of reading the web service definition (The Soap client does get created).
SOAPClient.mssoapinit "wsdl_URL"
Now, the issue only occurs when I execute the code as a certain account (for the rest of the accounts the code works pretty well). The original client is a Classic ASP page but I've reproduced the problem using a vbs script.
I run the script under several accounts, but just one presents the wsdl-reading failure.
I've granted reading permissions to the directory that contains the asmx file to the failing account.
I've changed the physical path of the virtual directory where the webservice is hosted to a general non-particular-profile location like C:.
Ironically the application pool identity of the web application is the account that presents the failure.
All the accounts can read the wsdl file through a browser just typing the url (but still one of them can't from client code)
Do I need to grant additional permissions for the account in order to read the web service definition and initialize the soap client?

API Management service in Bluemix can't be bound to CF application

I'm building a CloudFoundry application in Bluemix using the API Management service. For this I'm following this tutorial http://www.ibm.com/developerworks/cloud/library/cl-bluemix-api-mgmt-app/index.html.
I can successfully create an API Plan for a custom REST API application (running on a Liberty server on Bluemix as well) and it is published.
I can also create a service in my Bluemix dashboard using the new Custom API, which I take as the API plan was successfully deployed on Bluemix.
Whenever I try to bind this new service I get the following message:
BXNUI2055E: Unable to connect to Cloud Foundry because of the
following exception: "Read timed out." If the problem persists, see
the Troubleshooting topics in the IBM Bluemix Documentation to check
service status, review troubleshooting information, or for information
about getting help.
From time to time I also get this message
The service broker returned an invalid response for the request to
https://apimasv1-stage.stage1.mybluemix.net/d118dceb-edbf-4a7f-9bab-d44371b0c9f9/privateservices/v2/service_instances/1a60830c-0796-4105-afb4-e3477424acf9/service_bindings/ebb853dc-ec88-4987-b8f2-e9acd38d1741.
Status Code: 502 Bad Gateway, Body: 502 Bad Gateway: Registered
endpoint failed to handle the request.
Also, I can open the API portal and see the services listed in there. However, whenever I try to test the service, I get the following error
A security error has occurred. If using a self-signed certificate on
your gateway, you will need to accept it in your browser, which you
can do by clicking the following link.
https://api.wawona.apim.ibmcloud.com/victorshmx1ibmcom-dev/sb/LibraryREST/rs/authors/1
Also, below in the response I get this message:
NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to
load
'https://api.wawona.apim.ibmcloud.com/victorshmx1ibmcom-dev/sb/LibraryREST/rs/authors/1'.
I must clarify that this service (the Liberty app) doesn't have any security constraint to access the REST service, nor have I added any kind of security in the API Management portal.
Another thing to clarify is that I can bind other services, but not this one.
Does anyone know how I can fix those problems? Is there a known issue with IBM API Management service?
This seems to be an error with the API Management service instance you are trying to bind to.
You could open a ticket to support team following the link you can find here:
https://developer.ibm.com/bluemix/support/
Click on 'Contact IBM' and open a 'Support ticket'