I have a client which makes asmx call to a server. I have a question regarding the port that need to be open at the client to communicate with the server.
In our scenario, we intend to keep all ports closed in the client (its inside the firewall). As per my understanding when client makes a asmx call to the server, it opens an ephemeral port at the client and the server will response back at this port.
So, do I need to open these port at the client?
You can customize this by setting the BindIPEndPointDelegate of the ServicePoint which is being used in the HttpWebRequest being used for the connection.
See Ways to Customize your ASMX Client Proxy for details of customizing the HttpWebRequest.
Related
I am developing a web service using REST API. This REST API is running on port 6443 for HTTPS. Client is going to be a Single page application running on port 443 for HTTPS on same machine. The problem I am facing is:
While I hit the url say: https://mymachine.com/new_ui I get certificate exception for an invalid certificate because I use a self signed one, so mymachine.com:443 gets added to server exception. But still requests doen't go to REST API as they are running on https://mymachine.com:6443/restservice. If I manually add mymachine.com:6443 to server exception on firefox it works but it will not be the case in production for customers.
Some options that I thought are:
1. Give another pop up and ask to add REST server on port 6443 exception too.But this doesn't look proper as why an end user should accept the cerf for same domain twice. Also REST api server port can change.
Can we programmatically add exception for domain and both the ports in one shot? Ofcourse with the consent of the user. 3. Use a reverse proxy. But then its going to have memory footprint on our system. Also it will be time consuming.
Please suggest some options. How do I deal with it. Thank you
I got a webservice endpoint and I stumple upon how to correctly implement it.
It seems to be an parameterized exe-file which returns an XML Reply.
There is no documentation.
I am used to soap, wcf and rest but this is completely unknown to me, has anyone a guide or a best case how to implement such a service?
I can consume it with a HTTP GET but there are some questions left to me:
I know the questions are quite broad... But I could not find anything about it in the interwebz.
Is there a secure way to publish exe files as webservice?
Are there any critical downsides implementing such an interface?
Make I myself a fool and this is just an alias?
Example Url:
http://very.exhausting.company/Version/SuperStrange.exe?parameter=String
Web servers
What you call a webservice endpoint is nothing else than a web server listening on some host (normally 0.0.0.0) and some port on a physical or virtual machine and responding with some HTTP response to HTTP requests sent to that host, port and URIs that the web server cares to process.
Any web server is itself an application or a static or dynamic component of an application as the following examples illustrate:
JBoss, Glassfish, Tomcat etc. are applications, known as application servers, into which containers/servlets/plugins implementing web servers and corresponding endpoints are deployed. These listen on some port exposing generic web servers routing requests to those containers and their servlets;
a fat jar started with java -jar on a JVM which deploys a vert.x verticle featuring a vert.x HttpServer listening on some port is nothing else than a web server;
an interpreter such as node.js parsing and executing JavaScript code based on the express module will most likely deploy a web server on some port;
finally, a statically or dynamically linked application written in languages such as C++ or Go can expose a web server listing on some port.
All of the above cases feature different deployment mechanisms, but what they deploy is essentially the same: a piece of software that listens for HTTP requests on some port, executes some logic based on request and returns HTTP responses to the caller.
Your windows exe file is most likely a statically linked application that provides a web server.
Protocols
So we know you have a web server as it reacts to an HTTP GET. How does it relate to REST, SOAP etc? Effectively, REST, SOAP etc are higher level protocols. TCP is the low level, HTTP is based on top of that and your server supports that. REST, SOAP and everything else that you mention are higher level protocols that are based, among others, on HTTP. So all you know is that your application (web server) supports HTTP, but you do not know which higher level data exchange protocol it implements. It definitely implements some, at least a custom one that its author came up with to exchange data between a client and this application.
You can try to reverse engineer it, but it is not clear how would you find out about all possible endpoints, arguments, payload structures, accepted headers etc. Essentially, you have a web server publishing some sort of an API, but there is no generic way of telling what that API is.
Security
The world around you does not have to know how the API is published. You can put any of the above 4 web server implementations behind exactly the same firewall or a reverse proxy with SSL termination exposing just one host and port over SSL. So there is no difference in security, with respect to the world, whether you deploy it as exe or as a war into JBoss. This is not to say, that your exe file is secure: depending on how it is implemented it may allow all sorts of attacks, but again, this is equally true for any mechanism.
I want to consider using a Bluemix to run my application? For a firewall problem, I want to use a secure gateway of IBM that is one service in Bluemix. It uses a web socket. I customized a web socket of jetty in the past. So I am wondering if a web socket client makes a permanent connection with a web socket server. Does the server giving data back to the client? If the connection is disconnected for some reason, how can the web socket handle this exception?
If you're wondering about how Bluemix Secure Gateway handles these situations, then yes, the Secure Gateway Client creates a persistent secure websocket connection to the Secure Gateway Servers which allows for the necessary communication between your application and your resource(s) behind the firewall. If the websocket connection goes down, the Secure Gateway Client will attempt to establish a new websocket connection with the Secure Gateway Servers.
I saw many Tunnel to host:443 in Fiddler traffic interception, when I click it I saw below info:
The selected session is a HTTP CONNECT Tunnel. This tunnel enables a client to send raw traffic (e.g. HTTPS-encrypted streams or WebSocket messages) through a HTTP Proxy Server (like Fiddler).
I also searched this -
Fiddler2: Decrypt HTTPS traffic and Tunnel to host:443
But these didn't answer my question, why do we need the HTTP CONNECT Tunnel? Why does a client need to send raw traffic?
See https://textslashplain.com/2015/11/19/understanding-connect-tunnels/
tl;dr: Browsers need to send CONNECT tunnel requests to proxies in order for the proxy to know to what server the traffic should be sent.
The encryption provided by HTTPS prevents the proxy server from seeing the URLs or HOST headers of the requests, and these are how a proxy normally decides where to send the requests. So, for HTTPS traffic, a different approach is needed-- that approach is that the client tells the proxy: "Hey, give me a tunnel to example.com and let me know when it's ready." The proxy does so and tells the client HTTP/200 Connection established. At that point, the proxy becomes a blind byte-shuffler that takes bytes from the client and sends them to the server and returns the bytes the server replied with back to the client.
I'm using a package that connects to a database and presents the database schema as APIs. The package provides the service as a webserver. I can choose to use any port, but it's still HTTP. Even if I run it with port 443, requests must be in the form of http://mydomain:443/
I may be forced to provide the service through SSL. Is it possible to run a webserver which would redirect HTTPS requests to redirect to the package running HTTP on port 80, with the outgoing traffic going back through the webserver to clients as SSL? Essentially, I need some kind of wrapper around the existing app to provide SSL.
If such a thing is possible, which webserver would be the best choice and easiest to administer on Linux?