I'm writing an application in C# that uses proxies. The proxies are sending the HTTP_X_FORWARDED_FOR during HTTP requests, and this is unwanted behavior.
I am extending the Interop.SHDocVw axWebBrowser (aka Internet Explorer) control right now, but can take another approach if needed for this problem.
Is there some way to suppress this header... can this be done in code, on the proxy server, or not at all?
The proxy server, between your C# client and web site, is adding that HTTP_X_FORWARDED_FOR header.
So, You cannot suppress that on C# client.
But if you have control on proxy server, there should be a setting to turn it off.
For example in squid, following could work.
header_access X_Forwarded_For deny all
Or
You may try to find different proxy services, which does not send your ip address.
Related
I have an multi layered application that I have developed. I communicate with the windows service using http with ServiceStack (AppHostHttpListenerBase). While this works fine in clean environments, I often find that customers computers are not so clean and one of the first problem areas is the introduction of an unwanted Proxy with causes my application not to run. I get alot of bad press that the application does not work well, when in reality it is a result of a hidden issue on the customer machine.
When I go to query my endpoints the proxy interferes and I lose all communications with the Service.
I am thinking of going back to WCF and using namedpipes but before I do so, wondered if there was a better way in the ServiceStack world (Which I absolutely love)
Ideas? Suggestions?
If a local HTTP proxy is causing issues one thing you could try is to use SSL which will let you tunnel your traffic as an opaque binary through their proxy minimizing potential for interference.
Configuring SSL for HttpListener is configured the same way for all HttpListener's, i.e. it's not specific to ServiceStack - and it needs to be configured on the OS where it's run.
This answer shows how to configure SSL on Windows: https://stackoverflow.com/a/11457719/85785
You'll be able to use https with ServiceStack HttpListener self-host by following the steps above, I used "https://*:8443/" for the url and "CN=localhost" to bypass the SSL browser warning dialog.
It's not specifically clear in the answer but you can get the Thumbprint from the details tab of the certificate where you then need to remove spaces. If it's easier, you can follow the walkthrough in the answer below to use MMC to import the certificate: https://stackoverflow.com/a/33905011/85785
I use wcf ui services communicate between my javacsript (jquery) and server side code. I find this work effectively.
However I want to make it more secure. I can I set up wcf so that the requests to the services can only be made from within the same domain, to prevent external clients from making such requests to my services.
So for example, my service opertion url is http://www.website.com/Service.svc/GetProducts. I want to set up wcf so that only requests from pages in the http://www.website.com are allowed. I presume this is in the realm of cross domain wcf requests but need some assistance in setting this up. Help would be great.
This simply isn't possible if your services are exposed to the web.
If something about your services isn't secure enough for that, you should look into fixing that problem - not trying to prevent people from making requests.
Anyone can always use a debugging proxy like Fiddler, Charles, etc. or a tool like WireShark to send any data they want to your services - including a complete replay of a request made via the browser. (Including referrer http headers, etc).
If your situation allows for it, perhaps you might consider using a VPN appliance or something similar, and restrict access to users inside your network (or coming in through the VPN). That way there is less concern about your security of the services.... however it's a known fact that "internal attackers" are just as prevalent, if not more so, than external ones... so don't get too comfy.
Let me head this argument off at the pass too, while I'm at it; someone might suggest that browsers already prevent cross site scripting like that. Yes, that's true. But usually it would be the developer of the other application adding the client side script to call those services - and he/she could just as easily make that request on the server side and proxy the results along to the client.
I've some fishy application that makes HTTP requests to a website, i would like to intersect that request and send other data to the server. Is that possible in C#,java or C++?
EDIT: The application isn't mine, i just know the endpoint that it sends http requests
Fiddler might provide the functionality you need. At the very least it may enable you to see what is being sent to the web site.
in Java You can intercept request from Filter
You may want to look into using an HttpModule, whose purpose is to intercept incoming HTTP requests.
The ASP Column: HTTP Modules
Firstly are you aware of how it is connecting to the internet? For example, is it using the settings from Internet Explorer, or is it establishing a direct connection? If the latter, this may be tricky, there is no direct port forwarding as there in Linux, so you'll need some third-party tools to redirect the traffic to a server (which you can write in Java, C++ or C#, I would go for C# if you know it for pure speed of development) In that server you can intercept the request, and then create your own to actually send to the real destination.
Sounds like a cludge, but I think you're stuck with this approach due to the lack of direct port forwarding. You'll have to configure the third-party tool that you use to forward someother well known port to 80, and your server should write to this.
I have a project where I have created web service proxy classes with wsdl.exe and then simply create an instance of that class (inherits System.Web.Services.Protocols.SoapHttpClientProtocol) and call the method that should send a SOAP message. I'm using Visual Studio 2008 if that matters. And I'm trying this in my development machine without access to actual web service that is located inside of customer's intranet. So, the sending will of course not succeed and I will not get any response back but all I would like to see is the exact content of SOAP messages this solution creates and tries to send. How do I see that?
Use fiddler.
Have a look at SOAPUI from eviware.com.
Its a free for personal use Java app. Among other things you can
set it up to run as a dummy test server. Just load up hte WSDL
and enter the dummy data.
In test server mode it will log your requests so you can see whats happening
inside the request message.
If you're Web service is accessed by clear text, non-SSL HTTP, you can just use a sniffer, like Wireshark, to see the data coming from and to your application. Wireshark can trace, filter and analyze wire data. I have used it do debug HTTP and other protocols many times, and it's a great tool to do this.
SOAP messages are simply XML data sent using the HTTP POST method. So you can for example install a local web server on your development machine, configure your web service to use some dummy URI on this server, and grab the network traffic with WireShark (AKA ethereal). The big advantage of this method is that it involves no coding.
Alternatively you can use an HTTP echo server that dumps its incoming traffic, like this one (found while googling "http echo server"):
You can intercept the call with tcpMon
I have a C# application that is a client to a web service. One of my requirements is to allow capturing the SOAP that I send, so that if there is a problem, I can either fix the bug, or demonstrate that the problem is in the service I am calling.
My WebReference proxy service class derives from System.Web.Services.Protocols.SoapHttpClientProtocol as usual. If I had a magic wand, I would make this base class implement an event OnPost that I could handle to write the SOAP into my logs and continue.
Short of running a packet sniffer like WireShark, is there an easy way to get this level of logging?
I think what you are looking for is addressed in this question:
Getting RAW Soap Data from a Web Reference Client running in ASP.net
It looks like a lot of code though.
If the application is running on your local box and the web service isn't doing anything funky, you can use Fiddler. Fire Up IE, run Fiddler, and you'll see your web service calls go through fiddler's proxy too.
I just used this this morning to do almost the same thing. I had to prove the data my web service was sending wasn't messed up.
To see this traffic in fiddler use the following code:
mySoapHttpClientProtocol.Url = mySoapHttpClientProtocol.Url.Replace("localhost", "localhost.fiddler");
Otherwise, Visual Studio's built in web server will bypass all proxies.
Take a look at SoapExtensions.
They are what you need.
For some reason Fiddler was not showing my local service calls when using the ASP.NET Development Server that comes with Visual Studio. To get around this I changed the web service Url at runtime to be the Fiddler port, just to capture the SOAP message.
You can do this from the Immediate window, for example:
myservice.Url = "localhost:8888" (or whatever port you have Fiddler on)
I used the SoapUI client to test responses.
Just "." add the address in your endpoint after "localhost".
like this:
<endpoint address="http://localhost.:8868/FEInvoice.asmx" binding="basicHttpBinding"
bindingConfiguration="FEInvoice_Test" contract="EInvoiceIntegration.FEInvoiceSoap"
name="FEInvoice_Test" />