I want to send request like this:
GET https://220.181.57.217/v1/groups
Host: test.restapi.foobar.com
But got this error:
error: SSLError: hostname '220.181.57.217' doesn't match 'test.restapi.foobar.com' while doing GET request to URL: https://220.181.57.217/v1/groups
According to rfc2616: Hypertext Transfer Protocol -- HTTP/1.1, it is due to how host is determined:
If Request-URI is an absoluteURI, the host is part of the
Request-URI. Any Host header field value in the request MUST be
ignored.
If the Request-URI is not an absoluteURI, and the request includes
a Host header field, the host is determined by the Host header
field value.
The reason for using IP in request URI is: in China, mobile dns resolution is not so good. Connect API server with IP is much better.
Is there a way to accomplish it?
Thanks!
check your GET URL,whether it has any ports number after IP,whther it is http or https protocol and your REST API path.
Related
Is there a way to configure a postman request(Http Get, Http Post) to use the system's IP address when calling an API? say If I want to call an api
"http://localhost:8080/foo/bar", will I able to configure my computer's IP address for the request?
I have an api which works with IP whitelisting and I am not able to request a resource from the api from postman. And I am getting 403 forbidden as response from the API
The simple answer here is: no.
You can only modify your IP address to a certain extend:
Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255
Source: https://www.ibm.com/docs/en/networkmanager/4.2.0?topic=translation-private-address-ranges
If your sever however is listening on localhost and not an external target, I doubt that your IP address is causing the issue here. If so, simply add localhost to the filter or whatever part of your application is denying your request because of your IP address.
I have a REST API on a Hetzner server which uses Varnish. I am trying to set up Cloudfront to use as the CDN for it. After reading around, I currently have the following setup:
Hetzner / Varnish
A main API route api.mydomain.com.
Config in Varnish for cdn-api.mydomain.com to also act as a route to the same API.
In the DNS for the domain in Hetzner, for cdn-api.mydomain.com I have
added the name servers for Route 53.
Route 53
Hosted zone called cdn-api.mydomain.com.
An A record with name prod.cdn-api.mydomain.com which points to my Cloudfront distribution.
An A record with name cdn-api.mydomain.com which points to the IP address of the server.
Cloudfront Distribution
Has the alternate domain name prod.cdn-api.mydomain.com.
Has the origin domain of cdn-api.mydomain.com
Protocol for origin is HTTP only
What I think should happen
Make a request to prod.cdn-api.mydomain.com.
Route 53 forwards to the Cloudfront distribution.
CloudFront looks to origin cdn-api.mydomain.com.
Origin cdn-api.mydomain.com looks to IP address of Hetzner.
Hetzner receives request, Varnish allows the domain through, sends back data to Cloudfront.
What actually happens
If I make a request straight to cdn-api.mydomain.com from Postman, it works if I turn off SSL.
If I turn on SSL, I get the error SSL Error: Hostname/IP does not match certificate's altnames, saying that cdn-api.mydomain.com is not on the certificates of the server.
If I make a request to prod.cdn-api.mydomain.com, I get the error Error: Exceeded maxRedirects. Probably stuck in a redirect loop. Which may be due to the same certs error.
Cloudflare
As a comparison, we have Cloudflare set up as the CDN for a different domain on the same Hetzner server. It has:
A main API route api.myotherdomain.com
In Hetzner a CNAME for cdn-api.myotherdomain.com with value cdn-api.myotherdomain.com.cdn.cloudflare.net.
In Cloudflare, an A record for cdn-api.myotherdomain.com which points to the IP address of the server.
cdn-api.myotherdomain.com is set up in Varnish as an entry point, but is not on the list of certificates of the server.
This all works fine including with SSL enabled.
It would be good to understand what I'm doing wrong here.
In my Play 2.5.x (Scala) web application I am using following technique to get absolute URL of the route (server name + uri):
controllers.routes.MyController.MyRoute.absoluteURL()
I recently found out that it uses Host header in the incoming http request to return absolute url. Use of Host header is not recommended as it's quite easy to do Host header injection attack.
Is there a secure way of getting the server name ?
Have a look at Play! implementation of CSRF attack protection and the Allowed Hosts configuration.
You can specify known hosts with the latter and it will reject requests from unknown hosts.
I'm trying to setup AWS Api Gateway as a reverse proxy for my actual deployed API.
My understanding is that I do this by creating a "Proxy" Resource and then specifying my http endpoint URL - as described here
Create and Test an API with HTTP Proxy Integration through a Proxy Resource
This works fine when I try to use the API through the "Test" function within the Resource Editor. I can make calls to any exposed resources using GET methods and see the successful responses.
However, when I deploy the API Gateway API I can no longer access anything using the "Invoke URL" it gives me - I simply get:
{
"Message": "No HTTP resource was found that matches the request URI 'http://<myuniqueid>.execute-api.eu-west-1.amazonaws.com/api/Sector/100'.",
"MessageDetail": "No type was found that matches the controller named 'Sector'."
}
If I remove the "Use HTTP Proxy integration" checkbox from the "Integration Request" I can get it working, but why doesn't it work as a proxy?
I suspect that this is caused by a known issue with the HTTP proxy integration. When you use an HTTP proxy integration, API Gateway passes all headers through to the integration endpoint, including the HOST header. Many existing http endpoint require the use of a HOST header which matches their DNS name and in such cases, passing through the HOST header of the API Gateway can confuse the endpoint.
UPDATE: We identified a work-around for this issue.
In your integration request, explicitly add a header named "Host" and give it the value of the integration endpoint DNS name. This will replace the Host header forwarded from the incoming client request with the Host header you specify. This should allow your backend endpoint to function correctly.
I have this problem: In kamailio I serve multiple domains that are not actually true Internet domains. A specific pbx, when registering, has a configuration that asks for the host and domain of the registering user, and puts that in the From header along with the username:
From: <sip:username#host.domain>
But the problem is that it first tries to resolve the hostname.domain, and if it is not resolvable it does not even try to register. Is this behaviour conforming to the SIP standard?
No it's not conforming if it is doing a lookup on the From header hostname. From the RFC (section 8.1.1.3):
...it is very important that the From URI not contain IP addresses or the FQDN
of the host on which the UA is running, since these are not logical
names.
Furthermore the SIP RFC gives an example of a valid From header as sip:thisis#anonymous.invalid where the hostname is not even a valid DNS hostname.
In most cases the From header URI is to identify the person making the request as part of the SIP challenge response authentication. In some cases SIP servers will disregard the hostname part of the From URI assuming that the authentication realm is some default value.
It will be depending on SIP server's implementation.
Add "host.domain" in /etc/hosts