Debugging 403's? - iis

whats the best way to investigate why a server is returning a 403 for a http web request?
Can an iis server be configured to provide a more detailed internal log for 403's?

A nice way to start is to analyze returned headers (using curl -vvv, or inspecting the request using your favorite web browser development tool).

Related

How to stress test NodeJS API behind NGINX?

I have an API on a remote server that I need to stress test. It is sitting behind a NGINX reverse proxy that does 301 to the API app running behind it.
Normal requests / Postman all work fine and I get 200s back. As soon as I use something like AutoCannon I get 3xx instead of 200s and the requests never hit the actual nodejs app.
Is there some special configuration I need to do on NGINX to allow stress tests to occur?
Given you're sending the same request you should get the same response so double check the URL, request body, request headers and so on. Compare the requests originating from Postman and AutoCannon using an external sniffer tool like Fiddler or Wireshark, identify the differences and amend AutoCannon configuration so it would send exactly the same request like Postman does.
You might want to switch to other load testing tool like Apache JMeter which comes with HTTP(S) Test Script Recorder so you will be able to record the request from your browser (or other application like Postman) so you won't have to guess what's wrong with your AutoCannor setup. There is also JMeter Chrome Extension so if you can access your API via browser you will be able to record JMeter script without having to worry about proxies and certificates.

loading socket.io-client.socket.io.js fails when using ssl

I have developed a node js application which works fine as long as use http. Now I need to upgrade the code too be able to work ssl and I am having problems to load the socket.io-client/socket.io.js file. (The rest is working fine. I installed the certificates and the server works well)
Firefox fails with the following message: Blocked loading mixed active content "http://"url"/socket.io/?EIO=3&transport=polling&t=NX-uS5E". which is weird because the link states a http request.
Chrome fails with this message: socket.io.js:3511 Mixed Content: The page at 'https://"url"?' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://"url"/socket.io/?EIO=3&transport=polling&t=NX-s_OB'. This request has been blocked; the content must be served over HTTPS.
It seems that socket.io-client is trying to load a resource using http instead of https. Is that possible?
How can I correct this? Any idea?
I have been searching the web for two days noow and I have not come to any indication of someone else having this issue
Ok, after letting it go for the evening and having a good rest I checked my whole code again and found the error!
I had one obfuscated code line where I was using a http request instead of a https one. I had to correct this on both, the server and the client side.
I also had to include the port number on each of the calls and force the socket on the client side to use polling instead of websockets by adding the option "transports: ['polling']"

Chrome extension background XMLHttpRequest proxy server

I have a background task in a Chrome Extension that performs some polling/checking. In error cases, I want to retry the check using a different CDN server to verify if it's a site-wide problem or just a CDN node affected. The challenge is how to control to which CDN node to send to.
e.g. let's say I'm checking www.company.com and typically that will be served by server21.cdn.co
Now if that fails I want to check server5.cdn.co and server10.cdn2.co for the same content to see if there's a correlation.
These checks are done using XMLHttpRequest but I can't find a way to specify which host/proxy to use per-request.
I wouldn't want to "hijack" the entire browser's proxy server settings because it would cause all other pages/tabs to fail.
If it's load-balancing performed on the DNS level (which is most probable), you can't affect which server you actually contact at all.
To clarify, this can't be done because XMLHTTPRequest forbids overriding the Host header in requests. See https://security.stackexchange.com/questions/46702/how-can-i-control-the-content-of-the-http-host-header-in-requests-issued-from-my/ for an explanation of why.
Conceptually/technically it's easy to do if it weren't for this security issue. For example with curl:
curl --verbose --header 'Host: www.example.com' 'http://10.1.1.36/the_url_to_test'
But as mentioned in the question, we're stuck inside a Chrome extension so curl is not an option!

Apigee API end point gives 503 on the browser, but a 200 on Apigee trace and curl

We use Apigee proxy to invoke our API. All works well when we test it out within Apigee trace. Also works fine with curl. But on a browser, it gives a 503. This is not consistent though, sometimes it gives a 200 on the browser too. Tried Chrome and Firefox, same behavior.
Our API still executes well though. We do not return any response, merely set the status. Any ideas on what we could try out to get a 200 on the browser?
Couple of things to check:
Check if your Browser has a DNS entry caching. Sometimes services like ELB changes the actual IPs. So caching DNS entries may result in 503.
Another you may want to check is the difference is in the HTTP Verb used. Browsers send a GET request. But curl commands can do all. So if your service is specifically not serving GET calls you may get some server side errors. Also curl sends certain headers even if you do not explicitly send. E.g., Accept:/ header and user-agent header etc. Check if the server is behaving differently based on those headers.
You should look into using Chrome or Firefox extensions for this. There are two in particular which support a wide range of additional features for API developers.
For Chrome, try Postman.
For Firefox, try RESTClient.
Thanks.

Using IIS as secure reverse proxy in front of less secure HTTP server?

I have a CppCMS based application and I cant use IIS's FastCGI connector as
it is broken for my use thus I want to try to
use the internal HTTP server designed for debug purposes behind IIS.
I it is quite simple web server for an application that handles basic HTTP/1.0 requests
and does not care too much about security like DoS, file serving and more.
So I'd like to know if it is possible to use IIS in front of such application such that
it would:
Sanitize all requests - ensure that they are proper HTTP
Handle all DoS issues like timeouts
Serve the static files.
Is this something that can be configured and done at all?
I would suggest this is the wrong way of doing this. I would use a web server like Nginx to proxy the requests through to backend server. It is very configurable and you will find a lot of articles with doing it to Apache.
We just did something like this. You want the URL Rewriter module. You can use it to sanitize the URLs, however, it isn't going to sanitize the payload. Which is to say, you can make sure that the URLs that hit your box are very specific ones, e.g. not attempts to hits CGI, but you can't use it to make sure that the contents of an upload are safe.
ModSecurity is out for IIS now, it can handle lots of the security related issues.

Resources